hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.

Home Page: https://registry.terraform.io/providers/hashicorp/aws


AWS TAG POLICY CONTENT LIMIT EXCEEDED WHILE IN WEB CONSOLE IT'S INTERPRETED AS CORRECT


This issue was originally opened by @rlig as hashicorp/terraform#24512. It was migrated here as a result of the provider split. The original body of the issue is below.


Hello,

Terraform Version

0.12.19

Terraform Configuration Files

I'm trying to create a tag policy using the aws_organizations_policy resource, just by passing a JSON file as a template to the content argument, example below:

resource "aws_organizations_policy" "aws_master_parent_policy" {
  name        = "AWS_MASTER_PARENT_POLICY_"
  type        = "TAG_POLICY"
  description = "Policy for master tag"

  content = data.template_file.aws_master_parent_policy.rendered
}

Also tried using the templatefile (https://www.terraform.io/docs/configuration/functions/templatefile.html) function. Same issue.

Actual Behavior

The problem is, when I create it using the AWS console I do not get any errors, as the whole policy has about 2000 characters (the limit is 2500). When I try to create it using Terraform I get this error:
Screenshot 2020-03-31 at 18:28:00

Expected Behaviour

Policy created. Its size is valid.

Regards
Rlig

I tried to reproduce this error, but I couldn't.
The size of the JSON file is 2,463 bytes.

resource "aws_organizations_policy" "aws_master_parent_policy" {
  name = "test_policy_for_terraform_provider_aws"
  type = "TAG_POLICY"
  description = "https://github.com/terraform-providers/terraform-provider-aws/issues/12597"

  content = file("test_policy.json")
}

{
  "tags": {
    "CostCenter01": {
      "tag_key": {
        "@@assign": "CostCenter01"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    },
    "CostCenter02": {
      "tag_key": {
        "@@assign": "CostCenter02"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    },
    "CostCenter03": {
      "tag_key": {
        "@@assign": "CostCenter03"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    },
    "CostCenter04": {
      "tag_key": {
        "@@assign": "CostCenter04"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    },
    "CostCenter05": {
      "tag_key": {
        "@@assign": "CostCenter05"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    },
    "CostCenter06": {
      "tag_key": {
        "@@assign": "CostCenter06"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    },
    "CostCenter07": {
      "tag_key": {
        "@@assign": "CostCenter07"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    },
    "CostCenter08": {
      "tag_key": {
        "@@assign": "CostCenter08"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    },
    "CostCenter09": {
      "tag_key": {
        "@@assign": "CostCenter09"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    },
    "CostCenter10": {
      "tag_key": {
        "@@assign": "CostCenter10"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    },
    "CostCenter11": {
      "tag_key": {
        "@@assign": "CostCenter11"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    },
    "CostCenter12": {
      "tag_key": {
        "@@assign": "CostCenter12"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    },
    "CostCenter13": {
      "tag_key": {
        "@@assign": "CostCenter13"
      },
      "tag_value": {
        "@@assign": [
          "Home",
          "Work"
        ]
      }
    }
  }
}

$ terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_organizations_policy.aws_master_parent_policy will be created
  + resource "aws_organizations_policy" "aws_master_parent_policy" {
      + arn         = (known after apply)
      + content     = jsonencode(
            {
              + tags = {
                  + CostCenter01 = {
                      + tag_key   = {
                          + @@assign = "CostCenter01"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                  + CostCenter02 = {
                      + tag_key   = {
                          + @@assign = "CostCenter02"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                  + CostCenter03 = {
                      + tag_key   = {
                          + @@assign = "CostCenter03"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                  + CostCenter04 = {
                      + tag_key   = {
                          + @@assign = "CostCenter04"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                  + CostCenter05 = {
                      + tag_key   = {
                          + @@assign = "CostCenter05"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                  + CostCenter06 = {
                      + tag_key   = {
                          + @@assign = "CostCenter06"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                  + CostCenter07 = {
                      + tag_key   = {
                          + @@assign = "CostCenter07"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                  + CostCenter08 = {
                      + tag_key   = {
                          + @@assign = "CostCenter08"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                  + CostCenter09 = {
                      + tag_key   = {
                          + @@assign = "CostCenter09"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                  + CostCenter10 = {
                      + tag_key   = {
                          + @@assign = "CostCenter10"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                  + CostCenter11 = {
                      + tag_key   = {
                          + @@assign = "CostCenter11"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                  + CostCenter12 = {
                      + tag_key   = {
                          + @@assign = "CostCenter12"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                  + CostCenter13 = {
                      + tag_key   = {
                          + @@assign = "CostCenter13"
                        }
                      + tag_value = {
                          + @@assign = [
                              + "Home",
                              + "Work",
                            ]
                        }
                    }
                }
            }
        )
      + description = "https://github.com/terraform-providers/terraform-provider-aws/issues/12597"
      + id          = (known after apply)
      + name        = "test_policy_for_terraform_provider_aws"
      + type        = "TAG_POLICY"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_organizations_policy.aws_master_parent_policy: Creating...
aws_organizations_policy.aws_master_parent_policy: Creation complete after 2s [id=p-95j06yzgnz]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
  • terraform: 0.12.24
  • terraform-provider-aws: 2.55.0

I am seeing this issue also, and I copy-pasted this policy from the AWS Console.

terraform version 
Terraform v0.12.28
+ provider.acme v1.5.0
+ provider.aws v2.65.0
+ provider.local v1.4.0
+ provider.postgresql v1.5.0
+ provider.tls v2.2.0
ls -l ./policy-documents/org-policy-tagging-xxxxx.json
-rw-r--r--  1 xxxxx  staff  4426 Sep  5 02:10 ./policy-documents/org-policy-tagging-xxxxx.json

Error: error updating Organizations Policy: ConstraintViolationException: You have exceeded the maximum policy size.

{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "9c3535db-e23f-46b0-b6d1-a77b35ba46f5"
  },
  Message_: "You have exceeded the maximum policy size.",
  Reason: "POLICY_CONTENT_LIMIT_EXCEEDED"
}

  on org-policy-tagging.tf line 1, in resource "aws_organizations_policy" "pl_tagging_policy_xxxx_key":
   1: resource "aws_organizations_policy" "pl_tagging_policy_xxxx_key" {

The policy used was:

{
    "tags": {
        "yyy1": {
            "tag_key": {
                "@@assign": "xxxxx"
            },
            "tag_value": {
                "@@assign": [
                    "xxxxxxx1",
                    "xx1",
                    "xxx2",
                    "x3",
                    "x4",
                    "x5",
                    "x7",
                    "x8",
                    "x9",
                    "x10",
                    "x11",
                    "x12",
                    "x12",
                    "x13"
                ]
            },
            "enforced_for": {
                "@@assign": [
                    "apigateway:apikeys",
                    "apigateway:domainnames",
                    "apigateway:restapis",
                    "apigateway:stages",
                    "appmesh:*",
                    "athena:*",
                    "acm:*",
                    "cloudfront:*",
                    "cloudtrail:*",
                    "cloudwatch:*",
                    "events:*",
                    "codebuild:*",
                    "codecommit:*",
                    "codepipeline:*",
                    "cognito-identity:*",
                    "cognito-idp:*",
                    "comprehend:*",
                    "config:*",
                    "directconnect:*",
                    "dms:*",
                    "dynamodb:*",
                    "ec2:capacity-reservation",
                    "ec2:client-vpn-endpoint",
                    "ec2:customer-gateway",
                    "ec2:dhcp-options",
                    "ec2:elastic-ip",
                    "ec2:fleet",
                    "ec2:fpga-image",
                    "ec2:host-reservation",
                    "ec2:image",
                    "ec2:instance",
                    "ec2:internet-gateway",
                    "ec2:launch-template",
                    "ec2:natgateway",
                    "ec2:network-acl",
                    "ec2:network-interface",
                    "ec2:reserved-instances",
                    "ec2:route-table",
                    "ec2:security-group",
                    "ec2:snapshot",
                    "ec2:spot-instance-request",
                    "ec2:subnet",
                    "ec2:traffic-mirror-filter",
                    "ec2:traffic-mirror-target",
                    "ec2:traffic-mirror-session",
                    "ec2:volume",
                    "ec2:vpc",
                    "ec2:vpc-endpoint",
                    "ec2:vpc-endpoint-service",
                    "ec2:vpc-peering-connection",
                    "ec2:vpn-connection",
                    "ec2:vpn-gateway",
                    "elasticfilesystem:*",
                    "elasticbeanstalk:application",
                    "elasticbeanstalk:applicationversion",
                    "elasticbeanstalk:configurationtemplate",
                    "elasticbeanstalk:platform",
                    "ecs:task-set",
                    "ecs:cluster",
                    "ecs:service",
                    "elasticache:cluster",
                    "elasticloadbalancing:*",
                    "firehose:*",
                    "fsx:*",
                    "iotanalytics:*",
                    "iotevents:*",
                    "kinesisanalytics:*",
                    "kms:*",
                    "lambda:*",
                    "rds:cluster-pg",
                    "rds:es",
                    "rds:og",
                    "rds:pg",
                    "rds:ri",
                    "rds:secgrp",
                    "rds:subgrp",
                    "redshift:*",
                    "ram:*",
                    "resource-groups:*",
                    "route53:hostedzone",
                    "route53resolver:*",
                    "s3:bucket",
                    "secretsmanager:*",
                    "sqs:queue",
                    "states:*",
                    "storagegateway:*",
                    "ssm:automation-execution",
                    "ssm:document",
                    "ssm:opsitem",
                    "ssm:session",
                    "ssm:patchbaseline",
                    "ssm:maintenancewindowtask",
                    "ssm:managed-instance",
                    "workspaces:*"
                ]
            }
        }
    }
}

I'm getting the same issue as well. The only method that worked was using jsonencode() with the policy. The file function, template resource, and data.aws_iam_policy_document resource all had the same "POLICY_CONTENT_LIMIT_EXCEEDED" error.

I'm getting the same issue as well. The only method that worked was using jsonencode() with the policy. The file function, template resource, and data.aws_iam_policy_document resource all had the same "POLICY_CONTENT_LIMIT_EXCEEDED" error.

You have an example?

Figured it out: created a local variable and wrapped the JSON inside jsonencode(JSON). This also worked for me.

This is due to the JSON file exceeding the size limit. It would work if you minify the JSON file (jq -c . file.json > file-mini.json). A good workaround is to use jsondecode(), which will produce minified output, e.g.: jsonencode(jsondecode(templatefile("xxx", {})))
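A pre-apply size check for the workaround described in this comment, added here as an example (it is not code from the thread or from the provider). It rebuilds the CostCenter01..13 sample policy posted above, measures the pretty-printed and minified encodings in bytes against the 2500-byte limit quoted earlier in the thread, and shows that a 25-entry version of the same policy fits only once minified; the entry counts and the 2500 limit are assumptions taken from the thread.

```python
import json

# AWS Organizations rejects oversized policy content with
# POLICY_CONTENT_LIMIT_EXCEEDED; 2500 is the limit quoted in the thread.
TAG_POLICY_CONTENT_LIMIT = 2500


def build_sample_tag_policy(n_entries: int = 13) -> dict:
    """Constructed sample mirroring the CostCenter01..13 policy in the thread."""
    tags = {}
    for i in range(1, n_entries + 1):
        key = f"CostCenter{i:02d}"
        tags[key] = {
            "tag_key": {"@@assign": key},
            "tag_value": {"@@assign": ["Home", "Work"]},
        }
    return {"tags": tags}


def pretty_json(policy: dict) -> str:
    # Same layout as the policy file posted in the thread: 2-space indent,
    # one value per line, trailing newline.
    return json.dumps(policy, indent=2) + "\n"


def minified_json(policy: dict) -> str:
    # Same shape as `jq -c` or Terraform's jsonencode(): no whitespace at all.
    return json.dumps(policy, separators=(",", ":"))


def content_size(content: str) -> int:
    # The limit applies to the string the API receives, so measure UTF-8
    # bytes rather than Python characters.
    return len(content.encode("utf-8"))


def check_policy_file(text: str, limit: int = TAG_POLICY_CONTENT_LIMIT) -> dict:
    """Pre-apply check: raw vs minified size and whether each fits the limit."""
    policy = json.loads(text)  # also fails loudly on malformed JSON
    mini = minified_json(policy)
    return {
        "raw_bytes": content_size(text),
        "minified_bytes": content_size(mini),
        "raw_fits": content_size(text) <= limit,
        "minified_fits": content_size(mini) <= limit,
    }


if __name__ == "__main__":
    # 13 entries fit even pretty-printed; 25 entries fit only when minified.
    for n in (13, 25):
        print(n, check_policy_file(pretty_json(build_sample_tag_policy(n))))
```

Running the check on the rendered template before `terraform apply` turns the opaque ConstraintViolationException into a byte count you can act on.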

I had the same problem. Notice that if you are using Ansible to provision, this is how you can get the minified output:

  - block:
      # block wrapper so the trailing `when:` gates all three tasks
      # (the opening line was missing from the pasted snippet)
      - name: Set policy check fact
        set_fact:
          policy_res: "{{ check_policy_result.stdout | from_json | first }}"

      - name: Load policy
        # to_json with compact separators strips the whitespace that pushes the
        # pretty-printed file over the policy size limit; the lookup takes the
        # variable directly, since nested "{{ }}" inside a template is deprecated
        set_fact:
          _policy: "{{ lookup(_lookup, _file) | from_json | to_json(separators=(',',':')) }}"

      - name: Update policy - {{ _name }}
        command: |
          aws organizations update-policy
          --policy-id {{ policy_res.Id }}
          --name {{ _name }}
          --description "{{ _description }}"
          --content '{{ _policy }}'
    when:
      - check_policy_result.stdout != '[]'

Closing as it looks like a way forward was found via the comments from the community! 🚀

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.