awslabs / aws-config-rdk

The AWS Config Rules Development Kit helps developers set up, author and test custom Config rules. It contains scripts to enable AWS Config, create a Config rule and test it with sample ConfigurationItems.
https://aws-config-rdk.readthedocs.io
Apache License 2.0
453 stars 171 forks

(InvalidParameterValueException) when calling the PutEvaluations operation #290

Closed pkennedyvt closed 3 years ago

pkennedyvt commented 3 years ago

I am running some periodic rules that error running PutEvaluations. Below is one for AWS::Backup::Plan. The config team told me that it should work fine as long as the rule is periodic.

rdk 0.7.12, python 3.6

An error occurred (InvalidParameterValueException) when calling the PutEvaluations operation: The resource type AWS::Backup::BackupPlan is invalid. Only the following values are permitted: [AWS::ACM::Certificate, AWS::ApiGateway::DomainName, AWS::ApiGateway::Method, AWS::ApiGateway::RestApi, AWS::ApiGateway::Stage, AWS::ApiGatewayV2::Api, AWS::ApiGatewayV2::DomainName, AWS::ApiGatewayV2::Stage, AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration, AWS::AutoScaling::ScalingPolicy, AWS::AutoScaling::ScheduledAction, AWS::CloudFormation::Stack, AWS::CloudFront::Distribution, AWS::CloudFront::StreamingDistribution, AWS::CloudTrail::Trail, AWS::CloudWatch::Alarm, AWS::CodeBuild::Project, AWS::CodePipeline::Pipeline, AWS::Config::ConformancePackCompliance, AWS::DynamoDB::Table, AWS::EC2::CustomerGateway, AWS::EC2::EgressOnlyInternetGateway, AWS::EC2::EIP, AWS::EC2::FlowLog, AWS::EC2::Host, AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::NatGateway, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::RegisteredHAInstance, AWS::EC2::RouteTable, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::Volume, AWS::EC2::VPC, AWS::EC2::VPCEndpoint, AWS::EC2::VPCEndpointService, AWS::EC2::VPCPeeringConnection, AWS::EC2::VPNConnection, AWS::EC2::VPNGateway, AWS::ECR::Repository, AWS::ECS::Cluster, AWS::ECS::PrimaryTaskSet, AWS::ECS::Service, AWS::ECS::TaskDefinition, AWS::ECS::TaskSet, AWS::EKS::Cluster, AWS::EKS::Nodegroup, AWS::ElasticBeanstalk::Application, AWS::ElasticBeanstalk::ApplicationVersion, AWS::ElasticBeanstalk::Environment, AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::Elasticsearch::Domain, AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User, AWS::Kinesis::Stream, AWS::Kinesis::StreamConsumer, AWS::KinesisAnalytics::Application, AWS::KinesisAnalytics::ApplicationOutput, AWS::KinesisAnalytics::ApplicationReferenceDataSource, AWS::KinesisAnalyticsV2::Application, 
AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption, AWS::KinesisAnalyticsV2::ApplicationOutput, AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource, AWS::KinesisFirehose::DeliveryStream, AWS::KMS::Key, AWS::Lambda::Alias, AWS::Lambda::Function, AWS::LicenseManager::LicenseConfiguration, AWS::MobileHub::Project, AWS::NetworkFirewall::Firewall, AWS::NetworkFirewall::FirewallPolicy, AWS::NetworkFirewall::RuleGroup, AWS::QLDB::Ledger, AWS::RDS::DBCluster, AWS::RDS::DBClusterParameterGroup, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBOptionGroup, AWS::RDS::DBParameterGroup, AWS::RDS::DBSecurityGroup, AWS::RDS::DBSnapshot, AWS::RDS::DBSubnetGroup, AWS::RDS::EventSubscription, AWS::Redshift::Cluster, AWS::Redshift::ClusterParameterGroup, AWS::Redshift::ClusterSecurityGroup, AWS::Redshift::ClusterSnapshot, AWS::Redshift::ClusterSubnetGroup, AWS::Redshift::EventSubscription, AWS::S3::AccountPublicAccessBlock, AWS::S3::Bucket, AWS::SecretsManager::Secret, AWS::ServiceCatalog::CloudFormationProduct, AWS::ServiceCatalog::CloudFormationProvisionedProduct, AWS::ServiceCatalog::Portfolio, AWS::Shield::Protection, AWS::ShieldRegional::Protection, AWS::SNS::Topic, AWS::SQS::Queue, AWS::SSM::AssociationCompliance, AWS::SSM::FileData, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance, AWS::WAF::RateBasedRule, AWS::WAF::Rule, AWS::WAF::RuleGroup, AWS::WAF::WebACL, AWS::WAFRegional::RateBasedRule, AWS::WAFRegional::Rule, AWS::WAFRegional::RuleGroup, AWS::WAFRegional::WebACL, AWS::WAFv2::WebACL, AWS::WAFv2::RuleGroup, AWS::WAFv2::IPSet, AWS::WAFv2::RegexPatternSet, AWS::WAFv2::ManagedRuleSet, AWS::XRay::EncryptionConfig, AWS::VPCFirewall::Firewall, AWS::VPCFirewall::FirewallPolicy, AWS::VPCFirewall::RuleGroup, AWS::::Account, AWS::ACMPCA::CertificateAuthority, AWS::AmazonMQ::Broker, AWS::AmazonMQ::Configuration, AWS::AmazonMQ::ConfigurationAssociation, AWS::ApiGateway::Account, AWS::ApiGateway::ApiKey, AWS::ApiGateway::Authorizer, 
AWS::ApiGateway::BasePathMapping, AWS::ApiGateway::ClientCertificate, AWS::ApiGateway::Deployment, AWS::ApiGateway::DocumentationPart, AWS::ApiGateway::DocumentationVersion, AWS::ApiGateway::DomainName, AWS::ApiGateway::GatewayResponse, AWS::ApiGateway::Method, AWS::ApiGateway::Model, AWS::ApiGateway::RequestValidator, AWS::ApiGateway::Resource, AWS::ApiGateway::RestApi, AWS::ApiGateway::Stage, AWS::ApiGateway::UsagePlan, AWS::ApiGateway::UsagePlanKey, AWS::ApiGateway::VpcLink, AWS::ApiGatewayV2::Api, AWS::ApiGatewayV2::ApiMapping, AWS::ApiGatewayV2::Authorizer, AWS::ApiGatewayV2::Deployment, AWS::ApiGatewayV2::DomainName, AWS::ApiGatewayV2::Integration, AWS::ApiGatewayV2::IntegrationResponse, AWS::ApiGatewayV2::Model, AWS::ApiGatewayV2::Route, AWS::ApiGatewayV2::RouteResponse, AWS::ApiGatewayV2::Stage, AWS::ApplicationAutoScaling::ScalableTarget, AWS::ApplicationAutoScaling::ScalingPolicy, AWS::AppMesh::Mesh, AWS::AppMesh::Route, AWS::AppMesh::VirtualNode, AWS::AppMesh::VirtualRouter, AWS::AppMesh::VirtualService, AWS::AppStream::DirectoryConfig, AWS::AppStream::Fleet, AWS::AppStream::ImageBuilder, AWS::AppStream::Stack, AWS::AppStream::StackFleetAssociation, AWS::AppStream::StackUserAssociation, AWS::AppStream::User, AWS::AppSync::ApiKey, AWS::AppSync::DataSource, AWS::AppSync::FunctionConfiguration, AWS::AppSync::GraphQLApi, AWS::AppSync::GraphQLSchema, AWS::AppSync::Resolver, AWS::Athena::NamedQuery, AWS::Athena::WorkGroup, AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration, AWS::AutoScaling::LifecycleHook, AWS::AutoScaling::ScalingPolicy, AWS::AutoScaling::ScheduledAction, AWS::AutoScalingPlans::ScalingPlan, AWS::Backup::BackupVault, AWS::Batch::ComputeEnvironment, AWS::Batch::JobDefinition, AWS::Batch::JobQueue, AWS::Budgets::Budget, AWS::CertificateManager::Certificate, AWS::Cloud9::EnvironmentEC2, AWS::CloudFormation::Authentication, AWS::CloudFormation::CustomResource, AWS::CloudFormation::Init, AWS::CloudFormation::Interface, 
