Open 3h4x opened 4 years ago
Have the same issue. When I try to add this policy manually via the AWS Management Console I get this error:
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
I'm seeing this failure pretty consistently when the role is created and the domain policy is created at the same time. If I re-apply after the role has been created, the domain policy can be created successfully.
relevant module config:
iam_role_arns = ["*"]
iam_authorizing_role_arns = [
  for id in local.allowed_account_ids :
  "arn:aws:iam::${id}:root"
]
iam_actions = ["es:*"]
error on first apply:
│ Error: InvalidTypeException: Error setting policy: [{
│ "Version": "2012-10-17",
│ "Statement": [
│ {
│ "Sid": "",
│ "Effect": "Allow",
│ "Action": "es:*",
│ "Resource": [
│ "arn:aws:es:eu-west-1:ME:domain/prod-eu-1/*",
│ "arn:aws:es:eu-west-1:ME:domain/prod-eu-1"
│ ],
│ "Principal": {
│ "AWS": [
│ "arn:aws:iam::MEN:role/prod-eu-1-user",
│ "*"
│ ]
│ }
│ }
│ ]
│ }]
I have the same problem. Any idea?
I'm having the same issue too :(
Maybe the role has to be created first and then the domain policy. Perhaps an explicit depends_on may solve this issue.
The error seems still there, this was working though, trying to figure out what has changed.
│ Error: InvalidTypeException: Error setting policy: [{"Version":"2012-10-17"}]
│
│ with module.central_logs_opensearch.aws_elasticsearch_domain_policy.default[0],
│ on modules/aws-elasticsearch/main.tf line 287, in resource "aws_elasticsearch_domain_policy" "default":
│ 287: resource "aws_elasticsearch_domain_policy" "default" {
│
Describe the Bug
ES was created without iam_role_arns. After adding it and applying, it failed with:
This is because IAM did not yet have the Unique Identifier available. Every ARN entity is converted to a Unique Identifier for security reasons.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids
Expected Behavior
It should simply apply changes. Second apply works fine.
Steps to Reproduce
iam_role_arns
iam_role_arns
It might be hard to reproduce due to a lot of factors.
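The root cause described in this issue (IAM resolving a principal ARN to a unique ID only after the role exists) is an ordering problem, so the practical mitigation is to make the domain policy wait for the role. The following Terraform configuration is an added example, not code from this module or from any commenter; the names (prod-eu-1, prod-eu-1-user, the allowed_account_ids local and the placeholder account id) are assumed. It references the role's ARN attribute instead of a hand-typed string and adds an explicit depends_on, and it deliberately does not use the "*" principal from the posted config, since a wildcard principal in a domain access policy grants the listed es: actions to any caller.

```hcl
# Added example (not the module's own code): create the IAM role first and make
# the Elasticsearch domain access policy depend on it, so the policy is only
# submitted once IAM can resolve the role ARN to its unique identifier.

locals {
  allowed_account_ids = ["111111111111"] # placeholder account id (assumed)
}

# Role that will be granted access to the domain; trusts the listed accounts.
resource "aws_iam_role" "es_user" {
  name = "prod-eu-1-user" # assumed name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = "sts:AssumeRole"
      Principal = {
        AWS = [for id in local.allowed_account_ids : "arn:aws:iam::${id}:root"]
      }
    }]
  })
}

resource "aws_elasticsearch_domain" "this" {
  domain_name           = "prod-eu-1" # assumed name
  elasticsearch_version = "7.10"
}

# Access policy: only the role above, on the domain and everything under it.
data "aws_iam_policy_document" "domain" {
  statement {
    effect  = "Allow"
    actions = ["es:*"]
    resources = [
      aws_elasticsearch_domain.this.arn,
      "${aws_elasticsearch_domain.this.arn}/*",
    ]

    principals {
      type = "AWS"
      # Using the attribute (not a literal ARN) also creates an implicit
      # dependency on the role, so Terraform orders the create correctly.
      identifiers = [aws_iam_role.es_user.arn]
    }
  }
}

resource "aws_elasticsearch_domain_policy" "this" {
  domain_name     = aws_elasticsearch_domain.this.domain_name
  access_policies = data.aws_iam_policy_document.domain.json

  # Explicit ordering for the case where the role ARN is passed in as a
  # plain string variable and no implicit dependency exists.
  depends_on = [aws_iam_role.es_user]
}
```

Even with the dependency in place, IAM is eventually consistent, so a freshly created role can still be rejected for a short window; the dependency removes the deterministic failure seen on the first apply, and a retry covers the residual propagation delay.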