Error: creating Organizations Policy: MalformedPolicyDocumentException

0

I have the following Terraform based on the recommended SCP:

data "aws_iam_policy_document" "restrict-regions-policy" {
  statement {
    sid    = "RegionRestriction"
    effect = "Deny"
    not_actions = [
      "a4b:*",
      "acm:*",
      "aws-marketplace-management:*",
      "aws-marketplace:*",
      "aws-portal:*",
      "budgets:*",
      "ce:*",
      "chime:*",
      "cloudfront:*",
      "config:*",
      "cur:*",
      "directconnect:*",
      "ec2:DescribeRegions",
      "ec2:DescribeTransitGateways",
      "ec2:DescribeVpnGateways",
      "fms:*",
      "globalaccelerator:*",
      "health:*",
      "iam:*",
      "importexport:*",
      "kms:*",
      "mobileanalytics:*",
      "networkmanager:*",
      "organizations:*",
      "pricing:*",
      "route53:*",
      "route53domains:*",
      "route53-recovery-cluster:*",
      "route53-recovery-control-config:*",
      "route53-recovery-readiness:*",
      "s3:GetAccountPublic*",
      "s3:ListAllMyBuckets",
      "s3:ListMultiRegionAccessPoints",
      "s3:PutAccountPublic*",
      "shield:*",
      "sts:*",
      "support:*",
      "trustedadvisor:*",
      "waf-regional:*",
      "waf:*",
      "wafv2:*",
      "wellarchitected:*"
    ]
    actions   = ["*"]
    resources = ["*"]

    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values = [
        "us-east-1",
        "eu-west-1",
      ]
    }
  }
}

resource "aws_organizations_policy" "restrict-regions" {
  name        = "restrict-regions"
  description = "Deny all regions except the ones we use"
  content     = data.aws_iam_policy_document.restrict-regions-policy.json
}

When I am trying to deploy it I get the following error:

Plan: 2 to add, 0 to change, 0 to destroy.
aws_organizations_policy.restrict-regions: Creating...
╷
│ Error: creating Organizations Policy (restrict-regions): MalformedPolicyDocumentException: The provided policy document does not meet the requirements of the specified policy type.
│
│   with aws_organizations_policy.restrict-regions,
│   on scp-deny-regions.tf line 63, in resource "aws_organizations_policy" "restrict-regions":
│   63: resource "aws_organizations_policy" "restrict-regions" {
│
╵

I am not sure what is missing from the policy document.

1 Answer
0
Accepted Answer

I have narrowed it down. Action and NotAction and mutually exclusive. Removing Action fixed the issue.

Istvan
answered 5 months ago
profile pictureAWS
EXPERT
reviewed 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions