Error building RabbitMQ : Audit logging is not supported for RabbitMQ brokers #24

Closed
dumblerod opened this issue Mar 25, 2021 · 3 comments · Fixed by #28
Labels
bug 🐛 An issue with the system

Describe the Bug

When trying to create a RabbitMQ broker using this module, I get an error: Audit logging is not supported for RabbitMQ brokers.

Expected Behavior

The RabbitMQ broker should be created when I set the required values.

Example Code

I'm trying to provide the most relevant code here. I'm leaving off lots of dependencies for the VPC, but that's all pretty standard.

rabbitmq.tf file

resource "aws_security_group" "rmq_cluster" {
  name        = "${var.appname}-rmq-sg"
  description = "for Rabbit MQ Broker"

  vpc_id = module.vpc.vpc_id

  ingress {
    protocol    = -1
    from_port   = 0
    to_port     = 0
    cidr_blocks = [var.vpccidr]
    description = "Allow all resources in VPC resources to communicate with Rabbit MQ"
  }

  egress {
    protocol    = -1
    from_port   = 0
    to_port     = 0
    cidr_blocks = [var.vpccidr]
    description = "Allow all outbound access from Rabbit MQ"
  }

  tags = local.tags
}

module "mq_broker" {
  source = "cloudposse/mq-broker/aws"
  version = "0.9.0"

  name                         = local.broker_name
  engine_type                  = "RabbitMQ"
  engine_version               = var.rmq_engine_version
  host_instance_type           = var.rmq_host_instance_type
  deployment_mode              = var.rmq_deployment_mode
  vpc_id                       = module.vpc.vpc_id
  subnet_ids                   = local.rmq_subnet_list
  use_existing_security_groups = true
  audit_log_enabled            = false
  existing_security_groups     = [aws_security_group.rmq_cluster.id]
  mq_application_user          = "superuser"
  mq_application_password      = "unbreakablepassword"
  tags                         = local.tags
}

vars.tfvars file

rmq_host_instance_type    = "mq.t3.micro"
rmq_engine_version        = "3.8.6"
rmq_deployment_mode       = "SINGLE_INSTANCE"

locals.tf file

locals {
  broker_name     = "${var.appname}-${var.env}-rmq-${random_string.suffix.result}"
  rmq_subnet_list = var.rmq_deployment_mode == "SINGLE_INSTANCE" ? [module.vpc.private_subnets.0] : module.vpc.private_subnets
}

Error Output

Error: BadRequestException: Audit logging is not supported for RabbitMQ brokers.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "2564760b-18ab-4e41-9179-8f6e437e0dbe"
  },
  ErrorAttribute: "logs.audit",
  Message_: "Audit logging is not supported for RabbitMQ brokers."
}

  on .terraform/modules/mq_broker/main.tf line 73, in resource "aws_mq_broker" "default":
  73: resource "aws_mq_broker" "default" {

dumblerod commented Mar 25, 2021

If I had to guess, in main.tf, the lines (94-97) include audit = var.audit_log_enabled. This can't be passed in if engine_type = RabbitMQ. Even setting audit=false will trigger an error in the aws_mq_broker Terraform resource. Possible fix for line 96:
audit = var.audit_log_enabled != "" ? var.audit_log_enabled : null

phnahes commented Mar 30, 2021

> If I had to guess, in main.tf, the lines (94-97) include audit = var.audit_log_enabled. This can't be passed in if engine_type = RabbitMQ. Even setting audit=false will trigger an error in the aws_mq_broker Terraform resource. Possible fix for line 96:
> audit = var.audit_log_enabled != "" ? var.audit_log_enabled : null

That doesn't work either =/

Error: BadRequestException: Audit logging is not supported for RabbitMQ brokers.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "6a40c5c0-4928-423a-93bb-90cc4c0e50b9"
  },
  ErrorAttribute: "logs.audit",
  Message_: "Audit logging is not supported for RabbitMQ brokers."
}

But omitting the block

  logs {
    general = var.general_log_enabled
    audit   = var.audit_log_enabled
  }

works fine :)

So, it will break on var.encryption_enabled.
If you omit this block too, it works completely:

  dynamic "encryption_options" {
    for_each = var.encryption_enabled ? ["true"] : []
    content {
      kms_key_id        = var.kms_mq_key_arn
      use_aws_owned_key = var.use_aws_owned_key
    }
  }

mhmdio commented Apr 4, 2021

I think since there are big differences between ActiveMQ and RabbitMQ, there could be a flag like rabbitmq_enabled = true or something and create another complete resource for that; otherwise, generalisation of this could be complex and hard to maintain. null values will not work, I tested them.
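
The per-engine split suggested in the last comment, combined with the earlier finding that dropping the `logs` block avoids the `logs.audit` error, written out as an added example. It is not the module's code and not the change merged in #28; all variable names, resource labels and broker names are assumptions.

```hcl
# Added example: variable names, resource labels and broker names are hypothetical.
variable "engine_type" { type = string } # "ActiveMQ" or "RabbitMQ"
variable "engine_version" { type = string }
variable "host_instance_type" { type = string }
variable "subnet_ids" { type = list(string) }
variable "security_group_ids" { type = list(string) }
variable "mq_user" { type = string }
variable "audit_log_enabled" { type = bool }
variable "mq_password" {
  type      = string
  sensitive = true # redacted in plan and CLI output
}
locals {
  is_rabbitmq = lower(var.engine_type) == "rabbitmq"
}

# ActiveMQ: the API accepts logs.audit, so both log settings are passed through.
resource "aws_mq_broker" "activemq" {
  count              = local.is_rabbitmq ? 0 : 1
  broker_name        = "example-activemq"
  engine_type        = "ActiveMQ"
  engine_version     = var.engine_version
  host_instance_type = var.host_instance_type
  subnet_ids         = var.subnet_ids
  security_groups    = var.security_group_ids
  logs {
    general = true
    audit   = var.audit_log_enabled
  }
  user {
    username = var.mq_user
    password = var.mq_password
  }
}

# RabbitMQ: no logs block at all, so logs.audit is never sent to the API.
resource "aws_mq_broker" "rabbitmq" {
  count              = local.is_rabbitmq ? 1 : 0
  broker_name        = "example-rabbitmq"
  engine_type        = "RabbitMQ"
  engine_version     = var.engine_version
  host_instance_type = var.host_instance_type
  subnet_ids         = var.subnet_ids
  security_groups    = var.security_group_ids
  user {
    username = var.mq_user
    password = var.mq_password
  }
}
```

With this layout a RabbitMQ broker is created without general logging as well, because the whole `logs` block is absent.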
