Created
February 28, 2020 18:37
-
-
Save piyat/840649f821234abefa636afe3932cd10 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| TEST 1: Set up an equivalent var and try to use it in data.aws_iam_policy_document. | |
| FAILS, incorrect data type tuple not string | |
| locals { | |
| a_test_var = [ | |
| "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue", | |
| "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue", | |
| "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue" | |
| ] | |
| } | |
| data "aws_iam_policy_document" "dms" { | |
| statement { | |
| sid = "DMSAllowedOperations" | |
| actions = [ | |
| "dms:DescribeSchemas", | |
| "dms:DescribeRefreshSchemasStatus", | |
| "dms:ModifyReplicationTask", | |
| "dms:StartReplicationTask", | |
| "dms:DescribeEventSubscriptions", | |
| "dms:DescribeEndpointTypes", | |
| "dms:DescribeEventCategories", | |
| "dms:StartReplicationTaskAssessment", | |
| "dms:DescribeOrderableReplicationInstances", | |
| "dms:ListTagsForResource", | |
| "dms:DescribeConnections", | |
| "dms:DescribeReplicationInstances", | |
| "dms:DeleteReplicationTask", | |
| "dms:TestConnection", | |
| "dms:DescribeEndpoints", | |
| ] | |
| effect = "Allow" | |
| resources = [ | |
| local.a_test_var | |
| ] | |
| } | |
| } | |
| Error: Incorrect attribute value type | |
| | local.a_test_var is tuple with 3 elements | |
| Inappropriate value for attribute "resources": element 0: string required. | |
| TEST 2: Set up an equivalent var and try to use it in data.aws_iam_policy_document with jsonencode! | |
| SUCCEEDS in creating policy, but policy renders incorrectly | |
| locals { | |
| a_test_var = [ | |
| "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue", | |
| "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue", | |
| "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue" | |
| ] | |
| } | |
| data "aws_iam_policy_document" "dms" { | |
| statement { | |
| sid = "DMSAllowedOperations" | |
| actions = [ | |
| "dms:DescribeSchemas", | |
| "dms:DescribeRefreshSchemasStatus", | |
| "dms:ModifyReplicationTask", | |
| "dms:StartReplicationTask", | |
| "dms:DescribeEventSubscriptions", | |
| "dms:DescribeEndpointTypes", | |
| "dms:DescribeEventCategories", | |
| "dms:StartReplicationTaskAssessment", | |
| "dms:DescribeOrderableReplicationInstances", | |
| "dms:ListTagsForResource", | |
| "dms:DescribeConnections", | |
| "dms:DescribeReplicationInstances", | |
| "dms:DeleteReplicationTask", | |
| "dms:TestConnection", | |
| "dms:DescribeEndpoints", | |
| ] | |
| effect = "Allow" | |
| resources = [ | |
| jsonencode(local.a_test_var) | |
| ] | |
| } | |
| } | |
| ======================================= | |
| terraform console | |
| > data.aws_iam_policy_document.dms | |
| "statement" = [ | |
| { | |
| "actions" = [ | |
| "dms:DeleteReplicationTask", | |
| "dms:DescribeConnections", | |
| "dms:DescribeEndpointTypes", | |
| "dms:DescribeEndpoints", | |
| "dms:DescribeEventCategories", | |
| "dms:DescribeEventSubscriptions", | |
| "dms:DescribeOrderableReplicationInstances", | |
| "dms:DescribeRefreshSchemasStatus", | |
| "dms:DescribeReplicationInstances", | |
| "dms:DescribeSchemas", | |
| "dms:ListTagsForResource", | |
| "dms:ModifyReplicationTask", | |
| "dms:StartReplicationTask", | |
| "dms:StartReplicationTaskAssessment", | |
| "dms:TestConnection", | |
| ] | |
| "condition" = [] | |
| "effect" = "Allow" | |
| "not_actions" = [] | |
| "not_principals" = [] | |
| "not_resources" = [] | |
| "principals" = [] | |
| "resources" = [ | |
| "[\"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue\",\"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue\",\"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue\"]", | |
| ] | |
| "sid" = "DMSAllowedOperations" | |
| }, | |
| ] | |
| "version" = "2012-10-17" | |
| } | |
| resource "aws_iam_policy" "dms_policy" { | |
| name = "tf-dms-permissions-${terraform.workspace}" | |
| description = "Policy allowing console users to access dms resources created in terraform workspace." | |
| path = "/" | |
| policy = data.aws_iam_policy_document.dms.json | |
| } | |
| ======================================= | |
| This data type is accepted by aws_iam_policy_document | |
| TFPLAN shows: | |
| # aws_iam_policy.dms_policy will be created | |
| + resource "aws_iam_policy" "dms_policy" { | |
| .... | |
| + Resource = jsonencode( | |
| [ | |
| + "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue", | |
| + "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue", | |
| + "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue", | |
| ] | |
| ) | |
| And it gets created: | |
| aws_iam_policy.dms_policy: Creating... | |
| aws_iam_policy.dms_policy: Creation complete after 1s [id=arn:aws:iam::xyz:policy/tf-dms-permissions-testing] | |
| Apply complete! Resources: 1 added, 0 changed, 0 destroyed. | |
| Trouble is... the actual policy in AWS is invalid because of this: | |
| This policy contains the following JSON error: Unexpected token a in JSON at position 742 | |
| "Resource": "[\"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue\",\"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue\",\"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue\"]" | |
| TEST 3: Do it with an old fashioned templatefile. | |
| As you've suggested this is a no go but it errors with: | |
| 2020/02/27 11:25:38 [DEBUG] aws_iam_policy.dms_policy: apply errored, but we’re indicating that via the Error pointer rather than returning it: Error creating IAM policy example: MalformedPolicyDocument: Syntax errors in policy. | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Any updates on this.I am facing similar issue.