Merge pull request #4248 from spirius/feature/iam-wildcard-pricipal

Remove principal type AWS from IAM policy wildcard normalization
hashicorp · May 11, 2018 · d8d67df · d8d67df
2 parents 693223a + bcf4ebd
commit d8d67df
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 7 deletions.
diff --git a/aws/data_source_aws_iam_policy_document_test.go b/aws/data_source_aws_iam_policy_document_test.go
@@ -239,7 +239,9 @@ var testAccAWSIAMPolicyDocumentExpectedJSON = `{
       "Sid": "",
       "Effect": "Allow",
       "Action": "kinesis:*",
-      "Principal": "*"
+      "Principal": {
+        "AWS": "*"
+      }
     },
     {
       "Sid": "",
@@ -395,7 +397,9 @@ var testAccAWSIAMPolicyDocumentSourceExpectedJSON = `{
       "Sid": "",
       "Effect": "Allow",
       "Action": "kinesis:*",
-      "Principal": "*"
+      "Principal": {
+        "AWS": "*"
+      }
     },
     {
       "Sid": "",

diff --git a/aws/iam_policy_model.go b/aws/iam_policy_model.go
@@ -73,13 +73,14 @@ func (self *IAMPolicyDoc) Merge(newDoc *IAMPolicyDoc) {
 func (ps IAMPolicyStatementPrincipalSet) MarshalJSON() ([]byte, error) {
 	raw := map[string]interface{}{}
 
-	// As a special case, IAM considers the string value "*" to be
-	// equivalent to "AWS": "*", and normalizes policies as such.
-	// We'll follow their lead and do the same normalization here.
-	// IAM also considers {"*": "*"} to be equivalent to this.
+	// Although IAM documentation says, that "*" and {"AWS": "*"} are equivalent
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html),
+	// in practice they are not for IAM roles. IAM will return an error if trust
+	// policy have "*" or {"*": "*"} as principal, but will accept {"AWS": "*"}.
+	// Only {"*": "*"} should be normalized to "*".
 	if len(ps) == 1 {
 		p := ps[0]
-		if p.Type == "AWS" || p.Type == "*" {
+		if p.Type == "*" {
 			if sv, ok := p.Identifiers.(string); ok && sv == "*" {
 				return []byte(`"*"`), nil
 			}

diff --git a/website/docs/d/iam_policy_document.html.markdown b/website/docs/d/iam_policy_document.html.markdown
@@ -147,6 +147,16 @@ uses `${...}`-style syntax that is in conflict with Terraform's interpolation
 syntax, so this data source instead uses `&{...}` syntax for interpolations that
 should be processed by AWS rather than by Terraform.
 
+## Wildcard Principal
+
+In order to define wildcard principal (a.k.a. anonymous user) use `type = "*"` and
+`identifiers = ["*"]`. In that case the rendered json will contain `"Principal": "*"`.
+Note, that even though the [IAM Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html)
+states that `"Principal": "*"` and `"Principal": {"AWS": "*"}` are equivalent,
+those principals have different behavior for IAM Role Trust Policy. Therefore
+Terraform will normalize the principal field only in above-mentioned case and principals
+like `type = "AWS"` and `identifiers = ["*"]` will be rendered as `"Principal": {"AWS": "*"}`.
+
 ## Attributes Reference
 
 The following attribute is exported: