EventBridge Target RoleArn is required for target - amazon-web-services

I'm using Terraform 1.3.5 and this module previously worked flawlessly, until I renamed the module. Now I am getting this error:
Error: creating EventBridge Target (cleanup-terraform-20221130175229684800000001): ValidationException: RoleArn is required for target arn:aws:events:us-east-1:123456789012:api-destination/services-destination/c187090f-268b-4d9b-b09d-f9b077e0c0cf.
│ status code: 400, request id: 63dc6425-2a94-4f66-b7c2-106b0607d964
│
│ with module.a-eventbridge-trigger.aws_cloudwatch_event_target.api_destination,
│ on ..\a-eventbridge-trigger\main.tf line 61, in resource "aws_cloudwatch_event_target" "api_destination":
│ 61: resource "aws_cloudwatch_event_target" "api_destination" {
Here is the complete content of the main.tf in the module:
# configures api connection
resource "aws_cloudwatch_event_connection" "auth" {
  name               = "services-token"
  description        = "Gets oauth bearer token"
  authorization_type = "OAUTH_CLIENT_CREDENTIALS"
  auth_parameters {
    oauth {
      authorization_endpoint = "${var.vars.apiBaseUrl}${var.vars.auth}"
      http_method            = "POST"
      client_parameters {
        client_id     = var.secretContent.Client_Id
        client_secret = var.secretContent.Client_Secret
      }
      oauth_http_parameters {
        body {
          key             = "grant_type"
          value           = "client_credentials"
          is_value_secret = true
        }
        body {
          key             = "client_id"
          value           = var.secretContent.Client_Id
          is_value_secret = true
        }
        body {
          key             = "client_secret"
          value           = var.secretContent.Client_Secret
          is_value_secret = true
        }
      }
    }
  }
}
# configures api destination
resource "aws_cloudwatch_event_api_destination" "request" {
  name                             = "services-destination"
  description                      = "Requests clean up"
  invocation_endpoint              = "${var.vars.apiBaseUrl}${var.vars.endpoint}"
  http_method                      = "POST"
  invocation_rate_limit_per_second = 20
  connection_arn                   = aws_cloudwatch_event_connection.auth.arn
}
# sets up the scheduling
resource "aws_cloudwatch_event_rule" "every_midnight" {
  name                = "${var.name}-services-cleanup"
  description         = "Fires on every day at midnight of UTC+0"
  schedule_expression = "cron(0 0 * * ? *)"
  is_enabled          = true
}
# tells the scheduler to call the api destination
resource "aws_cloudwatch_event_target" "api_destination" {
  rule = aws_cloudwatch_event_rule.every_midnight.name
  arn  = aws_cloudwatch_event_api_destination.request.arn
}
And the module is called like this from the root module:
module "a-eventbridge-trigger" {
  source        = "../a-eventbridge-trigger"
  name          = local.prefixName
  resourceTags  = local.commonTags
  vars          = var.vars
  secretContent = var.secrets
}
Here is the providers.tf:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.43.0"
    }
  }
  backend "s3" {}
}
What am I missing and why would it stop working suddenly?
I have run a complete destroy and fresh apply but I still get this.
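One way to satisfy the RoleArn requirement reported in the error above, as an added example that is not part of the question's module: an IAM role that EventBridge is allowed to assume, granted only the permission to invoke this one API destination, and the target extended with role_arn. The names aws_iam_role.api_destination_invoke and the two policy documents are assumptions; the other references reuse the module's own resource names.

```hcl
# Added example, not the module's own code. Trust policy: only the
# EventBridge service principal may assume this role.
data "aws_iam_policy_document" "eventbridge_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "api_destination_invoke" {
  name               = "${var.name}-services-cleanup-invoke"
  assume_role_policy = data.aws_iam_policy_document.eventbridge_assume.json
}

# Least privilege: the role may invoke this single API destination and
# nothing else, so a compromised rule cannot be pointed at other targets.
data "aws_iam_policy_document" "invoke_destination" {
  statement {
    actions   = ["events:InvokeApiDestination"]
    resources = [aws_cloudwatch_event_api_destination.request.arn]
  }
}

resource "aws_iam_role_policy" "api_destination_invoke" {
  name   = "invoke-api-destination"
  role   = aws_iam_role.api_destination_invoke.id
  policy = data.aws_iam_policy_document.invoke_destination.json
}

# The target from the question with the missing role_arn supplied.
resource "aws_cloudwatch_event_target" "api_destination" {
  rule     = aws_cloudwatch_event_rule.every_midnight.name
  arn      = aws_cloudwatch_event_api_destination.request.arn
  role_arn = aws_iam_role.api_destination_invoke.arn
}
```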

Related

How do you declare a gcp rate_limit_options block in terraform

I'm trying to create a GCP Cloud Armor rate limiting "throttle" resource but I keep getting the error below.
Error: Unsupported block type
│
│ on main.tf line 20, in resource "google_compute_security_policy" "throttle":
│ 172: rate_limit_options {
│
│ Blocks of type "rate_limit_options" are not expected here.
Here is what my resource block looks like:
resource "google_compute_security_policy" "throttle" {
  name        = "${var.environment_name}-throttle"
  description = "rate limits request based on throttle"
  rule {
    action   = "throttle"
    preview  = true
    priority = "1000"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "ALL"
      rate_limit_threshold {
        count        = "200"
        interval_sec = "300"
      }
    }
  }
}
Here is what my provider block looks like:
provider "google-beta" {
  project = var.project[var.environment_name]
  region  = "us-central1"
}
How do I declare the rate_limit_options block?
This worked for me:
resource "google_compute_security_policy" "throttle" {
  name        = "${var.environment_name}-throttle"
  description = "rate limits"
  provider    = google-beta
  rule {
    action   = "throttle"
    preview  = true
    priority = "1000"
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "ALL"
      rate_limit_threshold {
        count        = "200"
        interval_sec = "300"
      }
    }
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}
The block rate_limit_options is supported by the google-beta provider.
Use this:
provider "google-beta" {
  project = "my-project-id"
  ...
}
Using the google-beta provider

Internal Exception while creating AWS FMS Policy for CloudFront

I am getting the error below while creating a Firewall Manager policy for a CloudFront distribution.
The documentation provides little detail on how to deploy a policy for a CloudFront distribution, which is a global resource.
I am getting this error while executing my code:
aws_fms_policy.xxxx: Creating...
╷
│ Error: error creating FMS Policy: InternalErrorException:
│
│ with aws_fms_policy.xxxx,
│ on r_wafruleset.tf line 1, in resource "aws_fms_policy" "xxxx":
│ 1: resource "aws_fms_policy" "xxxx" {
│
╵
Releasing state lock. This may take a few moments...
main.tf looks like this with provider information:
provider "aws" {
  region = "ap-southeast-2"
  assume_role {
    role_arn = "arn:aws:iam::${var.account_id}:role/yyyy"
  }
}
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${var.account_id}:role/yyyy"
  }
}
r_fms.tf looks like this:
resource "aws_fms_policy" "xxxx" {
  name                  = "xxxx"
  exclude_resource_tags = true
  resource_tags         = var.exclude_tags
  remediation_enabled   = true
  provider              = aws.us_east_1
  include_map {
    account = ["123123123"]
  }
  resource_type = "AWS::CloudFront::Distribution"
  security_service_policy_data {
    type = "WAFV2"
    managed_service_data = jsonencode(
      {
        type = "WAFV2"
        defaultAction = {
          type = "ALLOW"
        }
        overrideCustomerWebACLAssociation = false
        postProcessRuleGroups             = []
        preProcessRuleGroups = [
          {
            excludeRules = []
            managedRuleGroupIdentifier = {
              vendorName           = "AWS"
              managedRuleGroupName = "AWSManagedRulesAmazonIpReputationList"
              version              = true
            }
            overrideAction = {
              type = "COUNT"
            }
            ruleGroupArn           = null
            ruleGroupType          = "ManagedRuleGroup"
            sampledRequestsEnabled = true
          },
          {
            excludeRules = []
            managedRuleGroupIdentifier = {
              managedRuleGroupName = "AWSManagedRulesWindowsRuleSet"
              vendorName           = "AWS"
              version              = null
            }
            overrideAction = {
              type = "COUNT"
            }
            ruleGroupArn           = null
            ruleGroupType          = "ManagedRuleGroup"
            sampledRequestsEnabled = true
          },
        ]
        sampledRequestsEnabledForDefaultActions = true
      })
  }
}
I have tried to follow this thread but am still getting the error above:
https://github.com/hashicorp/terraform-provider-aws/issues/17821
Terraform Version:
Terraform v1.1.7
on windows_386
+ provider registry.terraform.io/hashicorp/aws v4.6.0
There is an open issue in the Terraform AWS provider.
A workaround for this issue is to remove the 'version' attribute.
AWS has recently introduced versioning for WAF policies managed by Firewall Manager, which is causing this weird error.
Though a permanent fix is in progress (refer to my earlier post), we can remove the attribute to avoid this error.
Another approach is to use the new attribute versionEnabled=true in case you want versioning enabled.

Error: Invalid value for region: project: required field is not set

On GCP, I'm trying to create a Cloud Run service and a Serverless Network Endpoint Group with this Terraform code below:
provider "google" {
  credentials = file("myCredentials.json")
  project     = "myproject-813137"
  region      = "asia-northeast1"
}
resource "google_cloud_run_service" "default" {
  name     = "hello-world"
  location = "asia-northeast1"
  template {
    spec {
      containers {
        image = "gcr.io/myproject-813137/hello-world:latest"
      }
    }
  }
  traffic {
    percent         = 100
    latest_revision = true
  }
}
data "google_iam_policy" "noauth" {
  binding {
    role = "roles/run.invoker"
    members = [
      "allUsers",
    ]
  }
}
resource "google_cloud_run_service_iam_policy" "noauth" {
  location    = google_cloud_run_service.default.location
  project     = google_cloud_run_service.default.project
  service     = google_cloud_run_service.default.name
  policy_data = data.google_iam_policy.noauth.policy_data
}
resource "google_compute_region_network_endpoint_group" "cloudrun_neg" {
  provider              = google-beta
  name                  = "neg"
  network_endpoint_type = "SERVERLESS"
  region                = "asia-northeast1"
  cloud_run {
    service = google_cloud_run_service.default.name
  }
}
But I got this error:
Error: Invalid value for region: project: required field is not set
Are there any mistakes in my Terraform code?
Remove "provider = google-beta" from "google_compute_region_network_endpoint_group":
resource "google_compute_region_network_endpoint_group" "cloudrun_neg" {
  # provider = google-beta   # <- remove this line
  name                  = "neg"
  network_endpoint_type = "SERVERLESS"
  region                = "asia-northeast1"
  cloud_run {
    service = google_cloud_run_service.default.name
  }
}
Even though you have already defined provider "google" as below, you set "provider = google-beta" in "google_compute_region_network_endpoint_group":
provider "google" {
  credentials = file("myCredentials.json")
  project     = "myproject-813137"
  region      = "asia-northeast1"
}
That's why you got this error:
Error: Invalid value for region: project: required field is not set

Terraform aws_codepipeline failed to satisfy constraint

I am creating an AWS CodePipeline resource with terraform:
resource "aws_codepipeline" "codepipeline" {
  name     = "codepipeline-tst"
  role_arn = "${aws_iam_role.codepipeline_role.arn}"
  artifact_store {
    location = "codepipeline-eu-east-1-<ACC_NUM>"
    type     = "S3"
  }
  stage {
    name = "Source"
    action {
      name             = "Source"
      category         = "Source"
      owner            = "ThirdParty"
      provider         = "GitHub"
      version          = "1"
      output_artifacts = ["artifact"]
      configuration = {
        Owner      = "MyOwner"
        Repo       = "MyRepo"
        Branch     = "master"
        OAuthToken = ""
      }
    }
  }
  stage {
    name = "Deploy"
    action {
      name            = "Deploy"
      category        = "Deploy"
      owner           = "AWS"
      provider        = "CodeDeploy"
      input_artifacts = ["artifact"]
      version         = "1"
    }
  }
}
When running terraform apply, after two minutes of "aws_codepipeline.codepipeline: Still creating..." it returns:
Error: Error creating CodePipeline: ValidationException: 1 validation error detected: Value at 'pipeline.stages.1.member.actions.1.member.configuration' failed to satisfy constraint: Map value must satisfy constraint: [Member must have length less than or equal to 1000, Member must have length greater than or equal to 1]
Edit:
The new deploy stage is:
stage {
  name = "Deploy"
  action {
    name            = "Deploy"
    category        = "Deploy"
    owner           = "AWS"
    provider        = "CodeDeploy"
    input_artifacts = ["artifact"]
    version         = "1"
    configuration = {
      ApplicationName     = "my-app"
      DeploymentGroupName = "bar"
    }
  }
}
I have this app created using:
resource "aws_codedeploy_app" "my-app" {
  compute_platform = "Server"
  name             = "my-app"
}
And the group using:
resource "aws_codedeploy_deployment_group" "my_group-2" {
  app_name              = "my-app"
  deployment_group_name = "bar"
  service_role_arn      = "arn..."
  ec2_tag_filter {
    key   = "aws:autoscaling:groupName"
    type  = "KEY_AND_VALUE"
    value = "MyContainerService"
  }
  auto_rollback_configuration {
    enabled = false
  }
}
Your "Deploy" action has no 'configuration' block, which is required.
The CodeDeploy action requires two configuration parameters:
- Application name
- Deployment group
Please add them to this action.

Error authoritatively enabling Project media-244309 Services

When I execute the command terraform apply it throws the error below. All configuration and connectivity from my local machine work fine; I checked using the commands below:
gcloud auth login, and
verified using gcloud config list.
I have attached the main and variables tf files below.
resource "google_project" "my_project" {
  name       = "${var.project_name}"
  project_id = "${var.project_id}"
}
provider "google" {
  project = "${var.project_id}"
  region  = "${var.region}"
  zone    = "${var.zone}"
}
resource "google_project_services" "project" {
  project  = "${var.project_id}"
  services = ["composer.googleapis.com", "iam.googleapis.com", "cloudresourcemanager.googleapis.com"]
}
resource "google_pubsub_topic" "topic" {
  name    = "${var.topic}"
  project = "${var.project_id}"
}
resource "google_pubsub_subscription" "push_subscriptions" {
  count      = "${length(var.push_subscriptions)}"
  name       = "${lookup(var.push_subscriptions[count.index], "name")}"
  topic      = "${google_pubsub_topic.topic.name}"
  project    = "${var.project_id}"
  depends_on = ["google_pubsub_topic.topic"]
}
resource "google_pubsub_subscription" "pull_subscriptions" {
  count      = "${length(var.pull_subscriptions)}"
  name       = "${lookup(var.pull_subscriptions[count.index], "name")}"
  topic      = "${google_pubsub_topic.topic.name}"
  project    = "${var.project_id}"
  depends_on = ["google_pubsub_topic.topic"]
}
Variables.tf file:
variable "project_id" {
  default = "media-intelligence-244309"
}
variable "region" {
  default = "asia-south1"
}
variable "zone" {
  default = "asia-south1-b"
}
variable "project_name" {
  default = "media-intelligence"
}
variable "topic" {
  default = "topic-1"
}
variable "push_subscriptions" {
  type    = "list"
  default = []
}
variable "pull_subscriptions" {
  type    = "list"
  default = []
}
Error: Error applying plan:
3 error(s) occurred:
google_project_services.project: 1 error(s) occurred:
google_project_services.project: Error authoritatively enabling Project media-244309 Services: Get https://cloudresourcemanager.googleapis.com/v1/projects/media-244309?alt=json&prettyPrint=false: oauth2: cannot fetch token: 400 Bad Request
Response: {
"error": "invalid_grant",
"error_description": "Robot is disabled."
}