Attaching policy arn ValidationError

cdenneen · February 16, 2023, 9:07pm

  # aws_iam_role_policy_attachment.assume-cross-account-dns[0] will be created
  + resource "aws_iam_role_policy_attachment" "assume-cross-account-dns" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::REDACT:policy/assume-cross-account-dns"
      + role       = "arn:aws:iam::REDACT:role/external-dns20230208222035255800000004"
    }

error:

╷
│ Error: attaching policy arn:aws:iam::REDACTED:policy/assume-cross-account-dns to IAM Role arn:aws:iam::REDACTED:role/external-dns20230208222035255800000004: ValidationError: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-
│ 	status code: 400, request id: acde7f70-a538-4e6b-8a1c-efc033185e2a
│
│   with aws_iam_role_policy_attachment.assume-cross-account-dns[0],
│   on eks.tf line 375, in resource "aws_iam_role_policy_attachment" "assume-cross-account-dns":
│  375: resource "aws_iam_role_policy_attachment" "assume-cross-account-dns" {
│

Looking at the proposed role in the aws_iam_role_policy_attachment it looks like it matches the alphanumeric characters and/or the following: +=,.!_-

Any suggestions?

cdenneen · February 16, 2023, 9:23pm

Here is the TF. I’m wondering if it’s not the name of my role but it’s the count.index in the policy attachment? This would then be TF validation being broken in cases with count.index not the actual roleName?

  resource "aws_iam_policy" "assume-cross-account-dns" {
    count       = local.tenant_account

    name        = "assume-cross-account-dns"
    path        = "/"
    description = "AssumeRole to update Route53"

    # Terraform's "jsonencode" function converts a
    # Terraform expression result to valid JSON syntax.
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow",
          Action   = "sts:AssumeRole",
          Resource = "arn:aws:iam::REDACT:role/external-dns-cross-account"
        }
      ]
    })

    tags = local.tags
  }

  resource "aws_iam_role_policy_attachment" "assume-cross-account-dns" {
    count      = local.tenant_account

    policy_arn = aws_iam_policy.assume-cross-account-dns[0].arn
    role       = module.external_dns_irsa_role.iam_role_arn
  }

cdenneen · February 17, 2023, 12:45am

This was because I was putting ARN instead of the name of the role.