I have the following description of the AWS Config elb-custom-security-policy-ssl-check rule:
Identifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
Resource Types: AWS::ElasticLoadBalancing::LoadBalancer
Trigger type: Configuration changes
AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), Israel (Tel Aviv), Europe (Spain), Europe (Zurich) Region
Parameters:
sslProtocolsAndCiphers
Type: String
Comma-separated list of ciphers and protocols.
I am creating a Terraform configuration for AWS Config, and I have created this variable to pass the input parameter for this rule:
variable "elb_custom_security_policy_ssl_check" {
  type    = string
  default = "AES128-SHA256,TLSv1.3"
}
But I am getting an internal error: the conformance pack isn't created, yet when I remove that rule it gets created. The proper representation of the default values is what I am trying to figure out.
Terraform conformance pack code:
resource "aws_config_conformance_pack" "conformancepack" {
  name          = "conformancepact"
  template_body = <<EOT
Resources:
  ElbCustomSecurityPolicySslCheck:
    properties:
      ConifigRuleName: elb-custom-security-policy-ssl-check
      InputParameters:
        sslProtocolsAndCiphers: ${var.elb_custom_security_policy_ssl_check}
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticLoadBalancing::LoadBalancer
      Source:
        Owner: AWS
        SourceIdentifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
    Type: AWS::Config::ConfigRule
EOT
}
2 Answers
There is a spelling error in your conformance pack configuration: ConifigRuleName instead of ConfigRuleName.
The issue is that the YAML created with the heredoc syntax is using a wrong parameter. This should be fixed to look like the following (note that it is Properties instead of properties):

However, based on the Terraform documentation, note the following:
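Both answers point at the same class of mistake: AWS Config rejects the template with an opaque internal error when a key is mis-cased (properties) or misspelled (ConifigRuleName). The following added example, which is not code from either answer or from the AWS provider, is a small pre-apply lint that parses the conformance pack template body and reports exactly those near-miss keys. It assumes the Terraform variable has already been rendered into the YAML (the sample templates are constructed with the literal value in place), and its parser handles only the indentation-based mappings and "- item" lists used in such templates, not full YAML.

```python
"""Pre-apply lint for an AWS Config conformance pack template body.

Added example, not code from the question or answers. Each entry under
`Resources` is checked for the shape AWS Config expects (`Type:
AWS::Config::ConfigRule` plus a `Properties` block holding `ConfigRuleName`
and `Source`), so casing or spelling slips surface locally instead of as an
internal error from the service. The parser covers only indentation-based
mappings and `- item` lists; it is not a full YAML parser.
"""
import difflib

REQUIRED_TYPE = "AWS::Config::ConfigRule"
REQUIRED_PROPERTIES = ("ConfigRuleName", "Source")
REQUIRED_SOURCE_KEYS = ("Owner", "SourceIdentifier")

# Constructed sample: the question's template with the variable already rendered.
BROKEN_TEMPLATE = """\
Resources:
  ElbCustomSecurityPolicySslCheck:
    properties:
      ConifigRuleName: elb-custom-security-policy-ssl-check
      InputParameters:
        sslProtocolsAndCiphers: AES128-SHA256,TLSv1.3
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticLoadBalancing::LoadBalancer
      Source:
        Owner: AWS
        SourceIdentifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
    Type: AWS::Config::ConfigRule
"""

# Constructed sample: the same template with the two key spellings corrected.
FIXED_TEMPLATE = BROKEN_TEMPLATE.replace("properties:", "Properties:").replace(
    "ConifigRuleName", "ConfigRuleName")


def parse_simple_yaml(text):
    """Parse the mapping/list subset of YAML used in conformance pack templates."""
    lines = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith("#"):
            lines.append((len(raw) - len(raw.lstrip(" ")), stripped))
    pos = 0

    def block(indent):
        nonlocal pos
        if lines[pos][1].startswith("- "):  # sequence of scalar items
            items = []
            while pos < len(lines) and lines[pos][0] == indent and lines[pos][1].startswith("- "):
                items.append(lines[pos][1][2:].strip())
                pos += 1
            return items
        mapping = {}
        while pos < len(lines) and lines[pos][0] == indent:
            key, _, value = lines[pos][1].partition(":")  # split on the first colon only
            pos += 1
            if value.strip():
                mapping[key.strip()] = value.strip()
            elif pos < len(lines) and (lines[pos][0] > indent or lines[pos][1].startswith("- ")):
                mapping[key.strip()] = block(lines[pos][0])  # nested mapping or list
            else:
                mapping[key.strip()] = None
        return mapping

    return block(lines[0][0]) if lines else {}


def lint_conformance_pack(template_text):
    """Return human-readable findings; an empty list means the template passes."""
    findings = []
    doc = parse_simple_yaml(template_text)
    resources = doc.get("Resources") if isinstance(doc, dict) else None
    if not isinstance(resources, dict):
        return ["template has no `Resources` mapping"]

    def missing(owner, key, mapping):
        # Report the missing key and, when a near-miss such as `properties` or
        # `ConifigRuleName` is present, name it: these keys are case-sensitive.
        near = difflib.get_close_matches(key, list(mapping), n=1, cutoff=0.8)
        hint = f" (found {near[0]!r} instead; keys are case-sensitive)" if near else ""
        findings.append(f"{owner}: missing `{key}`{hint}")
        return mapping.get(near[0]) if near else None

    for name, res in resources.items():
        if not isinstance(res, dict):
            findings.append(f"{name}: resource body is not a mapping")
            continue
        if res.get("Type") != REQUIRED_TYPE:
            findings.append(f"{name}: Type must be {REQUIRED_TYPE}, got {res.get('Type')!r}")
        props = res.get("Properties")
        if not isinstance(props, dict):
            props = missing(name, "Properties", res)  # keep linting the near-miss block
        if not isinstance(props, dict):
            continue
        for key in REQUIRED_PROPERTIES:
            if key not in props:
                missing(name, key, props)
        source = props.get("Source")
        if isinstance(source, dict):
            for key in REQUIRED_SOURCE_KEYS:
                if key not in source:
                    missing(f"{name}.Source", key, source)
    return findings


if __name__ == "__main__":
    for label, body in (("question's template", BROKEN_TEMPLATE), ("corrected template", FIXED_TEMPLATE)):
        problems = lint_conformance_pack(body)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run against the question's template the lint reports two findings (the mis-cased Properties block and the misspelled ConfigRuleName), and against the corrected template it reports none; wiring a check like this into a plan stage catches the mistake before the conformance pack call fails.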