Attaching policy arn ValidationError

  # aws_iam_role_policy_attachment.assume-cross-account-dns[0] will be created
  + resource "aws_iam_role_policy_attachment" "assume-cross-account-dns" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::REDACT:policy/assume-cross-account-dns"
      + role       = "arn:aws:iam::REDACT:role/external-dns20230208222035255800000004"
    }

error:

╷
│ Error: attaching policy arn:aws:iam::REDACTED:policy/assume-cross-account-dns to IAM Role arn:aws:iam::REDACTED:role/external-dns20230208222035255800000004: ValidationError: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-
│ 	status code: 400, request id: acde7f70-a538-4e6b-8a1c-efc033185e2a
│
│   with aws_iam_role_policy_attachment.assume-cross-account-dns[0],
│   on eks.tf line 375, in resource "aws_iam_role_policy_attachment" "assume-cross-account-dns":
│  375: resource "aws_iam_role_policy_attachment" "assume-cross-account-dns" {
│

Looking at the proposed role in the aws_iam_role_policy_attachment, it looks like it matches the alphanumeric characters and/or the following: +=,.!_-

Any suggestions?

Here is the TF. I’m wondering if it’s not the name of my role but the count.index in the policy attachment. Would this then be TF validation being broken in cases with count.index, not the actual roleName?

  resource "aws_iam_policy" "assume-cross-account-dns" {
    count       = local.tenant_account

    name        = "assume-cross-account-dns"
    path        = "/"
    description = "AssumeRole to update Route53"

    # Terraform's "jsonencode" function converts a
    # Terraform expression result to valid JSON syntax.
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow",
          Action   = "sts:AssumeRole",
          Resource = "arn:aws:iam::REDACT:role/external-dns-cross-account"
        }
      ]
    })

    tags = local.tags
  }

  resource "aws_iam_role_policy_attachment" "assume-cross-account-dns" {
    count      = local.tenant_account

    policy_arn = aws_iam_policy.assume-cross-account-dns[0].arn
    role       = module.external_dns_irsa_role.iam_role_arn
  }

This was because I was putting the ARN instead of the name of the role.
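For reference, here is what the corrected attachment looks like, with a plan-time guard so the same mistake fails locally with a clear message instead of as a 400 from IAM. This is an added example, not the original poster's configuration; it assumes the IRSA module exposes an `iam_role_name` output (the terraform-aws-modules IRSA module does, but check yours), and the `locals` fallback shows how to derive the name when a module only exports the ARN.

```hcl
# Added example (not the poster's code). aws_iam_role_policy_attachment's
# "role" argument is the IAM role *name*; an ARN contains ':' and '/',
# which are outside the allowed set [A-Za-z0-9+=,.@_-] and trip the
# ValidationError shown above.

locals {
  # Assumption: module.external_dns_irsa_role exposes iam_role_arn.
  # If your module only exports the ARN, derive the name from its last
  # path segment: "arn:aws:iam::123456789012:role/path/name" -> "name".
  external_dns_role_name = element(
    split("/", module.external_dns_irsa_role.iam_role_arn),
    length(split("/", module.external_dns_irsa_role.iam_role_arn)) - 1,
  )
}

resource "aws_iam_role_policy_attachment" "assume-cross-account-dns" {
  count      = local.tenant_account

  policy_arn = aws_iam_policy.assume-cross-account-dns[0].arn

  # Assumption: the module exposes iam_role_name. Otherwise substitute
  # local.external_dns_role_name from the locals block above.
  role       = module.external_dns_irsa_role.iam_role_name

  lifecycle {
    # Reject anything that is not a valid IAM role name (1-64 characters
    # drawn from the set IAM permits) before any API call is made.
    precondition {
      condition     = can(regex("^[A-Za-z0-9+=,.@_-]{1,64}$", module.external_dns_irsa_role.iam_role_name))
      error_message = "role must be an IAM role name (1-64 chars of [A-Za-z0-9+=,.@_-]), not a role ARN."
    }
  }
}
```

The `count` is unrelated to the error: with `count = 1` the instance address is `[0]`, which only affects the resource key, not the `role` value sent to IAM. Resource `precondition` blocks require Terraform 1.2 or later and are evaluated during `plan`, so a misrouted ARN surfaces with the custom message at the resource that caused it.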