resource "aws_organizations_policy" "tag_enforcement_eks" {
  name = "tag_enforcement_eks"
  content = <<EOT
  {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny if org:bu absent",
            "Effect": "Deny",
            "Action": [
                "eks:CreateNodegroup",
                "eks:CreateCluster"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/org:bu": ${jsonencode(var.bu)}
                }
            }
        },
        {
            "Sid": "Deny if org:zone absent",
            "Effect": "Deny",
            "Action": [
                "eks:CreateNodegroup",
                "eks:CreateCluster"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/org:zone": ${jsonencode(var.zone)}
                }
            }
        },
        {
            "Sid": "Deny if org:team absent",
            "Effect": "Deny",
            "Action": [
                "eks:CreateNodegroup",
                "eks:CreateCluster"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/org:team": ${jsonencode(var.team)}
                }
            }
        },
        {
            "Sid": "Deny if org:cluster absent",
            "Effect": "Deny",
            "Action": [
                "eks:CreateNodegroup",
                "eks:CreateCluster"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/org:cluster": ${jsonencode(var.cluster)}
                }
            }
        }
    ]
  }
  EOT
}

MalformedPolicyDocumentException: The provided policy document does not meet the requirements of the specified policy type. Creating a Service Control Policy, I see the code to be correct, can't verify where the problem is. Can anyone help me out?

Where is the error?

  • How do you know the code is correct? What are your variables? – Marcin Jul 29 '21 at 11:11
  • variables are a list of strings. I know that the code is correct as I have reproduced it on VisualEditor on the SCP Console, and it's working there. – ekansh gupta Jul 29 '21 at 13:04

1 Answer


Your issue is this line:

"Sid": "Deny if org:bu absent"

JSON Spaces, -, _, :, and probably a few other characters aren't allowed.

The Sid element supports ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).

Jeremy Caney