Terraform-provider-aws: Invalid JSON policy Error

Created on 29 Mar 2018  ·  10 Comments  ·  Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @SrikanthSoma as hashicorp/terraform#17717. It was migrated here as a result of the provider split. The original body of the issue is below._


Hi,

Terraform validate says "policy" contains invalid JSON policy

This is my JSON policy, which is valid, so why does terraform validate say it is an invalid policy?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1",
                "arn:aws:s3:::bucket2",
                "arn:aws:s3:::bucket3",
                "arn:aws:s3:::bucket4",
                "arn:aws:s3:::bucket5"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1/*",
                "arn:aws:s3:::bucket2/*",
                "arn:aws:s3:::bucket3/*",
                "arn:aws:s3:::bucket4/*",
                "arn:aws:s3:::bucket5/*"
            ]
        }
    ]
}

Terraform -v:

0.11.3

Terraform reproduce:

terraform plan
terraform validate

Error:

Error: aws_iam_policy.test_policy: "policy" contains an invalid JSON policy

Labels: bug, service/iam

All 10 comments

Hi @SrikanthSoma 👋 I was not able to reproduce the invalid JSON error on Terraform 0.11.5 and AWS provider 1.13.0 with the aws_iam_policy resource doing something like this:

resource "aws_iam_policy" "example" {
  name = "example"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1",
                "arn:aws:s3:::bucket2",
                "arn:aws:s3:::bucket3",
                "arn:aws:s3:::bucket4",
                "arn:aws:s3:::bucket5"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1/*",
                "arn:aws:s3:::bucket2/*",
                "arn:aws:s3:::bucket3/*",
                "arn:aws:s3:::bucket4/*",
                "arn:aws:s3:::bucket5/*"
            ]
        }
    ]
}
EOF
}

Can you please provide more details, such as how you are configuring the resource?

Hello,

Most probably it's because the policy contains leading spaces.

For resource "aws_iam_role" assume_role_policy (and leading spaces in the JSON), terraform shows an error message that the policy cannot contain leading spaces.
However, for resource "aws_iam_role_policy" (and leading spaces in the JSON), terraform simply says that policy contains an invalid JSON policy.

I think that the error message given by terraform in this case should be more specific.

I'm currently experiencing similar issues too.

terraform -v
Terraform v0.11.7
+ provider.aws v1.27.0
+ provider.http v1.0.1
+ provider.kubernetes v1.1.0
resource "aws_iam_role_policy" "cluster-service-linked-role" {
   name = "service-linked-role"
   role = "${aws_iam_role.cluster.name}"

   policy = <<EOF
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": "iam:CreateServiceLinkedRole",
                 "Resource": "arn:aws:iam::*:role/aws-service-role/*"
             },
             {
                 "Effect": "Allow",
                 "Action": [
                     "ec2:DescribeAccountAttributes"
                 ],
                 "Resource": "*"
             }
         ]
     }
 EOF
 }

it seems one resource uses validateIAMPolicyJson and the other validateJsonString
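The two behaviours described in this thread (one resource reporting leading spaces explicitly, the other only reporting an invalid policy) can be reproduced with a small stand-alone Go program. This is an added example, not code from the terraform-provider-aws project: the function names `ValidateIAMPolicyJSON`, `ValidateJSONString` and `NormalizePolicyJSON` and the checks they perform are assumptions that model the behaviour reported above, and the `indentedPolicy` constant is a constructed copy of the heredoc body from the previous comment, leading spaces included.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Constructed sample: the heredoc body from the report above. A <<EOF heredoc
// keeps every leading space, so the document starts with spaces, not with "{".
const indentedPolicy = `     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": "iam:CreateServiceLinkedRole",
                 "Resource": "arn:aws:iam::*:role/aws-service-role/*"
             }
         ]
     }
`

// ValidateJSONString only checks that the value is well-formed JSON.
// encoding/json skips leading whitespace, so the indented policy passes here.
func ValidateJSONString(policy string) error {
	var v interface{}
	if err := json.Unmarshal([]byte(policy), &v); err != nil {
		return fmt.Errorf("invalid JSON: %w", err)
	}
	return nil
}

// ValidateIAMPolicyJSON models (assumption, not the provider's own code) a
// stricter check that requires the document to begin with "{" before parsing.
// Leading whitespace is reported by name instead of as a generic JSON failure,
// which is the more specific message the thread asks for.
func ValidateIAMPolicyJSON(policy string) error {
	if stripped := strings.TrimLeftFunc(policy, unicode.IsSpace); len(stripped) != len(policy) {
		return errors.New("policy contains leading whitespace before the opening brace")
	}
	if !strings.HasPrefix(policy, "{") {
		return errors.New("policy contains an invalid JSON policy: document must start with '{'")
	}
	return ValidateJSONString(policy)
}

// NormalizePolicyJSON trims surrounding whitespace and re-emits the document in
// compact form, so indentation chosen for readability never reaches the strict check.
func NormalizePolicyJSON(policy string) (string, error) {
	var v interface{}
	if err := json.Unmarshal([]byte(strings.TrimSpace(policy)), &v); err != nil {
		return "", fmt.Errorf("invalid JSON: %w", err)
	}
	out, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	fmt.Println("lenient check:", ValidateJSONString(indentedPolicy))
	fmt.Println("strict check: ", ValidateIAMPolicyJSON(indentedPolicy))

	normalized, err := NormalizePolicyJSON(indentedPolicy)
	if err != nil {
		fmt.Println("normalize failed:", err)
		return
	}
	fmt.Println("after normalizing:", ValidateIAMPolicyJSON(normalized))
	fmt.Println(normalized)
}
```

Running it shows the lenient parser accepting the indented document while the strict check rejects it, and the same document passing once normalized. On the Terraform side the same effect is obtained by building the policy with `jsonencode()` (available as an interpolation function in 0.11) instead of a heredoc, which produces compact JSON with no leading whitespace at all.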

When you create an EOF injection, JSON doesn't like white spaces. The code above should look something like this:

resource "aws_iam_role_policy" "cluster-service-linked-role" {
   name = "service-linked-role"
   role = "${aws_iam_role.cluster.name}"

   policy = <<EOF
{
   "Version": "2012-10-17",
      "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/*"
        },
        {
            "Effect": "Allow",
             "Action": [
             "ec2:DescribeAccountAttributes"
        ],
        "Resource": "*"
     }
  ]
}
 EOF
 }

Is there any reason why whitespace couldn't be trimmed? I find it much more readable to have it tab indented.

I think this is a duplicate of #1873 which contains a link (#5887) to a PR with a fix to normalize JSON.

Had this exact same issue on TF 0.12.2. This policy:

resource "aws_iam_role_policy" "iam_policy" {
  name = "name"
  role = "iam_role"
  policy = <<EOF
     {   (5x spaces hidden by github formatter)
       "Version": "2012-10-17",
       "Statement": [

Was fixed by removing the spaces ahead of the opening curly brace:

resource "aws_iam_role_policy" "iam_policy" {
  name = "name"
  role = "iam_role"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [

Hi folks! I'm closing this as a duplicate of #1873. Please direct any further discussion there.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
