1
votes

I'm trying to use Terraform to create a model on SageMaker by following this page. I can't assign a full-access policy to the SageMaker role due to permission constraints, so I created a role and attached a policy with part of the permissions.

When I tested Terraform plan, it gave me this:

Error: Invalid template interpolation value
...
..........................
 141:                 "ecr:GetRepositoryPolicy"
 142:             ],
 143:             "Resource": [
 144:                 "arn:aws:s3:::${aws_s3_bucket.xx_xxxxxxxxxx_xxx_bucket}",
 145:                 "arn:aws:s3:::${local.binaries_bucket_name}",
 146:                 "arn:aws:s3:::${aws_s3_bucket.xx_xxxxxxxxxx_xxx_bucket}/*",
 147:                 "arn:aws:s3:::${local.binaries_bucket_name}/*",
 148:                 "arn:aws:ecr:us-east-1:*:repository/*",
 149.....................
 157:         }
 158:     ]
 159: }
 160: POLICY
    |----------------
    | aws_s3_bucket.xx_xxxxxxxxxx_xxx_bucket is object with 25 attributes

Cannot include the given value in a string template: string required.

I'm new to this, just wondering if this is complaining the bucket name is too long or something else? What should I do to fix this, I'm a bit confused. Many thanks.

(PS: Terraform version v0.13.4 + provider registry.terraform.io/hashicorp/aws v3.20.0)

2
"around 60 lines of different permissions" - can you provide complete, ready-for-copy-and-paste evaluation code? - Marcin
@Marcin Hi, I've added all the permissions; hopefully the error can now be reproduced. - Cecilia
Have you checked @Matt's answer? It is correct. - Marcin

2 Answers

3
votes

It appears what you want here is the ARN of the S3 bucket, which is provided by exported resource attributes. Specifically, you probably want the arn resource attribute.

Updating your policy like:

 144:             "${aws_s3_bucket.xx_xxxxxxxxxx_xxx_bucket.arn}",
 146:             "${aws_s3_bucket.xx_xxxxxxxxxx_xxx_bucket.arn}/*",

will provide you with the String that you need by accessing the arn attribute. The currently written policy is accessing aws_s3_bucket.xx_xxxxxxxxxx_xxx_bucket, which is a Map (possibly Object) of every argument and attribute for that resource, and will not interpolate within the string of your policy.
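As an added example, not part of the answer above or of the asker's configuration, here is a minimal form of the same role policy that references the bucket's exported `.arn` attribute and uses `jsonencode()` instead of a heredoc. With `jsonencode()` the ARN is passed as a value rather than interpolated into a string template, so a non-string (such as the whole resource object) fails clearly at plan time. The resource names (`example_model_bucket`, `local.binaries_bucket_name`, the role name) are placeholders assumed for this example, and scoping the ECR resource to the caller's own account instead of `*` is an assumption added here for least privilege.

```hcl
# Added example; names below are placeholders, not the asker's real resources.
locals {
  binaries_bucket_name = "example-binaries-bucket" # placeholder
}

resource "aws_s3_bucket" "example_model_bucket" {
  bucket = "example-model-bucket" # placeholder
}

data "aws_caller_identity" "current" {}

resource "aws_iam_role" "sagemaker" {
  name = "sagemaker-execution-role" # placeholder
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "sagemaker.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "sagemaker_access" {
  name = "sagemaker-execution-access"
  role = aws_iam_role.sagemaker.id

  # jsonencode() takes values, so the bucket ARN is passed directly;
  # referencing aws_s3_bucket.example_model_bucket (the whole object)
  # here would fail at plan time instead of silently producing bad JSON.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "BucketAccess"
        Effect = "Allow"
        Action = ["s3:ListBucket"]
        Resource = [
          aws_s3_bucket.example_model_bucket.arn,       # ".arn" is the string attribute
          "arn:aws:s3:::${local.binaries_bucket_name}", # locals are already strings
        ]
      },
      {
        Sid    = "ObjectAccess"
        Effect = "Allow"
        Action = ["s3:GetObject", "s3:PutObject"]
        Resource = [
          "${aws_s3_bucket.example_model_bucket.arn}/*",
          "arn:aws:s3:::${local.binaries_bucket_name}/*",
        ]
      },
      {
        Sid    = "EcrRead"
        Effect = "Allow"
        Action = [
          "ecr:GetRepositoryPolicy",
          "ecr:BatchGetImage",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
        ]
        # Scoped to this account's repositories rather than "*" (assumption for this example).
        Resource = "arn:aws:ecr:us-east-1:${data.aws_caller_identity.current.account_id}:repository/*"
      },
    ]
  })
}
```

If the heredoc form is kept instead, the same two lines from the answer (`${aws_s3_bucket.<name>.arn}` and `${aws_s3_bucket.<name>.arn}/*`) are all that need to change; `terraform plan` will then render the policy without the "string required" error, and `terraform show` on the plan lets you confirm the rendered ARNs before applying.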

0
votes

I think you need to create a custom policy correctly, then link it to the bucket; you can see some examples here: https://registry.terraform.io/modules/JousP/s3-bucket-policy/aws/latest/examples/custom-policy