
OrganizationCustomPolicyRuleMetadata attribute not available in PutOrganizationConfigRule #3388

Closed
lvthillo opened this issue Aug 10, 2022 · 3 comments
Labels
bug This issue is a confirmed bug. config service-api This issue is caused by the service API, not the SDK implementation.

Comments

@lvthillo

lvthillo commented Aug 10, 2022

Describe the bug

I'm trying to create an organizational custom Config policy rule using Guard.

Boto3 docs:

Make sure to specify one of either OrganizationCustomPolicyRuleMetadata for Custom Policy rules, OrganizationCustomRuleMetadata for Custom Lambda rules, or OrganizationManagedRuleMetadata for managed rules.

I'm trying to use OrganizationCustomPolicyRuleMetadata. The API doc.

response = client.put_organization_config_rule(
    OrganizationConfigRuleName='test-rule',
    OrganizationCustomPolicyRuleMetadata={...}
)

Expected Behavior

Creation of the AWS Config Rule.

Current Behavior

Exception:

botocore.errorfactory.InvalidParameterValueException: An error occurred (InvalidParameterValueException) when calling the PutOrganizationConfigRule operation: Specify either OrganizationCustomRuleMetadata or OrganizationManagedRuleMetadata in the input.

Reproduction Steps

I'm not completely sure how to pass the rule in PolicyText, but it seems unrelated to how I'm adding the string. Same issue with an empty string or a one-liner rule.

import boto3

client = boto3.client('config')

print(boto3.__version__)


response = client.put_organization_config_rule(
    OrganizationConfigRuleName='test-rule',
    OrganizationCustomPolicyRuleMetadata={
        'PolicyRuntime': 'guard-2.x.x',
        'PolicyText': """
            let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]
            let allowed_algos = ["aws:kms"]

            rule s3_buckets_allowed_sse_algorithm when %s3_buckets !empty {
                let encryption = %s3_buckets.Properties.BucketEncryption
                %encryption exists
                %encryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm in %allowed_algos

            }
        """
    }
)

Possible Solution

No response

Additional Information/Context

Update: It's probably an API issue and not boto3 specific:

aws configservice put-organization-config-rule --organization-config-rule-name test --organization-custom-policy-rule-metadata PolicyRuntime="guard-2.x.x",PolicyText="let var=5"

An error occurred (InvalidParameterValueException) when calling the PutOrganizationConfigRule operation: Specify either OrganizationCustomRuleMetadata or OrganizationManagedRuleMetadata in the input.

SDK version used

1.24.48

Environment details (OS name and version, etc.)

macOS Monterey 12.3.1 Intel Core

@lvthillo lvthillo added bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged. labels Aug 10, 2022
@tim-finnigan tim-finnigan self-assigned this Aug 11, 2022
@tim-finnigan
Contributor

Hi @lvthillo, this worked for me with boto3 v1.24.48:

import boto3

client = boto3.client('config')

response = client.put_organization_config_rule(
    OrganizationConfigRuleName='test-rule',
    OrganizationCustomPolicyRuleMetadata={
        'OrganizationConfigRuleTriggerTypes': ['ConfigurationItemChangeNotification'],
        'PolicyRuntime': 'guard-2.x.x',
        'PolicyText': 'let test = 123'
    }
)

I tested with AWS CLI v2.7.21 and it worked as well. Can you confirm that you're using a recent version of boto3? If you're still running into the issue, please share your debug logs (with any sensitive info redacted) by adding boto3.set_stream_logger('') to your script.

@tim-finnigan tim-finnigan added response-requested Waiting on additional information or feedback. config and removed needs-triage This issue or PR still needs to be triaged. labels Aug 11, 2022
@lvthillo
Author

lvthillo commented Aug 11, 2022

@tim-finnigan Thanks for your reply. I still have the issue, but I think it's related to the regional API endpoint.

aws --version
aws-cli/2.7.21 Python/3.10.6 Darwin/21.4.0 source/x86_64 prompt/off

boto3 version: 1.24.49

The debug logs gave me some new insight (my client is connecting to eu-west-1 by default):

[DEBUG] https://config.eu-west-1.amazonaws.com:443 "POST / HTTP/1.1" 400 150

While this seems to work:

2022-08-11 18:29:55,551 urllib3.connectionpool [DEBUG] https://config.us-east-1.amazonaws.com:443 "POST / HTTP/1.1" 200 113

Same with the CLI: it works in us-east-1.

aws configservice put-organization-config-rule --organization-config-rule-name test-1 --organization-custom-policy-rule-metadata PolicyRuntime="guard-2.x.x",PolicyText="let var=5",OrganizationConfigRuleTriggerTypes=ConfigurationItemChangeNotification

Does not work in eu-west-1 (debug gives a similar error as boto3 about the 400 error).

@tim-finnigan tim-finnigan added service-api This issue is caused by the service API, not the SDK implementation. and removed response-requested Waiting on additional information or feedback. labels Aug 15, 2022
@tim-finnigan
Contributor

Thanks @lvthillo for following up. I could confirm that the issue occurs in eu-west-1 as well. Since this relates to the service API, I created a new tracking issue for this in our cross-SDK repository: aws/aws-sdk#326. I'll report this to the Config team and will update that issue when I hear back.
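A client-side pre-flight check that separates the documented "exactly one metadata key" rule from the service-side rejection this thread traces to the eu-west-1 endpoint. This is an added example, not code from the issue author, boto3 or AWS; the per-key required fields and the region comparison loop are assumptions, and the live call under `__main__` needs credentials and an organization with Config enabled.

```python
# Exactly one of these must be present (the rule quoted from the boto3 docs in the issue).
METADATA_KEYS = ("OrganizationCustomPolicyRuleMetadata",
                 "OrganizationCustomRuleMetadata",
                 "OrganizationManagedRuleMetadata")
# Fields assumed to be required per block (from the Config API reference, not from the thread).
REQUIRED_FIELDS = {
    "OrganizationCustomPolicyRuleMetadata": ("PolicyRuntime", "PolicyText"),
    "OrganizationCustomRuleMetadata": ("LambdaFunctionArn", "OrganizationConfigRuleTriggerTypes"),
    "OrganizationManagedRuleMetadata": ("RuleIdentifier",),
}
# The exact service message reported in the issue for the custom-policy case.
_SERVICE_REJECTION = "Specify either OrganizationCustomRuleMetadata or OrganizationManagedRuleMetadata"

def validate_params(params):
    """Return client-side problems; an empty list means the documented rule is
    satisfied, so any rejection comes from the service, not the caller's input."""
    problems = []
    if not params.get("OrganizationConfigRuleName"):
        problems.append("OrganizationConfigRuleName is required")
    present = [k for k in METADATA_KEYS if k in params]
    if len(present) != 1:
        problems.append("specify exactly one of %s, got %s" % (METADATA_KEYS, present))
        return problems
    key = present[0]
    for field in REQUIRED_FIELDS[key]:
        if not params[key].get(field):
            problems.append("%s.%s is required" % (key, field))
    return problems

def is_service_side_rejection(error_message, params):
    """True when a well-formed custom-policy request drew the rejection from the
    issue: retrying with different input will not help; compare regions instead."""
    return (not validate_params(params)
            and "OrganizationCustomPolicyRuleMetadata" in params
            and _SERVICE_REJECTION in error_message)

if __name__ == "__main__":  # live call; boto3 is needed only here
    import boto3
    from botocore.exceptions import ClientError
    params = {"OrganizationConfigRuleName": "test-rule",
              "OrganizationCustomPolicyRuleMetadata": {
                  "OrganizationConfigRuleTriggerTypes": ["ConfigurationItemChangeNotification"],
                  "PolicyRuntime": "guard-2.x.x", "PolicyText": "let var=5"}}
    for region in ("us-east-1", "eu-west-1"):  # the two regions compared in the thread
        try:
            boto3.client("config", region_name=region).put_organization_config_rule(**params)
            print(region, "accepted")
        except ClientError as exc:
            msg = exc.response["Error"]["Message"]
            print(region, "service-side rejection" if is_service_side_rejection(msg, params) else msg)
```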
