Terraform: Parsing Error in the IAM Policy

Created on 26 Feb 2018 · 3 Comments · Source: hashicorp/terraform

Terraform Version

terraform -v
Terraform v0.11.3
+ provider.aws v1.9.0

Debug Output

TF_LOG=trace terraform init
2018/02/26 10:17:31 [INFO] Terraform version: 0.11.3  3802b14260603f90c7a1faf55994dcc8933e2069
2018/02/26 10:17:31 [INFO] Go runtime version: go1.9.1
2018/02/26 10:17:31 [INFO] CLI args: []string{"/Volumes/swdata/nworks/repo/aws/bin/terraform", "init"}
2018/02/26 10:17:31 [DEBUG] Attempting to open CLI config file: /Users/neraliu/.terraformrc
2018/02/26 10:17:31 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2018/02/26 10:17:31 [INFO] CLI command args: []string{"init"}
2018/02/26 10:17:31 [DEBUG] command: loading backend config file: /Users/neraliu/nworks/repo/aws/terraform/project
2018/02/26 10:17:31 [DEBUG] plugin: waiting for all plugin processes to complete...
There are some problems with the configuration, described below.

The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.

Error: Error loading /Users/neraliu/nworks/repo/aws/terraform/project/10-iamp.tf: Error reading config for aws_iam_policy[iam-manage-mfa]: parse error at 14:34: expected "}" but found ":"

Crash Output

Expected Behavior

There should be no parsing error when I run terraform init on the following tf file.

Actual Behavior

I found that the parsing error is coming from the following IAM policy configuration containing ${aws:username}. This is a valid policy setting on AWS; however, it causes a parsing error when I run terraform init on it.

$ cat 10-iamp.tf
....
resource "aws_iam_policy" "iam-manage-mfa" {
    name        = "iam-manage-mfa"
    path        = "/"
    description = ""
    policy      = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": true
        }
      }
    },
    {
      "Sid": "AllowUsersToListMFADevicesandUsersForConsole",
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}

Steps to Reproduce

  1. Create the tf file with the above policy
  2. Run terraform init, then you can get the parsing error.

References

It is a valid IAM manage-MFA policy:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html

Labels: provider/aws, question

All 3 comments

I think you need to escape the $ by using $$. See: https://www.terraform.io/docs/configuration/interpolation.html

Edit: specifically the ${aws:username} should become $${aws:username}

You can escape interpolation with double dollar signs: $${foo} will be rendered as a literal ${foo}.
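The fix the comment above describes, written out as an added example (this is not the reporter's 10-iamp.tf nor code posted by the commenter). The first block is the reporter's resource with the IAM policy variable escaped for Terraform 0.11: inside a heredoc Terraform treats ${...} as its own interpolation, so ${aws:username} is written $${aws:username} and the JSON handed to the provider contains the literal ${aws:username}. The second block shows the alternative offered by the terraform-provider-aws aws_iam_policy_document data source, whose documented notation for IAM policy variables is &{aws:username}, so no $$ escaping is needed; the data source and resource names here (manage_own_mfa, iam_manage_mfa_from_document) are my own choice.

```hcl
# Added example: the reporter's policy with the IAM policy variable escaped.
# In Terraform 0.11 a heredoc is interpolated, so $${aws:username} renders as
# the literal ${aws:username} that IAM expects.
resource "aws_iam_policy" "iam-manage-mfa" {
  name        = "iam-manage-mfa"
  path        = "/"
  description = "Allow users to manage only their own virtual MFA device"
  policy      = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/$${aws:username}",
        "arn:aws:iam::*:user/$${aws:username}"
      ]
    },
    {
      "Sid": "AllowUsersToDeactivateTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": ["iam:DeactivateMFADevice"],
      "Resource": [
        "arn:aws:iam::*:mfa/$${aws:username}",
        "arn:aws:iam::*:user/$${aws:username}"
      ],
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
POLICY
}

# Alternative: let the provider build the JSON. The aws_iam_policy_document
# data source accepts &{aws:username} for IAM policy variables and emits
# ${aws:username} in its .json output, so the Terraform parser never sees a
# bare ${...} it would try to interpolate. Names below are hypothetical.
data "aws_iam_policy_document" "manage_own_mfa" {
  statement {
    sid    = "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice"
    effect = "Allow"
    actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ResyncMFADevice",
      "iam:DeleteVirtualMFADevice",
    ]
    resources = [
      "arn:aws:iam::*:mfa/&{aws:username}",
      "arn:aws:iam::*:user/&{aws:username}",
    ]
  }

  statement {
    sid       = "AllowUsersToDeactivateTheirOwnVirtualMFADevice"
    effect    = "Allow"
    actions   = ["iam:DeactivateMFADevice"]
    resources = [
      "arn:aws:iam::*:mfa/&{aws:username}",
      "arn:aws:iam::*:user/&{aws:username}",
    ]
    # Only a session that already presented MFA may turn the device off.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_policy" "iam_manage_mfa_from_document" {
  name   = "iam-manage-mfa-from-document"
  path   = "/"
  policy = "${data.aws_iam_policy_document.manage_own_mfa.json}"
}
```

With either form, terraform init parses the file and terraform plan shows the policy attribute with the literal ${aws:username} in each Resource ARN, which is what scopes the statements to the calling user's own MFA device and user entity. The data source form is the easier one to keep correct: every policy variable uses one notation, and a forgotten escape is no longer possible.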

This issue has been automatically migrated to terraform-providers/terraform-provider-aws#3531 because it looks like an issue with that provider. If you believe this is _not_ an issue with the provider, please reply to terraform-providers/terraform-provider-aws#3531.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
