Terraform - Receiving Error with CloudFormation Capabilities - amazon-web-services

I am new to Terraform so I am sure that I am just missing something simple, but when attempting to deploy a CloudFormation stack, I am encountering an error when applying capabilities.
Here is my stack resource:
resource "aws_cloudformation_stack" "member_remediation" {
  name         = "smx-sharr-member-remediation"
  capabilities = [CAPABILITY_IAM, CAPABILITY_AUTO_EXPAND]
  parameters = {
    SecHubAdminAccount                    = var.parameter_SecHubAdmin
    CreateS3BucketForRedshiftAuditLogging = var.parameter_CreateS3
    LogGroupName                          = var.parameter_LogGroupName
    LoadAFSBPMemberStack                  = var.parameter_LoadAFSBPStack
    LoadCIS120MemberStack                 = var.parameter_LoadCISStack
    LoadPCI321MemberStack                 = var.parameter_LoadPCIStack
  }
  template_body = file("${path.module}/cf-templates/aws-sharr-member.yml")
}
This is what the stack provides when trying to deploy in the console:
And here is the error Terraform is providing to me when performing a plan:
Exception Error in plan -
Error: Invalid reference
on .terraform/modules/aws-securityhub-master/module/main.tf line 1120, in resource "aws_cloudformation_stack" "member_remediation":
1120: capabilities = [CAPABILITY_IAM, CAPABILITY_AUTO_EXPAND]
A reference to a resource type must be followed by at least one attribute
access, specifying the resource name.
Error: Invalid reference
on .terraform/modules/aws-securityhub-master/module/main.tf line 1120, in resource "aws_cloudformation_stack" "member_remediation":
1120: capabilities = [CAPABILITY_IAM, CAPABILITY_AUTO_EXPAND]
A reference to a resource type must be followed by at least one attribute
access, specifying the resource name.
I'm not sure what attribute or resource reference the capability is requiring OR how to write it up in the resource layout. I am not finding many examples of CF stacks being deployed leveraging the capabilities option.
Any help is greatly appreciated!
NOTE: I have looked over the following question on Stack Overflow already - it didn't help me in this case:
AWS CloudFormation Stack update error: Requires capabilities : [CAPABILITY_IAM]

The argument type for capabilities is set(string). It appears you are attempting to resolve undefined first class expressions. You probably meant to cast the elements as literal strings, which we can do with the normal syntax:
capabilities = ["CAPABILITY_IAM", "CAPABILITY_AUTO_EXPAND"]
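As an added example (not part of the answer above), the same resource with the capabilities quoted and sourced from a variable whose validation block restricts it to the three values CloudFormation actually defines. The variable name `capabilities`, the validation block (Terraform 0.13 or later) and the trimmed parameter map are assumptions for illustration; the stack name and template path are the ones from the question.

```hcl
variable "capabilities" {
  description = "CloudFormation capabilities this deployment is permitted to acknowledge"
  type        = set(string)
  default     = ["CAPABILITY_IAM", "CAPABILITY_AUTO_EXPAND"]

  # Reject anything that is not a real capability name, so a typo fails at plan
  # time instead of being sent to the CloudFormation API.
  validation {
    condition = alltrue([
      for c in var.capabilities :
      contains(["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"], c)
    ])
    error_message = "capabilities may only contain CAPABILITY_IAM, CAPABILITY_NAMED_IAM or CAPABILITY_AUTO_EXPAND."
  }
}

variable "sechub_admin_account" {
  description = "Security Hub administrator account id (assumed input)"
  type        = string
}

resource "aws_cloudformation_stack" "member_remediation" {
  name = "smx-sharr-member-remediation"

  # Literal strings, not bare identifiers: Terraform otherwise parses
  # CAPABILITY_IAM as a reference to a resource type.
  capabilities = var.capabilities

  parameters = {
    SecHubAdminAccount = var.sechub_admin_account
  }

  template_body = file("${path.module}/cf-templates/aws-sharr-member.yml")
}
```

Each capability is an acknowledgement rather than a permission: CAPABILITY_IAM says the template may create IAM users, roles or policies, CAPABILITY_NAMED_IAM that those resources may carry custom names, and CAPABILITY_AUTO_EXPAND that the template may be rewritten by macros before deployment. When reviewing a stack definition, grant only the ones the template in `template_body` needs; a template with no transforms or macros should not be deployed with CAPABILITY_AUTO_EXPAND.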

Related

Conditional error in Terraform: Error: Incorrect attribute value type

I am calling a module (Terraform v0.13.7) and have this statement to determine an AWS SNS Alarm action (if environment is production, use this, otherwise use this):
alarm_sns_topic_arn = var.environment == "production" ? data.terraform_remote_state.outputs.alarm_sns_topic_arn["foo1"] : data.terraform_remote_state.outputs.alarm_sns_topic_arn["foo2"]
When run, I get an error Error: Incorrect attribute value type. The variable alarm_sns_topic_arn is a string type. foo1 and foo2 should resolve to the correct ARN values, and I confirmed that when hardcoding the values it fails as well.
The full error reads:
Error: Incorrect attribute value type
on ../../../modules/aws/elasticache_cluster/cloudwatch.tf line 70, in resource "aws_cloudwatch_metric_alarm" "elasticache_alarm":
70: alarm_actions = var.alarm_sns_topic_arn # This variable is currently a null default
Inappropriate value for attribute "alarm_actions": set of string required.
Banging my head against the wall — what am I missing?
Well, this is embarrassing, and of course makes sense in light of the error:
alarm_actions - (Optional) The list of actions to execute when this alarm transitions into an ALARM state from any other state. Each action is specified as an Amazon Resource Name (ARN).
I simply needed to specify a list type for my variable and enclose the statement in [].
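An added example (not from the question or the answer) showing the fix end to end: the module variable typed as `list(string)`, the alarm that consumes it, and the caller wrapping the conditional expression in `[]`. The alarm settings, the module path and the SNS topic ARNs (account id 111111111111) are constructed for illustration.

```hcl
# --- modules/aws/elasticache_cluster/variables.tf ---
variable "alarm_sns_topic_arns" {
  description = "SNS topic ARNs notified when the alarm enters ALARM state"
  type        = list(string)
  default     = []
}

# --- modules/aws/elasticache_cluster/cloudwatch.tf ---
resource "aws_cloudwatch_metric_alarm" "elasticache_alarm" {
  alarm_name          = "elasticache-cpu-high"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 2
  metric_name         = "CPUUtilization"
  namespace           = "AWS/ElastiCache"
  period              = 300
  statistic           = "Average"
  threshold           = 80

  # alarm_actions requires a set of strings, so the variable must be a list
  # (or set), never a bare string.
  alarm_actions = var.alarm_sns_topic_arns
}

# --- root module ---
variable "environment" {
  type = string
}

locals {
  # Constructed sample ARNs; in practice these come from remote state or a data source.
  alarm_topics = {
    production = "arn:aws:sns:us-east-1:111111111111:prod-alerts"
    staging    = "arn:aws:sns:us-east-1:111111111111:staging-alerts"
  }
}

module "elasticache" {
  source = "../../../modules/aws/elasticache_cluster"

  # The conditional still yields a single string; the surrounding [] turns it
  # into the one-element list the module expects.
  alarm_sns_topic_arns = [
    var.environment == "production"
    ? local.alarm_topics["production"]
    : local.alarm_topics["staging"]
  ]
}
```

Keeping alerting wired to a typed list also means an empty default (`[]`) disables notifications explicitly rather than through a null that only fails at plan time.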

How to add scope to managed rule with Terraform

I am trying to define scope in Terraform. I can launch a managed rule without scope, and it works. But when I try to define scope I get this error:
Inappropriate value for attribute "compliance_resource_types": set of string
required.
Maybe someone can help to write the scope correctly?
Here is the code for scope:
scope {
  compliance_resource_types = "AWS::EC2::SecurityGroup"
}
As the documentation states for compliance_resource_types of resource aws_config_config_rule:
A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule. e.g. AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See relevant part of AWS Docs for available types.
You are using a single string instead of a list of strings.
The following change should fix your issue:
resource "aws_config_config_rule" "example" {
  # ... other configuration ...
  scope {
    compliance_resource_types = ["AWS::EC2::SecurityGroup"]
  }
}
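To show the corrected scope inside a complete rule, here is an added example that is not part of the answer: an AWS managed rule evaluating only security groups, together with the configuration recorder that AWS Config needs before any rule can run. The rule name, the `config_role_arn` variable and the recorder name are assumptions; `INCOMING_SSH_DISABLED` is the identifier of the AWS managed rule that flags security groups allowing unrestricted inbound SSH.

```hcl
variable "config_role_arn" {
  description = "IAM role that AWS Config assumes to record resources (assumed to exist)"
  type        = string
}

# A rule cannot be created until a configuration recorder exists in the account/region.
resource "aws_config_configuration_recorder" "main" {
  name     = "default"
  role_arn = var.config_role_arn
}

resource "aws_config_config_rule" "restricted_ssh" {
  name        = "restricted-ssh"
  description = "Non-compliant when a security group allows inbound tcp/22 from anywhere"

  source {
    owner             = "AWS"
    source_identifier = "INCOMING_SSH_DISABLED"
  }

  scope {
    # set(string): always a list, even for a single resource type.
    compliance_resource_types = ["AWS::EC2::SecurityGroup"]
  }

  depends_on = [aws_config_configuration_recorder.main]
}
```

If you also set `compliance_resource_id` to scope the rule to one resource, the list may contain only a single type, as the documentation quoted above states.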

Terraform aws_lb_listener_rule Condition "Unsupported block type"

I'm trying to create a terraform aws_lb_listener_rule resource and am getting the error "Unsupported block type - Blocks of type "host_header" are not expected here." (and the same error for the path_pattern) when I run terraform plan.
I'm using terraform 0.12 and upgraded the folder from 0.11 so there's a version.tf file with required_version = ">= 0.12". I'm using this link as a reference https://www.terraform.io/docs/providers/aws/r/lb_listener_rule.html
This is the resource block I'm using
resource "aws_lb_listener_rule" "260" {
  listener_arn = data.terraform_remote_state.alb.outputs.alb_https_listener_arn
  priority     = 260
  action {
    type             = "forward"
    target_group_arn = module.x.target_group_arn
  }
  condition {
    host_header {
      values = ["something.com"]
    }
  }
  condition {
    path_pattern {
      values = ["/a/*", "/b/*"]
    }
  }
}
I'm using this setup in other files I have so I know it can run successfully. I'm wondering if there's a conflicting resource or something else I'm missing that's causing the error.
I am using the deprecated condition version in the same folder in a different file if that would cause an issue. When I isolate that resource and try to modify it it still gives me the error so I might need to delete the rule and then recreate it with the new way.
I've tried deleting the .terraform file and running terraform init again to see if that would reset anything, re-arranging the conditions if that had anything to do with it, and copying the exact code from the doc and modifying it but it still throws the error.
I can use the deprecated condition:
condition {
  field  = "path-pattern"
  values = ["/a/*", "/b/*"]
}
I've been searching online for a similar problem and had trouble finding one that matches this issue.

Resource 'data.template_file.user_data' does not have attribute 'rendered'

Terraform Version: v0.11.8
Use case
Trying to terminate the resources using Terraform, I got an error while running the output command.
Code:
output "frontend_rendered" {
  value = "${data.template_file.user_data.rendered}"
}
Debug Output
module.test.output.test_rendered: Resource
'data.template_file.user_data' does not have attribute 'rendered' for
variable 'data.template_file.user_data.rendered'
Expected Behavior
Termination without any error.
Additional Context
This issue came after I upgraded Terraform from v0.11.4 to v0.11.8, and I have also updated the AWS provider to the latest 1.33.0.
Any help?
Thanks!
Finally I was able to find the solution.
After Terraform v0.11.4, we shouldn't evaluate unused outputs during a full destroy operation.

Parameter validation failed: parameter value for parameter name PublicSubnetAz does not exist

I'm trying to create a CloudFormation template but I get the error Parameter validation failed: parameter value for parameter name PublicSubnetAz does not exist when I run the stack creation.
My template includes in the parameter section the following property:
"PublicSubnetAz": {
  "Type": "AWS::EC2::AvailabilityZone::Name",
  "Default": ""
}
and in my Conditions section I have
"xxx": {
  "Fn::Not": [
    {
      "Fn::Equals": [
        { "Ref": "PublicSubnetAz" },
        ""
      ]
    }
  ]
}
If I don't set the PublicSubnetAz property while creating the stack I get the error reported.
This is expected behaviour, as if the user doesn't select an AZ I get the first one when I need an AZ reference.
Does somebody already have addressed a similar problem and can help me?
Actually you can't have an optional parameter if this is an AWS-specific parameter type.
There is a feature request dated 2012 that is still not implemented.
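The answer explains why the AWS-specific type cannot be optional; the following added example (not from the question or the answer) goes one step further and shows the usual workaround: declare the parameter as a plain String with an empty default, keep the condition from the question, and fall back to the first AZ of the region with Fn::Select over Fn::GetAZs. It is written as a Terraform aws_cloudformation_stack with the template built by jsonencode, so it fits the rest of this page; the stack name, the VpcId parameter, the subnet CIDR, the condition name `HasPublicSubnetAz` and the AllowedPattern are assumptions.

```hcl
variable "vpc_id" {
  type = string
}

variable "public_subnet_az" {
  description = "Optional AZ name; empty string means 'use the first AZ of the region'"
  type        = string
  default     = ""
}

resource "aws_cloudformation_stack" "public_subnet" {
  name = "optional-az-example"

  parameters = {
    VpcId          = var.vpc_id
    PublicSubnetAz = var.public_subnet_az
  }

  template_body = jsonencode({
    AWSTemplateFormatVersion = "2010-09-09"
    Parameters = {
      VpcId = {
        Type = "AWS::EC2::VPC::Id"
      }
      PublicSubnetAz = {
        # A String parameter may legitimately be empty; an
        # AWS::EC2::AvailabilityZone::Name parameter may not.
        Type        = "String"
        Default     = ""
        Description = "Leave empty to use the first availability zone of the region"
        # Loose shape check so a non-empty value at least looks like an AZ name;
        # the strict existence check of the AWS-specific type is the trade-off.
        AllowedPattern = "^$|^[a-z0-9-]+[0-9][a-z]$"
      }
    }
    Conditions = {
      HasPublicSubnetAz = {
        "Fn::Not" = [{ "Fn::Equals" = [{ Ref = "PublicSubnetAz" }, ""] }]
      }
    }
    Resources = {
      PublicSubnet = {
        Type = "AWS::EC2::Subnet"
        Properties = {
          VpcId     = { Ref = "VpcId" }
          CidrBlock = "10.0.1.0/24"
          AvailabilityZone = {
            "Fn::If" = [
              "HasPublicSubnetAz",
              { Ref = "PublicSubnetAz" },
              { "Fn::Select" = [0, { "Fn::GetAZs" = "" }] }
            ]
          }
        }
      }
    }
  })
}
```

Because the String type no longer verifies that the zone exists in the target account and region, an invalid non-empty value surfaces only when the subnet resource is created, so the AllowedPattern (or a Terraform validation block on `public_subnet_az`) is worth keeping.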