
[Bug]: aws_iam_policy_document panics on nested arrays in Principal.AWS #46188

@mrf

Description

Terraform and AWS Provider Version

```console
$ terraform --version
Terraform v1.11.4
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v6.27.0
```


Also confirmed on v6.28.0.

Affected Resource(s) or Data Source(s)

  • aws_iam_policy_document (data source)

Expected Behavior

When source_policy_documents contains JSON with an invalid nested array structure in Principal.AWS (e.g., [["arn:..."], "arn:..."] instead of ["arn:...", "arn:..."]), the provider should return a descriptive error message indicating the policy JSON contains an invalid Principal structure.

Actual Behavior

The provider panics with an unrecoverable error instead of returning a proper diagnostic.

Relevant Error/Panic Output

```text
panic: interface conversion: interface {} is []interface {}, not string

goroutine 44 [running]:
github.com/hashicorp/terraform-provider-aws/internal/service/iam.(*iamPolicyStatementPrincipalSet).UnmarshalJSON(...)
    github.com/hashicorp/terraform-provider-aws/internal/service/iam/policy_model.go:160 +0x58c
encoding/json.(*decodeState).object(0x140010c9cb0, {0x11d5cb200?, 0x14001bf05e0?, 0x0?})
    encoding/json/decode.go:605 +0x5c0
...
github.com/hashicorp/terraform-provider-aws/internal/service/iam.dataSourcePolicyDocumentRead(...)
    github.com/hashicorp/terraform-provider-aws/internal/service/iam/policy_document_data_source.go:190 +0x1104

Error: The terraform-provider-aws_v6.27.0_x5 plugin crashed!
```

Sample Terraform Configuration

<details open>
<summary>Click to expand configuration</summary>

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "6.27.0"
    }
  }
}

provider "aws" {
  region                      = "us-west-2"
  skip_credentials_validation = true
  skip_metadata_api_check     = true
  skip_requesting_account_id  = true
  access_key                  = "mock"
  secret_key                  = "mock"
}

locals {
  # This creates a nested array: [["arn:..."], "arn:..."]
  # which is invalid but should not cause a panic
  policy_with_nested_array = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "Test"
      Effect = "Allow"
      Principal = {
        AWS = [
          ["arn:aws:iam::123456789012:role/nested"],  # nested array
          "arn:aws:iam::987654321098:root",           # string
        ]
      }
      Action   = ["s3:GetObject"]
      Resource = "*"
    }]
  })
}

data "aws_iam_policy_document" "crashes" {
  source_policy_documents = [local.policy_with_nested_array]
}
```
</details>


### Steps to Reproduce

1. Save the configuration above to `main.tf`
2. Run `terraform init`
3. Run `terraform plan`
4. Observe the panic


### Debug Logging

<details open>
<summary>Click to expand log output</summary>

```console
$ terraform plan
data.aws_iam_policy_document.crashes: Reading...

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Request cancelled
│
│   with data.aws_iam_policy_document.crashes,
│   on main.tf line 49, in data "aws_iam_policy_document" "crashes":
│   49: data "aws_iam_policy_document" "crashes" {
│
│ The plugin.(*GRPCProvider).ReadDataSource request was cancelled.
╵

Stack trace from the terraform-provider-aws_v6.27.0_x5 plugin:

panic: interface conversion: interface {} is []interface {}, not string

goroutine 16 [running]:
github.com/hashicorp/terraform-provider-aws/internal/service/iam.(*iamPolicyStatementPrincipalSet).UnmarshalJSON(0x140020b03d0, {0x140041081e6, 0x54, 0x8a})
	github.com/hashicorp/terraform-provider-aws/internal/service/iam/policy_model.go:160 +0x58c
encoding/json.(*decodeState).object(0x1400173c480, {0x11d29f200?, 0x140020b03d0?, 0x0?})
	encoding/json/decode.go:605 +0x5c0
encoding/json.(*decodeState).value(0x1400173c480, {0x11d29f200?, 0x140020b03d0?, 0x9?})
	encoding/json/decode.go:375 +0x40
encoding/json.(*decodeState).object(0x1400173c480, {0x11c837780?, 0x1400223d168?, 0x102826c30?})
	encoding/json/decode.go:762 +0xae4
encoding/json.(*decodeState).value(0x1400173c480, {0x11c837780?, 0x1400223d168?, 0x1?})
	encoding/json/decode.go:375 +0x40
encoding/json.(*decodeState).array(0x1400173c480, {0x11c96e540?, 0x14001af7d20?, 0x11cdfa000?})
	encoding/json/decode.go:556 +0x484
encoding/json.(*decodeState).value(0x1400173c480, {0x11c96e540?, 0x14001af7d20?, 0x1400024e800?})
	encoding/json/decode.go:365 +0x70
encoding/json.(*decodeState).object(0x1400173c480, {0x11d29f260?, 0x14001af7d00?, 0x102831990?})
	encoding/json/decode.go:762 +0xae4
encoding/json.(*decodeState).value(0x1400173c480, {0x11d29f260?, 0x14001af7d00?, 0x102831480?})
	encoding/json/decode.go:375 +0x40
encoding/json.(*decodeState).unmarshal(0x1400173c480, {0x11d29f260?, 0x14001af7d00?})
	encoding/json/decode.go:178 +0x100
encoding/json.Unmarshal({0x140041081a0, 0xd0, 0xd0}, {0x11d29f260, 0x14001af7d00})
	encoding/json/decode.go:108 +0xe4
github.com/hashicorp/terraform-provider-aws/internal/service/iam.dataSourcePolicyDocumentRead({0x14000f859a0?, 0x0?}, 0x1400173c3f0, {0x0?, 0x11ff21820?})
	github.com/hashicorp/terraform-provider-aws/internal/service/iam/policy_document_data_source.go:190 +0x1104

Error: The terraform-provider-aws_v6.27.0_x5 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.
```
</details>

GenAI / LLM Assisted Development

Claude Code for example reproduction

Important Facts and References

In policy_model.go:160, the UnmarshalJSON method assumes all elements in the Principal array are strings:

```go
case []any:
    values := []string{}
    for _, v := range value.([]any) {
        values = append(values, v.(string))  // Panics if v is []interface{}
    }
```

The fix should add a type assertion check and return a proper error for non-string elements.

Related Issues

Would you like to implement a fix?

No
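As an added example (not code from this issue and not the provider's own `iamPolicyStatementPrincipalSet`), the following Go program shows the defensive shape of the fix the report asks for: an `UnmarshalJSON` for the string-or-list `Principal.AWS` value that uses a comma-ok type assertion and returns a descriptive error for a nested array, next to the unchecked `v.(string)` pattern quoted above, which is shown panicking under `recover`. The type and function names `principalSet`, `ErrInvalidPrincipal`, `policy`, `parsePolicy`, `unsafeCollect` and `panicsOn` are hypothetical, and the embedded policy JSON is constructed from the report's sample configuration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// principalSet mirrors the string-or-list shape of an IAM Principal.AWS
// value: either "arn:..." or ["arn:...", "arn:..."]. Hypothetical type,
// not the provider's iamPolicyStatementPrincipalSet.
type principalSet []string

// ErrInvalidPrincipal is returned for any element that is not a JSON string.
var ErrInvalidPrincipal = errors.New("invalid IAM principal")

// UnmarshalJSON accepts a JSON string or an array of JSON strings. Any other
// shape (a nested array, an object, a number or null inside the array) is
// rejected with a descriptive error instead of a runtime panic.
func (p *principalSet) UnmarshalJSON(b []byte) error {
	var raw any
	if err := json.Unmarshal(b, &raw); err != nil {
		return err
	}
	switch v := raw.(type) {
	case string:
		*p = principalSet{v}
		return nil
	case []any:
		out := make(principalSet, 0, len(v))
		for i, elem := range v {
			s, ok := elem.(string) // comma-ok assertion: never panics
			if !ok {
				return fmt.Errorf("%w: element %d is %T, expected string", ErrInvalidPrincipal, i, elem)
			}
			out = append(out, s)
		}
		*p = out
		return nil
	default:
		return fmt.Errorf("%w: got %T, expected string or array of strings", ErrInvalidPrincipal, raw)
	}
}

// policy is the minimal slice of a policy document needed for the demo.
type policy struct {
	Statement []struct {
		Principal struct {
			AWS principalSet
		}
	}
}

// parsePolicy decodes a policy document and returns the Principal.AWS values
// of its first statement, or an error describing the malformed principal.
func parsePolicy(doc string) ([]string, error) {
	var p policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	if len(p.Statement) == 0 {
		return nil, errors.New("policy has no statements")
	}
	return []string(p.Statement[0].Principal.AWS), nil
}

// unsafeCollect reproduces the unchecked pattern from the report: a bare
// v.(string) assertion over each element. It panics on a nested array.
func unsafeCollect(elems []any) []string {
	values := []string{}
	for _, v := range elems {
		values = append(values, v.(string))
	}
	return values
}

// panicsOn reports whether unsafeCollect panics for the given input by
// recovering the runtime error, which a plugin host does not do for us.
func panicsOn(elems []any) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	unsafeCollect(elems)
	return false
}

func main() {
	// Constructed input: the invalid nested-array shape from the report.
	const nested = `{"Version":"2012-10-17","Statement":[{"Sid":"Test","Effect":"Allow","Principal":{"AWS":[["arn:aws:iam::123456789012:role/nested"],"arn:aws:iam::987654321098:root"]},"Action":["s3:GetObject"],"Resource":"*"}]}`
	_, err := parsePolicy(nested)
	fmt.Println("nested array:", err)
	fmt.Println("unchecked v.(string) panics:", panicsOn([]any{[]any{"x"}, "y"}))
}
```

The comma-ok form `s, ok := elem.(string)` is the whole fix: a failed single-value assertion is a runtime panic, and `encoding/json` only recovers its own internal errors, so the panic escapes `json.Unmarshal`, kills the provider process, and Terraform reports the "Request cancelled" error seen in the log above rather than a diagnostic the user can act on. Returning a wrapped error keeps `errors.Is(err, ErrInvalidPrincipal)` usable by callers and carries the element index and actual type in the message.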

Labels

  • bug: Addresses a defect in current functionality.
  • crash: Results from or addresses a Terraform crash or kernel panic.
  • service/iam: Issues and PRs that pertain to the iam service.