Terraform v0.7.0
resource "aws_iam_policy" "some-resource" {
  name        = "some-name"
  path        = "/"
  description = "some description"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetUser"
      ],
      "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
    }
  ]
}
EOF
}
N/A
No panic.
Resource should have planned/applied as expected.
Error loading Terraform: Error loading config: Error loading /home/username/blah/myresource.tf: Error reading config for aws_iam_policy[some-resource]: parse error: syntax error
I suspect the issue is the ${aws:username} syntax being used within the Resource attribute of the IAM policy is being detected by HCL's parser, then it gets confused about the : in the middle and doesn't know what to do next.
This is valid IAM policy syntax, see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions.html#Credentials-Permissions-overview
terraform plan
N/A
N/A
Note:
Changing "Resource": "arn:aws:iam::123456789012:user/${aws:username}" to "Resource": "arn:aws:iam::123456789012:user/[email protected]" works fine. Confirming the behaviour.
Hey Nathan,
the dollar sign has to be escaped by one extra dollar sign in this case. Can you try the following?
resource "aws_iam_policy" "some-resource" {
  name        = "some-name"
  path        = "/"
  description = "some description"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetUser"
      ],
      "Resource": "arn:aws:iam::123456789012:user/$${aws:username}"
    }
  ]
}
EOF
}
it worked for me ^
Also related to your example there's a new data source coming in 0.7.1 to make such configs more idiomatic/readable:
data "aws_caller_identity" "current" {}

resource "aws_iam_policy" "some-resource" {
  name        = "some-name"
  path        = "/"
  description = "some description"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetUser"
      ],
      "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/$${aws:username}"
    }
  ]
}
EOF
}
@radeksimko confirmed, thanks :) I tried escaping the {}'s with \ but had no luck. Didn't know about the extra dollar sign though, nice one.
So I must be an idiot... in another resource type we do this: https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html#context-variable-interpolation
is there a reason for the inconsistency?
@flyinprogrammer The reason is mentioned there too I think
"The native IAM policy document format uses ${...}-style syntax that is in conflict with Terraform's interpolation syntax"
Sorry for the poorly worded question.
https://github.com/hashicorp/terraform/blob/master/builtin/providers/aws/data_source_aws_iam_policy_document.go#L14
With aws_iam_policy_document resources the policies have a replacer and use &{} instead of ${}. But with this resource type, aws_iam_policy, we use $${} instead of ${}.
In regards to the previous comment, the link is now: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/data_source_aws_iam_policy_document.go#L14
The inconsistency still stands.
Sorry to bump an old issue.
Has this been changed in terraform 0.12? I can't get either $${} or &{} to work when reading the policy via file(...)
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.