Terraform-provider-aws: aws_iam_policy_document source_json and override_json params crash terraform with array of "AWS" principals

Created on 23 Feb 2018  ·  4 Comments  ·  Source: hashicorp/terraform-provider-aws

AWS_Provider: 1.9.0

Terraform: 0.11.3

Using code similar to

data "aws_iam_policy_document" "policy" {
  source_json = "${file("${var.policy_file_path}")}"
  statement {...}
}

crashes when used with the following policy

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                "arn:aws:iam::XXXXXXXXXX:role/role1",
                "arn:aws:iam::XXXXXXXXXX:role/role2"
              ]
            },
            "Action": [
              "ecr:GetDownloadUrlForLayer"
            ]
        }
    ]
}

panic: Unsupported data type for IAMPolicyStatementPrincipalSet [recovered]
2018-02-23T15:07:48.563+0100 [DEBUG] plugin.terraform-provider-aws_v1.9.0_x4:   panic: Unsupported data type for IAMPolicyStatementPrincipalSet
2018-02-23T15:07:48.563+0100 [DEBUG] plugin.terraform-provider-aws_v1.9.0_x4: 
2018-02-23T15:07:48.563+0100 [DEBUG] plugin.terraform-provider-aws_v1.9.0_x4: goroutine 136 [running]:
2018-02-23T15:07:48.563+0100 [DEBUG] plugin.terraform-provider-aws_v1.9.0_x4: encoding/json.(*encodeState).marshal.func1(0xc420a5d848)
2018-02-23T15:07:48.563+0100 [DEBUG] plugin.terraform-provider-aws_v1.9.0_x4:   /usr/local/go/src/encoding/json/encode.go:291 +0x12a
2018-02-23T15:07:48.563+0100 [DEBUG] plugin.terraform-provider-aws_v1.9.0_x4: panic(0x2d571c0, 0x374f870)
2018-02-23T15:07:48.563+0100 [DEBUG] plugin.terraform-provider-aws_v1.9.0_x4:   /usr/local/go/src/runtime/panic.go:491 +0x283
...

Although it works with this type of policy

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::XXXXXXXXXX:role/role1"
            },
            "Action": [
              "ecr:GetDownloadUrlForLayer"
            ]
        }
    ]
}

This seems to lead here: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/iam_policy_model.go#L104

bug service/iam
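
Added example, not code from this issue or from the provider: a Go decoder for the `Principal` object that normalizes both shapes shown in the report (a single string and an array of strings) and returns an error instead of panicking on any other type. `PrincipalSet` and `ParsePrincipals` are hypothetical names, and the bare `"Principal": "*"` form is outside what it handles.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PrincipalSet maps a principal type ("AWS", "Service", ...) to its identifiers.
// Hypothetical type for this example, not the provider's own model.
type PrincipalSet map[string][]string

// UnmarshalJSON accepts both encodings of an identifier list, a single string
// or an array of strings, and returns an error (never panics) on anything else.
func (p *PrincipalSet) UnmarshalJSON(b []byte) error {
	var obj map[string]interface{}
	if err := json.Unmarshal(b, &obj); err != nil {
		return err
	}
	out := PrincipalSet{}
	for typ, v := range obj {
		switch id := v.(type) {
		case string:
			out[typ] = []string{id}
		case []interface{}:
			for _, e := range id {
				s, ok := e.(string)
				if !ok {
					return fmt.Errorf("principal %q: non-string identifier %v", typ, e)
				}
				out[typ] = append(out[typ], s)
			}
		default:
			return fmt.Errorf("principal %q: unsupported data type %T", typ, v)
		}
	}
	*p = out
	return nil
}

// ParsePrincipals decodes the "Principal" value of one policy statement.
func ParsePrincipals(principal string) (PrincipalSet, error) {
	var p PrincipalSet
	err := json.Unmarshal([]byte(principal), &p)
	return p, err
}

func main() { // constructed input, modelled on the policy in the report
	fmt.Println(ParsePrincipals(`{"AWS": ["arn:aws:iam::XXXXXXXXXX:role/role1", "arn:aws:iam::XXXXXXXXXX:role/role2"]}`))
}
```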

All 4 comments

We're seeing this behavior as well using provider version 1.10.0, when creating IAM policy documents with principals that have more than one identifier.

The fix for this has been merged into master via #4277 and will release with v1.16.0 of the AWS provider, likely mid next week.

This has been released in version 1.16.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
