How to fix string required error message

resource "aws_iam_role" "Orchestration_role"{
    name = var.orchestration_role_name

    assume_role_policy = <<EOF
{
    "Version":"2012-10-17",
    "Statement": [
        {
           "Effect": "Allow",
           "Action": "sts:AssumeRoleWithWebIdentity",
           "Principal":{
               "Federated":"arn:aws:iam::${var.aws_oidc_account}:oidc-provider/token.actions.githubusercontent.com"
           },
           "Condition":{
               "ForAnyValue:StringLike":{
                   "token.actions.githubusercontent.com:sub": "${var.oidc_condition_statement}"
               }
           }
        }
    ]
}
EOF
}

variable.tf

variable "oidc_condition_statement"{
    type = list(string)
}

tfvars

oidc_condition_statement          = ["repo:organization/terraform-aws-githubaction:ref:refs/heads/staging","repo:organization/terraform-aws-githubaction:pull_request"]

I am getting the below error when I run terraform apply:

Invalid template interpolation value
var.oidc_condition_statement is list of string with 2 elements Cannot include the given value in a string template: string required.

Hi @darekorex,

var.oidc_condition_statement is a list of strings and so this is a correct error message: it’s not possible to concatenate a list into a string directly.

With that said, I don’t think you really need string concatenation there at all, because I believe the correct policy document syntax there is to include a JSON array.

Therefore I think the following would produce the required result:

  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRoleWithWebIdentity"
        Principal = {
          Federated = "arn:aws:iam::${var.aws_oidc_account}:oidc-provider/token.actions.githubusercontent.com"
        }
        Condition = {
          "ForAnyValue:StringLike" = {
            "token.actions.githubusercontent.com:sub" = var.oidc_condition_statement
          }
        }
      },
    ]
  })

Terraform’s jsonencode function knows how to convert all Terraform values into equivalent JSON strings, including lists, and so the above should automatically convert var.oidc_condition_statement into a JSON array as part of encoding that entire value.
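An added example, not part of the original thread: because `jsonencode` passes every element of `var.oidc_condition_statement` straight into a `StringLike` condition, validating the list at plan time keeps an empty or wildcarded `sub` pattern out of the trust policy. The regex assumes every pattern follows the `repo:<org>/<repo>:<rest>` shape used in the tfvars above; the descriptions and error messages are illustrative.

```hcl
variable "oidc_condition_statement" {
  type        = list(string)
  description = "GitHub OIDC sub patterns allowed to assume the orchestration role."

  # Require at least one pattern so the condition is never rendered as an empty array.
  validation {
    condition     = length(var.oidc_condition_statement) > 0
    error_message = "Provide at least one GitHub OIDC sub pattern."
  }

  # StringLike treats * and ? as wildcards. Keep them out of the org and repo
  # segments so a pattern cannot match repositories other than the named one.
  # Assumed shape: repo:<org>/<repo>:<rest>, as in the tfvars on this page.
  validation {
    condition = alltrue([
      for s in var.oidc_condition_statement :
      can(regex("^repo:[^/*?:]+/[^/*?:]+:.+$", s))
    ])
    error_message = "Each entry must look like repo:<org>/<repo>:<rest>, with no wildcard in the org or repo name."
  }
}
```

Both values from the tfvars above pass these checks; an entry such as `repo:organization/*:ref:refs/heads/staging` is rejected at plan time.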

@apparentlymart, thank you for your response. It worked.