I am working on a proof of concept for deploying a conformance pack via AWS CloudFormation and I am stumped by the error "Parameter values specified for a template which does not require them." The config rule I am using does require a parameter. Code is attached. I have also tested the template with cfn-lint and do not receive any feedback/errors.
My template is "simple" and below:
```yaml
Parameters:
  ElbPredefinedSecurityPolicySslCheckParamPredefinedPolicyName:
    Default: ELBSecurityPolicy-2016-08
    Type: String
Resources:
  TestingConformancePack:
    Type: AWS::Config::ConformancePack
    Properties:
      ConformancePackName: TestCP
      ConformancePackInputParameters:
        -
          ParameterName: PredefinedPolicyName
          ParameterValue: !Ref ElbPredefinedSecurityPolicySslCheckParamPredefinedPolicyName
      TemplateBody: |
        Resources:
          ElbPredefinedSecurityPolicySslCheck:
            Properties:
              ConfigRuleName: elb-predefined-security-policy-ssl-check
              InputParameters:
                predefinedPolicyName:
                  Ref: ElbPredefinedSecurityPolicySslCheckParamPredefinedPolicyName
              Scope:
                ComplianceResourceTypes:
                  - AWS::ElasticLoadBalancing::LoadBalancer
              Source:
                Owner: AWS
                SourceIdentifier: ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK
            Type: AWS::Config::ConfigRule
```
The cause is that you are passing a parameter (the one specified in `ConformancePackInputParameters`) to a CloudFormation template (the one specified in `TemplateBody`) that does not contain a `Parameters` section and therefore expects no parameters. To solve this, you need to add a parameter to the inner CloudFormation template, which you can then refer to in `predefinedPolicyName`.
The following template works for me:
```yaml
Parameters:
  ElbPredefinedSecurityPolicySslCheckParamPredefinedPolicyName:
    Default: ELBSecurityPolicy-2016-08
    Type: String
Resources:
  TestingConformancePack:
    Type: AWS::Config::ConformancePack
    Properties:
      ConformancePackName: TestCP
      ConformancePackInputParameters:
        -
          ParameterName: PredefinedPolicyName
          ParameterValue: !Ref ElbPredefinedSecurityPolicySslCheckParamPredefinedPolicyName
      TemplateBody: |
        Parameters:
          PredefinedPolicyName:
            Type: String
        Resources:
          ElbPredefinedSecurityPolicySslCheck:
            Properties:
              ConfigRuleName: elb-predefined-security-policy-ssl-check
              InputParameters:
                predefinedPolicyName:
                  Ref: PredefinedPolicyName
              Scope:
                ComplianceResourceTypes:
                  - AWS::ElasticLoadBalancing::LoadBalancer
              Source:
                Owner: AWS
                SourceIdentifier: ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK
            Type: AWS::Config::ConfigRule
```
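A pre-deployment check for the mismatch described above, as an added example that is not part of the original question or answer. The function names `section_keys` and `check_pack` are hypothetical, the scanner assumes block-style YAML indented with spaces (it is not a full YAML parser), and the two inner templates are abridged from the ones on this page.

```python
import re

def section_keys(body, section):
    """Keys directly under a top-level section of a block-style YAML template."""
    keys, inside, child = set(), False, None
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # any top-level key opens or closes the section
            inside, child = line.rstrip() == f"{section}:", None
        elif inside:
            child = indent if child is None else child
            if indent == child and line.rstrip().endswith(":"):
                keys.add(line.strip()[:-1])
    return keys

def check_pack(input_names, body):
    """Compare ConformancePackInputParameters names with the inner TemplateBody."""
    declared = section_keys(body, "Parameters")
    resources = section_keys(body, "Resources")
    refs = {r for r in re.findall(r"(?:\bRef:|!Ref)\s+([\w:]+)", body)
            if not r.startswith("AWS::")}  # skip pseudo parameters
    return {
        # names passed to an inner template that does not declare them
        "passed_but_undeclared": sorted(set(input_names) - declared),
        # Ref targets that are neither inner parameters nor inner resources
        "unresolved_refs": sorted(refs - declared - resources),
    }

# Inner TemplateBody from the question, abridged (no Parameters section).
BROKEN_BODY = """\
Resources:
  ElbPredefinedSecurityPolicySslCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: elb-predefined-security-policy-ssl-check
      InputParameters:
        predefinedPolicyName:
          Ref: ElbPredefinedSecurityPolicySslCheckParamPredefinedPolicyName
"""
# Inner TemplateBody from the answer: declares the parameter and Refs it.
FIXED_BODY = "Parameters:\n  PredefinedPolicyName:\n    Type: String\n" + \
    BROKEN_BODY.replace("ElbPredefinedSecurityPolicySslCheckParamPredefinedPolicyName",
                        "PredefinedPolicyName")

if __name__ == "__main__":
    print(check_pack(["PredefinedPolicyName"], BROKEN_BODY))
    print(check_pack(["PredefinedPolicyName"], FIXED_BODY))
```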