Terraform-provider-aws: aws_cloudwatch_event_target role_arn and built-in target

Created on 15 Dec 2017 · 6 comments · Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @susannamartinelli as hashicorp/terraform#16929. It was migrated here as a result of the provider split. The original body of the issue is below._


Hi there,
I found a lack of documentation regarding built-in commands in aws_cloudwatch_event_target.
For example, I need to stop a running instance after the event rule is triggered, so I wrote my target this way:

```hcl
resource "aws_cloudwatch_event_target" "mongolocal-stop" {
  target_id = "mongo.local-stop"
  rule      = "${aws_cloudwatch_event_rule.mongolocal-stop.name}"

  # Built-in (automation) target ARN for the EC2StopInstance action
  arn = "arn:aws:automation:${var.aws_region}:${var.aws_account_id}:action/EC2StopInstance/EC2StopInstance_mongolocal-stop"

  # The instance to stop, passed to the built-in action as a JSON string
  input = "${jsonencode("arn:aws:ec2:${var.aws_region}:${var.aws_account_id}:instance/${aws_instance.mongolocal.id}")}"
}
```

But this target will fail because I need to associate a particular Role (in order to have the right policies to Stop an instance) to this target.
I simply want the resulting target to look like this:
[screenshot, 2017-12-15 17:38:32: the target as shown in the CloudWatch console, with its role ARN]
In the documentation there is a field called role_arn. I tried to set it in this file to the role ARN shown in the picture, but during the apply phase there is an error:

* aws_cloudwatch_event_target.mongolocal-stop: Creating CloudWatch Event Target failed: ValidationException: RoleArn is not supported for target arn:aws:automation:%REGION%:%ACCOUNT%:action/EC2StopInstance/EC2StopInstance_mongolocal-stop.

Last but not least :) is there a list of built-in actions that can be associated with a target?
For example, in this case I used arn:aws:automation:${var.aws_region}:${var.aws_account_id}:action/EC2StopInstance/..., but I'm wondering if I could use arn:aws:automation:${var.aws_region}:${var.aws_account_id}:action/EC2StartInstance/... etc.

My terraform version is: v0.10.8
Thanks
Best

Labels: question, service/cloudwatchevents, stale

All 6 comments

I have the same issue with a different action:

aws_cloudwatch_event_target.ebs_snapshot: Creating CloudWatch Event Target failed: ValidationException: RoleArn is not supported for target arn:aws:automation:eu-west-1:${var.aws_account_id}:action/EBSCreateSnapshot/EBSCreateSnapshot_ebs_vol_a.

Looks like we can only use RoleARN with aws_cloudwatch_event_rule but not with aws_cloudwatch_event_target resource.

Terraform version:

$ terraform --version
Terraform v0.11.1

  • provider.aws v0.1.4
  • provider.template v1.0.0

EDIT

I realized I had an ancient provider.aws version; I've since upgraded to 1.6.0, but the issue is still the same:

Terraform v0.11.1

  • provider.aws v1.6.0
  • provider.template v1.0.0

Looks like AWS does not support this.
In the EBS scheduled snapshot tutorial, they note:

"Creating rules with built-in targets is supported only in the AWS Management Console."

@rszalski I was actually able to get this working with EC2 CreateSnapshot API call event targets using a slightly different target ARN:

```hcl
resource "aws_cloudwatch_event_target" "example_event_target" {
  target_id = "example"
  rule      = "${aws_cloudwatch_event_rule.snapshot_example.name}"

  # Events-service target ARN for the built-in create-snapshot action
  # (not the arn:aws:automation:... form, which rejects role_arn)
  arn = "arn:aws:events:${var.aws_region}:${var.account_id}:target/create-snapshot"

  # Volume to snapshot, passed as a JSON string
  input = "${jsonencode("${aws_ebs_volume.example.id}")}"

  # Role CloudWatch Events assumes to call the EC2 API on our behalf
  role_arn = "${aws_iam_role.snapshot_permissions.arn}"
}
```

The target's ARN was arn:aws:events:${var.aws_region}:${var.account_id}:target/create-snapshot instead of arn:aws:automation:${var.aws_region}:${var.aws_account_id}:action/EBSCreateSnapshot/EBSCreateSnapshot_ebs_vol_a. This allows you to set the role_arn on the target resource. I'm not sure why this works, as I believe @azban was correct in saying that this isn't a supported feature of AWS. But I'm also not complaining.

I posted a more detailed writeup in this Stack Overflow answer.
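The working pattern from the comment above, filled out with the IAM role it references, as an added example: this is not code from the thread, the provider, or AWS. The only facts taken from the thread are the arn:aws:events:...:target/create-snapshot target ARN and that it accepts role_arn while the arn:aws:automation:... form rejects it with ValidationException. The rule, role and policy names, the schedule, the variable names and the aws_ebs_volume.example reference are assumptions. The security point is the role itself: its trust policy admits only the events.amazonaws.com service principal, and its permission policy grants only ec2:CreateSnapshot, so the role is useless to any caller other than CloudWatch Events and cannot be used to do anything but create snapshots. Whether that single action is sufficient for the built-in target, and whether it can be scoped below Resource "*", is assumed and not confirmed by the thread.

```hcl
# Added example, not from the thread. Terraform 0.11-era syntax to match the page.

variable "aws_region" {}
variable "account_id" {}

# The volume being snapshotted is assumed to be declared elsewhere, e.g.
# resource "aws_ebs_volume" "example" { ... }

# Scheduled rule; the nightly 03:00 UTC schedule is an assumption.
resource "aws_cloudwatch_event_rule" "snapshot_example" {
  name                = "nightly-ebs-snapshot"
  schedule_expression = "cron(0 3 * * ? *)"
}

# Role that CloudWatch Events assumes when it invokes the target.
# Trust is limited to the events.amazonaws.com service principal; no IAM
# user, Lambda function or EC2 instance can assume it.
resource "aws_iam_role" "snapshot_permissions" {
  name = "cloudwatch-events-create-snapshot"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "events.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permission policy with only the action the target needs.
# Resource "*" is an assumption; tighten it to the volume and snapshot ARNs
# if ec2:CreateSnapshot supports resource-level permissions in your account.
resource "aws_iam_role_policy" "snapshot_permissions" {
  name = "create-snapshot-only"
  role = "${aws_iam_role.snapshot_permissions.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateSnapshot",
      "Resource": "*"
    }
  ]
}
EOF
}

# Target using the arn:aws:events:...:target/create-snapshot form from the
# comment above. The arn:aws:automation:...:action/EBSCreateSnapshot/... form
# fails with "ValidationException: RoleArn is not supported for target ...".
resource "aws_cloudwatch_event_target" "example_event_target" {
  target_id = "example"
  rule      = "${aws_cloudwatch_event_rule.snapshot_example.name}"
  arn       = "arn:aws:events:${var.aws_region}:${var.account_id}:target/create-snapshot"
  input     = "${jsonencode("${aws_ebs_volume.example.id}")}"
  role_arn  = "${aws_iam_role.snapshot_permissions.arn}"
}
```

After `terraform apply`, `aws events list-targets-by-rule --rule nightly-ebs-snapshot` should list the target with its RoleArn populated; if the role is missing or carries a broader policy than the one above, that is the first place to look when snapshots silently do not appear or when a rule target can reach more of the account than intended.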

@kevinchabreck nice!

I thought I saw somewhere on AWS' CW console that they said they were working to make the CloudWatch built-in triggers exposed better via the API. Maybe they made a change recently and now the ability is there?

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

I'm going to lock this issue because it has been closed for _30 days_. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
