As best as I can tell, AWS will only send CloudWatch metrics for Route 53 to us-east-1 (only mention of it I've found in the docs so far is here). This includes the metrics for Route 53 Health Checks. Therefore, if you try to create a CloudWatch alarm for the health check in some other region, that alarm will not work (it'll always be in INSUFFICIENT_DATA state).
Unfortunately, if you configure an AWS provider for some other region (e.g. us-west-1), it doesn't seem like you can override that region for the aws_cloudwatch_metric_alarm using the provider field.
Terraform v0.6.16
```hcl
provider "aws" {
  region = "us-west-1"
}

# [ ... create lots of resources in us-west-1 ... ]

# Route 53 health check
resource "aws_route53_health_check" "site_is_up" {
  fqdn              = "example.com"
  port              = 80
  type              = "HTTP"
  resource_path     = "/"
  failure_threshold = 2
  request_interval  = 30
}

# Now I want to create a CloudWatch alarm for the route 53 health check, and that alarm must live in us-east-1
provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

resource "aws_cloudwatch_metric_alarm" "site_is_up" {
  # Try to force this alarm to be created in us-east-1
  provider = "aws.east"

  alarm_name  = "site-is-up"
  namespace   = "AWS/Route53"
  metric_name = "HealthCheckStatus"

  dimensions = {
    HealthCheckId = "${aws_route53_health_check.site_is_up.id}"
  }

  comparison_operator = "LessThanThreshold"
  evaluation_periods  = "1"
  period              = "60"
  statistic           = "Minimum"
  threshold           = "1"
  unit                = "None"
}
```
My alarm is created in us-east-1 and shows "OK" status.
I get an error from Terraform:
aws_cloudwatch_metric_alarm.site_is_up: Creating metric alarm failed: ValidationError: Invalid region us-west-1 specified. Only us-east-1 is supported.
Note that if I remove the provider field from the aws_cloudwatch_metric_alarm resource, it creates it correctly, but it puts it in us-west-1!!
terraform apply
Try it with and without the provider field.
The route 53 health check and alarm code is in a module.
OK, I figured out what's going on here. It turns out that this is actually poor documentation and a confusing error message from AWS.
It turns out that the error message is not about the CloudWatch _alarm_, but about the SNS topic I was notifying in the alarm:
```hcl
resource "aws_cloudwatch_metric_alarm" "site_is_up" {
  # ...
  alarm_actions = ["arn:aws:sns:us-west-1:1234567:foobar"]
}
```
Notice how the ARN of that SNS topic is in us-west-1. This is what the error is actually complaining about. You can't send a notification from an alarm in one region to an SNS topic in another.
Key takeaway: If you're creating alarms based on Route 53 metrics, both the alarms AND the SNS topics they notify must live in us-east-1.
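A configuration that follows the takeaway above, as an added example that is not part of the original issue: the SNS topic is created through the same aliased us-east-1 provider as the alarm, and the alarm references the topic's ARN instead of a hard-coded one. The topic resource and its name are hypothetical, and the sketch assumes everything sits in one configuration rather than in a module.

```hcl
# Added example (not from the original issue), in the Terraform v0.6.x
# syntax used on this page. The SNS topic name is a hypothetical placeholder.
provider "aws" {
  region = "us-west-1"
}

# Aliased provider for everything that has to live in us-east-1.
provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

resource "aws_route53_health_check" "site_is_up" {
  fqdn              = "example.com"
  port              = 80
  type              = "HTTP"
  resource_path     = "/"
  failure_threshold = 2
  request_interval  = 30
}

# The topic is created through the same aliased provider as the alarm,
# so its ARN is a us-east-1 ARN.
resource "aws_sns_topic" "site_is_up_alerts" {
  provider = "aws.east"
  name     = "site-is-up-alerts"
}

resource "aws_cloudwatch_metric_alarm" "site_is_up" {
  provider    = "aws.east"
  alarm_name  = "site-is-up"
  namespace   = "AWS/Route53"
  metric_name = "HealthCheckStatus"

  dimensions = {
    HealthCheckId = "${aws_route53_health_check.site_is_up.id}"
  }

  comparison_operator = "LessThanThreshold"
  evaluation_periods  = "1"
  period              = "60"
  statistic           = "Minimum"
  threshold           = "1"
  unit                = "None"

  # Referencing the topic instead of a hard-coded ARN keeps the
  # notification target in the alarm's region.
  alarm_actions = ["${aws_sns_topic.site_is_up_alerts.arn}"]
}
```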
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.