Terraform-provider-aws: API Gateway Resource Policy JSON

Created on 30 Apr 2018 · 9 Comments · Source: hashicorp/terraform-provider-aws

Terraform Version

Terraform v0.11.7

  • provider.aws v1.16.0

Affected Resource(s)

  • aws_api_gateway_rest_api

Terraform Configuration Files

resource "aws_api_gateway_rest_api" "api" {
  name        = "${var.api_gateway_name}"
  description = "${var.api_gateway_description}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "*",
      "Condition": {
          "IpAddress": {
              "aws:SourceIp": "123.123.123.123/19"
          }
      }
    }
  ]
}
EOF
}

Debug Output

https://gist.github.com/danieladams456/5a52c3cfaf3ce72ff788c030f93bb723

Expected Behavior

Apply sets API Gateway resource policy

Actual Behavior

Plan or apply gives error: aws_api_gateway_rest_api.api: aws_api_gateway_rest_api.api: error unescaping policy: invalid syntax

Steps to Reproduce

  1. terraform apply

Important Factoids

Adding it to an existing project fails, but creating a new project with the same policy and the single resource succeeds. Still digging into why.

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

  • GH-4211

Labels: bug, service/apigateway

All 9 comments

The seemingly relevant lines in the debug output for the working project and the non-working project are the same:

"{\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":\\\"*\\\",\\\"Action\\\":\\\"execute-api:Invoke\\\",\\\"Resource\\\":\\\"*\\\",\\\"Condition\\\":{\\\"IpAddress\\\":{\\\"aws:SourceIp\\\":\\\"123.123.123.123\\/19\\\"}}}]}"

"{\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":\\\"*\\\",\\\"Action\\\":\\\"execute-api:Invoke\\\",\\\"Resource\\\":\\\"*\\\",\\\"Condition\\\":{\\\"IpAddress\\\":{\\\"aws:SourceIp\\\":\\\"123.123.123.123\\/19\\\"}}}]}"

I have updated the debug gist to include both. Thanks!

I've done a bit of digging on this and it looks like strconv.Unquote is not happy if you pass it a string with escaped forward slashes, and the policy string AWS returns escapes the forward slash in the CIDR block.

Thanks @ouroboros8 - looks spot on!

Yup, having the same issue. Cannot get the policy to work. Looking forward to a fix.

Same issue here as well, is there a specific format for this?

Thanks to @ouroboros8 a fix for escape character handling (#4606) has been merged and will release with v1.20.0 of the AWS provider later this week.

This has been released in version 1.20.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

I obtained a similar issue, my terraform:

resource "aws_api_gateway_rest_api" "api" {
  name = "${var.project_name}"

  endpoint_configuration {
    types = ["${var.endpoint_type}"]
  }

  tags = {
    env     = "${var.status}"
    system  = "${var.project_name}"
    type    = "service"
  }

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
EOF
}

Error message: Error: BadRequestException: Invalid policy document. Please check the policy syntax and ensure that Principals are valid.

extra information

provider "aws" {
  region  = "${var.region}"
  version = "~> 2.42"
}
terraform {
  required_version = ">= 0.12"
}

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
