terraform-provider-aws: Bug: leading whitespace causes aws_iam_policy to incorrectly report valid JSON policies as invalid

Terraform Version

0.10.7, 0.9.11

Affected Resource(s)

  • aws_iam_role
  • aws_iam_policy

Terraform Configuration Files

resource "aws_iam_policy" "nodes_sqs_policy" {
    name        = "nodes_sqs_policy"
    description = "nodes SQS"
    policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sqs:GetQueueAttributes"
          ],
          "Resource": [
            "arn:aws:sqs:us-east-1:123123123:myapp-dev-us-east-1*"
          ]
        }
      ]
    }
EOF
}

Expected Behavior

The policy was applied

Actual Behavior

1 error(s) occurred:

* aws_iam_policy.nodes_sqs_policy: "policy" contains an invalid JSON policy

Important Factoids

According to RFC 4627, “Insignificant whitespace is allowed before or after any of the six structural characters.”

Removing the whitespace before the first character in the policy allows it to be applied:

resource "aws_iam_policy" "nodes_sqs_policy" {
    name        = "nodes_sqs_policy"
    description = "nodes SQS"
    policy = <<EOF
{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sqs:GetQueueAttributes"
          ],
          "Resource": [
            "arn:aws:sqs:us-east-1:123123123:myapp-dev-us-east-1*"
          ]
        }
      ]
}
EOF
}
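An added illustration, not code from this issue or from the provider itself: a small Go program that contrasts a validator insisting that the very first byte of the policy be `{` with one that lets `encoding/json` consume insignificant whitespace (as RFC 4627 permits) and then checks the shape of the decoded document. The function names, the embedded policy text (copied from the configuration above) and the `Statement` check are assumptions made for this example; the provider's real validator is not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: the policy body from the issue, as the heredoc delivers it,
// with indentation in front of the opening brace.
const policyWithLeadingWhitespace = `    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["sqs:GetQueueAttributes"],
          "Resource": ["arn:aws:sqs:us-east-1:123123123:myapp-dev-us-east-1*"]
        }
      ]
    }
`

// validateStrictFirstByte models (hypothetically; not the provider's code) a
// validator that requires byte 0 to be '{' before it even decodes the document.
// Any indentation before the brace fails it although the JSON is valid.
func validateStrictFirstByte(policy string) error {
	if len(policy) == 0 || policy[0] != '{' {
		return fmt.Errorf("\"policy\" contains an invalid JSON policy")
	}
	if !json.Valid([]byte(policy)) {
		return fmt.Errorf("\"policy\" contains an invalid JSON policy")
	}
	return nil
}

// validatePolicyJSON is the whitespace-tolerant alternative. json.Unmarshal
// skips leading and trailing whitespace itself, so no byte-0 check is needed.
// It still rejects documents that are not a JSON object (a bare JSON string is
// the usual symptom of a doubly-encoded policy) and objects with no Statement,
// which IAM would refuse anyway.
func validatePolicyJSON(policy string) error {
	var doc interface{}
	if err := json.Unmarshal([]byte(policy), &doc); err != nil {
		return fmt.Errorf("\"policy\" contains an invalid JSON policy: %w", err)
	}
	obj, ok := doc.(map[string]interface{})
	if !ok {
		return fmt.Errorf("\"policy\" must be a JSON object, got %T", doc)
	}
	if _, ok := obj["Statement"]; !ok {
		return fmt.Errorf("\"policy\" has no Statement element")
	}
	return nil
}

func main() {
	fmt.Println("strict first-byte check:  ", validateStrictFirstByte(policyWithLeadingWhitespace))
	fmt.Println("whitespace-tolerant check:", validatePolicyJSON(policyWithLeadingWhitespace))
	// The workaround from the issue: strip the whitespace and the strict check passes too.
	fmt.Println("strict check, trimmed:    ", validateStrictFirstByte(strings.TrimSpace(policyWithLeadingWhitespace)))
}
```

The tolerant validator keeps the one property the byte-0 check was presumably meant to deliver, rejecting a policy that is a JSON string rather than an object, while no longer failing configurations that IAM itself accepts.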

References

Terraform #11906 is where the JSON validation was applied.

About this issue

  • State: open
  • Created 7 years ago
  • Reactions: 22
  • Comments: 20

Most upvoted comments

FWIW I have switched almost exclusively to the aws_iam_policy_document data resources for these policies. JSON blocks cause more trouble than they are worth.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#basic-example

Here is a very handy utility you can use to generate them from the JSON policies themselves in more or less one line with echo.

https://github.com/flosell/iam-policy-json-to-terraform

Can be in a stale state, but it’s still a bug 😄

jsonencode() solved my issue

policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
  })

I finally had a minute to write https://github.com/terraform-providers/terraform-provider-aws/pull/5887 but I don’t currently have an environment I can run acceptance tests in. If someone can pull my branch, run make testacc TEST=./aws TESTARGS='-run=TestAccAWSLaunchTemplate_', and post results in the PR thread, that might help get this merged.

+1 I encountered this as well

Also affects terraform 0.11.4, aws provider 1.13.0