
I have the following description of the AWS Config elb-custom-security-policy-ssl-check rule:

    Identifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
    
    Resource Types: AWS::ElasticLoadBalancing::LoadBalancer
    
    Trigger type: Configuration changes
    
    AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), Israel (Tel Aviv), Europe (Spain), Europe (Zurich) Region
    
    Parameters:
    
    sslProtocolsAndCiphers
    Type: String
    Comma separated list of ciphers and protocols.

I am creating a Terraform configuration for AWS Config, and I have this variable created to pass the input parameter for this rule:

variable "elb_custom_security_policy_ssl_check" {
  type    = string
  default = "AES128-SHA256,TLSv1.3"
}

but I am getting an internal error and the conformance pack isn't created; when I remove that rule, it gets created. The proper representation of the default value is what I am trying to figure out.

Terraform conformance pack code:

resource "aws_config_conformance_pack" "conformancepack" {
  name = "conformancepact"

  template_body = <<EOT

Resources:
  ElbCustomSecurityPolicySslCheck:
    properties:
      ConifigRuleName: elb-custom-security-policy-ssl-check
      InputParameters:
        sslProtocolsAndCiphers: ${var.elb_custom_security_policy_ssl_check}
      Scope:
        ComplianceResourceTypes:
        - AWS::ElasticLoadBalancing::LoadBalancer
      Source:
        Owner: AWS
        SourceIdentifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
    Type: AWS::Config::ConfigRule
EOT
}
George Udosen

2 Answers

There is a spelling error in your conformance pack configuration: ConifigRuleName instead of ConfigRuleName.

alex


The issue is that the YAML created with the heredoc syntax is using a wrong parameter:

  template_body = <<EOT

Resources:
  ElbCustomSecurityPolicySslCheck:
    properties:  <------------- This is not the correct property name
      ConfigRuleName: elb-custom-security-policy-ssl-check
      InputParameters:
        sslProtocolsAndCiphers: ${var.elb_custom_security_policy_ssl_check}
      Scope:
        ComplianceResourceTypes:
        - AWS::ElasticLoadBalancing::LoadBalancer
      Source:
        Owner: AWS
        SourceIdentifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
    Type: AWS::Config::ConfigRule
EOT

This should be fixed to look like the following (note that it is Properties instead of properties):

resource "aws_config_conformance_pack" "conformancepack" {
  name = "conformancepact"

  template_body = <<EOT
Resources:
  ElbCustomSecurityPolicySslCheck:
    Properties:
      ConfigRuleName: elb-custom-security-policy-ssl-check
      InputParameters:
        sslProtocolsAndCiphers: "${var.elb_custom_security_policy_ssl_check}"
      Scope:
        ComplianceResourceTypes:
        - AWS::ElasticLoadBalancing::LoadBalancer
      Source:
        Owner: AWS
        SourceIdentifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
    Type: AWS::Config::ConfigRule
EOT
}

However, based on the Terraform documentation, note the following:

The account must have a Configuration Recorder with proper IAM permissions before the Conformance Pack will successfully create or update. See also the aws_config_configuration_recorder resource.

Marko E
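As an added example that is not part of either answer above, here is one way to build the same conformance pack so that neither mistake the answers point out (the misspelled ConfigRuleName and the lowercase properties key) can come back: the template is assembled as an HCL object and rendered with yamlencode(), which spells each key once and always emits the parameter value as a quoted YAML string, and the variable gets a validation block that rejects a malformed cipher list at plan time rather than as an opaque internal error from AWS Config. The default value is taken from the question; the configuration recorder named in depends_on is a hypothetical name and is assumed to be defined elsewhere in the same configuration.

```hcl
# Added example, not code from the question or the answers above.
# The template is built as an HCL object and rendered with yamlencode(),
# so key names are spelled once and the parameter value is always emitted
# as a quoted YAML string.

variable "elb_custom_security_policy_ssl_check" {
  description = "Comma-separated ciphers and protocols passed to ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK as sslProtocolsAndCiphers"
  type        = string
  default     = "AES128-SHA256,TLSv1.3" # value taken from the question; assumed to match the ELB's custom policy

  validation {
    # One or more comma-separated tokens, no spaces or empty entries, so a
    # malformed list fails at `terraform plan` instead of surfacing as an
    # internal error when AWS Config tries to create the pack.
    condition     = can(regex("^[A-Za-z0-9._-]+(,[A-Za-z0-9._-]+)*$", var.elb_custom_security_policy_ssl_check))
    error_message = "Must be a comma-separated list of cipher and protocol names with no spaces, e.g. \"AES128-SHA256,TLSv1.2\"."
  }
}

locals {
  # Same rule as in the question, expressed as data rather than a heredoc.
  # Note the CloudFormation-style keys: Type and Properties are capitalised,
  # and ConfigRuleName is spelled correctly.
  conformance_pack_template = {
    Resources = {
      ElbCustomSecurityPolicySslCheck = {
        Type = "AWS::Config::ConfigRule"
        Properties = {
          ConfigRuleName = "elb-custom-security-policy-ssl-check"
          InputParameters = {
            sslProtocolsAndCiphers = var.elb_custom_security_policy_ssl_check
          }
          Scope = {
            ComplianceResourceTypes = ["AWS::ElasticLoadBalancing::LoadBalancer"]
          }
          Source = {
            Owner            = "AWS"
            SourceIdentifier = "ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK"
          }
        }
      }
    }
  }
}

resource "aws_config_conformance_pack" "conformancepack" {
  name          = "conformancepack"
  template_body = yamlencode(local.conformance_pack_template)

  # Conformance packs require an active configuration recorder (see the
  # Terraform documentation note quoted above). The recorder is assumed to
  # be defined elsewhere in this configuration under this hypothetical name.
  depends_on = [aws_config_configuration_recorder.recorder]
}

output "conformance_pack_template_body" {
  # Lets you inspect the rendered YAML with `terraform output` (or evaluate
  # yamlencode(local.conformance_pack_template) in `terraform console`)
  # before applying.
  value = yamlencode(local.conformance_pack_template)
}
```

yamlencode() double-quotes every string it emits, so the rendered template carries the value as "sslProtocolsAndCiphers": "AES128-SHA256,TLSv1.3" regardless of what characters the variable contains; that is the same effect as the quotes the second answer adds around the interpolation, but it holds for every value in the template rather than only the one you remembered to quote.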