Terraform: Terraform interpolation causes issues when heredoc contains json

Created on 16 Aug 2018 · 3 Comments · Source: hashicorp/terraform

Terraform Version

This issue reproduces with the AWS policies that have IAM variables, but I believe it's an issue with the interpolation of heredocs and not AWS provider specific.

Terraform v0.11.7
+ provider.aws v1.22.0

Terraform Configuration Files

resource "aws_iam_policy" "manage_own_auth" {
  name        = "manage_own_auth"
  path        = "/"
  description = "Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:*SSHPublicKey*"
      ],
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
    }
  ]
}
POLICY
}

Debug Output

$ terraform validate .
2018/08/15 18:10:06 [INFO] Terraform version: 0.11.7
2018/08/15 18:10:06 [INFO] Go runtime version: go1.10.1
2018/08/15 18:10:06 [INFO] CLI args: []string{"/usr/local/Cellar/terraform/0.11.7/bin/terraform", "validate", "."}
2018/08/15 18:10:06 [DEBUG] Attempting to open CLI config file: ~/.terraformrc
2018/08/15 18:10:06 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2018/08/15 18:10:06 [INFO] CLI command args: []string{"validate", "."}
2018/08/15 18:10:06 [DEBUG] plugin: waiting for all plugin processes to complete...

Error: Error loading /tmp/test.tf: Error reading config for aws_iam_policy[manage_own_auth]: parse error at 11:70: expected "}" but found ":"

Expected Behavior

For Terraform to not remove interpolation strings it doesn't know. For the heredoc to be applied as is, with no interpolation from Terraform.

Actual Behavior

See error.

Steps to Reproduce

terraform validate .

Additional Context

Trying to escape chars only leads to different errors:
Error: aws_iam_policy.manage_own_auth: "policy" contains an invalid JSON: invalid character '$' in string escape code
Error: aws_iam_policy.manage_own_auth: "policy" contains an invalid JSON: invalid character '{' in string escape code

References

Ref AWS docs on variables: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html

question waiting-response

All 3 comments

hey @u2mejc

Thanks for opening this issue

In the example above the syntax ${} will cause Terraform to try and evaluate the field as an interpolation function (which changed in Terraform 0.8) - since you want to use this value literally and not as an interpolation function this will need to be double-escaped (using two $ symbols). Would you be able to take a look and see if escaping as below solves your issue:

resource "aws_iam_policy" "manage_own_auth" {
  name        = "manage_own_auth"
  path        = "/"
  description = "Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:*SSHPublicKey*"
      ],
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/$${aws:username}"
    }
  ]
}
POLICY
}

Thanks!
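An added check for the escaping rule described in the comment above (example code, not from Terraform or this issue): it mimics Terraform 0.11's unescaping of `$${` to a literal `${` over a constructed heredoc policy body, flags IAM policy variables left unescaped, and confirms that the escaped form yields valid JSON with `${aws:username}` intact for IAM. The `IAM_PREFIXES` list and the sample policy text are constructed for the example.

```python
import json
import re

# Added example, not code from Terraform or this issue. Terraform 0.11 reads
# "${...}" inside a heredoc as an interpolation and turns "$${" into a
# literal "${", so IAM policy variables such as ${aws:username} must be
# written as $${aws:username}. This checker flags unescaped IAM variables and
# shows the literal JSON the provider would receive after unescaping.

# A "${...}" not preceded by another "$" is one Terraform would try to evaluate.
UNESCAPED = re.compile(r"(?<!\$)\$\{([^}]*)\}")
# IAM policy-variable namespaces (constructed, partial list for the example).
IAM_PREFIXES = ("aws:", "iam:", "s3:", "sts:", "ec2:")


def unescaped_iam_vars(policy_src):
    """IAM variables Terraform would try to interpolate instead of passing on."""
    return [m.group(1) for m in UNESCAPED.finditer(policy_src)
            if m.group(1).startswith(IAM_PREFIXES)]


def terraform_unescape(policy_src):
    """Mimic the '$${' -> '${' unescape Terraform 0.11 applies to literals."""
    return policy_src.replace("$${", "${")


def check_policy(policy_src):
    """Return (ok, parsed_policy_or_None, list_of_problems)."""
    problems = ["unescaped IAM variable ${%s}: write it as $${%s}" % (v, v)
                for v in unescaped_iam_vars(policy_src)]
    if problems:
        return False, None, problems
    try:
        doc = json.loads(terraform_unescape(policy_src))
    except ValueError as exc:
        return False, None, ["not valid JSON after unescaping: %s" % exc]
    return True, doc, []


# Constructed heredoc bodies: the issue's form and the maintainer's fix.
BAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["iam:*LoginProfile"],
    "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"}]
}"""
GOOD_POLICY = BAD_POLICY.replace("${aws:username}", "$${aws:username}")

if __name__ == "__main__":
    for label, src in (("unescaped", BAD_POLICY), ("escaped", GOOD_POLICY)):
        ok, doc, problems = check_policy(src)
        print(label, "ok" if ok else "FAIL", problems or doc["Statement"][0]["Resource"])
```

Ordinary Terraform interpolations such as `${var.region}` are left alone, since only the IAM namespaces are reported.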

Yes, that was it, thank you!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
