I am running into an error while trying to enable the AWS IoT AccountAuditConfiguration. Unfortunately there is no support for that in the AWS Terraform provider (if there is, please let me know). CloudFormation supports it. I wrote a Terraform script to invoke it and I am running into a "resource already exists" error. I think I want to update it rather than declare it.

Here are the files.

The sample.json.tpl file:
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Amazon Web Services IoT AccountAuditConfiguration Template",
  "Resources": {
    "IoTAuditConfiguration": {
      "Type": "AWS::IoT::AccountAuditConfiguration",
      "Properties": {
        "AccountId": "${account_id}",
        "AuditCheckConfigurations": {
          "AuthenticatedCognitoRoleOverlyPermissiveCheck": { "Enabled": true },
          "CaCertificateExpiringCheck": { "Enabled": true },
          "CaCertificateKeyQualityCheck": { "Enabled": true },
          "ConflictingClientIdsCheck": { "Enabled": true },
          "DeviceCertificateExpiringCheck": { "Enabled": true },
          "DeviceCertificateKeyQualityCheck": { "Enabled": true },
          "DeviceCertificateSharedCheck": { "Enabled": true },
          "IntermediateCaRevokedForActiveDeviceCertificatesCheck": { "Enabled": true },
          "IotPolicyOverlyPermissiveCheck": { "Enabled": true },
          "IoTPolicyPotentialMisConfigurationCheck": { "Enabled": true },
          "IotRoleAliasAllowsAccessToUnusedServicesCheck": { "Enabled": true },
          "IotRoleAliasOverlyPermissiveCheck": { "Enabled": true },
          "LoggingDisabledCheck": { "Enabled": true },
          "RevokedCaCertificateStillActiveCheck": { "Enabled": true },
          "RevokedDeviceCertificateStillActiveCheck": { "Enabled": true },
          "UnauthenticatedCognitoRoleOverlyPermissiveCheck": { "Enabled": true }
        },
        "AuditNotificationTargetConfigurations": {
          "Sns": {
            "TargetArn": "${sns_notifications_arn}",
            "RoleArn": "${role}",
            "Enabled": true
          }
        },
        "RoleArn": "${role}"
      }
    }
  }
}
```
The cloudformation_deploy.tf:

```hcl
data "template_file" "aws_iot_account_audit_enable" {
  template = "${file("${path.module}/sample.json.tpl")}"
  vars = {
    account_id            = data.aws_caller_identity.current.account_id
    sns_notifications_arn = aws_sns_topic.iot_topic.arn
    # The template uses this value for the RoleArn properties, so it must be
    # the role's ARN, not its name.
    role                  = aws_iam_role.iot_role.arn
  }
}

resource "aws_cloudformation_stack" "stack" {
  name          = "stack"
  template_body = "${data.template_file.aws_iot_account_audit_enable.rendered}"
}
```
This is the error I am getting:

```text
Error: waiting for CloudFormation Stack (arn:aws:cloudformation:us-east-2:xxxxxxxxxxxx:stack/stack/xxxxxxxxxxxxx)
create: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE):
["The following resource(s) failed to create: [IoTAuditConfiguration]. Rollback requested by user."
 "Resource handler returned message: "The AccountAuditConfiguration already exists." (RequestToken: xxxxxxxxxxxxxxxxxxx, HandlerErrorCode: AlreadyExists)"]
```

I think I am trying to create something which already exists? How do I go about updating/configuring it?
2 Answers
I remembered that I had once run the audit manually some time ago. It seems to have created some configuration to which Terraform did not have access. So I added the needed permissions to the EC2 role. Then I ran the command in an EC2 instance:

This is the documentation around the command:

> "The following delete-account-audit-configuration example restores the default settings for AWS IoT Device Defender for this account, disabling all audit checks and clearing configuration data. It also deletes any scheduled audits for this account. Use this command with caution."
Since both CloudFormation and Terraform are IaC tools, I would say the same thing applies in both cases: if a resource exists, it needs to be imported. There is a way to import existing resources into the CloudFormation stack as well. If the stack needs to be imported into Terraform, that also can be done. However, if you want to use only Terraform, there is the AWS CC provider, and such a resource exists there:
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/iot_account_audit_configuration
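As an added example (not code from the question or from either answer), here is how the same audit configuration can be expressed with the `awscc` provider resource linked above and adopted into state with a Terraform `import` block instead of being re-created, which is what produced the `AlreadyExists` error. It assumes the `aws_iam_role.iot_role`, `aws_sns_topic.iot_topic` and `data.aws_caller_identity.current` resources from the question exist in the same module; the snake_case attribute names are assumed to follow the provider's mapping of the CloudFormation property names, and the import ID is assumed to be the account ID (the resource type's CloudFormation primary identifier), shown here as a placeholder.

```hcl
# Added example, not part of the original question or answers.
# Assumptions: attribute names mirror the CloudFormation properties in
# snake_case; the import identifier is the AWS account ID.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
    awscc = {
      source = "hashicorp/awscc"
    }
  }
}

provider "awscc" {
  region = "us-east-2"
}

resource "awscc_iot_account_audit_configuration" "this" {
  account_id = data.aws_caller_identity.current.account_id
  # The role Device Defender assumes to read IoT resources during an audit.
  role_arn   = aws_iam_role.iot_role.arn

  # Every check is declared explicitly so that someone disabling one by hand
  # in the console shows up as drift in `terraform plan`.
  audit_check_configurations = {
    authenticated_cognito_role_overly_permissive_check         = { enabled = true }
    ca_certificate_expiring_check                              = { enabled = true }
    ca_certificate_key_quality_check                           = { enabled = true }
    conflicting_client_ids_check                               = { enabled = true }
    device_certificate_expiring_check                          = { enabled = true }
    device_certificate_key_quality_check                       = { enabled = true }
    device_certificate_shared_check                            = { enabled = true }
    intermediate_ca_revoked_for_active_device_certificates_check = { enabled = true }
    iot_policy_overly_permissive_check                         = { enabled = true }
    iot_policy_potential_mis_configuration_check               = { enabled = true }
    iot_role_alias_allows_access_to_unused_services_check      = { enabled = true }
    iot_role_alias_overly_permissive_check                     = { enabled = true }
    logging_disabled_check                                     = { enabled = true }
    revoked_ca_certificate_still_active_check                  = { enabled = true }
    revoked_device_certificate_still_active_check              = { enabled = true }
    unauthenticated_cognito_role_overly_permissive_check       = { enabled = true }
  }

  # Findings are published to the SNS topic so an audit failure is noticed
  # rather than sitting unread in the console.
  audit_notification_target_configurations = {
    sns = {
      enabled    = true
      target_arn = aws_sns_topic.iot_topic.arn
      role_arn   = aws_iam_role.iot_role.arn
    }
  }
}

# Terraform 1.5+ declarative import: adopt the configuration that already
# exists in the account instead of trying to create a second one.
import {
  to = awscc_iot_account_audit_configuration.this
  id = "123456789012" # placeholder: replace with the account ID
}
```

After adding the `import` block, run `terraform plan`: if the existing configuration is adopted correctly the plan shows an in-place update (or no changes) for `awscc_iot_account_audit_configuration.this` rather than a create. Once the apply has imported it, the `import` block can be removed. On Terraform versions before 1.5 the equivalent is `terraform import awscc_iot_account_audit_configuration.this <account-id>` before the first apply.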