Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deploying inspectorv2_filter resource fails due to inconsistent key #1364

Open
nadove-ucsc opened this issue Dec 12, 2023 · 2 comments
Open

Deploying inspectorv2_filter resource fails due to inconsistent key #1364

nadove-ucsc opened this issue Dec 12, 2023 · 2 comments

Comments

@nadove-ucsc
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.3.10
on linux_amd64

providers.json:

    "terraform": {
        "required_version": "1.3.10",
        "required_providers": {
            "external": {
                "source": "hashicorp/external",
                "version": "2.2.0"
            },
            "null": {
                "source": "hashicorp/null",
                "version": "3.2.0"
            },
            "google": {
                "source": "hashicorp/google",
                "version": "4.58.0"
            },
            "aws": {
                "source": "hashicorp/aws",
                "version": "5.11.0"
            },
            "awscc": {
                "source": "hashicorp/awscc",
                "version": "0.66.0"
            }
        }
    },
    "provider": [
        {
            "aws": {}
        },
        {
            "aws": {
                "region": "us-east-1",
                "alias": "us-east-1"
            }
        },
        {
            "aws": {
                "region": "us-west-2",
                "alias": "us-west-2"
            }
        },
        {
            "google": {
                "billing_project": "platform-hca-dev",
                "user_project_override": true
            }
        }
    ]
}

Affected Resource(s)

  • awscc_inspectorv2_filter

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

{
    "resource": [
        {
            "awscc_inspectorv2_filter": [
                {
                    "signing_proxy": {
                        "filter_action": "SUPPRESS",
                        "name": "exclude_image_signing_proxy",
                        "filter_criteria": {
                            "repository_name": {
                                "comparison": "Equals",
                                "value": "docker.io/cllunsford/aws-signing-proxy"
                            }
                        }
                    }
                }
            ]
        }
    ]
}

Debug Output

Panic Output

Expected Behavior

We expect a filter to be created, using the filter criteria as is documented. Note that filter_criteria (snake case) is documented as a required attribute

Actual Behavior

The deployment fails because the filter_criteria key is not recognized. Terraform claims that it should be spelled "FilterCriteria".

Success! The configuration is valid.
...
Terraform will perform the following actions:

  # awscc_inspectorv2_filter.signing_proxy will be created
  + resource "awscc_inspectorv2_filter" "signing_proxy" {
...
    }

Plan: 1 to add, 0 to change, 0 to destroy.
...
╷
│ Error: AWS SDK Go Service Operation Unsuccessful
│ 
│   with awscc_inspectorv2_filter.signing_proxy,
│   on gitlab.tf.json line 1839, in resource[31].awscc_inspectorv2_filter[0].signing_proxy:
│ 1839:                     }
│ 
│ Calling Cloud Control API service CreateResource operation returned: operation error CloudControl: CreateResource, https response error StatusCode: 400, RequestID: c7aea817-47a3-4795-8f06-b1684125f10a, api error
│ ValidationException: Model validation failed (#: required key [FilterCriteria] not found)
╵

Using FilterCriteria in the resource config instead of filter_criteria results in a validation error that points back to filter_criteria being the correct spelling:

╷
│ Error: Extraneous JSON object property
│ 
│   on gitlab.tf.json line 1833, in resource[31].awscc_inspectorv2_filter[0].signing_proxy:
│ 1833:                         "FilterCriteria": {
│ 
│ No argument or block type is named "FilterCriteria".
╵
╷
│ Error: Missing required argument
│ 
│   on gitlab.tf.json line 1839, in resource[31].awscc_inspectorv2_filter[0].signing_proxy:
│ 1839:                     }
│ 
│ The argument "filter_criteria" is required, but no definition was found.
╵```

Thus, it is impossible to actually deploy an Inspectorv2 Filter using the AWSCC provider, because it either fails during validation or deployment, depending on how the key is spelled.

### Steps to Reproduce

1. Copy the resource config and 

2. `terraform apply`

### Important Factoids

<!--- Are there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? --->

### References

<!---
Information about referencing Github Issues: https://help.github.com/articles/basic-writing-and-formatting-syntax/#referencing-issues-and-pull-requests

Are there any other GitHub issues (open or closed) or pull requests that should be linked here? Vendor documentation? For example:
--->

* #0000
@quixoticmonk
Copy link
Collaborator

quixoticmonk commented Sep 16, 2024
edited
Loading

@nadove-ucsc The input for the filter_criteria based on your example should be ecr_image_repository_name instead of repository_name. You should be able to deploy it via the below configuration, if you were still having the issues.

resource "awscc_inspectorv2_filter" "name" {
  filter_action = "SUPPRESS"
  filter_criteria = {
    ecr_image_repository_name=[{
      comparison = "EQUALS"
      value = "docker.io/cllunsford/aws-signing-proxy"
    }]
  }
  name = "example-filter"
}

@nadove-ucsc nadove-ucsc mentioned this issue Sep 17, 2024
Open
@hannes-ucsc
Copy link

hannes-ucsc commented Sep 20, 2024
edited
Loading

I am a team mate of @nadove-ucsc.

@quixoticmonk, that makes sense, thank you. We don't have time at the moment to try the proposed fix (we specified invalid configuration). Feel free to close this issue but consider that the error message might need to be improved since it provided no insight as to which part of our configuration was invalid.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hannes-ucsc @quixoticmonk @nadove-ucsc