AWSConfig custom rule couldn't be updated

[clement-cunin]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

$ terraform --version
Terraform v0.14.11
+ provider registry.terraform.io/hashicorp/aws v4.17.1

Affected Resource(s)

• aws_config_config_rule

Terraform Configuration Files

Start with custom config rule as defined in documentation (with tags)

resource "aws_config_config_rule" "example" {
  name = "example"
  tags = { "test": "sample" }

  source {
    owner = "CUSTOM_POLICY"

    source_detail {
      message_type = "ConfigurationItemChangeNotification"
    }

    custom_policy_details {
      policy_runtime = "guard-2.x.x"
      policy_text    = <<EOF
      rule tableisactive when
          resourceType == "AWS::DynamoDB::Table" {
          configuration.tableStatus == ['ACTIVE']
      }

      rule checkcompliance when
          resourceType == "AWS::DynamoDB::Table"
          tableisactive {
              supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
      }
EOF                    
    }
  }
}

Panic Output

Error creating AWSConfig rule: Failed to create AWSConfig rule: InvalidParameterValueException: PolicyText is required when Owner is CUSTOM_POLICY

Actual Behavior

The first terraform apply work's fine to create the AWSConfig custom rule.
But if try to update the tag value, terraform fail to apply change on it.

Expected Behavior

Terraform should be able to update tags on AWSCustom rule

Steps to Reproduce

1. terraform apply
2. Update the tag value to another value like "sample2"
3. terraform apply

Important Factoids

/

References

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule

[justinretzolk]

Hey @clement-cunin 👋 Thank you for taking the time to raise this! So that we have all of the necessary information in order to look into this, can you supply debug logs (redacted as needed) as well?

[clement-cunin]

I just reproduct with the last version of terraform:

Terraform v1.2.2
on windows_amd64
+ provider registry.terraform.io/hashicorp/aws v4.17.1

The debug log of AWS call:

2022-06-09T21:30:39.736+0200 [TRACE] provider.terraform-provider-aws_v4.17.1_x5.exe: Calling downstream: tf_provider_addr=provider tf_req_id=5d8df4b0-eeab-a207-bfa3-6f3b11174111 tf_resource_type=aws_config_config_rule tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:846 @module=sdk.helper_schema timestamp=2022-06-09T21:30:39.736+0200
2022-06-09T21:30:39.736+0200 [DEBUG] provider.terraform-provider-aws_v4.17.1_x5.exe: Creating AWSConfig config rule: {
  ConfigRule: {
    ConfigRuleName: "example",
    Source: {
      CustomPolicyDetails: {
        EnableDebugLogDelivery: false,
        PolicyRuntime: "guard-2.x.x",
        PolicyText: ""
      },
      Owner: "CUSTOM_POLICY",
      SourceDetails: [{
          EventSource: "aws.config",
          MessageType: "ConfigurationItemChangeNotification"
        }]
    }
  },
  Tags: [{
      Key: "test",
      Value: "sample2"
    }]
}: timestamp=2022-06-09T21:30:39.736+0200
2022-06-09T21:30:39.736+0200 [DEBUG] provider.terraform-provider-aws_v4.17.1_x5.exe: Waiting for state to become: [success]: timestamp=2022-06-09T21:30:39.736+0200
2022-06-09T21:30:39.736+0200 [DEBUG] provider.terraform-provider-aws_v4.17.1_x5.exe: [aws-sdk-go] DEBUG: Request config/PutConfigRule Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: config.eu-west-1.amazonaws.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.2.2 (+https://www.terraform.io) terraform-provider-aws/dev (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.25 (go1.17.6; windows; amd64)
Content-Length: 320
Authorization: AWS4-HMAC-SHA256 Credential=AKIAUX4YUB3AXSLNSTEA/20220609/eu-west-1/config/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target, Signature=5f09805f82cf08d51cdaefa1c1e8d9f084f0a068971c502c9a55969d125afaeb
Content-Type: application/x-amz-json-1.1
X-Amz-Date: 20220609T193039Z
X-Amz-Target: StarlingDoveService.PutConfigRule
Accept-Encoding: gzip

{"ConfigRule":{"ConfigRuleName":"example","Source":{"CustomPolicyDetails":{"EnableDebugLogDelivery":false,"PolicyRuntime":"guard-2.x.x","PolicyText":""},"Owner":"CUSTOM_POLICY","SourceDetails":[{"EventSource":"aws.config","MessageType":"ConfigurationItemChangeNotification"}]}},"Tags":[{"Key":"test","Value":"sample2"}]}
-----------------------------------------------------: timestamp=2022-06-09T21:30:39.736+0200
2022-06-09T21:30:39.854+0200 [DEBUG] provider.terraform-provider-aws_v4.17.1_x5.exe: [aws-sdk-go] DEBUG: Response config/PutConfigRule Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 106
Content-Type: application/x-amz-json-1.1
Date: Thu, 09 Jun 2022 19:30:39 GMT
Strict-Transport-Security: max-age=86400
X-Amzn-Requestid: bf07203f-bc64-4990-8896-1b25e292b41a


-----------------------------------------------------: timestamp=2022-06-09T21:30:39.854+0200
2022-06-09T21:30:39.854+0200 [DEBUG] provider.terraform-provider-aws_v4.17.1_x5.exe: [aws-sdk-go] {"__type":"InvalidParameterValueException","message":"PolicyText is required when Owner is CUSTOM_POLICY"}: timestamp=2022-06-09T21:30:39.854+0200
2022-06-09T21:30:39.854+0200 [DEBUG] provider.terraform-provider-aws_v4.17.1_x5.exe: [aws-sdk-go] DEBUG: Validate Response config/PutConfigRule failed, attempt 0/25, error InvalidParameterValueException: PolicyText is required when Owner is CUSTOM_POLICY: timestamp=2022-06-09T21:30:39.854+0200

[beckjim]

Bug is still reproducable:
Terraform v1.6.6
on linux_amd64

• provider registry.terraform.io/hashicorp/aws v5.33.0

[ewbankkit]

Relates #24057.

[github-actions]

This functionality has been released in v5.39.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.