Terraform-provider-aws: CW Event Target and SSM Automation - Error during creation (Invalid RunCommandParameters)

Created on 14 Nov 2018 · 8 Comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.10
+ provider.aws v1.43.2
+ provider.template v1.0.0

Affected Resource(s)

aws_cloudwatch_event_target

Terraform Configuration Files

# Resource file for Event Target
resource "aws_cloudwatch_event_target" "ssm_automation_target" {
  count               = "${var.target_type == "ssm_automation" ? 1 : 0}"
  target_id           = "${local.target_id}"
  arn                 = "${var.arn}"
  rule                = "${var.rule}"
  role_arn            = "${var.role_arn}"
}

# Resource file for SSM Document
resource "aws_ssm_document" "ssm_document" {
  name                 = "${local.name}"
  document_type        = "${var.document_type}"
  content              = "${data.template_file.ssm_document.*.rendered[count.index]}"
  document_format      = "${var.document_format}"
  tags                 = "${local.tags}"
}

# Module file for Event Target
module config_rule_report_cw_event_target {
  source                  = "git::ssh://xxxx.xxxx.xxxx/xx-xxx/tf-aws-cw-events-target.git"
  target_type             = "ssm_automation"
  target_id               = "${upper(element(var.base_name, 7))}"
  rule                    = "${module.config_rule_report_cw_event_rule.name}"
  arn                     = "${module.config_rule_report_ssm_automation.arn}"
  role_arn                = "${module.config_rule_report_cw_role.arn}"
}

# Module file for SSM Document
module config_rule_report_ssm_automation {
  source                  = "git::ssh://xxx.xxxxxxx.xx.xx/xxxx-xxxx/tf-aws-ssm-document.git"
  name                    = "ConfigServiceRuleEvaluation"
  ssm_document            = "templates/${lower(element(var.base_name, 7))}/ssm_document.tpl"
  document_type           = "Automation"
  custom_parameter_01     = "${local.config_rule_name}"
  resource_owner          = "${var.resource_owner}"
  department              = "${var.department}"
  cost_centre             = "${var.cost_centre}"
  product_name            = "${var.product_name}"
}

Debug Output


N/A

Panic Output

N/A

Expected Behavior

CloudWatch event target created and pointing to SSM Automation document correctly.

Actual Behavior

Terraform fails to create the resource with an error related to SSM RunCommand.

2 error(s) occurred:

* module.config_rule_report_cw_event_target.aws_cloudwatch_event_target.ssm_automation_target: 1 error(s) occurred:

* aws_cloudwatch_event_target.ssm_automation_target: Creating CloudWatch Event Target failed: ValidationException: Parameter RunCommandParameters is not valid for target DEV-AWS-CONFIG-RULE-REPORT.
    status code: 400, request id: 4075f8ec-e824-11e8-a00c-a3b361ed708c
* aws_cloudwatch_event_target.teste_ssm: 1 error(s) occurred:

* aws_cloudwatch_event_target.teste_ssm: Creating CloudWatch Event Target failed: ValidationException: Parameter RunCommandParameters is not valid for target terraform-20181114154503264000000001.
    status code: 400, request id: 4075f8c9-e824-11e8-bb3b-efc95def0a07

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error 
above and apply again to incrementally change your infrastructure.

Steps to Reproduce

  1. terraform apply

Important Factoids

N/A

References

  • #0000
service/cloudwatchevents

All 8 comments

+1

+1

Hi folks 👋 Please note that we can only utilize 👍 upvote reactions to the original issue or pull request for reporting and prioritization. e.g. https://github.com/terraform-providers/terraform-provider-aws/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc "+1"/"me too" comments unfortunately only generate noise for issue/pull request followers and do not help the maintainers with prioritization. 😅

I directly tried using AWS Javascript SDK and I got this error:
ValidationException: Parameter RunCommandParameters is not valid for target windows-av-update-automation.
Looks like it is a bug from AWS side.

Hi everyone, thanks for taking the time to report this issue. Since it sounds like it's an upstream problem and could have changed without us, I'm going to close the bug report. If it's still happening with the latest Terraform and AWS provider releases, please open a new issue with as many details as possible. Thank you!

The error is caused by the passed ARN. It's probably the ARN of an SSM Document in the form of arn:aws:ssm:region:account-id:document/document_name. If you want to use an SSM Automation Document as target, it has to be like this: arn:aws:ssm:region:account-id:automation-definition/definitionName:version, so CW Events understands it's an Automation Document.

As a fix you could use a string replace

resource "aws_cloudwatch_event_target" "ssm_automation_target" {
  count               = "${var.target_type == "ssm_automation" ? 1 : 0}"
  target_id           = "${local.target_id}"
  arn                 = "${replace(var.arn, "document/", "automation-definition/")}"
  rule                = "${var.rule}"
  role_arn            = "${var.role_arn}"
}

I can't find any documentation on this behavior, but the defined ARNs for SSM can be found here.
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
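
Added example (not part of the original thread or of the provider's code): a Python pre-flight helper that performs the rewrite described in the comment above, changing only the resource-type segment of the ARN and rejecting anything that is not an SSM document or automation-definition ARN. The function name, region, account ID and version value are constructed for illustration.

```python
import re

# arn:partition:ssm:region:account-id:resource-type/name[:version]
_SSM_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):ssm:(?P<region>[^:]*):(?P<account>[^:]*):"
    r"(?P<rtype>document|automation-definition)/(?P<name>[^:]+)"
    r"(?::(?P<version>.+))?$"
)


def to_automation_target_arn(arn, version=None):
    """Return the automation-definition form of an SSM document ARN.

    An ARN that is already in automation-definition form is returned
    normalized (its own version suffix is kept unless `version` is given).
    Anything that is not an SSM document/automation-definition ARN raises
    ValueError, so a wrong target ARN is caught before `terraform apply`.
    """
    m = _SSM_ARN.match(arn)
    if m is None:
        raise ValueError(
            "not an SSM document or automation-definition ARN: %r" % arn
        )
    parts = m.groupdict()
    # Only the resource-type segment changes; name and account are untouched.
    out = "arn:{partition}:ssm:{region}:{account}:automation-definition/{name}".format(**parts)
    chosen = version or parts["version"]
    return "%s:%s" % (out, chosen) if chosen else out


if __name__ == "__main__":
    # Constructed sample ARN using the document name from the issue.
    sample = "arn:aws:ssm:eu-west-1:111122223333:document/ConfigServiceRuleEvaluation"
    print(to_automation_target_arn(sample))
    print(to_automation_target_arn(sample, version="1"))
```
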

Thanks @pvanbuijtene - this solved my problem.

Unfortunately looking through the CloudFormation and API reference documentation, there doesn't seem to be an easy way to get this information back from the AWS API.

In the meantime, is it worth updating the documentation to account for this case?

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
