
IAM policies that have a ${aws:username} component fail to parse properly #5984

Closed
ghost opened this issue Sep 25, 2018 · 3 comments
Labels
documentation Introduces or discusses updates to documentation. service/iam Issues and PRs that pertain to the iam service.

Comments

@ghost

ghost commented Sep 25, 2018

This issue was originally opened by @aking1012 as hashicorp/terraform#18937. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.11.8
+ provider.aws v1.37.0

Terraform Configuration Files

resource "aws_iam_policy" "AllowManageVirtualMFA" {
    name        = "AllowManageVirtualMFA"
    path        = "/"
    description = "Allow users to manage their own virtual MFA"
    policy      = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToCreateEnableResyncTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowUsersToDeactivateDeleteTheirOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:mfa/${aws:username}",
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": true
        }
      }
    },
    {
      "Sid": "AllowUsersToListMFADevicesandUsersForConsole",
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}

resource "aws_iam_policy" "ForceMFAAndAllowMFAManagement" {
    name        = "ForceMFAAndAllowMFAManagement"
    path        = "/"
    description = "Forces MFA and allows management of MFA.  Without MFA, users can only access IAM"
    policy      = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllUsersToListAccounts",
      "Effect": "Allow",
      "Action": [
        "iam:ListAccountAliases",
        "iam:ListUsers"
      ],
      "Resource": [
        "arn:aws:iam::057174720035:user/*"
      ]
    },
    {
      "Sid": "AllowIndividualUserToSeeTheirAccountInformation",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:CreateLoginProfile",
        "iam:DeleteLoginProfile",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetLoginProfile",
        "iam:UpdateLoginProfile"
      ],
      "Resource": [
        "arn:aws:iam::057174720035:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowIndividualUserToListTheirMFA",
      "Effect": "Allow",
      "Action": [
        "iam:ListVirtualMFADevices",
        "iam:ListMFADevices"
      ],
      "Resource": [
        "arn:aws:iam::057174720035:mfa/*",
        "arn:aws:iam::057174720035:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowIndividualUserToManageThierMFA",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::057174720035:mfa/${aws:username}",
        "arn:aws:iam::057174720035:user/${aws:username}"
      ]
    },
    {
      "Sid": "DoNotAllowAnythingOtherThanAboveUnlessMFAd",
      "Effect": "Deny",
      "NotAction": "iam:*",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:MultiFactorAuthAge": "true"
        }
      }
    }
  ]
}
POLICY
}

Debug Output

There's a counter-intuitive error message in this scenario that involves an unclosed brace, when it's actually just not parsing properly.

Expected Behavior

Init and apply work.

Actual Behavior

Even init bombs out, because the parser chokes.

Steps to Reproduce

Try to perform a terraform init with the said IAM policies in a tf file.

Additional Context

Nothing special. Standalone configuration.

References

None that I am aware of.

@bflad bflad added the service/iam Issues and PRs that pertain to the iam service. label Sep 25, 2018
@bflad
Contributor

bflad commented Sep 25, 2018

Hi @aking1012 👋 Does the configuration work if you escape all of the IAM variable dollar signs? e.g. ${aws:username} becomes $${aws:username} - there is an unfortunate collision between IAM's interpolation (${...}) and Terraform's interpolation (${...}).

@bflad bflad added the waiting-response Maintainers are waiting on response from community or contributor. label Sep 25, 2018
@aking1012

aking1012 commented Sep 25, 2018

Double checking, but I just tried it and I think that's a no. It still throws expected "}" but found ":" -- edit I missed one. It gets it over the bar if you escape by double dollar signing.

Close-able - I just didn't see it documented anywhere.

I can only speak to plan though, not apply. We're in our initial migration, and I'm using the terraforming gem to generate state and tf files. I'm read only right now.
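The interpolation collision bflad describes, and the `$$` escape aking1012 confirmed, as an added example that is not part of this issue or the provider: a small pre-flight check that finds unescaped IAM policy variables in a policy heredoc body, rewrites them to `$${...}`, and validates that the rendered result is still the JSON IAM expects. The prefix list, the simplified model of Terraform's heredoc rendering, and the sample account id are assumptions.

```python
"""Added example, not code from the issue or the AWS provider: escape IAM policy
variables in a Terraform 0.11 heredoc so Terraform's own ${...} does not eat them."""
import json
import re

# IAM policy-variable prefixes this example escapes (an assumption; extend
# the tuple to match the variables your own policies use).
IAM_VAR_PREFIXES = ("aws", "ec2", "saml")

# Matches ${aws:username} and friends, but not an already escaped $${aws:...}.
_IAM_VAR_RE = re.compile(
    r"(?<!\$)\$\{(?:" + "|".join(IAM_VAR_PREFIXES) + r"):[^}]+\}")


def find_unescaped_iam_vars(policy_text: str) -> list:
    """IAM variables that Terraform 0.11 would try to interpolate itself."""
    return [m.group(0) for m in _IAM_VAR_RE.finditer(policy_text)]


def escape_iam_vars(policy_text: str) -> str:
    """Rewrite ${aws:username} -> $${aws:username}; idempotent on $${...}."""
    return _IAM_VAR_RE.sub(lambda m: "$" + m.group(0), policy_text)


def render_heredoc(policy_text: str) -> str:
    """Simplified model of what Terraform emits for the heredoc: a literal
    $${ becomes ${, and any unescaped ${prefix:...} is a parse error (the
    issue's `expected "}" but found ":"`). Not Terraform's real parser."""
    leftovers = find_unescaped_iam_vars(policy_text)
    if leftovers:
        raise ValueError(f"unescaped IAM variables: {leftovers}")
    return policy_text.replace("$${", "${")


def rendered_policy_is_valid(policy_text: str) -> bool:
    """Escape, render, and confirm the result is JSON with the vars intact."""
    rendered = render_heredoc(escape_iam_vars(policy_text))
    doc = json.loads(rendered)
    return "${aws:username}" in rendered and doc["Version"] == "2012-10-17"


# Constructed sample modelled on the issue's first statement; placeholder account id.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowUsersToCreateEnableResyncTheirOwnVirtualMFADevice",
    "Effect": "Allow",
    "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice"],
    "Resource": ["arn:aws:iam::123456789012:mfa/${aws:username}",
                 "arn:aws:iam::123456789012:user/${aws:username}"]
  }]
}"""
```

Running `find_unescaped_iam_vars` over every `policy = <<POLICY` body before `terraform init` catches the collision earlier than the misleading unclosed-brace error does.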

@bflad bflad added documentation Introduces or discusses updates to documentation. and removed waiting-response Maintainers are waiting on response from community or contributor. labels Sep 27, 2018
@ghost
Author

ghost commented Apr 3, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 3, 2020