Attaching policy arn ValidationError

cdenneen · February 16, 2023, 9:07pm

  # aws_iam_role_policy_attachment.assume-cross-account-dns[0] will be created
  + resource "aws_iam_role_policy_attachment" "assume-cross-account-dns" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::REDACT:policy/assume-cross-account-dns"
      + role       = "arn:aws:iam::REDACT:role/external-dns20230208222035255800000004"
    }

error:

╷
│ Error: attaching policy arn:aws:iam::REDACTED:policy/assume-cross-account-dns to IAM Role arn:aws:iam::REDACTED:role/external-dns20230208222035255800000004: ValidationError: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-
│ 	status code: 400, request id: acde7f70-a538-4e6b-8a1c-efc033185e2a
│
│   with aws_iam_role_policy_attachment.assume-cross-account-dns[0],
│   on eks.tf line 375, in resource "aws_iam_role_policy_attachment" "assume-cross-account-dns":
│  375: resource "aws_iam_role_policy_attachment" "assume-cross-account-dns" {
│

Looking at the proposed role in the aws_iam_role_policy_attachment it looks like it matches the alphanumeric characters and/or the following: +=,.!_-

Any suggestions?

cdenneen · February 16, 2023, 9:23pm

Here is the TF. I’m wondering if it’s not the name of my role but it’s the count.index in the policy attachment? This would then be TF validation being broken in cases with count.index not the actual roleName?

  resource "aws_iam_policy" "assume-cross-account-dns" {
    count       = local.tenant_account

    name        = "assume-cross-account-dns"
    path        = "/"
    description = "AssumeRole to update Route53"

    # Terraform's "jsonencode" function converts a
    # Terraform expression result to valid JSON syntax.
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow",
          Action   = "sts:AssumeRole",
          Resource = "arn:aws:iam::REDACT:role/external-dns-cross-account"
        }
      ]
    })

    tags = local.tags
  }

  resource "aws_iam_role_policy_attachment" "assume-cross-account-dns" {
    count      = local.tenant_account

    policy_arn = aws_iam_policy.assume-cross-account-dns[0].arn
    role       = module.external_dns_irsa_role.iam_role_arn
  }

cdenneen · February 17, 2023, 12:45am

This was because I was putting ARN instead of the name of the role.

Topic		Replies	Views
AWS IAM Role "inline_policy.0.policy" contains an invalid JSON policy using $(file xyz) and jsonencode AWS	0	526	June 6, 2022
Issues with Iam_role creation AWS	2	421	January 17, 2023
Confusion about "aws_iam_role.managed_policy_arns" attribute AWS	1	2074	February 5, 2022
Unable to assume role and validate the specified targetGroupArn AWS	0	839	September 5, 2022
Invalid IAM Instance Profile name AWS	0	2240	July 19, 2020

Attaching policy arn ValidationError

Related topics