Terraform: Unable to create custom AWS Config rule

Created on 28 Apr 2017 · 6 Comments · Source: hashicorp/terraform

I'm trying to create a custom AWS Config rule. I have the Lambda part set up, but when I try to create the aws_config_config_rule resource I get an error from the AWS API. Details below:

Terraform Version

0.9.4

Affected Resource(s)

  • aws_config_config_rule

Terraform Configuration Files

provider "aws" {}

resource "aws_config_config_rule" "example" {
  name = "example"

  source {
    owner             = "CUSTOM_LAMBDA"
    source_identifier = "arn:aws:lambda:eu-west-1:123412341234:function:example"

    source_detail {
      message_type = "ConfigurationItemChangeNotification"
    }
  }
}

Debug Output

I can't access gists from behind my corporate proxy, but here's the snippet of the debug from when it tries to create the rule:

2017/04/28 15:20:25 [DEBUG] apply: aws_config_config_rule.example: executing Apply
2017/04/28 15:20:25 [DEBUG] plugin: terraform: aws-provider (internal) 2017/04/28 15:20:25 [DEBUG] No meta timeoutkey found in Apply()
2017/04/28 15:20:25 [DEBUG] plugin: terraform: aws-provider (internal) 2017/04/28 15:20:25 [DEBUG] Creating AWSConfig config rule: {
2017/04/28 15:20:25 [DEBUG] plugin: terraform:   ConfigRule: {
2017/04/28 15:20:25 [DEBUG] plugin: terraform:     ConfigRuleName: "example",
2017/04/28 15:20:25 [DEBUG] plugin: terraform:     Source: {
2017/04/28 15:20:25 [DEBUG] plugin: terraform:       Owner: "CUSTOM_LAMBDA",
2017/04/28 15:20:25 [DEBUG] plugin: terraform:       SourceDetails: [{
2017/04/28 15:20:25 [DEBUG] plugin: terraform:           MessageType: "ConfigurationItemChangeNotification"
2017/04/28 15:20:25 [DEBUG] plugin: terraform:         }],
2017/04/28 15:20:25 [DEBUG] plugin: terraform:       SourceIdentifier: "arn:aws:lambda:eu-west-1:123412341234:function:example"
2017/04/28 15:20:25 [DEBUG] plugin: terraform:     }
2017/04/28 15:20:25 [DEBUG] plugin: terraform:   }
2017/04/28 15:20:25 [DEBUG] plugin: terraform: }
2017/04/28 15:20:25 [DEBUG] plugin: terraform: aws-provider (internal) 2017/04/28 15:20:25 [DEBUG] Waiting for state to become: [success]
2017/04/28 15:20:25 [DEBUG] plugin: terraform: aws-provider (internal) 2017/04/28 15:20:25 [DEBUG] [aws-sdk-go] DEBUG: Request config/PutConfigRule Details:
2017/04/28 15:20:25 [DEBUG] plugin: terraform: ---[ REQUEST POST-SIGN ]-----------------------------
2017/04/28 15:20:25 [DEBUG] plugin: terraform: POST / HTTP/1.1
2017/04/28 15:20:25 [DEBUG] plugin: terraform: Host: config.eu-west-1.amazonaws.com
2017/04/28 15:20:25 [DEBUG] plugin: terraform: User-Agent: aws-sdk-go/1.8.13 (go1.8; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.9.4
2017/04/28 15:20:25 [DEBUG] plugin: terraform: Content-Length: 224
2017/04/28 15:20:25 [DEBUG] plugin: terraform: Authorization: <REMOVED>
2017/04/28 15:20:25 [DEBUG] plugin: terraform: Content-Type: application/x-amz-json-1.1
2017/04/28 15:20:25 [DEBUG] plugin: terraform: X-Amz-Date: 20170428T142025Z
2017/04/28 15:20:25 [DEBUG] plugin: terraform: X-Amz-Target: StarlingDoveService.PutConfigRule
2017/04/28 15:20:25 [DEBUG] plugin: terraform: Accept-Encoding: gzip
2017/04/28 15:20:25 [DEBUG] plugin: terraform:
2017/04/28 15:20:25 [DEBUG] plugin: terraform: {"ConfigRule":{"ConfigRuleName":"example","Source":{"Owner":"CUSTOM_LAMBDA","SourceDetails":[{"MessageType":"ConfigurationItemChangeNotification"}],"SourceIdentifier":"arn:aws:lambda:eu-west-
1:123412341234:function:example"}}}
2017/04/28 15:20:25 [DEBUG] plugin: terraform: -----------------------------------------------------
  name:                                                         "" => "example"
  rule_id:                                                      "" => "<computed>"
  source.#:                                                     "0" => "1"
  source.0.owner:                                               "" => "CUSTOM_LAMBDA"
  source.0.source_detail.#:                                     "0" => "1"
  source.0.source_detail.746308089.event_source:                "" => ""
  source.0.source_detail.746308089.maximum_execution_frequency: "" => ""
  source.0.source_detail.746308089.message_type:                "" => "ConfigurationItemChangeNotification"
  source.0.source_identifier:                                   "" => "arn:aws:lambda:eu-west-1:123412341234:function:example"
2017/04/28 15:20:25 [DEBUG] plugin: terraform: aws-provider (internal) 2017/04/28 15:20:25 [DEBUG] [aws-sdk-go] DEBUG: Response config/PutConfigRule Details:
2017/04/28 15:20:25 [DEBUG] plugin: terraform: ---[ RESPONSE ]--------------------------------------
2017/04/28 15:20:25 [DEBUG] plugin: terraform: HTTP/1.1 400 Bad Request
2017/04/28 15:20:25 [DEBUG] plugin: terraform: Connection: close
2017/04/28 15:20:25 [DEBUG] plugin: terraform: Content-Length: 175
2017/04/28 15:20:25 [DEBUG] plugin: terraform: Content-Type: application/x-amz-json-1.1
2017/04/28 15:20:25 [DEBUG] plugin: terraform: Date: Fri, 28 Apr 2017 14:20:25 GMT
2017/04/28 15:20:25 [DEBUG] plugin: terraform: X-Amzn-Requestid: d25cf2fb-2c1d-11e7-b7cb-fff38f58ee2e
2017/04/28 15:20:25 [DEBUG] plugin: terraform:
2017/04/28 15:20:25 [DEBUG] plugin: terraform: {"__type":"InvalidParameterValueException","message":"SourceDetails should be null/empty if the owner is AWS. SourceDetails should be provided if the owner is CUSTOM_LAMBDA."}
2017/04/28 15:20:25 [DEBUG] plugin: terraform: -----------------------------------------------------

The error message doesn't really make sense; as far as I can see Terraform/aws-sdk-go is sending the right fields: owner is CUSTOM_LAMBDA and SourceDetails are provided. 🤷

Expected Behavior

AWS Config rule is created

Actual Behavior

aws_config_config_rule.example: Creating...
  arn:                                                          "" => "<computed>"
  name:                                                         "" => "example"
  rule_id:                                                      "" => "<computed>"
  source.#:                                                     "0" => "1"
  source.0.owner:                                               "" => "CUSTOM_LAMBDA"
  source.0.source_detail.#:                                     "0" => "1"
  source.0.source_detail.746308089.event_source:                "" => ""
  source.0.source_detail.746308089.maximum_execution_frequency: "" => ""
  source.0.source_detail.746308089.message_type:                "" => "ConfigurationItemChangeNotification"
  source.0.source_identifier:                                   "" => "arn:aws:lambda:eu-west-1:123412341234:function:example"
Error applying plan:

1 error(s) occurred:

* aws_config_config_rule.example: 1 error(s) occurred:

* aws_config_config_rule.example: Failed to create AWSConfig rule: InvalidParameterValueException: SourceDetails should be null/empty if the owner is AWS. SourceDetails should be provided if the owner is CUSTOM_LAMBDA.
        status code: 400, request id: 12a7a5f7-2c1d-11e7-bd2c-27f008fce504

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Steps to Reproduce

  1. terraform apply
Labels: bug, provider/aws

All 6 comments

Figured it out: it's due to event_source not being present. The docs say this is optional, but I get the above misleading error without it, so my resource now looks like this:

provider "aws" {}

resource "aws_config_config_rule" "example" {
  name = "example"

  source {
    owner             = "CUSTOM_LAMBDA"
    source_identifier = "arn:aws:lambda:eu-west-1:123412341234:function:example"

    source_detail {
      event_source = "aws.config" # XXX
      message_type = "ConfigurationItemChangeNotification"
    }
  }
}

And it now works without problem.

Hey @bodgit. We went ahead and defaulted event_source to aws.config. You won't need to specify it anymore and other users shouldn't experience the headache that you went through!
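As an added example (not code from this issue or from the Terraform AWS provider): a pre-apply check in Python over the PutConfigRule JSON body captured in the debug log above. It models the rejection the API returned and the provider's later behaviour of defaulting event_source to aws.config. The field names come from the request body in the log; the check logic is an assumption reconstructed from the error message and the comments, not AWS's own validation code.

```python
import json

# Request body exactly as captured in the issue's debug log, with the
# placeholder Lambda ARN from the report (constructed sample input).
FAILING_REQUEST = json.loads(
    '{"ConfigRule":{"ConfigRuleName":"example","Source":{"Owner":"CUSTOM_LAMBDA",'
    '"SourceDetails":[{"MessageType":"ConfigurationItemChangeNotification"}],'
    '"SourceIdentifier":"arn:aws:lambda:eu-west-1:123412341234:function:example"}}}'
)

DEFAULT_EVENT_SOURCE = "aws.config"  # value the provider now fills in by default


def apply_provider_default(request: dict) -> dict:
    """Mimic the provider fix: add EventSource to any source_detail that omits it."""
    fixed = json.loads(json.dumps(request))  # deep copy, leave the input untouched
    for detail in fixed["ConfigRule"]["Source"].get("SourceDetails") or []:
        detail.setdefault("EventSource", DEFAULT_EVENT_SOURCE)
    return fixed


def preflight_errors(request: dict) -> list:
    """Check a PutConfigRule body before apply.

    Assumed rules, taken from the API error text and the thread: owner AWS
    must not carry SourceDetails; owner CUSTOM_LAMBDA must carry at least one
    detail, and every detail needs both EventSource and MessageType (a detail
    with only MessageType is what the API rejected with a misleading message).
    """
    source = request["ConfigRule"]["Source"]
    owner = source.get("Owner")
    details = source.get("SourceDetails") or []
    errors = []
    if owner == "AWS" and details:
        errors.append("SourceDetails must be empty when Owner is AWS")
    elif owner == "CUSTOM_LAMBDA":
        if not details:
            errors.append("SourceDetails required when Owner is CUSTOM_LAMBDA")
        for i, detail in enumerate(details):
            for key in ("EventSource", "MessageType"):
                if not detail.get(key):
                    errors.append(f"SourceDetails[{i}] missing {key}")
        # For a custom rule the identifier is the Lambda function ARN
        if ":lambda:" not in str(source.get("SourceIdentifier", "")):
            errors.append("SourceIdentifier must be a Lambda function ARN")
    return errors


if __name__ == "__main__":
    print(preflight_errors(FAILING_REQUEST))
    print(preflight_errors(apply_provider_default(FAILING_REQUEST)))
```

Run against the captured body, the check names the missing EventSource that the API's message hid; after the provider-style default is applied the body passes.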

@mbfrahry: I have faced the same issue and it's solved by adding event_source. Thanks @bodgit

@mbfrahry: Also needed to add event_source = "aws.config" to get working.

Documentation should be updated; the source_detail parameters are mentioned as (Optional).

I needed to add message_type; the default event_source seems to be working.

source {
  owner             = "CUSTOM_LAMBDA"
  source_identifier = "${aws_lambda_function.lambda_01.arn}"

  source_detail {
    #event_source = "aws.config"
    message_type = "ConfigurationItemChangeNotification"
  }
}

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
