I have a policy document, shown below, with resource tags and a StringEquals condition.
{
  "Effect": "Allow",
  "Action": [
    "ec2:*"
  ],
  "Resource": [
    "arn:aws:ec2:ap-south-1::image/ami-*",
    "arn:aws:ec2:ap-south-1:736855795947:key-pair/test-webserver",
    "arn:aws:ec2:ap-south-1:736855795947:network-interface/*",
    "arn:aws:ec2:ap-south-1:736855795947:security-group/sg-01bec6381887b636d",
    "arn:aws:ec2:ap-south-1:736855795947:subnet/subnet-0f7b9499f8a8817",
    "arn:aws:ec2:ap-south-1:736855795947:volume/*"
  ]
},
{
  "Effect": "Allow",
  "Action": [
    "ec2:*"
  ],
  "Resource": [
    "arn:aws:ec2:ap-south-1:736855XXXXXX:instance/*"
  ],
  "Condition": {
    "StringEquals": {
      "ec2:ResourceTag/Environment": "dev"
    }
  }
}
I have tagged my EC2 instance with the same tag mentioned above. When I create the instance with Terraform, the error I get is as follows:
{
  "DecodedMessage": {
    "allowed": false,
    "explicitDeny": false,
    "matchedStatements": { "items": [] },
    "failures": { "items": [] },
    "context": {
      "principal": {
        "id": "AIDA2XEAHFDV6BNRDDIX6",
        "name": "clixtream_deploy_user",
        "arn": "arn:aws:iam::736855795947:user/clixtream_deploy_user"
      },
      "action": "ec2:RunInstances",
      "resource": "arn:aws:ec2:ap-south-1:736855795947:instance/*",
      "conditions": {
        "items": [
          { "key": "ec2:InstanceMarketType", "values": { "items": [ { "value": "on-demand" } ] } },
          { "key": "aws:Resource", "values": { "items": [ { "value": "instance/*" } ] } },
          { "key": "aws:Account", "values": { "items": [ { "value": "736855795947" } ] } },
          { "key": "ec2:AvailabilityZone", "values": { "items": [ { "value": "ap-south-1b" } ] } },
          { "key": "ec2:ebsOptimized", "values": { "items": [ { "value": "false" } ] } },
          { "key": "ec2:IsLaunchTemplateResource", "values": { "items": [ { "value": "false" } ] } },
          { "key": "ec2:InstanceType", "values": { "items": [ { "value": "t3.medium" } ] } },
          { "key": "ec2:RootDeviceType", "values": { "items": [ { "value": "ebs" } ] } },
          { "key": "ec2:InstanceProfile", "values": { "items": [ { "value": "arn:aws:iam::736855795947:instance-profile/clixtream_profile" } ] } },
          { "key": "aws:Region", "values": { "items": [ { "value": "ap-south-1" } ] } },
          { "key": "aws:Service", "values": { "items": [ { "value": "ec2" } ] } },
          { "key": "ec2:InstanceID", "values": { "items": [ { "value": "*" } ] } },
          { "key": "aws:Type", "values": { "items": [ { "value": "instance" } ] } },
          { "key": "ec2:Tenancy", "values": { "items": [ { "value": "default" } ] } },
          { "key": "ec2:Region", "values": { "items": [ { "value": "ap-south-1" } ] } },
          { "key": "aws:ARN", "values": { "items": [ { "value": "arn:aws:ec2:ap-south-1:736855795947:instance/*" } ] } }
        ]
      }
    }
  }
}
But when I remove the StringEquals condition from the policy document, I can create the instance successfully without any error from Terraform.
My tf code for aws_instance is as follows:
resource "aws_instance" "test_collector_instance" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = var.instance_machine_type
  key_name                    = var.key_name
  iam_instance_profile        = aws_iam_instance_profile.test_profile.name
  subnet_id                   = var.subnet_id_1
  vpc_security_group_ids      = [var.security_group_id]
  associate_public_ip_address = true

  tags = {
    Name        = "test-collector"
    Environment = "dev"
    owningTeam  = "test"
  }

  lifecycle {
    create_before_destroy = true
  }

  connection {
    type        = "ssh"
    user        = "ubuntu"
    private_key = file("./test-webserver.pem")
    host        = self.public_ip
  }

  provisioner "file" {
    source      = "run-collector.sh"
    destination = "/home/ubuntu/run-collector.sh"
  }

  provisioner "file" {
    source      = "../collector/log_agent_config.json"
    destination = "/home/ubuntu/log_agent_config.json"
  }

  provisioner "remote-exec" {
    inline = [
      "chmod +x /home/ubuntu/run-collector.sh",
      "sudo /home/ubuntu/run-collector.sh ${var.aws_region} ${var.aws_account_id}",
    ]
  }

  provisioner "remote-exec" {
    inline = [
      "curl -O https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb",
      "sudo dpkg -i -E ./amazon-cloudwatch-agent.deb",
      "sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/home/ubuntu/log_agent_config.json -s",
      "sleep 5",
      "sudo cat /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log"
    ]
  }
}
My Terraform version is v1.0.1 and the AWS provider version is v3.49.0. Besides the instance, I also create an aws_ami_from_instance Terraform resource, which creates an AMI from this instance, then a launch configuration with the created AMI, and an ASG that uses the created launch configuration. I have tagged the ASG with the environment name.
The problem is that I need to tag the EBS volume created together with the instance in Terraform; then I can create the instance with the policy that has the matching conditions. So the new tf code for aws_instance looks like this:
resource "aws_instance" "test_collector_instance" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = var.instance_machine_type
  key_name                    = var.key_name
  iam_instance_profile        = aws_iam_instance_profile.test_profile.name
  subnet_id                   = var.subnet_id_1
  vpc_security_group_ids      = [var.security_group_id]
  associate_public_ip_address = true

  volume_tags = {
    Environment = "dev"
    owningTeam  = "test"
  }

  tags = {
    Name        = "test-collector"
    Environment = "dev"
    owningTeam  = "test"
  }

  lifecycle {
    create_before_destroy = true
  }

  connection {
    type        = "ssh"
    user        = "ubuntu"
    private_key = file("./test-webserver.pem")
    host        = self.public_ip
  }

  provisioner "file" {
    source      = "run-collector.sh"
    destination = "/home/ubuntu/run-collector.sh"
  }

  provisioner "file" {
    source      = "../collector/log_agent_config.json"
    destination = "/home/ubuntu/log_agent_config.json"
  }