背景
我正在尝试使用EKS设置一个网络应用程序,并尝试通过Terraform设置DNS配置选项(KMS的东西和记录/规则可能会更改(。
预期结果
- 应该创建AWS_KMS_Key,&拥有政策";示例";也提供了它
描述
每当我尝试运行terraform apply或terraform plan,但没有进入yes/no步骤时,就会出现此错误。我可以创建它一次,但它似乎不允许我删除它。我已经手动禁用了该密钥,并计划将其删除。这是一个错误吗;"受保护";,或者是Terraform试图读取数据对象时出错,还是其他原因?任何帮助或见解都是值得赞赏的,我大部分时间都被这个错误弄糊涂了;不能解组字符串";,因为我从未见过任何类似的错误,我也不知道什么是"错误";解组";是.
资源对象:aws_kms_key
resource "aws_kms_key" "example" {
customer_master_key_spec = "ECC_NIST_P256"
deletion_window_in_days = 7
key_usage = "SIGN_VERIFY"
policy = data.aws_iam_policy_document.example.json
}
数据对象:aws_iam_policy_document
data "aws_caller_identity" "me" {} # Gets the account info of the current connection ~(whoami)
data "aws_iam_policy_document" "example" {
version = "2012-10-17"
statement {
sid = "Allow Route 53 DNSSEC Service"
effect = "Allow"
resources = ["*"]
actions = [
"kms:DescribeKey",
"kms:GetPublicKey",
"kms:Sign"
]
principals {
type = "Service"
identifiers = ["dnssec-route53.amazonaws.com"]
}
condition {
test = "ForAnyValue:StringEquals"
variable = "aws:SourceAccount"
values = ["${data.aws_caller_identity.me.account_id}"]
}
condition {
test = "ForAnyValue:ArnLike"
variable = "aws:SourceArn"
values = ["arn:aws:route53:::hostedzone/*"]
}
}
statement {
sid = "Allow Route 53 DNSSEC Service to CreateGrant"
effect = "Allow"
resources = ["*"]
actions = [
"kms:CreateGrant"
]
principals {
type = "Service"
identifiers = ["dnssec-route53.amazonaws.com"]
}
condition {
test = "Bool"
variable = "kms:GrantIsForAWSresource"
values = ["true"]
}
}
statement {
sid = "Enable IAM User Permissions"
effect = "Allow"
resources = ["*"]
actions = [
"kms:*"
]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.me.account_id}:root"]
}
}
}
ERROR输出(已清理(
Error: while setting policy (<Json_of_Policy_Doc>),
encountered: unmarshaling policy 1:
json: cannot unmarshal string into Go value of type awspolicy.intermediatePolicyDocument
ERROR输出
Error: while setting policy (
{"Statement":[
{"Action":["kms:DescribeKey","kms:GetPublicKey","kms:Sign"],
"Condition":{"ArnLike":{"aws:SourceArn":"arn:aws:route53:::hostedzone/*"},"StringEquals":{"aws:SourceAccount":"<aws_account_id>"}},
"Effect":"Allow",
"Principal":{"Service":"dnssec-route53.amazonaws.com"},
"Resource":"*",
"Sid":"Allow Route 53 DNSSEC Service"},
{"Action":"kms:CreateGrant",
"Condition":{"Bool":{"kms:GrantIsForAWSResource":"true"}},
"Effect":"Allow",
"Principal":{"Service":"dnssec-route53.amazonaws.com"},
"Resource":"*",
"Sid":"Allow Route 53 DNSSEC Service to CreateGrant"},
{"Action":"kms:*",
"Effect":"Allow",
"Principal":{"AWS":"arn:aws:iam::<aws_account_id>:root"},
"Resource":"*",
"Sid":"Enable IAM User Permissions"}],
"Version":"2012-10-17"}),
encountered: unmarshaling policy 1: json: cannot unmarshal string into Go value of type awspolicy.intermediatePolicyDocument
您不能使用那种sid,因为根据AWS文档[1],它只能是:
Sid元素支持ASCII大写字母(A-Z(、小写字母(A-Z(和数字(0-9(。
这意味着您不能在sid参数中使用空格。
[1]https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html