I am trying to define scope in Terraform. I can launch a managed rule without a scope and it works, but when I try to define a scope I get this error:
Inappropriate value for attribute "compliance_resource_types": set of string required.
Maybe someone can help to write the scope correctly?
Here is the code for the scope:
scope {
  compliance_resource_types = "AWS::EC2::SecurityGroup"
}
As the documentation states for compliance_resource_types of resource aws_config_config_rule:
A list of resource types of only those AWS resources that you want to trigger an evaluation for the rule. e.g. AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See relevant part of AWS Docs for available types.
You are using a single string instead of a list of strings.
The following change should fix your issue:
resource "aws_config_config_rule" "example" {
  # ... other configuration ...
  scope {
    compliance_resource_types = ["AWS::EC2::SecurityGroup"]
  }
}
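As an added example (not code from the original answer), here is a complete managed rule with a scope, plus the narrower form the quoted docs describe, where compliance_resource_id may only be combined with a single resource type. The rule name, the recorder reference and the security group resource are assumptions; INCOMING_SSH_DISABLED is the AWS-managed identifier for the restricted-ssh rule.

```hcl
# Added example: an AWS Config managed rule scoped to security groups.
# compliance_resource_types is a set of strings, so a single type is still
# written inside brackets.
resource "aws_config_config_rule" "restricted_ssh" {
  name        = "restricted-ssh"   # assumed rule name
  description = "Checks that security groups do not allow unrestricted inbound SSH"

  source {
    owner             = "AWS"
    source_identifier = "INCOMING_SSH_DISABLED"   # AWS-managed rule identifier
  }

  scope {
    compliance_resource_types = ["AWS::EC2::SecurityGroup"]
  }

  # A rule can only evaluate once the configuration recorder exists;
  # "main" is an assumed name for that resource.
  depends_on = [aws_config_configuration_recorder.main]
}

# Narrowing evaluation to one resource: compliance_resource_id is allowed
# only when exactly one resource type is listed.
resource "aws_config_config_rule" "restricted_ssh_bastion" {
  name = "restricted-ssh-bastion"

  source {
    owner             = "AWS"
    source_identifier = "INCOMING_SSH_DISABLED"
  }

  scope {
    compliance_resource_types = ["AWS::EC2::SecurityGroup"]
    compliance_resource_id    = aws_security_group.bastion.id   # assumed existing resource
  }

  depends_on = [aws_config_configuration_recorder.main]
}
```

Scoping a rule to specific resource types keeps evaluation volume (and the resulting non-compliance noise) limited to the resources the rule actually understands.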
I am new to Terraform so I am sure that I am just missing something simple, but when attempting to deploy a CloudFormation stack, I am encountering an error when applying capabilities.
Here is my stack resource:
resource "aws_cloudformation_stack" "member_remediation" {
  name         = "smx-sharr-member-remediation"
  capabilities = [CAPABILITY_IAM, CAPABILITY_AUTO_EXPAND]
  parameters = {
    SecHubAdminAccount                    = var.parameter_SecHubAdmin
    CreateS3BucketForRedshiftAuditLogging = var.parameter_CreateS3
    LogGroupName                          = var.parameter_LogGroupName
    LoadAFSBPMemberStack                  = var.parameter_LoadAFSBPStack
    LoadCIS120MemberStack                 = var.parameter_LoadCISStack
    LoadPCI321MemberStack                 = var.parameter_LoadPCIStack
  }
  template_body = file("${path.module}/cf-templates/aws-sharr-member.yml")
}
This is what the stack provides when trying to deploy in the console:
And here is the error Terraform is providing to me when performing a plan:
Exception Error in plan -
Error: Invalid reference
on .terraform/modules/aws-securityhub-master/module/main.tf line 1120, in resource "aws_cloudformation_stack" "member_remediation":
1120: capabilities = [CAPABILITY_IAM, CAPABILITY_AUTO_EXPAND]
A reference to a resource type must be followed by at least one attribute
access, specifying the resource name.
Error: Invalid reference
on .terraform/modules/aws-securityhub-master/module/main.tf line 1120, in resource "aws_cloudformation_stack" "member_remediation":
1120: capabilities = [CAPABILITY_IAM, CAPABILITY_AUTO_EXPAND]
A reference to a resource type must be followed by at least one attribute
access, specifying the resource name.
I'm not sure what attribute or resource reference the capability is requiring OR how to write it up in the resource layout. I am not finding many examples of CF stacks being deployed leveraging the capabilities option.
Any help is greatly appreciated!
NOTE: I have looked over the following question on Stack Overflow already - it didn't help me in this case:
AWS CloudFormation Stack update error: Requires capabilities : [CAPABILITY_IAM]
The argument type for capabilities is set(string). It appears you are attempting to resolve undefined first class expressions. You probably meant to cast the elements as literal strings, which we can do with the normal syntax:
capabilities = ["CAPABILITY_IAM", "CAPABILITY_AUTO_EXPAND"]
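As an added example (not the original poster's module), the capabilities can be declared once as a set(string) input with a validation block, so a typo such as an unquoted or misspelled capability is rejected at plan time rather than by CloudFormation. The variable name and the parameter wiring are assumptions; the validation requires Terraform 0.13 or later.

```hcl
# Added example: capabilities as a validated set of quoted strings.
variable "stack_capabilities" {
  description = "IAM capabilities the CloudFormation stack is allowed to use"
  type        = set(string)
  default     = ["CAPABILITY_IAM", "CAPABILITY_AUTO_EXPAND"]

  validation {
    # CloudFormation accepts exactly these three capability names.
    condition = alltrue([
      for c in var.stack_capabilities :
      contains(["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"], c)
    ])
    error_message = "Only CAPABILITY_IAM, CAPABILITY_NAMED_IAM and CAPABILITY_AUTO_EXPAND are valid."
  }
}

variable "parameter_SecHubAdmin" {
  description = "Security Hub administrator account id passed to the stack"
  type        = string
}

resource "aws_cloudformation_stack" "member_remediation" {
  name         = "smx-sharr-member-remediation"
  capabilities = var.stack_capabilities   # strings, not bare identifiers

  parameters = {
    SecHubAdminAccount = var.parameter_SecHubAdmin
  }

  template_body = file("${path.module}/cf-templates/aws-sharr-member.yml")
}
```

CAPABILITY_IAM acknowledges that the template may create IAM principals and policies, so keep the set to what the template actually needs; CAPABILITY_NAMED_IAM is only required when the template assigns custom IAM resource names.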
I am calling a module (Terraform v0.13.7) and have this statement to determine an AWS SNS Alarm action (if environment is production, use this, otherwise use this):
alarm_sns_topic_arn = var.environment == "production" ? data.terraform_remote_state.outputs.alarm_sns_topic_arn["foo1"] : data.terraform_remote_state.outputs.alarm_sns_topic_arn["foo2"]
When run, I get an error Error: Incorrect attribute value type. The variable alarm_sns_topic_arn is a string type. foo1 and foo2 should resolve to the correct ARN values, and I confirmed that when hardcoding the values it fails as well.
The full error reads:
Error: Incorrect attribute value type
on ../../../modules/aws/elasticache_cluster/cloudwatch.tf line 70, in resource "aws_cloudwatch_metric_alarm" "elasticache_alarm":
70: alarm_actions = var.alarm_sns_topic_arn # This variable is currently a null default
Inappropriate value for attribute "alarm_actions": set of string required.
Banging my head against the wall — what am I missing?
Well, this is embarrassing, and of course makes sense in light of the error:
alarm_actions - (Optional) The list of actions to execute when this alarm transitions into an ALARM state from any other state. Each action is specified as an Amazon Resource Name (ARN).
I simply needed to specify a list type for my variable and enclose the statement in [].
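As an added example (not the original poster's module), here is the list-typed variable on the module side and a module call that picks the topic key by environment and wraps the single ARN in a list. The remote state name "shared", the module path and the alarm settings are assumptions.

```hcl
# Added example, module side (modules/aws/elasticache_cluster/variables.tf):
# alarm_actions is a set of strings, so the input is declared as list(string).
variable "alarm_sns_topic_arns" {
  description = "SNS topic ARNs notified when the alarm enters ALARM state"
  type        = list(string)
  default     = []   # no actions at all, rather than a null string
}

# Added example, module side (cloudwatch.tf): the list is passed straight through.
resource "aws_cloudwatch_metric_alarm" "elasticache_alarm" {
  alarm_name          = "elasticache-cpu-high"   # assumed
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 2
  metric_name         = "CPUUtilization"
  namespace           = "AWS/ElastiCache"
  period              = 300
  statistic           = "Average"
  threshold           = 80

  alarm_actions = var.alarm_sns_topic_arns
}

# Added example, root module: choose the key with the conditional, then build
# the one-element list. "shared" is an assumed terraform_remote_state name.
locals {
  alarm_topic_key = var.environment == "production" ? "foo1" : "foo2"
}

module "elasticache" {
  source = "../../../modules/aws/elasticache_cluster"

  alarm_sns_topic_arns = [
    data.terraform_remote_state.shared.outputs.alarm_sns_topic_arn[local.alarm_topic_key]
  ]
}
```

Selecting the map key in a local and indexing once keeps the conditional short and avoids repeating the remote state path in both branches.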
I have a firewall rule in my GCP project and the values are read from variables at run time. It works successfully; however, I now have a use case where I want to add a deny block instead of allow. You cannot have both in there. Is there a way to have the allow block be replaced by a deny block based on a condition?
Perhaps if the variable name is X, then use a deny block, or else use an allow block. See the sample code below.
resource "google_compute_firewall" "fw" {
  ....
  allow {
    protocol = var.somevariable[element(keys(var.somevariable), count.index)]["protocol"]
    ports    = var.somevariable[element(keys(var.somevariable), count.index)]["ports"]
  }
  ...
}
I think it's a job for what they call dynamic blocks.
In short: I see it as having two dynamic blocks, one for allow and one for deny. Each of them would use some conditions (might be mutually exclusive). A stub of your code could be:
resource "google_compute_firewall" "fw" {
  dynamic "allow" {
    for_each = var.allow_entries
    ...
  }
  # google_compute_firewall has no "block" block; the nested block is named "deny"
  dynamic "deny" {
    for_each = var.deny_entries
    ...
  }
}
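As an added example (not the answerer's code) that goes a step further than the stub, here is one resource whose allow or deny blocks are generated from the same map of rules depending on a single variable, so the two dynamic blocks are mutually exclusive by construction. The variable names, the network and the sample rules are assumptions.

```hcl
# Added example: allow or deny chosen by var.action, never both.
variable "action" {
  description = "Whether the rule allows or denies the listed traffic"
  type        = string
  default     = "deny"

  validation {
    condition     = contains(["allow", "deny"], var.action)
    error_message = "action must be \"allow\" or \"deny\"."
  }
}

variable "rules" {
  description = "Protocol/port entries keyed by a label (constructed sample values)"
  type = map(object({
    protocol = string
    ports    = list(string)
  }))
  default = {
    ssh = { protocol = "tcp", ports = ["22"] }
    rdp = { protocol = "tcp", ports = ["3389"] }
  }
}

variable "source_ranges" {
  description = "CIDR ranges the rule applies to"
  type        = list(string)
  default     = ["0.0.0.0/0"]   # sensible for a deny rule; narrow it for an allow rule
}

resource "google_compute_firewall" "fw" {
  name      = "example-${var.action}-rule"   # assumed naming
  network   = "default"                      # assumed network
  direction = "INGRESS"

  source_ranges = var.source_ranges

  # Only one of the two for_each expressions is non-empty for a given action,
  # so the resource ends up with either allow blocks or deny blocks.
  dynamic "allow" {
    for_each = var.action == "allow" ? var.rules : {}
    content {
      protocol = allow.value.protocol
      ports    = allow.value.ports
    }
  }

  dynamic "deny" {
    for_each = var.action == "deny" ? var.rules : {}
    content {
      protocol = deny.value.protocol
      ports    = deny.value.ports
    }
  }
}
```

Switching var.action between "allow" and "deny" replaces the nested blocks in place, which is the conditional substitution the question asks for; the validation rejects any other value before a plan is produced.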
This is setup.tf:
data "google_compute_network" "selected" {
  name = "${var.network}"
}
It's very basic. I just want to create a network in Google Cloud.
I run this with:
terraform apply -var 'network=net1'
But I still got an error like:
Error: resource 'data.google_compute_network.selected' config: unknown variable referenced: 'network'; define it with a 'variable' block
When I don't use variables it works as expected.
I guess you should have the variable defined to get Terraform to not complain about it.
variable "network" {
  description = "your description goes here"
  type        = "string"   # or "list" / "map", depending on the value you pass
  default     = "default value here"
}
You can put this in your main file or maybe in a separate file called input.tf, but it just has to be present in the same directory.
terraform apply -var 'your-var=your-value' will override the value of the default in the variable section.
Terraform Doc: https://www.terraform.io/docs/configuration/variables.html
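As an added example (not the answerer's code), here is the same input declared in the 0.12+ syntax, with a validation that rejects names GCP would refuse anyway, the data source reading it without the legacy interpolation, and an output that proves the lookup worked. The default network name and the output name are assumptions.

```hcl
# Added example: the variable the data source depends on, in 0.12+ syntax.
variable "network" {
  description = "Name of the existing VPC network to look up"
  type        = string
  default     = "default"   # assumed; overridden by -var 'network=net1'

  validation {
    # GCP resource names: lowercase letter first, then lowercase letters,
    # digits or hyphens, not ending in a hyphen.
    condition     = can(regex("^[a-z]([-a-z0-9]*[a-z0-9])?$", var.network))
    error_message = "network must be a valid GCP resource name (lowercase letters, digits, hyphens)."
  }
}

data "google_compute_network" "selected" {
  name = var.network   # no "${...}" wrapping needed in 0.12+
}

output "network_self_link" {
  value = data.google_compute_network.selected.self_link
}

# Run with:  terraform apply -var 'network=net1'
```

The validation turns a bad value into a plan-time error with a clear message instead of an API error after the run has started.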
I have a parameter "SecretKey" and I want to provide a default value to it (http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html) and the default value would be a generated random string. I already have a lambda function to do the generation of the key and a custom resource (call it RandomSecretKey) to get the value. Ultimately, I want to be able to do this in the parameters section:
"SecretKey": {
  ...
  "Default": { "Fn::GetAtt": ["RandomSecretKey", "Value"] }
}
And this parameter would be referenced somewhere.
But this doesn't work because CloudFormation expects a static String based on the error message. Is there a way to do this?
No. It's not possible to have a dynamic default value for CloudFormation. The reason being that the template has not executed at all at the time that parameters are being collected.
If you want this to be a parameter, your generated value will have to be generated outside of the template and passed into the template as a parameter. You could do this from a bootstrapping creation script.
Alternatively, you should be able to use a Custom Resource in your template to generate your random secret key. It should be able to persist through stack updates.
References:
Custom Resources Docs - http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html
Custom Resources Example - https://blogs.aws.amazon.com/application-management/post/Tx2FNAPE4YGYSRV/Customers-CloudFormation-and-Custom-Resources