How to fix MalformedPolicy errors when applying S3 bucket policies in Terraform. Debug JSON syntax, ARN format, and principal issues.
```text
Error putting S3 policy: MalformedPolicy: Invalid principal in policy
```

The S3 bucket policy has invalid JSON, an incorrect ARN format, or references a principal that doesn't exist. This also happens when the policy exceeds the 20 KB size limit or has conflicting statements.
```hcl
# BAD — heredoc is error-prone
resource "aws_s3_bucket_policy" "public" {
  bucket = aws_s3_bucket.web.id
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}
EOF
}
```
```hcl
# GOOD — jsonencode catches errors at plan time
resource "aws_s3_bucket_policy" "public" {
  bucket = aws_s3_bucket.web.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "PublicRead"
      Effect    = "Allow"
      Principal = "*"
      Action    = "s3:GetObject"
      Resource  = "${aws_s3_bucket.web.arn}/*"
    }]
  })
}
```

For a bucket that serves a CloudFront distribution, grant the service principal and restrict it to your distribution's ARN instead of opening the bucket to everyone:

```hcl
resource "aws_s3_bucket_policy" "cdn" {
  bucket = aws_s3_bucket.web.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "AllowCloudFront"
      Effect = "Allow"
      Principal = {
        Service = "cloudfront.amazonaws.com"
      }
      Action   = "s3:GetObject"
      Resource = "${aws_s3_bucket.web.arn}/*"
      Condition = {
        StringEquals = {
          "AWS:SourceArn" = aws_cloudfront_distribution.cdn.arn
        }
      }
    }]
  })
}
```

```sh
# Validate the policy document before applying it. put-bucket-policy has no
# --dry-run flag, so running it would apply the policy for real; check the
# JSON locally instead.
python3 -m json.tool policy.json > /dev/null && echo "policy.json is valid JSON"

# Show the policy currently attached to the bucket
aws s3api get-bucket-policy --bucket my-bucket --query Policy --output text | python3 -m json.tool
```

Before applying:

- `terraform plan`: always review before applying
- `terraform validate`: catches syntax errors early
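The causes listed above (bad JSON, wrong ARN format, a principal that is not an account id or IAM ARN, a document over 20 KB) can all be caught before Terraform or the CLI sends the policy to AWS. The following Python pre-check is an added example, not code from the article or from Terraform; the bucket name, the account id 123456789012 and the distribution id are constructed placeholders, and the check only inspects the document's shape, so it cannot tell whether a principal actually exists.

```python
# Offline shape check for an S3 bucket policy document (added example, not from the article).
import json
import re

MAX_POLICY_BYTES = 20 * 1024  # S3 rejects bucket policies larger than 20 KB
S3_ARN = re.compile(r"^arn:aws(-[a-z]+)?:s3:::([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])(/.*)?$")
IAM_ARN = re.compile(r"^arn:aws(-[a-z]+)?:iam::\d{12}:(root|user/.+|role/.+|assumed-role/.+)$")
ACCOUNT_ID = re.compile(r"^\d{12}$")
SERVICE_PRINCIPAL = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com$")
PRINCIPAL_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _check_principal(principal, sid, errors):
    """Principal must be "*" or a map keyed by a known principal type."""
    if principal == "*":
        return
    if not isinstance(principal, dict):
        errors.append(f'{sid}: Principal must be "*" or an object')
        return
    for kind, values in principal.items():
        if kind not in PRINCIPAL_KEYS:
            errors.append(f"{sid}: unknown Principal type {kind!r}")
            continue
        for value in _as_list(values):
            if not isinstance(value, str):
                errors.append(f"{sid}: {kind} principal must be a string")
            elif kind == "AWS" and value != "*" and not (IAM_ARN.match(value) or ACCOUNT_ID.match(value)):
                errors.append(f"{sid}: AWS principal {value!r} is not an account id or IAM ARN")
            elif kind == "Service" and not SERVICE_PRINCIPAL.match(value):
                errors.append(f"{sid}: Service principal {value!r} is not a *.amazonaws.com name")


def validate_bucket_policy(document, bucket):
    """Return {"errors": [...], "warnings": [...]} for a policy JSON string."""
    errors, warnings = [], []
    size = len(document.encode("utf-8"))
    if size > MAX_POLICY_BYTES:
        errors.append(f"policy is {size} bytes, over the {MAX_POLICY_BYTES} byte limit")
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:  # the heredoc failure mode: a stray comma or quote
        errors.append(f"invalid JSON: {exc}")
        return {"errors": errors, "warnings": warnings}
    if not isinstance(policy, dict) or policy.get("Version") != "2012-10-17":
        errors.append('policy must be an object with Version "2012-10-17"')
        return {"errors": errors, "warnings": warnings}
    statements = policy.get("Statement")
    statements = [statements] if isinstance(statements, dict) else statements
    if not isinstance(statements, list) or not statements:
        errors.append("Statement must be a non-empty list")
        return {"errors": errors, "warnings": warnings}
    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            errors.append(f"{sid}: Effect must be Allow or Deny")
        if "Principal" in stmt:
            _check_principal(stmt["Principal"], sid, errors)
        elif "NotPrincipal" not in stmt:
            errors.append(f"{sid}: bucket policies require a Principal")
        if "Action" not in stmt and "NotAction" not in stmt:
            errors.append(f"{sid}: missing Action")
        for res in _as_list(stmt.get("Resource")):
            match = S3_ARN.match(res)
            if not match:
                errors.append(f"{sid}: Resource {res!r} is not an S3 ARN")
            elif match.group(2) != bucket:  # catches a hard-coded name that differs from the managed bucket
                errors.append(f"{sid}: Resource {res!r} names a bucket other than {bucket!r}")
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") == "*" and "Condition" not in stmt:
            warnings.append(f'{sid}: Allow to Principal "*" with no Condition grants anonymous access')
    return {"errors": errors, "warnings": warnings}


# Constructed sample documents (placeholder bucket, account and distribution ids)
BUCKET = "example-web-bucket"
CDN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFront", "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"StringEquals": {"AWS:SourceArn":
        "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"}}}]})
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})
BAD_PRINCIPAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Deploy", "Effect": "Allow", "Principal": {"AWS": "deploy-user"},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*"}]})
BROKEN_HEREDOC = '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",}]}'

if __name__ == "__main__":
    for name, doc in [("cdn", CDN_POLICY), ("public", PUBLIC_READ_POLICY),
                      ("bad-principal", BAD_PRINCIPAL_POLICY), ("heredoc", BROKEN_HEREDOC)]:
        print(name, validate_bucket_policy(doc, BUCKET))
```

Run it against the JSON that `terraform show -json` or `aws s3api get-bucket-policy` returns and treat any entry in `errors` as a stop; `warnings` flags a public-read statement so a reviewer sees it before apply. For a server-side check that knows AWS's full grammar, `aws accessanalyzer validate-policy --policy-document file://policy.json --policy-type RESOURCE_POLICY` complements this script.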
This error is common and fixable. Follow the solutions above, and check our Terraform course for hands-on training that covers real-world troubleshooting scenarios.