Fixing the Terraform Error creating IAM Role. MalformedPolicyDocument Has prohibited field Resource
Today, we'll unravel a common hurdle that you might encounter while working with Terraform and AWS:
Error creating IAM Role. MalformedPolicyDocument: Has prohibited field Resource
This error can put a wrinkle in your cloud deployment process, but don't worry. I'm here to guide you through it, step by step.
By the end of this post, you'll have a good grasp of what this error means, why it happens, and most importantly, how to fix it. So let's dive right in.
Table of Contents
- Deciphering The Error
- Unraveling The IAM Policy Document
- The Fix: Simple Yet Effective!
- A Different Approach: Using assume_role_policy
- Wrapping Up
Deciphering The Error
Terraform is a fabulous tool for managing your cloud infrastructure as code. But like all tools, it sometimes throws errors that seem cryptic at first glance. Let's dissect this particular error message to make it more understandable.
- Error creating IAM Role: Terraform ran into trouble while creating an AWS Identity and Access Management (IAM) role, that is, while applying an aws_iam_role resource. The one policy document that resource sends to IAM is its assume_role_policy, the role's trust policy. It is not the aws_iam_role_policy you attach afterwards; that one reports "Error creating IAM Role Policy" (actually "Error putting IAM role policy" in recent provider versions) instead.
- MalformedPolicyDocument: "Malformed" means the policy document doesn't comply with the structure IAM expects for that kind of document. The JSON itself may be perfectly valid; the complaint is about which fields are in it.
- Has prohibited field Resource: And here's the crux of the problem! The statement contains a "Resource" field, which is allowed (and required) in a permissions policy but not in a trust policy.
Unraveling The IAM Policy Document
To fix this error for good, you need to know that a role carries two different kinds of policy document, and the "Resource" field is mandatory in one and prohibited in the other:
- The trust policy is the assume_role_policy argument of aws_iam_role. It is a resource-based policy, and the resource it applies to is the role itself. IAM fills that in for you and rejects an explicit "Resource" with exactly the error above. A trust policy statement names a "Principal" (who may call sts:AssumeRole) instead.
- The permissions policy is the policy argument of aws_iam_role_policy (or of an aws_iam_policy you attach to the role). It is an identity-based policy: it is already bound to the role, so it must not contain a "Principal", and every statement in it must contain a "Resource" or "NotResource".
The message starts with "Error creating IAM Role", not "IAM Role Policy", so the document IAM is rejecting is the trust policy. The permissions policy is where "Resource" belongs. Here's a typical one for a role, and it is correct as written:
# main.tf
resource "aws_iam_role_policy" "example" {
  name = "example"
  role = aws_iam_role.example.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
The "Resource" field here is set to "*", meaning the statement applies to every resource. That is not only allowed in this document, it is required, and for ec2:Describe* it is the only value that works: the Describe actions don't support resource-level permissions, so they can only be granted on "*". If you remove the field from this document you don't fix anything; you just trade one MalformedPolicyDocument error for another ("Policy statement must contain resources").
The Fix: Simple Yet Effective!
The document that actually produces the error is a trust policy with a "Resource" in it, often copied across from a permissions policy:
# main.tf
resource "aws_iam_role" "example" {
  name = "example"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
The solution is quite simple: delete the "Resource" line from the trust policy statement. The role is the resource, and IAM already knows which role it is creating. Here's what the corrected resource looks like:
# main.tf
resource "aws_iam_role" "example" {
  name = "example"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
}
The permissions policy above stays exactly as it was, "Resource" included. One caveat that goes beyond format: ec2:Describe* can only read, so "*" is acceptable there, but for actions that do support resource-level permissions, scope "Resource" to the ARNs the role actually needs rather than reaching for "*".
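IAM applies two structural rules here: a trust policy (assume_role_policy) must not contain "Resource" and must contain a "Principal", while a permissions policy (aws_iam_role_policy) must contain "Resource" and must not contain a "Principal". The following is an added example, not code from the original post: a small Python linter that applies those rules to rendered policy JSON so the mistake is caught before terraform apply. It assumes you hand it the JSON string Terraform would send (the body of the heredoc, or the output of jsonencode()); it does not parse HCL. The sample documents inside it are constructed for the example.

```python
import json

# Terraform puts a role's trust policy in aws_iam_role.assume_role_policy and
# its permissions policies in aws_iam_role_policy.policy / aws_iam_policy.policy.
TRUST_POLICY = "trust"
PERMISSIONS_POLICY = "permissions"

# The two Resource messages mirror IAM's own MalformedPolicyDocument wording;
# the Principal messages are this example's wording.
PROHIBITED_RESOURCE = "Has prohibited field Resource"
MISSING_RESOURCE = "Policy statement must contain resources"
PROHIBITED_PRINCIPAL = "Has prohibited field Principal"
MISSING_PRINCIPAL = "Policy statement must name a Principal"


def _statements(doc):
    """IAM accepts "Statement" as a single object or a list of objects."""
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def lint_policy(policy_json, kind):
    """Return a list of findings for one rendered policy document.

    kind is TRUST_POLICY or PERMISSIONS_POLICY. An empty list means the
    Resource/Principal rules checked here are satisfied; it does not mean
    IAM will accept everything else in the document.
    """
    if kind not in (TRUST_POLICY, PERMISSIONS_POLICY):
        raise ValueError(f"unknown policy kind: {kind}")
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        # A heredoc with a trailing comma or a missing quote fails here,
        # before IAM ever sees it.
        return [f"document is not valid JSON: {exc.msg} (line {exc.lineno})"]

    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append('Version should be "2012-10-17"')

    for i, stmt in enumerate(_statements(doc)):
        where = f"Statement[{i}]"
        has_resource = "Resource" in stmt or "NotResource" in stmt
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if kind == TRUST_POLICY:
            # The role itself is the resource of its trust policy, so IAM
            # rejects an explicit Resource; the statement must say who may
            # assume the role instead.
            if has_resource:
                findings.append(f"{where}: {PROHIBITED_RESOURCE}")
            if not has_principal:
                findings.append(f"{where}: {MISSING_PRINCIPAL}")
        else:
            # An identity-based policy is already bound to the role, so it
            # must name resources and must not name a Principal.
            if not has_resource:
                findings.append(f"{where}: {MISSING_RESOURCE}")
            if has_principal:
                findings.append(f"{where}: {PROHIBITED_PRINCIPAL}")
    return findings


def lint_role(assume_role_policy, permissions_policies):
    """Lint one aws_iam_role's trust policy plus its attached permissions
    policies ({name: json}). Returns {document name: findings}."""
    report = {"assume_role_policy": lint_policy(assume_role_policy, TRUST_POLICY)}
    for name, policy in permissions_policies.items():
        report[name] = lint_policy(policy, PERMISSIONS_POLICY)
    return report


# Constructed sample documents for this example (not from the original post).
TRUST_WITH_RESOURCE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Resource": "*",  # the line that triggers the error at apply time
}]})
TRUST_OK = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ec2.amazonaws.com"},
}]})
DESCRIBE_EC2 = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*",
}]})
DESCRIBE_EC2_NO_RESOURCE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:Describe*"],
}]})

if __name__ == "__main__":
    report = lint_role(TRUST_WITH_RESOURCE, {"describe_ec2": DESCRIBE_EC2_NO_RESOURCE})
    for name, findings in report.items():
        print(f"{name}: {findings or 'ok'}")
```

Run it as a pre-apply check over the documents your module renders (for example from terraform show -json of a saved plan): the trust policy with "Resource" and the permissions policy without it each produce exactly the finding IAM would otherwise return after the API call, while the corrected pair produces none.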
A Different Approach: Using assume_role_policy
The assume_role_policy is the role's trust policy: it says which entities (an AWS service, another AWS account, a federated identity) may call sts:AssumeRole on the role. It is the one document where a "Resource" field must not appear and where a "Principal" must. Writing it as a JSON heredoc works, but Terraform treats the heredoc as an opaque string, so a stray field or a syntax slip only surfaces at apply time, from IAM. Building the document with jsonencode() instead keeps the fields explicit HCL that Terraform parses at plan time. Here's the same EC2 role written that way:
# main.tf

resource "aws_iam_role" "example" {
  name = "example"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })
}

In this example, EC2 instances (specified by the "Service" principal "ec2.amazonaws.com") are allowed to assume the role. No "Resource" field is present or needed, and the empty "Sid": "" that often travels along in copied heredocs is gone too; a Sid is optional and an empty one adds nothing. If you want IAM's verdict before terraform apply, the rendered document can also be checked with IAM Access Analyzer (aws accessanalyzer validate-policy --policy-type RESOURCE_POLICY --validate-policy-resource-type AWS::IAM::AssumeRolePolicyDocument --policy-document file://trust.json), which returns structural problems as findings instead of a failed apply.
Wrapping Up
Understanding errors is a crucial part of being a developer, and it's equally important in the realm of Terraform and AWS. I hope this blog post helped to clarify the "MalformedPolicyDocument: Has prohibited field Resource" error.
The key takeaway is that a role has two policy documents with different rules: the trust policy (assume_role_policy) names a Principal and must not name a Resource, while the permissions policy (aws_iam_role_policy) names Resources and must not name a Principal. Keep each field in the document it belongs to, and scope Resource to the ARNs the role needs wherever the action supports it. So the next time you encounter this error, you'll know exactly where to look!
Remember, it's okay to stumble upon errors. They're not just obstacles — they're opportunities for learning and growth. Keep learning, keep growing, and keep deploying awesome cloud infrastructure with Terraform and AWS!