
I am trying to create a state function with terraform. First I create a policy and assign it to an existing role processing_lambda_role.

resource "aws_iam_role_policy" "sfn_policy" {
  policy = jsonencode(
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "states.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction",
            "lambda:InvokeAsync"
          ],
          "Resource": "*"
        }
      ]
    }
  )
  role = aws_iam_role.processing_lambda_role.id
}


resource "aws_sfn_state_machine" "sfn_state_machine" {
  name     = local.step_function_name
  role_arn = aws_iam_role.processing_lambda_role.arn

  definition = <<EOF
{
  "Comment": "Get Incoming Files",
  "StartAt": "GetIncomingFiles",
  "States": {
    "GetIncomingFiles": {
      "Type": "Task",
      "Resource": "${aws_lambda_function.get_incoming_lambda.arn}",
      "ResultPath": "$.Output",
      "End": true
    }
  }
}
EOF
}

I get this error:

Error: Error putting IAM role policy terraform-20211117095209110000000005: MalformedPolicyDocument: Policy document should not specify a principal.
│       status code: 400, request id: 1dd8ac18-a514-4ef3-93ae-91383e5baa07
│ 
│   with module.ingest_system["ems"].aws_iam_role_policy.sfn_policy,
│   on ../../modules/ingest_system/step_function.tf line 1, in resource "aws_iam_role_policy" "sfn_policy":
│    1: resource "aws_iam_role_policy" "sfn_policy" {

and that's how the role was originally defined:

resource "aws_iam_role" "processing_lambda_role" {
  name = local.processing_lambda_role_name
  path = "/service-role/"

  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "lambda.amazonaws.com" }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}
x89
  • The sts:AssumeRole stuff needs to be part of the trust relationship of processing_lambda_role, not part of the policy. Or what do you want the AssumeRole within the policy to achieve? – luk2302 Nov 17 '21 at 10:09
  • Would be more convenient for me to change the roles/policies than the trust relationship. Is that possible? @luk2302 – x89 Nov 17 '21 at 10:17
  • Depends on what you want to be doing, if you want to allow statemachine or lambda to assume the role, then no, you need to put that stuff into the trust relationship. If you want to allow the role to assume other roles then you can put that stuff into the policy. That is how IAM works. – luk2302 Nov 17 '21 at 10:19
  • You mean the same exact error you reported after my answer persists? Or you have new issue? – Marcin Nov 20 '21 at 21:39
  • It's an issue with Sts:AssumeRole within the state function policies, so a different error, but probably because of the AssumeRole. @Marcin Now, I think I am only "assuming" twice, which might not be what I am supposed to do – x89 Nov 21 '21 at 10:26

1 Answer


sts:AssumeRole should be in the role's assume_role_policy. For example, if you want to create sfn_role for your sfn, then:


resource "aws_iam_role" "sfn_role" {
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "states.amazonaws.com" }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy" "sfn_policy" {
  policy = jsonencode(
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction",
            "lambda:InvokeAsync"
          ],
          "Resource": "*"
        }
      ]
    }
  )
  role = aws_iam_role.sfn_role.id
}

resource "aws_sfn_state_machine" "sfn_state_machine" {
  name     = local.step_function_name
  role_arn = aws_iam_role.sfn_role.arn
  # ....
}

Marcin
  • Sorry, but I am not sure how it is different from my code? I am already giving `Sts:AssumeRole` in the `processing_lambda_role`, no? What part am I missing? – x89 Nov 17 '21 at 10:16
  • @x89 Your `aws_iam_role_policy.sfn_policy` has `Principal`, which is incorrect. It should be as in my example. – Marcin Nov 17 '21 at 10:18
  • If I remove the Principal/service part, I still get an error `Policy statement must contain resources.` – x89 Nov 17 '21 at 10:33
  • @x89 So add `"Resource": "*"` or more specific if you wish. – Marcin Nov 17 '21 at 10:34
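As an added example (not code from the question or the answer), a small pre-apply check in Python that encodes the two IAM document shapes this thread distinguishes: an identity-based role policy must not carry Principal and every statement needs Resource (the two errors x89 hit), while a trust policy (assume_role_policy) must carry the Principal and sts:AssumeRole for states.amazonaws.com, which the original Lambda-only trust policy lacked. The sample documents are constructed from the ones on this page and the Lambda ARN is a placeholder.

```python
import json

# Constructed sample documents mirroring this page: the question's role policy
# (Principal in a role policy), the question's Lambda-only trust policy, and
# the answer's trust policy; the function ARN is a placeholder.
QUESTION_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "states.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
     "Action": ["lambda:InvokeFunction", "lambda:InvokeAsync"]}]})
SCOPED_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:PLACEHOLDER"}]})
LAMBDA_ONLY_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}]})
SFN_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "states.amazonaws.com"},
     "Action": "sts:AssumeRole"}]})

def _as_list(v):
    """IAM allows a single string/object or a list; normalise to a list."""
    return [v] if isinstance(v, (str, dict)) else list(v or [])

def check_role_policy(policy_json):
    """Problems in an identity-based policy, the kind aws_iam_role_policy attaches."""
    problems = []
    for i, s in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if "Principal" in s or "NotPrincipal" in s:
            problems.append(f"statement {i}: Policy document should not specify a principal")
        if "Resource" not in s and "NotResource" not in s:
            problems.append(f"statement {i}: Policy statement must contain resources")
        elif "*" in _as_list(s.get("Resource")):
            problems.append(f"statement {i}: Resource '*'; prefer the function ARN")
    return problems

def check_trust_policy(policy_json, service):
    """Problems in an assume_role_policy meant to let `service` assume the role."""
    problems, trusted = [], False
    for i, s in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if "Resource" in s:
            problems.append(f"statement {i}: trust policy statements take no Resource")
        principal = s.get("Principal") or {}
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (s.get("Effect") == "Allow" and service in services
                and "sts:AssumeRole" in _as_list(s.get("Action"))):
            trusted = True
    if not trusted:
        problems.append(f"no Allow statement lets {service} call sts:AssumeRole")
    return problems
```

Running `check_role_policy` on the question's document reports both AWS errors plus the wildcard Resource, and `check_trust_policy(LAMBDA_ONLY_TRUST, "states.amazonaws.com")` shows why Step Functions could not use processing_lambda_role as written.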