Can't apply more than 10 input_paths for "aws_cloudwatch_event_target": Member must have length less than or equal to 10 #10912

Closed
raolivei opened this issue Nov 18, 2019 · 3 comments
Labels
service/cloudwatch Issues and PRs that pertain to the cloudwatch service.

Comments

@raolivei

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.12

  • provider.aws v2.35.0

Affected Resource(s)

aws_cloudwatch_event_target

Terraform Configuration Files

resource "aws_cloudwatch_event_target" "guardduty_cloudwatch_event_target" {
  provider  = "aws.guardduty_dynamic_region"
  count     = var.is_master == true ? 1 : 0
  rule      = aws_cloudwatch_event_rule.guardduty_cloudwatch_event_rule.0.name
  target_id = "guardduty-sns-topic"
  arn       = aws_cloudformation_stack.guardduty_sns_topic.0.outputs["ARN"]
  input_transformer {
    input_paths = {
      "account" : "$.account",
      "severity" : "$.detail.severity",
      "Finding_ID" : "$.detail.id",
      "instanceId" : "$.detail.resource.instanceDetails.instanceId",
      "port" : "$.detail.service.action.networkConnectionAction.localPortDetails.port",
      "eventFirstSeen" : "$.detail.service.eventFirstSeen",
      "eventLastSeen" : "$.detail.service.eventLastSeen",
      "count" : "$.detail.service.count",
      "Finding_Type" : "$.detail.type",
      "region" : "$.region",
      "Finding_description" : "$.detail.description"
    }

    input_template = "\"You have a severity <severity> GuardDuty finding type <Finding_Type> in the account <account> for the EC2 instance <instanceId> in the region <region> as the <Finding_description>. The first attempt was on <eventFirstSeen> and the most recent attempt on <eventLastSeen> . The total occurrence is <count>. For more details:  https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>\""
  }
}
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

https://gist.github.com/raolivei/402f2da632be426fe93019d68fdbc5ca

Expected Behavior

aws_cloudwatch_event_target resource created with 11 tags.

Actual Behavior

Error: Updating CloudWatch Event Target failed: ValidationException: 1 validation error detected: Value '{severity=$.detail.severity, Finding_ID=$.detail.id, instanceId=$.detail.resource.instanceDetails.instanceId, port=$.detail.service.action.networkConnectionAction.localPortDetails.port, eventFirstSeen=$.detail.service.eventFirstSeen, eventLastSeen=$.detail.service.eventLastSeen, count=$.detail.service.count, Finding_Type=$.detail.type, region=$.region, account=$.account, Finding_description=$.detail.description}' at 'targets.1.member.inputTransformer.inputPathsMap' failed to satisfy constraint: Member must have length less than or equal to 10
        status code: 400, request id: 1cddcfb8-aae7-49b4-8b18-796d638f4d99

Steps to Reproduce

  1. Add more than 10 input_paths to the resource
  2. terraform apply
@ghost ghost added service/cloudwatchevents service/cloudwatch Issues and PRs that pertain to the cloudwatch service. labels Nov 18, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Nov 18, 2019
@DrFaust92
Collaborator

this seems to be an AWS limitation

according to the API docs 10 is the limit:

	// Map of JSON paths to be extracted from the event. You can then insert these
	// in the template in InputTemplate to produce the output to be sent to the
	// target.
	//
	// InputPathsMap is an array key-value pairs, where each value is a valid JSON
	// path. You can have as many as 10 key-value pairs. You must use JSON dot notation,
	// not bracket notation.
	//
	// The keys can't start with "AWS".
	InputPathsMap map[string]*string `type:"map"`

@gdavison
Contributor

Hi @raolivei, thanks for raising this. This is actually a limitation of the AWS API, as @DrFaust92 referenced. We will add validation to that field to provide a better error message and also add proper documentation in the provider documentation. I've created #15653 to track this.
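
The limit discussed in this thread can be caught before `terraform apply`. The following is an added example, not code from the issue or from the provider: a Python check over `terraform show -json` plan output that flags `aws_cloudwatch_event_target` resources with more than 10 `input_paths` or with keys starting with "AWS" (both constraints from the API docs quoted above). The sample plan is constructed, and the function name `check_input_paths` is hypothetical.

```python
import json

MAX_INPUT_PATHS = 10  # limit quoted from the API docs in this thread

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# trimmed to the fields this check reads.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "aws_cloudwatch_event_target.guardduty_cloudwatch_event_target[0]",
            "type": "aws_cloudwatch_event_target",
            "change": {"after": {"input_transformer": [{
                "input_paths": {f"key{i}": f"$.detail.f{i}" for i in range(11)},
            }]}},
        },
        {
            "address": "aws_cloudwatch_event_target.aws_key",
            "type": "aws_cloudwatch_event_target",
            "change": {"after": {"input_transformer": [{
                "input_paths": {"account": "$.account", "AWSregion": "$.region"},
            }]}},
        },
        {   # resource being destroyed: "after" is null in the plan
            "address": "aws_cloudwatch_event_target.gone",
            "type": "aws_cloudwatch_event_target",
            "change": {"after": None},
        },
    ]
})


def check_input_paths(plan_json):
    """Return one message per violated InputPathsMap constraint in the plan."""
    problems = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_cloudwatch_event_target":
            continue
        after = (rc.get("change") or {}).get("after") or {}
        # input_transformer is a nested block, so it appears as a list of objects
        for block in after.get("input_transformer") or []:
            paths = block.get("input_paths") or {}
            if len(paths) > MAX_INPUT_PATHS:
                problems.append(
                    f"{rc['address']}: {len(paths)} input_paths, limit is {MAX_INPUT_PATHS}")
            for key in paths:
                if key.startswith("AWS"):  # assumption: the prefix check is case-sensitive
                    problems.append(f"{rc['address']}: key {key!r} starts with 'AWS'")
    return problems
```

Run it in CI against the JSON rendering of a saved plan and fail the job when the returned list is non-empty.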

@ghost

ghost commented Nov 14, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@hashicorp hashicorp locked as resolved and limited conversation to collaborators Nov 14, 2020
@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2021