3 votes

I was able to successfully run a CloudFormation stack that included the following snippet, and now my ultimate goal is to get this ported to Terraform, but...

I'm getting a malformed syntax error even within the AWS Console. I tried to debug this using the AWS Console's "Policy Editor" and clicking the "Validate" button, but the error is non-specific. Anyone know what I'm doing wrong? It's strange, because this policy seemed to work when I deployed the CloudFormation stack template. (btw, this is from GorillaStack's AutoTagging project if that helps)

This policy contains the following error: Syntax errors in policy. For more information about the IAM policy grammar, see AWS IAM Policies.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": "arn:aws:logs:*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudformation:DescribeStackResource"
          ],
          "Resource": [
            { "Fn::Join": [ "", [ "arn:aws:cloudformation:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":stack/autotag/*" ] ] }
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "sts:*"
          ],
          "Resource": [
            { "Fn::GetAtt" : [ "AutoTagMasterRole", "Arn" ] }
          ]
        }
      ]
    }

My Terraform configuration has the following resource (with the above snippet included).

    resource "aws_iam_role_policy" "AutoTagExecutionPolicy" {
      name = "AutoTagExecutionPolicy"
      role = "${aws_iam_role.AutoTagExecutionRole.id}"

      policy = <<EOF
      <-THE POLICY ABOVE GOES HERE->
    EOF
    }
When you moved the policy to Terraform, did you remove the CloudFormation functions like Refs? - strongjz
No, I didn't. Can you extrapolate on that? For instance, do I need to interpolate the value in the Terraform config for entries like this in the CloudFormation template?: { "Ref" : "AWS::AccountId" } - buildmaestro
Each one of those functions is native to CloudFormation; you'll need to convert them to variables in the Terraform script. - strongjz
Darn, I see. This isn't as straightforward as I thought it'd be. I didn't see anything like that in the docs. If you're confident in this answer, that points me in the right direction. - buildmaestro
I would need to convert this entire line: { "Fn::Join": [ "", [ "arn:aws:cloudformation:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":stack/autotag/*" ] ] } I have NO idea how that would look. Newbie here. - buildmaestro

1 Answer

0 votes

You need to convert the CloudFormation functions to variables in the Terraform script.

# Variables standing in for the CloudFormation intrinsics (Fn::Join of Refs,
# Fn::GetAtt); declare them so the references below resolve.
variable "cfn_stack" {
  description = "ARN (or ARN pattern) of the autotag CloudFormation stack"
}

variable "AutoTagMasterRole_arn" {
  description = "ARN of the AutoTagMasterRole"
}

data "aws_iam_policy_document" "example" {
  statement {
    # Sid must be alphanumeric (no spaces) for an IAM identity policy
    sid    = "AllowLogs"
    effect = "Allow"

    # the policy-document arguments are plural: actions / resources
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]

    resources = [
      "arn:aws:logs:*:*:*",
    ]
  }

  statement {
    sid    = "AllowS3"
    effect = "Allow"

    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]

    resources = [
      "*",
    ]
  }

  statement {
    sid    = "AllowCfn"
    effect = "Allow"

    actions = [
      "cloudformation:DescribeStackResource",
    ]

    # replaces { "Fn::Join": [...{ "Ref": "AWS::Region" }...{ "Ref": "AWS::AccountId" }...] }
    resources = [
      "${var.cfn_stack}",
    ]
  }

  statement {
    sid    = "AllowSts"
    effect = "Allow"

    actions = [
      "sts:*",
    ]

    # replaces { "Fn::GetAtt": [ "AutoTagMasterRole", "Arn" ] }
    resources = [
      "${var.AutoTagMasterRole_arn}",
    ]
  }
}

THEN

resource "aws_iam_policy" "example" {
  name   = "example_policy"
  path   = "/"
  policy = "${data.aws_iam_policy_document.example.json}"
}

https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html

https://www.terraform.io/docs/configuration/interpolation.html
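As an added example (not from the question, the answer, or the GorillaStack project), this is how the two intrinsics from the original policy map onto Terraform data sources instead of hand-passed variables: `AWS::Region` and `AWS::AccountId` become `aws_region` and `aws_caller_identity` lookups, and `Fn::GetAtt` becomes an attribute reference. It assumes `aws_iam_role.AutoTagMasterRole` and `aws_iam_role.AutoTagExecutionRole` exist in the same configuration, and uses the `"${...}"` interpolation syntax from the page.

```hcl
# Added example: CloudFormation intrinsics rewritten as Terraform references.
data "aws_region" "current" {}            # stands in for { "Ref": "AWS::Region" }
data "aws_caller_identity" "current" {}   # stands in for { "Ref": "AWS::AccountId" }

locals {
  # { "Fn::Join": [ "", [ "arn:aws:cloudformation:", Region, ":", AccountId, ":stack/autotag/*" ] ] }
  autotag_stack_arn = "arn:aws:cloudformation:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stack/autotag/*"
}

data "aws_iam_policy_document" "AutoTagExecutionPolicy" {
  statement {
    sid       = "AllowCfnDescribe"
    effect    = "Allow"
    actions   = ["cloudformation:DescribeStackResource"]
    resources = ["${local.autotag_stack_arn}"]
  }

  statement {
    # { "Fn::GetAtt": [ "AutoTagMasterRole", "Arn" ] } becomes a resource attribute.
    # Assumed: aws_iam_role.AutoTagMasterRole is declared elsewhere in this config.
    sid       = "AllowStsOnMasterRole"
    effect    = "Allow"
    actions   = ["sts:*"]                 # kept from the original; sts:AssumeRole is the usual minimum here
    resources = ["${aws_iam_role.AutoTagMasterRole.arn}"]
  }
}

# Attach the generated JSON to the execution role, replacing the heredoc in the question.
# Assumed: aws_iam_role.AutoTagExecutionRole is declared elsewhere in this config.
resource "aws_iam_role_policy" "AutoTagExecutionPolicy" {
  name   = "AutoTagExecutionPolicy"
  role   = "${aws_iam_role.AutoTagExecutionRole.id}"
  policy = "${data.aws_iam_policy_document.AutoTagExecutionPolicy.json}"
}
```

Running `terraform plan` renders the data source to plain JSON, so the `{ "Ref" ... }` objects that the IAM policy validator rejected never reach AWS.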