terraform-aws-modules / terraform-aws-efs

Terraform module to create AWS EFS resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/efs/aws
Apache License 2.0
24 stars 41 forks

"deny_nonsecure_transport = false" generates broken policy #34

Open DenisMkS opened 1 week ago

DenisMkS commented 1 week ago

Description

the state

module "efs" {
  source = "terraform-aws-modules/efs/aws"

  # File system
  name                     = "example-test-backend"
  encrypted                = true
  deny_nonsecure_transport = false
  throughput_mode          = "bursting"

  lifecycle_policy = {
    transition_to_ia = "AFTER_1_DAY"
  }

  # Mount targets / security group
  mount_targets = {
    "eu-west-1c" = {
      subnet_id = "subnet-f12345f6"
    }
  }
  security_group_description = "workers test EFS security group"
  security_group_vpc_id      = "vpc-123123"
  security_group_rules = {
    vpc = {
      # relying on the defaults provided for EFS/NFS (2049/TCP + ingress)
      description = "NFS ingress from VPC private subnets"
      cidr_blocks = ["172.31.0.0/16"]
    }
  }

  # Backup policy
  enable_backup_policy = false

  # Replication configuration
  create_replication_configuration = false

}

Versions

Expected behavior

state applied successfully

Actual behavior


Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.efs.aws_efs_file_system_policy.this[0] will be created
  + resource "aws_efs_file_system_policy" "this" {
      + bypass_policy_lockout_safety_check = false
      + file_system_id                     = "fs-3823847328973"
      + id                                 = (known after apply)
      + policy                             = jsonencode(
            {
              + Version = "2012-10-17"
            }
        )
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.efs.aws_efs_file_system_policy.this[0]: Creating...
╷
│ Error: putting EFS File System Policy (fs-08d330b2c16d1c3f1): operation error EFS: PutFileSystemPolicy, https response error StatusCode: 400, RequestID: 3093c885-ab9c-4e8e-adb2-b2f0b9fefd30, InvalidPolicyException: Invalid policy JSON structure.
│
│   with module.efs.aws_efs_file_system_policy.this[0],
│   on .terraform/modules/efs/main.tf line 132, in resource "aws_efs_file_system_policy" "this":
│  132: resource "aws_efs_file_system_policy" "this" {
│
╵
DenisMkS commented 1 week ago

Fixed by adding attach_policy = false. It would be nice to add this to the documentation for deny_nonsecure_transport.
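
A pre-apply check for the failure reported in this issue, added here as an example (it is not part of the thread or of the module's code): it reads plan output in the shape of `terraform show -json` and flags `aws_efs_file_system_policy` resources whose policy has no `Statement`, and separately flags policies with no Deny on `aws:SecureTransport = false`. The function names, finding labels and sample plan are constructed for illustration.

```python
import json

def _policy(*statements):
    doc = {"Version": "2012-10-17"}
    if statements:
        doc["Statement"] = list(statements)
    return {"actions": ["create"], "after": {"policy": json.dumps(doc)}}

TLS_DENY = {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
ALLOW_MOUNT = {"Effect": "Allow", "Principal": {"AWS": "*"},
               "Action": "elasticfilesystem:ClientMount"}
# Constructed sample in the shape of `terraform show -json <planfile>`,
# reduced to the fields read below. Addresses other than the first are made up.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "module.efs.aws_efs_file_system_policy.this[0]",
     "type": "aws_efs_file_system_policy", "change": _policy()},  # as in the issue
    {"address": "module.efs_tls.aws_efs_file_system_policy.this[0]",
     "type": "aws_efs_file_system_policy", "change": _policy(TLS_DENY)},
    {"address": "module.efs_open.aws_efs_file_system_policy.this[0]",
     "type": "aws_efs_file_system_policy", "change": _policy(ALLOW_MOUNT)},
]}

def _as_list(v):
    return v if isinstance(v, list) else [] if v is None else [v]

def denies_plaintext(stmt):
    """True for a Deny statement conditioned on aws:SecureTransport = false."""
    bools = {k.lower(): v for op, keys in stmt.get("Condition", {}).items()
             if op.lower() == "bool" for k, v in keys.items()}
    flags = [str(v).lower() for v in _as_list(bools.get("aws:securetransport"))]
    return stmt.get("Effect") == "Deny" and "false" in flags

def check_plan(plan):
    """Return (address, finding) pairs for planned EFS file system policies."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after") or {}
        if rc.get("type") != "aws_efs_file_system_policy" or not after.get("policy"):
            continue  # other resource, deletion, or policy unknown until apply
        statements = _as_list(json.loads(after["policy"]).get("Statement"))
        if not statements:
            findings.append((rc["address"], "EMPTY_POLICY"))  # PutFileSystemPolicy rejects it
        elif not any(denies_plaintext(s) for s in statements):
            findings.append((rc["address"], "NO_TLS_DENY"))
    return findings

if __name__ == "__main__":
    print(*check_plan(SAMPLE_PLAN), sep="\n")
```
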