0

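I'm trying to create an AWS Config rule to check whether a CloudTrail alarm is enabled. I get the following error when running terraform apply: Error: Error creating AWSConfig rule: Failed to create AWSConfig rule: InvalidParameterValueException: Blank spaces are not acceptable for input parameter: threshold. I'm not sure what the formatting problem is in the input parameters argument (see input_parameters). The apply works if I remove everything except metricName, i.e.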

input_parameters = "{\"metricName\":\"CloudTrailConfigChanges\"}"

Any help would be greatly appreciated.

resource aws_config_config_rule ensure-log-alarm-exists-for-cloudtrail {
  name = "ensure-log-alarm-exists-for-cloudtrail"
  description = "Checks whether cloudwatch alarm is on for cloudtrail configuration changes"

  source {
    owner = "AWS"
    source_identifier = "CLOUDWATCH_ALARM_SETTINGS_CHECK"
  }
  
  input_parameters = "{\"metricName\":\"CloudTrailConfigChanges\",\"threshold\":1,\"evaluationPeriod\":1,\"period\":300,\"comparisionOperator\":\"GreaterThanOrEqualToThreshold\",\"statistic\":\"Sum\"}"
}

There seems to be an issue with parsing ints from the JSON string: https://github.com/hashicorp/terraform-provider-aws/issues/773#issuecomment-385454229

I get the same error even when using

  input_parameters =<<EOF
{
  "metricName":"CloudTrailConfigChanges",
  "threshold":1
}
EOF

or

input_parameters = jsonencode({"metricName":"CloudTrailConfigChanges","threshold"=1})

Converting the int value to a quoted string doesn't work either.

resource "aws_config_config_rule" "ensure-log-alarm-exists-for-cloudtrail" {
  name        = "ensure-log-alarm-exists-for-cloudtrail"
  description = "Checks whether cloudwatch alarm is on for cloudtrail configuration changes"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDWATCH_ALARM_SETTINGS_CHECK"
  }

  input_parameters = jsonencode({
    metricName = "CloudTrailConfigChanges"
    threshold  = "1"
  })
}

The code above produces the following error:

Unknown parameters provided in the inputParameters:
4

2 Answers

1

In your example you are still specifying the threshold as an integer. Try making it a string.

resource "aws_config_config_rule" "ensure-log-alarm-exists-for-cloudtrail" {
  name        = "ensure-log-alarm-exists-for-cloudtrail"
  description = "Checks whether cloudwatch alarm is on for cloudtrail configuration changes"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDWATCH_ALARM_SETTINGS_CHECK"
  }

  input_parameters = jsonencode({
    metricName = "CloudTrailConfigChanges"
    threshold  = "1"
  })
}
Answered 2020-11-27T14:07:08.400
0

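I ran into this error, and what solved it for me was adding a condition. I don't fully understand why this works or why the error occurs without the condition, but I saw the condition used in AWS examples.

For example, I first tried referencing the parameter in a simple way like this: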

        "InputParameters": {
            "appNames": {
                "Ref": "ApplicationNames"
            }
        }

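When my resource referenced the ApplicationNames parameter directly like this, it gave that error. But using Conditions and referencing the parameter this way made it work, as in this complete template example: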

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Just a stripped-down example",
    "Parameters": {
        "ApplicationNames": {
            "Type": "String",
            "Default": "This Has Spaces",
            "MinLength": "1",
            "ConstraintDescription": "This parameter is required."
        }
    },
    "Conditions": {
        "ApplicationNamesDefined": {
            "Fn::Not": [
                {
                    "Fn::Equals": [
                        "",
                        {
                            "Ref": "ApplicationNames"
                        }
                    ]
                }
            ]
        }
    },
    "Resources": {
        "SampleRule": {
            "Type": "AWS::Config::ConfigRule",
            "DependsOn": "SecurityHubCustomUpdaterFunction",
            "Properties": {
                "ConfigRuleName": "TheName",
                "Description": "It was here that I was getting 'Blank spaces are not acceptable for input parameter: applicationNames' before I added the Conditions and Fn::If to reference it",
                "InputParameters": {
                    "appNames": {
                        "Fn::If": [
                            "ApplicationNamesDefined",
                            {
                                "Ref": "ApplicationNames"
                            },
                            {
                                "Ref": "AWS::NoValue"
                            }
                        ]
                    }
                },
                "Scope": {
                    "ComplianceResourceTypes": [
                        "AWS::SSM::ManagedInstanceInventory"
                    ]
                },
                "Source": {
                    "Owner": "AWS",
                    "SourceIdentifier": "EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED"
                }
            }
        }
    }
}

So you may want to try using Conditions.

Answered 2021-08-03T23:19:55.810
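
A pre-apply check covering both answers above, as an added example that is not part of the original thread: it flags values in an input_parameters JSON string that are not plain non-empty strings (the first answer's fix) and drops empty ones (what the second answer's Fn::If / AWS::NoValue achieves). The function name and the rule that every value must be a non-empty string are assumptions drawn from the two answers; parameter names are not validated.

```python
import json

# The question's input_parameters string, copied from the post.
QUESTION_PARAMS = (
    '{"metricName":"CloudTrailConfigChanges","threshold":1,'
    '"evaluationPeriod":1,"period":300,'
    '"comparisionOperator":"GreaterThanOrEqualToThreshold","statistic":"Sum"}'
)

def lint_input_parameters(raw):
    """Return (findings, normalized_json) for an AWS Config input_parameters string.

    Assumption: each value must be a non-empty JSON string. Only value
    types are checked here, not whether the managed rule knows the name.
    """
    params = json.loads(raw)
    if not isinstance(params, dict):
        raise ValueError("input_parameters must be a JSON object")
    findings, fixed = [], {}
    for name, value in params.items():
        if isinstance(value, bool):
            # bool is checked before int because bool is a subclass of int
            fixed[name] = json.dumps(value)  # True -> "true"
            findings.append(f"{name}: boolean, quote it as \"{fixed[name]}\"")
        elif isinstance(value, (int, float)):
            fixed[name] = str(value)
            findings.append(f"{name}: number {value}, quote it as \"{fixed[name]}\"")
        elif value is None or isinstance(value, (list, dict)):
            findings.append(f"{name}: {type(value).__name__} value, omit or flatten it")
        elif not value.strip():
            # Mirrors the Fn::If / AWS::NoValue pattern: leave the key out.
            findings.append(f"{name}: blank value, omit the parameter")
        else:
            fixed[name] = value
    return findings, json.dumps(fixed, separators=(",", ":"))

if __name__ == "__main__":
    issues, normalized = lint_input_parameters(QUESTION_PARAMS)
    for issue in issues:
        print("WARN", issue)
    print(normalized)
```
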