Passing variable in a policy

Hello guys,I have this Terraform.tfvars (aws_account_id = “1234567890”).When i run terraform apply, this is the error message I am getting " Error Invalid reference…A reference to a resource type must be followed by at least one attribute access, specifying the resource name". please how can I fix this error?

{
            "Sid": "Enable IAM Policies",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${aws_account_id}:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${aws_account_id}:trail/*"
                }
            }
        },
        {
            "Sid": "Allow CloudTrail access",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "kms:DescribeKey",
            "Resource": "*"
        },
        {
            "Sid": "Enable CloudTrail log decrypt permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${aws_account_id}:root"
            },
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "false"
                }
            }
        },
        {
            "Sid":"Allow Administration of key",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::${aws_account_id}:root"},
            "Action": [

Hi @darekorex,

If this is an expression in one of your Terraform configuration files (in a .tf file, as opposed to in a separate template) then there are lots of different kinds of values in scope here and so you need to prefix your references to input variables with var. to indicate what kind of symbol you’re accessing.

For example, in the first case where you’re building an AWS root account ARN, you would write the following:

"arn:aws:iam::${var.aws_account_id}:root"

Hi @apparentlymart ,
Thank you for your answer to my previous question. It really worked ,I have another question if you don’t mind please.

I need to give all accounts in AWS Organization to use Cloudtrail to encrypt and decrypt.How do i reference them in this policy below without listing each of the over 30plus accounts?

{
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${var.aws_account_id}:trail/*"

"Sid": "Enable CloudTrail log decrypt permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${var.aws_account_id}:root"
            },
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "false"

How do I specify permission in the policy to allow all AWS accounts inside control tower to use encrypt and decrypt with cloudtrail without listing the accounts one after the other? Thanks in advance for your help

Do you have AWS organisations? Using an OU might be easiest to set up.

@tbugfinder ,we use control tower to create our accounts.Is there a way i can allow other accounts in our control tower to use cloudtrail to encrypt and decrypt or they automaticaaly inherit policy to encrypt and decrypt since they are part of the creating account.

@apparentlymart ,I’m patiently waiting for your awesome answer. I copied you on sample of the code I am working with. We have 6 accounts in our control tower and I do not want to list each of those accounts in the code.Is there a way for me to write the code to allow cloudtrail in those accounts to use this KMS-cmk?.looking forward to your answer.
thank you very much in advance

Hi @darekorex,

This follow-up question seems like it is more of an AWS question than a general Terraform question, and unfortunately it’s outside of my area of direct expertise because I’ve not used AWS Control Tower and so I don’t know how it integrates with IAM.

Others here might have ideas about this, though given that your follow-up question is currently hidden in a topic that started about something else I’d recommend starting a new topic in the AWS Provider category so that people with AWS knowledge are more likely to find it.

Thank you for your suggestion