provider/aws: Ignore errors in S3 JSON bucket policies #3331
Hey @AlexanderEkdahl – I tried this out but wasn't getting the results I was expecting. I used this config:

output "rendered" {
  value = "${template_file.policy.rendered}"
}

resource "aws_s3_bucket" "main" {
  bucket = "testbucketctssomethign"
  policy = "${template_file.policy.rendered}"

  website {
    index_document = "index.html"
  }
}

resource "template_file" "policy" {
  template = <<POLICY
{
  "Statement": [
    {
      "Effect": "${bucket_name}",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Sid": ""
    }
  ],
  "Version": "2008-10-17"
}
POLICY

  vars {
    bucket_name = "Allow"
  }
}

I got this error:
I'll check with @phinze to see if this is a core issue with Templates (maybe, not sure). Until then, do you see anything wrong with my template file or policy? Do you have an example config that applies cleanly? Thanks! |
This PR might have become irrelevant seeing how I submitted this almost 5 months ago. Regarding your policy: shouldn't the resource parameter be a valid ARN (http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)? A working-non-working policy that I remember testing with:
|
Tested again using Terraform v0.6.7-dev (5435188+CHANGES) and this PR is still relevant and throws an error because the string |
I can confirm this is a core issue with templates. The following example:

{
  "Resources" : {
    "my-vpc": {
      "Type" : "AWS::EC2::VPC",
      "Properties" : {
        "CidrBlock" : "${cidr}",
        "Tags" : [
          {"Key": "Name", "Value": "Primary_CF_VPC"}
        ]
      }
    }
  }
}

resource "template_file" "stack" {
  template = "template.json"

  vars {
    cidr = "10.0.0.0/16"
  }
}

resource "aws_cloudformation_stack" "network" {
  name = "networking-stack"
  template_body = "${template_file.stack.rendered}"
}

results in the following plan:
tested using |
After tuning the error message I can also say the
which leads me to a conclusion that this issue is described in #4169 |
It has to do with Terraform trying to normalize JSON input. Probably because AWS will do it once the resource has been created which would lead to inconsistencies if the input was not normalized. The reason this does not happen to other fields is because the policy field uses a It is not the |
Hi @AlexanderEkdahl! I believe some fixes have been applied that should fix this for S3 policies in particular - we no longer use the StateFunc to normalise JSON - this approach will be rolled out across all policies over time. Please feel free to reopen if you still see this with Terraform 0.7.3 (coming shortly) or later. Thanks for the pull request, and sorry it took so long to get a resolution here! |
…dpoing (hashicorp#3331) Updated documentation to reflect "Read Single Audit Request Header" endpoint is GET-based.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
With this PR the following works:
Previously the value of policy would be
"${template_file.policy.rendered}"
which would result in the value "Error parsing JSON: invalid character '$' looking for beginning of value"
and not the rendered template file. It is not up to Terraform to validate input anyway.
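
The failure mode discussed in this thread, as an added example that is not part of the original PR or Terraform's own code: a JSON normaliser that turns a parse error into the attribute value, next to one that passes unparseable input through unchanged. The function names and sample strings are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// strictNormalize (hypothetical name) reproduces the behaviour described in
// the thread: input that is not valid JSON is replaced by an error string,
// and that string becomes the value of the policy attribute.
func strictNormalize(policy string) string {
	var v interface{}
	if err := json.Unmarshal([]byte(policy), &v); err != nil {
		return fmt.Sprintf("Error parsing JSON: %s", err)
	}
	b, _ := json.Marshal(v)
	return string(b)
}

// tolerantNormalize (hypothetical name) canonicalises valid JSON so that
// formatting differences do not show up as changes, but returns anything it
// cannot parse, such as an unresolved interpolation, exactly as given.
func tolerantNormalize(policy string) string {
	var v interface{}
	if err := json.Unmarshal([]byte(policy), &v); err != nil {
		return policy
	}
	b, err := json.Marshal(v)
	if err != nil {
		return policy
	}
	return string(b)
}

func main() {
	// Constructed input: the attribute value before the template is rendered.
	unresolved := "${template_file.policy.rendered}"
	// Constructed input: the policy from the thread after rendering.
	rendered := `{
  "Version": "2008-10-17",
  "Statement": [{"Sid": "", "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]
}`
	fmt.Println(strictNormalize(unresolved))
	fmt.Println(tolerantNormalize(unresolved))
	fmt.Println(tolerantNormalize(rendered))
}
```

With the tolerant form, a malformed policy is no longer rejected at plan time and is only caught when AWS validates it on apply.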