Support ConfigService Remediation Configuration #7972

Open
billyshambrook opened this issue Mar 16, 2019 · 10 comments · May be fixed by #9348

Comments

@billyshambrook
commented Mar 16, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS released a new feature for AWS Config which requires another resource - https://aws.amazon.com/about-aws/whats-new/2019/03/use-aws-config-to-remediate-noncompliant-resources/

The API is a bit unusual - have taken a first stab at the syntax below.

New or Affected Resource(s)

  • aws_config_remediation_configuration

Potential Terraform Configuration

resource "aws_config_remediation_configuration" "r" {
  rule_name = "example"

  target {
    type = "SSM_DOCUMENT"
    id = "AWS-DetachEBSVolume"
    version = "1"
  }

  parameter {
    type = "resource"
    name = "VolumeId"
  }

  parameter {
    type = "static"
    name = "AutomationAssumeRole"
    value = "arn:...role:/myRole"
  }

  depends_on = ["aws_config_config_rule.r"]
}

resource "aws_config_config_rule" "r" {
  name = "example"

  source {
    owner             = "AWS"
    source_identifier = "EC2_VOLUME_INUSE_CHECK"
  }
}

References

  • #0000
@billyshambrook

Author

commented Mar 16, 2019

Am happy to contribute if the configuration can be confirmed

@bflad

Member

commented Mar 17, 2019

Thanks for submitting this @billyshambrook and looking pretty good! For simplification, supporting the static values list, and the additional validation capabilities it may be worth considering the following:

resource "aws_config_remediation_configuration" "example" {
  rule_name = "${aws_config_config_rule.example.name}"

  # We can skip dealing with the configuration block here (and this matches the API)
  target_id      = "AWS-DetachEBSVolume"
  target_type    = "SSM_DOCUMENT"
  target_version = "1"

  parameter {
    name = "example"

    # We can use the presence of the configuration blocks to match to the API structs
    resource_value {
      value = "" # can be validated with ResourceValueType constants
    }

    static_value {
      # at the very least this needs to be a list to match the API
      values = [""] 
    }
  }
}

Hope that makes sense. I'll get the AWS Go SDK update submitted so that's not holding this up.
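
An added Go example (not bflad's code or the provider's implementation) of the mapping this proposal implies: each `parameter` block becomes one entry in the API's parameter map, with exactly one of `resource_value` or `static_value` set. The struct types and `expandParameters` are hypothetical stand-ins for the SDK types, and `RESOURCE_ID` is assumed to be the only accepted resource value type.

```go
package main

import "fmt"

// Local stand-ins mirroring the API shape described above; not the AWS SDK types.
type ResourceValue struct{ Value string }
type StaticValue struct{ Values []string }
type ParameterValue struct {
	ResourceValue *ResourceValue
	StaticValue   *StaticValue
}

// Parameter is a hypothetical decoded "parameter" block; nil/empty means the nested block is absent.
type Parameter struct {
	Name          string
	ResourceValue *string
	StaticValues  []string
}

// expandParameters builds the name -> value map; rejects duplicates and both/neither nested blocks.
func expandParameters(params []Parameter) (map[string]ParameterValue, error) {
	out := make(map[string]ParameterValue, len(params))
	for _, p := range params {
		if _, dup := out[p.Name]; dup {
			return nil, fmt.Errorf("parameter %q: declared more than once", p.Name)
		}
		hasRes, hasStatic := p.ResourceValue != nil, len(p.StaticValues) > 0
		switch {
		case hasRes == hasStatic:
			return nil, fmt.Errorf("parameter %q: set exactly one of resource_value or static_value", p.Name)
		case hasRes && *p.ResourceValue != "RESOURCE_ID": // assumed only valid ResourceValueType
			return nil, fmt.Errorf("parameter %q: resource_value %q is not RESOURCE_ID", p.Name, *p.ResourceValue)
		case hasRes:
			out[p.Name] = ParameterValue{ResourceValue: &ResourceValue{Value: *p.ResourceValue}}
		default:
			out[p.Name] = ParameterValue{StaticValue: &StaticValue{Values: p.StaticValues}}
		}
	}
	return out, nil
}

func main() {
	rid := "RESOURCE_ID"
	got, err := expandParameters([]Parameter{ // constructed sample input
		{Name: "VolumeId", ResourceValue: &rid},
		{Name: "AutomationAssumeRole", StaticValues: []string{"arn:aws:iam::111122223333:role/example"}},
	})
	fmt.Println(len(got), err)
}
```

Rejecting an ambiguous block at plan time keeps a remediation document from being invoked with a parameter bound differently from what the configuration author intended.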

@bflad

Member

commented Mar 20, 2019

Updated AWS Go SDK is merged. 👍

@svaranasi-traderev


commented May 29, 2019

Where is the usage documented? Can't find anything in docs.

@techish1


commented Jun 21, 2019

Hi guys, where are we on this? I'm looking to configure a remediation action to send an SNS notification while creating a config rule with terraform

@svaranasi-traderev


commented Jul 8, 2019

So, what's holding this from being available in the provider? Are we waiting on @billyshambrook to code this enhancement?

andy-b-84 pushed a commit to andy-b-84/terraform-provider-aws that referenced this issue Jul 16, 2019
Patrick Laxton
feature(config): manage AWS Config Remediation Configuration
Answering terraform-providers#7972
This is my 1st go development ever, so please feel free to tell me if I
did something in a bad way, which is most probable :)

feat(go): learn pointers usage

feat(config): parse all simple fields

chore(naming): replace ConfigRule by RemediationConfiguration

feat(config): add read flatten function

feat(config): add delete function

feat(config): use TypeSet instead of TypeList, & parse ResourceValue

feat(config): parse StaticValue

feat(config) flatten remediation config parameters to nil, just to get the function signature right

feat(config): flatten remediation config parameters
@andy-b-84


commented Jul 16, 2019

I opened a WIP PR in order to code that feature, but I saw I forgot to plug the function names in the provider.go file, which I did in my last commit.
Now my code is actually executed and tested (whereas it was just compiled beforehand).
Sadly, I don't understand the >1000 lines of error messages the make test command gives me back (you can see them there: https://travis-ci.org/terraform-providers/terraform-provider-aws/jobs/559461783 ).
If anybody knows what (I guess) obvious thing I forgot, please feel free to tell me, I'm going to read terraform-providers/terraform-provider-aws docs in order to find a clue.

@andy-b-84


commented Jul 16, 2019

Thanks to @Meroje for pointing me to this part:

--- FAIL: TestProvider (0.06s)
    provider_test.go:60: err: 1 error occurred:
        	* resource aws_config_remediation_configuration: resource_type: One of optional, required, or computed must be set

Now I understand how to declare Optional, Required & Computed fields. Still in progress.

@svaranasi-traderev


commented Aug 7, 2019

I hate to be that guy, but we have been eagerly waiting to get remediation rolled out via Terraform. So, are we there yet?

@andy-b-84


commented Aug 8, 2019

No, hence my PR

andy-b-84 added a commit to andy-b-84/terraform-provider-aws that referenced this issue Aug 16, 2019
feature(config): manage AWS Config Remediation Configuration
Answering terraform-providers#7972