I was affected by a bug in the AWS provider for Terraform recently.

I've got the following error when applying Terraform changes:

Error: creating IAM Policy (MyPolicyName): MalformedPolicyDocument: The policy failed legacy parsing

According to the AWS docs the policy for sts:AssumeRole should look like the following:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::account-id:role/Test*"
  }
}

It works that way in AWS Console and with AWS CLI (I have personally tried that in AWS Console and people on the Internet reported that it works in AWS CLI).

But not with Terraform!

The bug in the provider requires an array to be used for the Statement, like this:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::account-id:role/Test*"
  }]
}

Regardless of a single statement being used in the policy.

When I was trying to google the error without the Terraform keyword, the results were showing that I may be missing the Version statement, which I copied from AWS docs, or that it could be missing !Sub directive in my CloudFormation Stack, which I didn't have at all.

I hope you find that useful and if you are affected too, feel free to upvote the issue!