aws_iam_policy_document renders Principals incorrectly

[hashibot]

This issue was originally opened by @kerbou as hashicorp/terraform#16590. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Hi all

I'm using the aws_iam_policy_document data source to create an IAM policy for my managed AWS ElasticSearch cluster for managing anonymous access. However the returned output rendered by "data.aws_iam_policy_document.es_cluster.json" does not produce the desired output blocking otherwise valid requests

Version: Terraform v0.10.7

A bare-bone example of my policy data source (

data "aws_iam_policy_document" "es_cluster" {
 statement {
   actions = [
     "es:*",
   ]
   principals {
     type        = "AWS"
     identifiers = ["*"]
   }		
   resources = [
     " (some ARN) "
   ]
   condition {
     test     = "IpAddress"
     variable = "aws:SourceIp"
     values = [
   	"1.1.1.1"
     ]
   }
 }
}

Actual Behavior

The data source produces the following policy using data.aws_iam_policy_document.elasticsearch_cluster.json:

Notice the rendering of the principal

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "es:*",
      "Resource": " (some ARN)",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "1.1.1.1"
        }
      }
    }
  ]
}

Result: Requests to my ES cluster is blocked for anonymous users

Expected Behavior

Changing the "principal" array by explicitly declaring "AWS" as a principal allows my anonymous requests to pass through as expected:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": " (some ARN)",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "1.1.1.1"
        }
      }
    }
  ]
}

In my view the rendering of the Principal is what's causing problems. I've tried a few tricks but haven't been able so far cheating the rendering engine into producing the desired output.

Is there a known workaround that I can use?

Best regards

P.S. - Kudos to the Terraform team and community by the way, the product is indeed great. This is the first time it's been causing me problems that wasn't entirely PEBCAK or ReadTheFuckingManual related (not ruling out that this one could fall into one of those categories as well) :o)

[jurajseffer]

@kerbou workaround would be to not use statement at all and just explicitly templating it, e.g. inside of aws_elasticsearch_domain you'd have

access_policies = <<CONFIG
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": " (some ARN)",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "1.1.1.1"
        }
      }
    }
  ]
}
CONFIG

[brandonramsey]

Arrived here while researching the same issue.

According to Amazon here:

To grant permission to everyone, also referred as anonymous access, you set the wildcard, "*", as the Principal value. For example, if you configure your bucket as a website, you want all the objects in the bucket to be publicly accessible. The following are equivalent:

"Principal":"*"

"Principal":{"AWS":"*"}

Granted, this applies to S3 buckets and I'm also trying to create a policy for managed ElasticSearch -- maybe this is actually a wrinkle in AWS specific to ElasticSearch policies?

Do you know -- does the blank SID matter at all? (Edit: I tested and get the same response with a non-empty Sid value)

[kerbou]

Nope - no idea if the blank SID changes anything Den lør. 31. mar. 2018 08.22 skrev Brandon Ramsey <notifications@github.com

…

: Arrived here while researching the same issue. According to Amazon here <https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html> : To grant permission to everyone, also referred as anonymous access, you set the wildcard, "*", as the Principal value. For example, if you configure your bucket as a website, you want all the objects in the bucket to be publicly accessible. The following are equivalent: "Principal":"*" "Principal":{"AWS":"*"} Granted, this applies to S3 buckets and I'm *also* trying to create a policy for managed ElasticSearch -- maybe this is actually a wrinkle in AWS specific to ElasticSearch policies? Do you know -- does the blank SID matter at all? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2216 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACZNO0CEchZqS-6jukADIBi13GEFpWppks5tjyCagaJpZM4QWc49> .

[mangobatao]

@brandonramsey hey, did you get it work for the anonymous access by
"Principal":"*"

[bflad]

FYI this pull request is probably relevant here where we may no longer normalize type = "AWS" and identifier = "*" to "Principal": "*" in the aws_iam_policy_document data source: #4248

[bflad]

#4248 has been merged and will release with v1.19.0 of the AWS provider, which will now correctly handle the distinction between type = "AWS" and type = "*" to properly allow rendering "Principal": {"AWS": "*"} versus "Principal": "*" (respectively).

[bflad]

This has been released in version 1.19.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!