Terraform-provider-aws: S3 bucket policy malformed - Error putting S3 policy: MalformedPolicy: Policy has invalid resource

Created on 5 Dec 2019  ·  4 Comments  ·  Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @gregorzupan as hashicorp/terraform#23570. It was migrated here as a result of the provider split. The original body of the issue is below._


Terraform Version

Terraform v0.11.11

  • provider.aws v1.60.0
  • provider.template v1.0.0

Terraform Configuration Files

resource "aws_s3_bucket" "wdb" {
  bucket = "YYYYYYY"
  acl    = "private"

  tags {
    Name = "Wdb bucket"
  }
}

data "template_file" "wdb_policy_file" {
  template = "${file("${path.module}/policies/s3-wdb-shared-policy.json")}"

  vars {
    aws_wdb_bucket_arn = "${aws_s3_bucket.wdb.arn}"
  }
}

resource "aws_s3_bucket_policy" "wdb" {
  bucket = "${aws_s3_bucket.wdb.id}"

  policy = "${data.template_file.wdb_policy_file.rendered}"
}

Policy JSON (policies/s3-wdb-shared-policy.json):
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "Wdb-CrossAccount",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::XXXXXX:root"
          },
          "Action": "s3:*",
          "Resource": [
              "arn:aws:s3:::${aws_wdb_bucket_arn}/*",
              "arn:aws:s3:::${aws_wdb_bucket_arn}"
          ]
      }
  ]
}

...

Debug Output

aws_s3_bucket_policy.wdb: Error putting S3 policy: MalformedPolicy: Policy has invalid resource
status code: 400,

Expected Behavior

Policy should be attached to bucket.

Actual Behavior

Error listed above is displayed

Steps to Reproduce

  1. terraform apply

Additional Context

If I take policy.json and apply it in AWS console via bucket policy it works.


All 4 comments

Any update?

Is there any movement on this issue?

Wow, I'm having the exact same issue! So it seems to be a bug from version 0.11.

`โฏ terraform --version
Terraform v0.12.28

  • provider.aws v2.69.0`

Hey!
Correct me if I'm wrong, but resources in the policy are really incorrect. There should be the bucket name (id) provided to get ARN as a result:

```
"Resource": [
  "arn:aws:s3:::${aws_s3_bucket.wdb.id}/*",
  "arn:aws:s3:::${aws_s3_bucket.wdb.id}"
]
```