Sling Academy

Terraform Error – MalformedPolicyDocument: Has prohibited field Resource

Last updated: February 03, 2024

Understanding the Error

When using Terraform to manage AWS resources, you may encounter various errors that can halt your deployment process. One such error is MalformedPolicyDocument: Has prohibited field Resource. This error is encountered when defining IAM policies, indicating an issue with how the policy document is structured, particularly with the Resource or NotResource elements. Understanding the cause and knowing how to fix it is crucial for maintaining a smooth infrastructure as code (IaC) process.

The Cause

This error occurs when Terraform attempts to apply an IAM policy that AWS rejects because of an incorrect structure or content. Specifically, AWS is reporting that the policy document includes a Resource field in a statement where that field is not allowed or expected.

Solution 1: Validate Policy Syntax

The first step should always be to ensure your policy follows AWS’s IAM JSON policy grammar correctly. A common mistake is including a Resource element in a policy document whose statements are not allowed to carry one, or, the reverse, omitting it from a policy document where AWS requires it.

  1. Review the IAM JSON policy grammar documentation provided by AWS.
  2. Ensure that your policy document’s structure aligns with the AWS specifications, particularly regarding the use and placement of Resource and NotResource fields within the policy.
  3. Correct the policy syntax and apply changes using Terraform.

Notes: This solution is crucial as it addresses the root cause of the error by ensuring alignment with AWS policy grammar. While it requires careful review, it prevents repetitive errors in future deployments.
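As an added illustration (not code from the original article), the following Python pre-apply check encodes the placement rule behind this error: a role's trust policy (the assume_role_policy of an aws_iam_role in Terraform) must name a Principal and must not carry Resource or NotResource, while an identity policy attached to a user, group or role must name a Resource and must not carry Principal. The two policy documents are constructed samples; the Lambda trust policy carrying a Resource element is the shape that produces the error in practice.

```python
import json

# Fields AWS rejects per policy kind (a summary of the IAM grammar, not article code):
# a role trust policy is scoped to the role it is attached to, so it must not carry
# Resource/NotResource; an identity policy attached to a user, group or role must
# not carry Principal/NotPrincipal. REQUIRED lists what each kind must name instead.
PROHIBITED = {"trust": {"Resource", "NotResource"}, "identity": {"Principal", "NotPrincipal"}}
REQUIRED = {"trust": {"Principal", "NotPrincipal"}, "identity": {"Resource", "NotResource"}}

def lint_policy(document: str, kind: str) -> list:
    """Return problems found in an IAM policy JSON document; an empty list is clean.
    kind is "trust" for an aws_iam_role assume_role_policy, "identity" for a policy
    attached with aws_iam_policy / aws_iam_role_policy."""
    statements = json.loads(document).get("Statement", [])
    if isinstance(statements, dict):  # AWS also accepts a single statement object
        statements = [statements]
    problems = []
    for i, stmt in enumerate(statements):
        present = set(stmt)
        for field in sorted(present & PROHIBITED[kind]):
            problems.append(f"Statement[{i}]: has prohibited field {field} in {kind} policy")
        if not present & REQUIRED[kind]:
            problems.append(f"Statement[{i}]: missing one of {sorted(REQUIRED[kind])}")
    return problems

# Constructed sample: a Lambda execution role trust policy written with a Resource
# element, the shape that makes AWS answer "Has prohibited field Resource".
BAD_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Resource": "*",
    }],
})
# The same trust policy with the Resource element removed; AWS accepts this one.
GOOD_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

if __name__ == "__main__":
    print("bad trust policy ->", lint_policy(BAD_TRUST, "trust"))
    print("good trust policy ->", lint_policy(GOOD_TRUST, "trust") or "OK")
```

Running the check on the rendered policy JSON before terraform apply surfaces the misplaced field locally instead of after a round trip to the IAM API.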

Solution 2: Use Conditional Statements Wisely

Inappropriate use of conditional statements with Resource or NotResource in policy documents can also trigger this error. Conditionals must be used correctly to ensure they do not imply restrictions on resources not intended to be covered by the policy.

  1. Identify conditional statements in your policy document.
  2. Review AWS documentation on conditions in IAM policies to understand their correct usage.
  3. Adjust the conditional statements in your policy to ensure they align with AWS best practices and the intended policy scope.
  4. Reapply the policy using Terraform.

Notes: This solution hinges on a deep understanding of IAM policies and can prevent future errors of a similar nature. However, it may not be straightforward for beginners and requires familiarity with AWS IAM documentation.

Solution 3: Redefine Resource Scope

Another effective fix is reconsidering and possibly narrowing down the Resource scope defined in your policy. Sometimes, specifying too broad a scope or an incorrect resource can lead to this error.

  1. Assess the resources your policy aims to cover.
  2. Narrow down the resource scope by being as specific as possible about which AWS resources the policy should apply to.
  3. Update your Terraform configuration and the policy document accordingly.
  4. Reapply the changes to see if the issue is resolved.

Notes: This method helps ensure that policies are not only correct but also adherent to the principle of least privilege, minimizing potential security risks. However, it may require ongoing adjustments as your AWS resource usage evolves.
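The scope review in steps 1 and 2, as an added Python example that is not from the article: it flags Allow statements whose Resource is a bare wildcard and rewrites them to an explicit ARN list, so the narrowed document can be passed to Terraform. The policy document, bucket name, log group and account id are all constructed placeholders.

```python
import json

def wildcard_statements(document: str) -> list:
    """Indexes of Allow statements whose Resource is (or includes) a bare "*"."""
    statements = json.loads(document)["Statement"]
    if isinstance(statements, dict):  # single statement object form
        statements = [statements]
    hits = []
    for i, stmt in enumerate(statements):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources:
            hits.append(i)
    return hits

def narrow_resources(document: str, explicit: dict) -> str:
    """Return a copy of the policy in which the statements listed in `explicit`
    (statement index -> list of ARNs) have their Resource replaced by those ARNs."""
    policy = json.loads(document)
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = policy["Statement"] = [statements]
    for i, arns in explicit.items():
        statements[i]["Resource"] = list(arns)
    return json.dumps(policy, indent=2)

# Constructed sample identity policy for a Lambda role: statement 0 grants object
# reads on every bucket in the account, far more than the function needs, while
# statement 1 is already scoped to one log group (account id is a placeholder).
BROAD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example:*"},
    ],
})
# Scope statement 0 to the one bucket prefix the function actually reads.
NARROWED = narrow_resources(BROAD, {0: ["arn:aws:s3:::example-bucket/incoming/*"]})

if __name__ == "__main__":
    print("wildcard statements before:", wildcard_statements(BROAD))     # [0]
    print("wildcard statements after: ", wildcard_statements(NARROWED))  # []
    print(NARROWED)
```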

Conclusion

Fixing a MalformedPolicyDocument: Has prohibited field Resource error in Terraform requires a careful examination of your IAM policy documents against AWS’s specifications. By validating the policy’s syntax, leveraging conditional statements wisely, and accurately defining resource scope, you can resolve this error and streamline your Terraform deployments. Regular policy review and adjustment in response to infrastructure changes are key to avoiding similar issues in the future.

Series: Terraform Tutorials