Passing variable in a policy

Hello guys, I have this Terraform.tfvars (aws_account_id = "1234567890"). When I run terraform apply, this is the error message I am getting: "Error: Invalid reference… A reference to a resource type must be followed by at least one attribute access, specifying the resource name". Please, how can I fix this error?

```json
{
    "Sid": "Enable IAM Policies",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::${aws_account_id}:root"
    },
    "Action": "kms:*",
    "Resource": "*"
},
{
    "Sid": "Allow CloudTrail to encrypt logs",
    "Effect": "Allow",
    "Principal": {
        "Service": "cloudtrail.amazonaws.com"
    },
    "Action": "kms:GenerateDataKey*",
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${aws_account_id}:trail/*"
        }
    }
},
{
    "Sid": "Allow CloudTrail access",
    "Effect": "Allow",
    "Principal": {
        "Service": "cloudtrail.amazonaws.com"
    },
    "Action": "kms:DescribeKey",
    "Resource": "*"
},
{
    "Sid": "Enable CloudTrail log decrypt permissions",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::${aws_account_id}:root"
    },
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {
        "Null": {
            "kms:EncryptionContext:aws:cloudtrail:arn": "false"
        }
    }
},
{
    "Sid": "Allow Administration of key",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${aws_account_id}:root"},
    "Action": [
```

Hi @darekorex,

If this is an expression in one of your Terraform configuration files (in a .tf file, as opposed to in a separate template) then there are lots of different kinds of values in scope here and so you need to prefix your references to input variables with var. to indicate what kind of symbol you’re accessing.

For example, in the first case where you’re building an AWS root account ARN, you would write the following:

"arn:aws:iam::${var.aws_account_id}:root"
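The same fix as a complete minimal configuration, added here as an example and not code from the thread: the input is declared in variables.tf (with a check that it really is a 12-digit account ID), set in terraform.tfvars, and referenced as var.aws_account_id inside the key policy. Building the policy with jsonencode instead of a string template avoids the quoting problems that a bare ${...} inside a .tf file runs into. The account ID, key description and file split are assumptions.

```hcl
# variables.tf -- declaring the input is what puts `var.aws_account_id` in scope.
variable "aws_account_id" {
  description = "Account that owns the CloudTrail KMS key (assumed value in tfvars)"
  type        = string

  # Fail at plan time on a typo'd ID rather than at apply time inside KMS.
  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_account_id))
    error_message = "aws_account_id must be a 12-digit AWS account ID."
  }
}

# terraform.tfvars -- assumed placeholder; real account IDs are 12 digits.
aws_account_id = "123456789012"

# main.tf -- inside a .tf file every reference carries its namespace prefix:
# var.<name> for input variables, never a bare ${aws_account_id}.
resource "aws_kms_key" "cloudtrail" {
  description         = "CMK for CloudTrail log encryption (assumed name)"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "Enable IAM Policies"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${var.aws_account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "Allow CloudTrail to encrypt logs"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "kms:GenerateDataKey*"
        Resource  = "*"
        # Only a trail in this account may drive encryption with this key.
        Condition = {
          StringLike = {
            "kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:${var.aws_account_id}:trail/*"
          }
        }
      },
      {
        Sid       = "Allow CloudTrail access"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "kms:DescribeKey"
        Resource  = "*"
      },
      {
        Sid       = "Enable CloudTrail log decrypt permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${var.aws_account_id}:root" }
        Action    = "kms:Decrypt"
        Resource  = "*"
        # Decrypt is allowed only when the ciphertext carries a CloudTrail
        # encryption context, i.e. only for log files, not arbitrary data.
        Condition = {
          Null = { "kms:EncryptionContext:aws:cloudtrail:arn" = "false" }
        }
      },
    ]
  })
}
```

`terraform validate` catches the missing `var.` prefix before any AWS call is made; the validation block additionally rejects IDs like the 10-digit value in the original tfvars. A heredoc template (`policy = <<EOF ... EOF`) also works with `${var.aws_account_id}`, but it is easy to break the JSON with an unescaped quote, which is why jsonencode is the idiomatic choice.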

Hi @apparentlymart,
Thank you for your answer to my previous question. It really worked. I have another question, if you don't mind, please.

I need to allow all accounts in our AWS Organization to use CloudTrail to encrypt and decrypt. How do I reference them in the policy below without listing each of the 30-plus accounts?

```json
{
    "Sid": "Allow CloudTrail to encrypt logs",
    "Effect": "Allow",
    "Principal": {
        "Service": "cloudtrail.amazonaws.com"
    },
    "Action": "kms:GenerateDataKey*",
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${var.aws_account_id}:trail/*"
```

```json
    "Sid": "Enable CloudTrail log decrypt permissions",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::${var.aws_account_id}:root"
    },
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {
        "Null": {
            "kms:EncryptionContext:aws:cloudtrail:arn": "false"
```

How do I specify permission in the policy to allow all AWS accounts inside Control Tower to encrypt and decrypt with CloudTrail, without listing the accounts one after the other? Thanks in advance for your help.

Do you have AWS Organizations? Using an OU might be easiest to set up.
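What the OU suggestion looks like in the key policy, added here as an example and not code from the thread. Instead of enumerating account IDs, the decrypt statement is opened to every IAM principal in the organization, narrowed to one OU with aws:PrincipalOrgPaths, and the CloudTrail service statement matches trails in any account while aws:SourceOrgID pins the calling trail to the same organization. The organization ID and root ID are read from the Organizations API rather than hard-coded; the OU path, key name and the assumption that CloudTrail populates aws:SourceOrgID in your environment (check the current AWS documentation; the older pattern is aws:SourceArn or aws:SourceAccount per trail) are all assumptions of this example.

```hcl
# Added example: organization-scoped CloudTrail KMS key policy with no account list.
# Assumes it runs in the account that owns the key and can describe the organization.

data "aws_caller_identity" "current" {}

# Exposes the organization ID (o-xxxxxxxxxx); nothing account-specific is hard-coded.
data "aws_organizations_organization" "this" {}

variable "cloudtrail_ou_path" {
  description = "Org path of the OU whose principals may decrypt, e.g. o-abc123/r-ab12/ou-ab12-11111111/* (assumed placeholder)"
  type        = string
}

data "aws_iam_policy_document" "cloudtrail_key" {
  # Key administration stays with the owning account only.
  statement {
    sid       = "Enable IAM Policies"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # CloudTrail may encrypt on behalf of a trail in ANY account of the org.
  # The wildcard account in the encryption context is what removes the per-account
  # list; aws:SourceOrgID is what stops the service from acting as a confused
  # deputy for a trail that belongs to some other organization.
  statement {
    sid       = "Allow CloudTrail to encrypt logs"
    actions   = ["kms:GenerateDataKey*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["arn:aws:cloudtrail:*:*:trail/*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceOrgID" # assumed to be populated by CloudTrail; verify
      values   = [data.aws_organizations_organization.this.id]
    }
  }

  statement {
    sid       = "Allow CloudTrail access"
    actions   = ["kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  # Any IAM principal in the organization, further limited to one OU, may decrypt
  # log files. Principal "*" is acceptable ONLY because of the aws:PrincipalOrgID
  # condition; without it this statement would be world-readable.
  statement {
    sid       = "Enable CloudTrail log decrypt permissions"
    actions   = ["kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [data.aws_organizations_organization.this.id]
    }
    condition {
      # aws:PrincipalOrgPaths is multivalued, hence the ForAnyValue set operator.
      test     = "ForAnyValue:StringLike"
      variable = "aws:PrincipalOrgPaths"
      values   = [var.cloudtrail_ou_path]
    }
    condition {
      test     = "Null"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["false"]
    }
  }
}

resource "aws_kms_key" "cloudtrail" {
  description         = "Organization-wide CloudTrail log key (assumed name)"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.cloudtrail_key.json
}
```

Two checks before relying on this. First, a key policy alone does not grant cross-account use: a role in a member account also needs kms:Decrypt on the key's ARN in its own IAM policy, so the key policy and the member-account policies must both allow the call. Second, if the landing zone writes all accounts' events to a single organization trail in the management account, the encrypt statement only ever needs that one trail, and the wildcard account in the encryption context can be tightened back to the management account ID.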

@tbugfinder, we use Control Tower to create our accounts. Is there a way I can allow other accounts in our Control Tower to use CloudTrail to encrypt and decrypt, or do they automatically inherit the policy to encrypt and decrypt since they are part of the creating account?

@apparentlymart, I'm patiently waiting for your awesome answer. I copied you on a sample of the code I am working with. We have 6 accounts in our Control Tower and I do not want to list each of those accounts in the code. Is there a way for me to write the code to allow CloudTrail in those accounts to use this KMS CMK? Looking forward to your answer.
Thank you very much in advance.

Hi @darekorex,

This follow-up question seems like it is more of an AWS question than a general Terraform question, and unfortunately it’s outside of my area of direct expertise because I’ve not used AWS Control Tower and so I don’t know how it integrates with IAM.

Others here might have ideas about this, though given that your follow-up question is currently hidden in a topic that started about something else I’d recommend starting a new topic in the AWS Provider category so that people with AWS knowledge are more likely to find it.

Thank you for your suggestion

@apparentlymart,
Hi, first a big thank you for your past suggestion on here. I have a question. I have a root terragrunt.hcl that contains my remote configuration. I have 2 environments, "prod-env" and "dev-env"; in each folder I have a child terragrunt.hcl that uses include to point to the path of the root terragrunt.hcl. I just tried to run my workflow and I don't understand the error I am getting. This is the error:

Error reading file at path /github/workspace/terragrunt.hcl: open /github/workspace/terragrunt.hcl: no such file or directory

I am under the impression that Terragrunt will create the workspace for me.