Tags: terraform, aws-config

Error: Error creating AWSConfig rule: Failed to create AWSConfig rule: InvalidParameterValueException


I'm trying to add an aws_config_config_rule resource with a set of input_parameters, but I keep getting

Error: Error creating AWSConfig rule: Failed to create AWSConfig rule: InvalidParameterValueException: Unknown parameters provided in the inputParameters: {"targetBucket":"mybucket"}.

# Enables access logging for the CloudTrail S3 bucket
resource "aws_config_config_rule" "cloudtrail-s3-bucket-logging-enabled" {
    name        = "cloudtrail-s3-bucket-logging-enabled"
    description = "Checks whether logging is enabled for your S3 buckets."

    source {
        owner             = "AWS"
        source_identifier = "S3_BUCKET_LOGGING_ENABLED"
    }

    scope {
        compliance_resource_id    = aws_s3_bucket.mybucket.arn
        compliance_resource_types = ["AWS::S3::Bucket"]
    }

    input_parameters = jsonencode({ "targetBucket" : "${aws_s3_bucket.mybucket.id}" })
}

I figured I could use the jsonencode function https://www.terraform.io/docs/configuration/functions/jsonencode.html. I came across a GitHub issue: https://github.com/hashicorp/terraform/issues/14074, but it is different from what I'm experiencing. Any help would be greatly appreciated.


Solution

  • I was using the wrong input parameters for this rule. This works:

    # Ensures that the S3 bucket used by CloudTrail is not publicly accessible
    resource "aws_config_config_rule" "cloudtrail-s3-bucket-not-publicly-accessible" {
        name        = "cloudtrail-s3-bucket-not-publicly-accessible"
        description = "Checks whether the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item."

        source {
            owner             = "AWS"
            source_identifier = "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS"
        }

        scope {
            compliance_resource_id    = aws_s3_bucket.mybucket.id
            compliance_resource_types = ["AWS::S3::Bucket"]
        }

        input_parameters = "{\"IgnorePublicAcls\":\"True\",\"BlockPublicPolicy\":\"True\",\"BlockPublicAcls\":\"True\",\"RestrictPublicBuckets\":\"True\"}"
    }
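
As an added example (not code from the question or the answer above), here is the same S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS rule with input_parameters generated by jsonencode() from a plain map instead of a hand-escaped string, together with the configuration recorder and IAM role that AWS Config needs before any rule can be created. The resource names, the role name and the recorder are assumptions for illustration. The error in the question is raised when a key in input_parameters is not one the managed rule declares, and the names are case-sensitive, so keeping them in one map makes the keys easy to check against the rule's documentation.

```hcl
# Added example: not from the question or the answer. Resource names, the
# IAM role and the recorder are assumptions for illustration.

# AWS Config needs a service role it can assume.
data "aws_iam_policy_document" "config_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "config" {
  name               = "aws-config-recorder" # assumed name
  assume_role_policy = data.aws_iam_policy_document.config_assume.json
}

resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

# A Config rule cannot be created until a configuration recorder exists,
# so the rule below depends on this resource explicitly.
resource "aws_config_configuration_recorder" "main" {
  name     = "main" # assumed name
  role_arn = aws_iam_role.config.arn
}

locals {
  # Keys must match the rule's documented parameter names exactly
  # (case-sensitive); any other key fails with the
  # "Unknown parameters provided in the inputParameters" error.
  # The values are the strings "True"/"False", not JSON booleans,
  # which is how AWS documents these parameters.
  public_access_block_params = {
    BlockPublicAcls       = "True"
    BlockPublicPolicy     = "True"
    IgnorePublicAcls      = "True"
    RestrictPublicBuckets = "True"
  }
}

resource "aws_config_config_rule" "s3_account_public_access_blocks" {
  name        = "s3-account-level-public-access-blocks"
  description = "Checks that account-level S3 Block Public Access settings are enabled."

  source {
    owner             = "AWS"
    source_identifier = "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS"
  }

  # jsonencode() renders the map as
  # {"BlockPublicAcls":"True","BlockPublicPolicy":"True",...},
  # the same JSON the escaped string in the answer spells out by hand.
  input_parameters = jsonencode(local.public_access_block_params)

  # This rule evaluates the account-level
  # AWS::S3::AccountPublicAccessBlock resource rather than individual
  # buckets, so no per-bucket scope is set here.
  depends_on = [aws_config_configuration_recorder.main]
}
```

Building the JSON with jsonencode() avoids escaping mistakes and lets `terraform validate` catch malformed HCL; a wrong parameter name still only surfaces at apply time, so compare the map keys against the rule's documented parameters before applying.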