Amazon Web Services: Terraform aws_kms_key raises MalformedPolicyDocumentException


I am implementing some AWS security policies for our customer accounts. I plan to deploy them through Terraform, using the aws_kms_key resource to create some KMS keys for CloudTrail encryption. Here is what my code looks like:

resource "aws_kms_key" "trail" {
  description         = "KMS Key for CloudTrails encryption"
  enable_key_rotation = true

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": "*",
      "Condition": {
          "StringNotLike": {
              "aws:userid": [
                  "${element(split(":", data.aws_caller_identity.current.user_id), 0)}:*"
              ]
          }
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": "*",
      "Condition": {
          "StringNotLike": {
              "aws:userid": [
                  "${element(split(":", data.aws_caller_identity.current.user_id), 0)}:*"
              ]
          }
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": "*",
      "Condition": {
          "StringNotLike": {
              "aws:userid": [
                  "${element(split(":", data.aws_caller_identity.current.user_id), 0)}:*"
              ]
          }
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
EOF
}
In the final statement, the Condition key is duplicated. If you want multiple conditions, create them inside a single Condition.

In your final statement, Condition is duplicated. Could you delete it and try again?

Great, that worked. Thank you very much, Krishna! I am marking this as the answer to close the question.
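The error and the fix above come down to a JSON document with the same key twice in one object. KMS rejects it with MalformedPolicyDocumentException, but many JSON parsers accept such a document and silently keep only the last value, so a policy like this one could lose its aws:userid restriction without anyone noticing. The following added example (not the asker's Terraform code and not part of the original thread) is a small pre-apply check written in Python: it loads a trimmed-down, constructed copy of the last statement from the question with the duplicated Condition, reports duplicate keys, shows what a last-wins parser would keep, and merges the two Condition blocks into one as the answer recommends. The user id "AIDAEXAMPLE" is a constructed placeholder, not a value from the page.

```python
import json

# Constructed sample: a trimmed version of the last statement of the key policy
# from the question, with "Condition" repeated (the defect the answer points out).
# "AIDAEXAMPLE" is a placeholder user id, not a real one.
DUPLICATE_CONDITION_POLICY = r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": "*",
      "Condition": {
        "StringNotLike": {"aws:userid": ["AIDAEXAMPLE:*"]}
      },
      "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
      "Resource": "*",
      "Condition": {
        "Bool": {"kms:GrantIsForAWSResource": "true"}
      }
    }
  ]
}
'''


def find_duplicate_keys(policy_text):
    """Return the names of keys that occur more than once within one JSON object.

    json.loads calls object_pairs_hook with every (key, value) pair of each object,
    including repeats, so duplicates are visible here even though a plain
    json.loads would keep only the last value.
    """
    duplicates = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                duplicates.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(policy_text, object_pairs_hook=hook)
    return duplicates


def surviving_condition_operators(policy_text):
    """Show what a lenient, last-wins parser keeps: the condition operators left in
    the final statement after loading the policy with plain json.loads."""
    doc = json.loads(policy_text)
    return sorted(doc["Statement"][-1]["Condition"].keys())


def merge_conditions(policy_text):
    """Parse the policy, merging repeated Condition blocks of a statement into one
    Condition object (operator by operator), which is the shape the answer asks for.

    Any other repeated key, or two different values for the same condition key,
    is an error rather than something to guess at.
    """

    def hook(pairs):
        merged = {}
        for key, value in pairs:
            if key == "Condition" and "Condition" in merged:
                for operator, cond_keys in value.items():
                    existing = merged["Condition"].setdefault(operator, {})
                    for cond_key, cond_value in cond_keys.items():
                        if cond_key in existing and existing[cond_key] != cond_value:
                            raise ValueError(
                                f"conflicting values for {operator}/{cond_key}")
                        existing[cond_key] = cond_value
            elif key in merged:
                raise ValueError(f"duplicate key {key!r} cannot be merged safely")
            else:
                merged[key] = value
        return merged

    return json.loads(policy_text, object_pairs_hook=hook)


def merged_policy_text(policy_text):
    """Return the merged policy as JSON text, ready to be pasted into the heredoc."""
    return json.dumps(merge_conditions(policy_text), indent=2)


if __name__ == "__main__":
    print("duplicate keys:", find_duplicate_keys(DUPLICATE_CONDITION_POLICY))
    print("kept by a last-wins parser:",
          surviving_condition_operators(DUPLICATE_CONDITION_POLICY))
    print(merged_policy_text(DUPLICATE_CONDITION_POLICY))
```

Running the check on the sample reports "Condition" as duplicated and shows that a last-wins parser would keep only the Bool operator, dropping the StringNotLike restriction on aws:userid. The merged output carries both operators under one Condition, which is the form KMS accepts. In Terraform itself, building the policy with jsonencode() or the aws_iam_policy_document data source (which allows several condition blocks per statement) avoids this class of hand-written JSON error entirely.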