Invalid JSON policy Error #3970

Closed
ghost opened this issue Mar 29, 2018 · 10 comments
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.

Comments


ghost commented Mar 29, 2018

This issue was originally opened by @srikanthsoma as hashicorp/terraform#17717. It was migrated here as a result of the provider split. The original body of the issue is below.


Hi,

Terraform validate says "policy" contains invalid JSON policy

This is my JSON policy, which is valid, so why does terraform validate say the policy is invalid?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1",
                "arn:aws:s3:::bucket2",
                "arn:aws:s3:::bucket3",
                "arn:aws:s3:::bucket4",
                "arn:aws:s3:::bucket5"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1/*",
                "arn:aws:s3:::bucket2/*",
                "arn:aws:s3:::bucket3/*",
                "arn:aws:s3:::bucket4/*",
                "arn:aws:s3:::bucket5/*"
            ]
        }
    ]
}

Terraform -v:

0.11.3

Terraform reproduce:

terraform plan
terraform validate

Error:

Error: aws_iam_policy.test_policy: "policy" contains an invalid JSON policy

@bflad bflad added question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. service/iam Issues and PRs that pertain to the iam service. labels Mar 29, 2018
Member

bflad commented Mar 29, 2018

Hi @srikanthsoma 👋 I was not able to reproduce the invalid JSON error on Terraform 0.11.5 and AWS provider 1.13.0 with the aws_iam_policy resource doing something like this:

resource "aws_iam_policy" "example" {
  name = "example"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1",
                "arn:aws:s3:::bucket2",
                "arn:aws:s3:::bucket3",
                "arn:aws:s3:::bucket4",
                "arn:aws:s3:::bucket5"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1/*",
                "arn:aws:s3:::bucket2/*",
                "arn:aws:s3:::bucket3/*",
                "arn:aws:s3:::bucket4/*",
                "arn:aws:s3:::bucket5/*"
            ]
        }
    ]
}
EOF
}

Can you please provide more details, such as how you are configuring the resource?

@bflad bflad added the waiting-response Maintainers are waiting on response from community or contributor. label Mar 29, 2018

vlad2 commented May 15, 2018

Hello,

Most probably it's because the policy contains leading spaces.

For resource "aws_iam_role" assume_role_policy (and leading spaces in the JSON), terraform shows an error message that the policy cannot contain leading spaces.
However, for resource "aws_iam_role_policy" (and leading spaces in the JSON), terraform simply says that policy contains an invalid JSON policy.

I think that the error message given by terraform in this case should be more specific.


jmakanjuola commented Aug 2, 2018

I'm currently experiencing similar issues too.

terraform -v
Terraform v0.11.7
+ provider.aws v1.27.0
+ provider.http v1.0.1
+ provider.kubernetes v1.1.0

resource "aws_iam_role_policy" "cluster-service-linked-role" {
   name = "service-linked-role"
   role = "${aws_iam_role.cluster.name}"

   policy = <<EOF
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": "iam:CreateServiceLinkedRole",
                 "Resource": "arn:aws:iam::*:role/aws-service-role/*"
             },
             {
                 "Effect": "Allow",
                 "Action": [
                     "ec2:DescribeAccountAttributes"
                 ],
                 "Resource": "*"
             }
         ]
     }
 EOF
 }

Contributor

blckct commented Aug 21, 2018

It seems one resource uses validateIAMPolicyJson and the other validateJsonString.

@bflad bflad added bug Addresses a defect in current functionality. and removed question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. waiting-response Maintainers are waiting on response from community or contributor. labels Oct 9, 2018

thefoxwings commented Oct 26, 2018

When you create an EOF injection, JSON doesn't like white spaces. The code above should look something like this:

resource "aws_iam_role_policy" "cluster-service-linked-role" {
   name = "service-linked-role"
   role = "${aws_iam_role.cluster.name}"

   policy = <<EOF
{
   "Version": "2012-10-17",
      "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/*"
        },
        {
            "Effect": "Allow",
             "Action": [
             "ec2:DescribeAccountAttributes"
        ],
        "Resource": "*"
     }
  ]
}
 EOF
 }

@kevinohara80

Is there any reason why whitespace couldn't be trimmed? I find it much more readable to have it tab indented.


goetzc commented Dec 18, 2018

I think this is a duplicate of #1873 which contains a link (#5887) to a PR with a fix to normalize JSON.

Contributor

KyMidd commented Jul 26, 2019

Had this exact same issue on TF 0.12.2. This policy:
resource "aws_iam_role_policy" "iam_policy" {
name = "name"
role = "iam_role"
policy = <<POLICY
(5x spaces hidden by github formatter) {
"Version": "2012-10-17",
"Statement": [

Was fixed by removing the spaces ahead of the opening curly brace:
resource "aws_iam_role_policy" "iam_policy" {
name = "name"
role = "iam_role"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
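
The failure mode discussed in this thread, as an added example that is not part of the original comments and not the provider's own code: a pre-flight check that reports whitespace before the opening brace separately from malformed JSON, plus a normalizer that trims and compacts the heredoc body. The function names, error values and sample document are hypothetical, and the "first byte must be `{`" rule is assumed from the behaviour the commenters describe.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical names; this models the behaviour reported in the thread.
var (
	ErrInvalidJSON  = errors.New("policy is not valid JSON")
	ErrNotObject    = errors.New("policy JSON must be an object")
	ErrLeadingSpace = errors.New("policy is valid JSON but has whitespace before '{'")
)

// Constructed sample: heredoc body indented to match the surrounding HCL.
const indented = `     {
       "Version": "2012-10-17",
       "Statement": [{"Effect": "Allow", "Action": "ec2:DescribeAccountAttributes", "Resource": "*"}]
     }
`

// CheckPolicy reports leading whitespace separately from malformed JSON.
func CheckPolicy(doc string) error {
	trimmed := strings.TrimSpace(doc)
	switch {
	case !json.Valid([]byte(trimmed)): // also covers the empty document
		return ErrInvalidJSON
	case trimmed[0] != '{':
		return ErrNotObject
	case doc[0] != '{':
		return ErrLeadingSpace
	}
	return nil
}

// NormalizePolicy trims and compacts the document so heredoc indentation is irrelevant.
func NormalizePolicy(doc string) (string, error) {
	var buf bytes.Buffer
	if err := json.Compact(&buf, []byte(strings.TrimSpace(doc))); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	fmt.Println("indented:", CheckPolicy(indented))
	norm, _ := NormalizePolicy(indented)
	fmt.Println("normalized:", CheckPolicy(norm))
}
```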

@aeschright
Contributor

Hi folks! I'm closing this as a duplicate of #1873. Please direct any further discussion there.

Author

ghost commented Nov 4, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 4, 2019