TechQA.

AWS MalformedPolicyDocumentException while deploying SCP with Terraform

64 views Asked by At

I have the following SCP that I would like to apply to an org:

data "aws_iam_policy_document" "restrict-regions-policy" {
  version = "2012-10-17"
  statement {
    sid    = "RegionRestriction"
    effect = "Deny"
    not_actions = [
      "a4b:*",
      "acm:*",
      "aws-marketplace-management:*",
      "aws-marketplace:*",
      "aws-portal:*",
      "budgets:*",
      "ce:*",
      "chime:*",
      "cloudfront:*",
      "config:*",
      "cur:*",
      "directconnect:*",
      "ec2:DescribeRegions",
      "ec2:DescribeTransitGateways",
      "ec2:DescribeVpnGateways",
      "fms:*",
      "globalaccelerator:*",
      "health:*",
      "iam:*",
      "importexport:*",
      "kms:*",
      "mobileanalytics:*",
      "networkmanager:*",
      "organizations:*",
      "pricing:*",
      "route53:*",
      "route53domains:*",
      "route53-recovery-cluster:*",
      "route53-recovery-control-config:*",
      "route53-recovery-readiness:*",
      "s3:GetAccountPublic*",
      "s3:ListAllMyBuckets",
      "s3:ListMultiRegionAccessPoints",
      "s3:PutAccountPublic*",
      "shield:*",
      "sts:*",
      "support:*",
      "trustedadvisor:*",
      "waf-regional:*",
      "waf:*",
      "wafv2:*",
      "wellarchitected:*"
    ]
    actions   = ["*"]
    resources = ["*"]

    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values = [
        "us-east-1",
        "eu-west-1",
      ]
    }
  }
}

resource "aws_organizations_policy" "restrict_regions" {
  name        = "restrict_regions"
  description = "Deny all regions except the ones we use"
  content     = data.aws_iam_policy_document.restrict-regions-policy.json
}

When I am running terraform apply I get the following error:

Plan: 2 to add, 0 to change, 0 to destroy.
aws_organizations_policy.restrict_regions: Creating...
╷
│ Error: creating Organizations Policy (restrict_regions): MalformedPolicyDocumentException: The provided policy document does not meet the requirements of the specified policy type.
│
│   with aws_organizations_policy.restrict_regions,
│   on scp-deny-regions.tf line 64, in resource "aws_organizations_policy" "restrict_regions":
│   64: resource "aws_organizations_policy" "restrict_regions" {
│

I am not sure why. I am following the example from here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html

I have narrowed it down to the not_actions block. Not sure why not_actions makes it malformed...

amazon-web-services terraform aws-scp
Original Q&A
1

There are 1 answers

0
Istvan On

I have narrowed it down. Action and NotAction and mutually exclusive. Removing Action fixed the issue.

Related Questions in AMAZON-WEB-SERVICES

Related Questions in TERRAFORM

Related Questions in AWS-SCP

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions