Terraform-provider-aws: Support ConfigService Remediation Configuration

Created on 16 Mar 2019  ·  24 Comments  ·  Source: hashicorp/terraform-provider-aws

Description

AWS released a new feature for AWS Config which requires another resource - https://aws.amazon.com/about-aws/whats-new/2019/03/use-aws-config-to-remediate-noncompliant-resources/

The API is a bit unusual - have taken a first stab at the syntax below.

New or Affected Resource(s)

  • aws_config_remediation_configuration

Potential Terraform Configuration

resource "aws_config_remediation_configuration" "r" {
  rule_name = "example"

  target {
    type = "SSM_DOCUMENT"
    id = "AWS-DetachEBSVolume"
    version = "1"
  }

  parameter {
    type = "resource"
    name = "VolumeId"
  }

  parameter {
    type = "static"
    name = "AutomationAssumeRole"
    value = "arn:...role:/myRole"
  }

  depends_on = ["aws_config_config_rule.r"]
}

resource "aws_config_config_rule" "r" {
  name = "example"

  source {
    owner             = "AWS"
    source_identifier = "EC2_VOLUME_INUSE_CHECK"
  }
}

Labels: new-resource, service/configservice

    All 24 comments

    Am happy to contribute if the configuration can be confirmed

    Thanks for submitting this @billyshambrook and looking pretty good! For simplification, supporting the static values list, and the additional validation capabilities it may be worth considering the following:

    resource "aws_config_remediation_configuration" "example" {
      rule_name = "${aws_config_config_rule.example.name}"
    
      # We can skip dealing with the configuration block here (and this matches the API)
      target_id      = "AWS-DetachEBSVolume"
      target_type    = "SSM_DOCUMENT"
      target_version = "1"
    
      parameter {
        name = "example"
    
        # We can use the presence of the configuration blocks to match to the API structs
        resource_value {
          value = "" # can be validated with ResourceValueType constants
        }
    
        static_value {
          # at the very least this needs to be a list to match the API
          values = [""] 
        }
      }
    }
    

    Hope that makes sense. I'll get the AWS Go SDK update submitted so that's not holding this up.
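    The flattened target_*/parameter shape sketched in the comment above, carried through to a complete configuration. This is an added example and not code from the issue or from the provider's own documentation: the attribute names (config_rule_name, resource_type, target_id, target_type, target_version, and parameter with name, resource_value, static_value) are assumed to match the resource as later released, so check them against the provider docs for your version. The rule, SSM document and parameter names are the ones used in the issue's sketch; the IAM role name is made up. The point the sketch leaves out is that the SSM Automation document runs as AutomationAssumeRole, so that role should trust only SSM and carry only the actions the document needs.

```hcl
# Added example (not from the issue). Attribute names are assumed to match the
# released resource; the IAM role name is made up for illustration.

resource "aws_config_config_rule" "volume_in_use" {
  name = "ec2-volume-inuse-check"

  source {
    owner             = "AWS"
    source_identifier = "EC2_VOLUME_INUSE_CHECK"
  }
}

# Role the SSM Automation document runs as. Trust is limited to the SSM
# service principal; permissions are limited to what the document needs.
resource "aws_iam_role" "remediation" {
  name = "config-remediation-detach-volume" # assumed name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ssm.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "remediation" {
  name = "detach-volume-only"
  role = aws_iam_role.remediation.id

  # Volume IDs are not known at plan time, hence Resource = "*";
  # the action list is still restricted to the detach/describe pair.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ec2:DetachVolume", "ec2:DescribeVolumes"]
      Resource = "*"
    }]
  })
}

resource "aws_config_remediation_configuration" "volume_in_use" {
  config_rule_name = aws_config_config_rule.volume_in_use.name
  resource_type    = "AWS::EC2::Volume"

  # Flattened target, matching the API fields one-to-one.
  target_type    = "SSM_DOCUMENT"
  target_id      = "AWS-DetachEBSVolume"
  target_version = "1"

  # Static value: the role the automation assumes.
  parameter {
    name         = "AutomationAssumeRole"
    static_value = aws_iam_role.remediation.arn
  }

  # Resource value: Config substitutes the ID of the noncompliant resource.
  parameter {
    name           = "VolumeId"
    resource_value = "RESOURCE_ID"
  }
}
```

    Referencing the rule by aws_config_config_rule.volume_in_use.name gives the implicit ordering that the original sketch had to force with depends_on, and keeping the role in the same configuration means a change to the remediation's permissions shows up in the same plan as the remediation itself.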

    Updated AWS Go SDK is merged. 👍

    Where is the usage documented? Can't find anything in docs.

    Hi guys, where are we on this? I'm looking to configure a remediation action to send an SNS notification while creating a config rule with terraform

    So, what's holding this from being available in the provider? Are we waiting on @billyshambrook to code this enhancement?

    I opened a WIP PR in order to code that feature, but I saw I forgot to plug the function names in the provider.go file, which I did in my last commit.
    Now my code is actually executed and tested (whereas it was just compiled beforehand).
    Sadly, I don't understand the >1000 lines of error messages the make test command gives me back (you can see them there: https://travis-ci.org/terraform-providers/terraform-provider-aws/jobs/559461783).
    If anybody knows what (I guess) obvious thing I forgot, please feel free to tell me, I'm going to read terraform-providers/terraform-provider-aws docs in order to find a clue.

    Thanks to @meroje for pointing me to this part:

    --- FAIL: TestProvider (0.06s)
        provider_test.go:60: err: 1 error occurred:
                * resource aws_config_remediation_configuration: resource_type: One of optional, required, or computed must be set
    

    Now I understand how to declare Optional, Required & Computed fields. Still in progress.

    I hate to be that guy, but we have been eagerly waiting to get remediation rolled out via Terraform. So, are we there yet?

    No, hence my PR

    It appears we're missing reviewers on the PR, in case anyone reading this can fix that

    @bflad can you please review this PR?

    Yes, I need this in my life :)

    I need this as well. Indeed, a dear friend of mine asked me to forward you the following message:

    Ian, I am so very sad. Every morning I wake up and hope to see Terraform support for config remediation. Every night I go to bed with tears streaming down my face because I must still manage these resources manually. I have nightmares at least twice per week, wherein the year is 2023 and config remediation is still unsupported.

    As you can see, my friend is in a desperate state. Can you help him?

    I too would like to see this added on behalf of @ian-axelrod's dear friend in need.

    @ian-axelrod you could tell your friend to use CloudFormation deployed by terraform to do this while he's waiting, if it's that bad:
    https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-remediationconfiguration.html

    Need this !!

    Wishing for this as well.

    You can also just do an AWS Config CLI command in your job to add them after the rule is created. That is how I am getting around this.

    sh 'aws configservice put-remediation-configurations --remediation-configurations file://InstanceTypesAreT2micro.json --region us-east-2'

    Would be nice if this was just all included though.

    where are we on this PR

    ^-- sorry, looks like rebasing spammed the issue tracker. I forked Andy's work (thanks Andy!) and got something working: https://github.com/terraform-providers/terraform-provider-aws/pull/13884 (or, if there are commit signing requirements https://github.com/terraform-providers/terraform-provider-aws/pull/13885)

    @gdavison or @anGie44 do you have a moment to review either of the above PRs? Thank you :)

    This has been released in version 3.7.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

    For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

    I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

    If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
