策略中的主体无效

Question

每当我第一次运行以下terraform文件时，我都会收到错误：

创建IAM角色时出错SecurityMonkey：MalformedPolicyDocument：策略中的无效主体：“AWS”。

然而，我执行代码第二次执行成功创建了假定角色对象。在我看来，角色A和角色B之间的依赖关系存在一些问题。作为一种补救措施，我甚至在角色A上放了一个depends_on语句，但没有运气。

SecurityMonkeyInstanceProfile

在这里你可以查看我的TF代码。

resource "aws_iam_role" "SecurityMonkey" {
name               = "SecurityMonkey"
depends_on = ["aws_iam_role.SecurityMonkeyInstanceProfile"]
path               = "/"
assume_role_policy = <<POLICY
{
"Version": "2008-10-17",
"Statement": [
{
  "Sid": "",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<AccountID>:role/SecurityMonkeyInstanceProfile"
  },
  "Action": "sts:AssumeRole"
  }
  ]
}
POLICY
}


resource "aws_iam_role" "SecurityMonkeyInstanceProfile" {
name               = "SecurityMonkeyInstanceProfile"
path               = "/"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
  "Effect": "Allow",
  "Principal": {
    "Service": "ec2.amazonaws.com"
  },
  "Action": "sts:AssumeRole"
 }
 ]
 }
 POLICY
 }

首先运行错误。

aws_iam_role.SecurityMonkey: Error creating IAM Role SecurityMonkey: MalformedPolicyDocument: Invalid principal in policy: "AWS":"arn:aws:iam::<AccountID>:role/SecurityMonkeyInstanceProfile"
    status code: 400, request id: 0810c923-28dd-11e6-af5d-47689d50861a

第二次运行没有错误。

terraform apply  -var-file=../../aws.tfvars
aws_iam_role.SecurityMonkeyInstanceProfile: Refreshing state... (ID: SecurityMonkeyInstanceProfile)
aws_iam_role.SecurityMonkey: Creating...
  arn:                "" => "<computed>"
  assume_role_policy: "" => "{\n  \"Version\": \"2008-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::<AccountID>:role/SecurityMonkeyInstanceProfile\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}\n"
  name:               "" => "SecurityMonkey"
  path:               "" => "/"
  unique_id:          "" => "<computed>"
aws_iam_role.SecurityMonkey: Creation complete

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

显然，资源是按照正确的顺序创建的，但似乎存在某种超时，导致SecurityMonkeyInstanceProfile角色无法被SecurityMonkey角色发现。几乎是鸡和蛋的问题。

任何提示？

Answer 1

你运行的是哪个terraform版本？

如果它已经是最新版本，那么我猜两个资源之间的时间间隔太短，API系统没有足够的时间来报告新资源SecurityMonkeyInstanceProfile第二个资源创建已经跟进。

尝试添加一个睡眠功能，让我知道这是否可以解决您的问题。

resource "aws_iam_role" "SecurityMonkeyInstanceProfile" {
  ...
  provisioner "local-exec" {
        command = "sleep 10"
    }
}

参考错误报告：https://github.com/hashicorp/terraform/issues/1885