AWS::CloudFormation::Macro, AWS::CloudFormation::Stack, AWS::CloudFormation::WaitCondition, AWS::CloudFormation::WaitConditionHandle, AWS::CloudFront::CloudFrontOriginAccessIdentity, AWS::CloudFront::Distribution, AWS::CloudFront::StreamingDistribution, AWS::CloudTrail::Trail, AWS::CloudWatch::Alarm, AWS::CloudWatch::Dashboard, AWS::CodeBuild::Project, AWS::CodeCommit::Repository, AWS::CodeDeploy::Application, AWS::CodeDeploy::DeploymentConfig, AWS::CodeDeploy::DeploymentGroup, AWS::CodePipeline::CustomActionType, AWS::CodePipeline::Pipeline, AWS::CodePipeline::Webhook, AWS::Cognito::IdentityPool, AWS::Cognito::IdentityPoolRoleAttachment, AWS::Cognito::UserPool, AWS::Cognito::UserPoolClient, AWS::Cognito::UserPoolGroup, AWS::Cognito::UserPoolUser, AWS::Cognito::UserPoolUserToGroupAttachment, AWS::Config::AggregationAuthorization, AWS::Config::ConfigRule, AWS::Config::ConfigurationAggregator, AWS::Config::ConfigurationRecorder, AWS::Config::DeliveryChannel, AWS::DataPipeline::Pipeline, AWS::DAX::Cluster, AWS::DAX::ParameterGroup, AWS::DAX::SubnetGroup, AWS::DirectoryService::MicrosoftAD, AWS::DirectoryService::SimpleAD, AWS::DLM::LifecyclePolicy, AWS::DMS::Certificate, AWS::DMS::Endpoint, AWS::DMS::EventSubscription, AWS::DMS::ReplicationInstance, AWS::DMS::ReplicationSubnetGroup, AWS::DMS::ReplicationTask, AWS::DocDB::DBCluster, AWS::DocDB::DBClusterParameterGroup, AWS::DocDB::DBInstance, AWS::DocDB::DBSubnetGroup, AWS::DynamoDB::Table, AWS::EC2::CapacityReservation, AWS::EC2::CustomerGateway, AWS::EC2::DHCPOptions, AWS::EC2::EC2Fleet, AWS::EC2::EgressOnlyInternetGateway, AWS::EC2::EIP, AWS::EC2::EIPAssociation, AWS::EC2::FlowLog, AWS::EC2::Host, AWS::EC2::Image, AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::LaunchTemplate, AWS::EC2::NatGateway, AWS::EC2::NetworkAcl, AWS::EC2::NetworkAclEntry, AWS::EC2::NetworkInterface, AWS::EC2::NetworkInterfaceAttachment, AWS::EC2::NetworkInterfacePermission, AWS::EC2::PlacementGroup, AWS::EC2::Route, 
AWS::EC2::RouteTable, AWS::EC2::SecurityGroup, AWS::EC2::SecurityGroupEgress, AWS::EC2::SecurityGroupIngress, AWS::EC2::SpotFleet, AWS::EC2::Subnet, AWS::EC2::SubnetCidrBlock, AWS::EC2::SubnetNetworkAclAssociation, AWS::EC2::SubnetRouteTableAssociation, AWS::EC2::TransitGateway, AWS::EC2::TransitGatewayAttachment, AWS::EC2::TransitGatewayRoute, AWS::EC2::TransitGatewayRouteTable, AWS::EC2::TransitGatewayRouteTableAssociation, AWS::EC2::TransitGatewayRouteTablePropagation, AWS::EC2::Volume, AWS::EC2::VolumeAttachment, AWS::EC2::VPC, AWS::EC2::VPCCidrBlock, AWS::EC2::VPCDHCPOptionsAssociation, AWS::EC2::VPCEndpoint, AWS::EC2::VPCEndpointConnectionNotification, AWS::EC2::VPCEndpointServicePermissions, AWS::EC2::VPCGatewayAttachment, AWS::EC2::VPCPeeringConnection, AWS::EC2::VPNConnection, AWS::EC2::VPNConnectionRoute, AWS::EC2::VPNGateway, AWS::EC2::VPNGatewayRoutePropagation, AWS::ECR::Repository, AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition, AWS::EFS::FileSystem, AWS::EFS::MountTarget, AWS::EKS::Cluster, AWS::ElastiCache::CacheCluster, AWS::ElastiCache::ParameterGroup, AWS::ElastiCache::ReplicationGroup, AWS::ElastiCache::SecurityGroup, AWS::ElastiCache::SecurityGroupIngress, AWS::ElastiCache::SubnetGroup, AWS::ElasticBeanstalk::Application, AWS::ElasticBeanstalk::ApplicationVersion, AWS::ElasticBeanstalk::ConfigurationTemplate, AWS::ElasticBeanstalk::Environment, AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::Listener, AWS::ElasticLoadBalancingV2::ListenerCertificate, AWS::ElasticLoadBalancingV2::ListenerRule, AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::ElasticLoadBalancingV2::TargetGroup, AWS::Elasticsearch::Domain, AWS::EMR::Cluster, AWS::EMR::InstanceFleetConfig, AWS::EMR::InstanceGroupConfig, AWS::EMR::SecurityConfiguration, AWS::EMR::Step, AWS::Events::EventBusPolicy, AWS::Events::Rule, AWS::FSx::FileSystem, AWS::GameLift::Alias, AWS::GameLift::Build, AWS::GameLift::Fleet, AWS::Glue::Classifier, 
AWS::Glue::Connection, AWS::Glue::Crawler, AWS::Glue::Database, AWS::Glue::DataCatalogEncryptionSettings, AWS::Glue::DevEndpoint, AWS::Glue::Job, AWS::Glue::Partition, AWS::Glue::Table, AWS::Glue::SecurityConfiguration, AWS::Glue::Trigger, AWS::Greengrass::ConnectorDefinition, AWS::Greengrass::ConnectorDefinitionVersion, AWS::Greengrass::CoreDefinition, AWS::Greengrass::CoreDefinitionVersion, AWS::Greengrass::DeviceDefinition, AWS::Greengrass::DeviceDefinitionVersion, AWS::Greengrass::FunctionDefinition, AWS::Greengrass::FunctionDefinitionVersion, AWS::Greengrass::Group, AWS::Greengrass::GroupVersion, AWS::Greengrass::LoggerDefinition, AWS::Greengrass::LoggerDefinitionVersion, AWS::Greengrass::ResourceDefinition, AWS::Greengrass::ResourceDefinitionVersion, AWS::Greengrass::SubscriptionDefinition, AWS::Greengrass::SubscriptionDefinitionVersion, AWS::GuardDuty::Detector, AWS::GuardDuty::Finding, AWS::GuardDuty::IPSet, AWS::GuardDuty::Master, AWS::GuardDuty::Member, AWS::GuardDuty::ThreatIntelSet, AWS::IAM::AccessKey, AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::ManagedPolicy, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::ServiceLinkedRole, AWS::IAM::User, AWS::IAM::UserToGroupAddition, AWS::Inspector::AssessmentTarget, AWS::Inspector::AssessmentTemplate, AWS::Inspector::ResourceGroup, AWS::IoT::Certificate, AWS::IoT::Policy, AWS::IoT::PolicyPrincipalAttachment, AWS::IoT::Thing, AWS::IoT::ThingPrincipalAttachment, AWS::IoT::TopicRule, AWS::IoT1Click::Device, AWS::IoT1Click::Placement, AWS::IoT1Click::Project, AWS::IoTAnalytics::Channel, AWS::IoTAnalytics::Dataset, AWS::IoTAnalytics::Datastore, AWS::IoTAnalytics::Pipeline, AWS::Kinesis::Stream, AWS::Kinesis::StreamConsumer, AWS::KinesisAnalytics::Application, AWS::KinesisAnalytics::ApplicationOutput, AWS::KinesisAnalytics::ApplicationReferenceDataSource, AWS::KinesisAnalyticsV2::Application, AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption, AWS::KinesisAnalyticsV2::ApplicationOutput, 
AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource, AWS::KinesisFirehose::DeliveryStream, AWS::KMS::Alias, AWS::KMS::Key, AWS::LakeFormation::DataLakeSettings, AWS::LakeFormation::Permissions, AWS::LakeFormation::Resource, AWS::Lambda::Alias, AWS::Lambda::EventSourceMapping, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::Lambda::LayerVersionPermission, AWS::Lambda::Permission, AWS::Lambda::Version, AWS::Logs::Destination, AWS::Logs::LogGroup, AWS::Logs::LogStream, AWS::Logs::MetricFilter, AWS::Logs::SubscriptionFilter, AWS::MSK::Cluster, AWS::Neptune::DBCluster, AWS::Neptune::DBClusterParameterGroup, AWS::Neptune::DBInstance, AWS::Neptune::DBParameterGroup, AWS::Neptune::DBSubnetGroup, AWS::OpsWorks::App, AWS::OpsWorks::ElasticLoadBalancerAttachment, AWS::OpsWorks::Instance, AWS::OpsWorks::Layer, AWS::OpsWorks::Stack, AWS::OpsWorks::UserProfile, AWS::OpsWorks::Volume, AWS::OpsWorksCM::Server, AWS::QLDB::Ledger, AWS::RAM::ResourceShare, AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBClusterParameterGroup, AWS::RDS::DBInstance, AWS::RDS::DBParameterGroup, AWS::RDS::DBSecurityGroup, AWS::RDS::DBSecurityGroupIngress, AWS::RDS::DBSubnetGroup, AWS::RDS::EventSubscription, AWS::RDS::OptionGroup, AWS::Redshift::Cluster, AWS::Redshift::ClusterParameterGroup, AWS::Redshift::ClusterSecurityGroup, AWS::Redshift::ClusterSecurityGroupIngress, AWS::Redshift::ClusterSubnetGroup, AWS::RoboMaker::Fleet, AWS::RoboMaker::Robot, AWS::RoboMaker::RobotApplication, AWS::RoboMaker::RobotApplicationVersion, AWS::RoboMaker::SimulationApplication, AWS::RoboMaker::SimulationApplicationVersion, AWS::Route53::HealthCheck, AWS::Route53::HostedZone, AWS::Route53::RecordSet, AWS::Route53::RecordSetGroup, AWS::Route53Resolver::ResolverEndpoint, AWS::Route53Resolver::ResolverRule, AWS::Route53Resolver::ResolverRuleAssociation, AWS::S3::Bucket, AWS::S3::BucketPolicy, AWS::SageMaker::Endpoint, AWS::SageMaker::EndpointConfig, AWS::SageMaker::Model, 
AWS::SageMaker::NotebookInstance, AWS::SageMaker::NotebookInstanceLifecycleConfig, AWS::SDB::Domain, AWS::SecretsManager::ResourcePolicy, AWS::SecretsManager::RotationSchedule, AWS::SecretsManager::Secret, AWS::SecretsManager::SecretTargetAttachment, AWS::ServiceCatalog::AcceptedPortfolioShare, AWS::ServiceCatalog::CloudFormationProduct, AWS::ServiceCatalog::CloudFormationProvisionedProduct, AWS::ServiceCatalog::LaunchNotificationConstraint, AWS::ServiceCatalog::LaunchRoleConstraint, AWS::ServiceCatalog::LaunchTemplateConstraint, AWS::ServiceCatalog::Portfolio, AWS::ServiceCatalog::PortfolioPrincipalAssociation, AWS::ServiceCatalog::PortfolioProductAssociation, AWS::ServiceCatalog::PortfolioShare, AWS::ServiceCatalog::ResourceUpdateConstraint, AWS::ServiceCatalog::TagOption, AWS::ServiceCatalog::TagOptionAssociation, AWS::ServiceDiscovery::Instance, AWS::ServiceDiscovery::PrivateDnsNamespace, AWS::ServiceDiscovery::PublicDnsNamespace, AWS::ServiceDiscovery::Service, AWS::SES::ConfigurationSet, AWS::SES::ConfigurationSetEventDestination, AWS::SES::ReceiptFilter, AWS::SES::ReceiptRule, AWS::SES::ReceiptRuleSet, AWS::SES::Template, AWS::SNS::Subscription, AWS::SNS::Topic, AWS::SNS::TopicPolicy, AWS::SQS::Queue, AWS::SQS::QueuePolicy, AWS::SSM::Association, AWS::SSM::Document, AWS::SSM::MaintenanceWindow, AWS::SSM::MaintenanceWindowTarget, AWS::SSM::MaintenanceWindowTask, AWS::SSM::Parameter, AWS::SSM::PatchBaseline, AWS::SSM::ResourceDataSync, AWS::StepFunctions::Activity, AWS::StepFunctions::StateMachine, AWS::Synthetics::Canary, AWS::WAF::ByteMatchSet, AWS::WAF::IPSet, AWS::WAF::Rule, AWS::WAF::SizeConstraintSet, AWS::WAF::SqlInjectionMatchSet, AWS::WAF::WebACL, AWS::WAF::XssMatchSet, AWS::WAFRegional::ByteMatchSet, AWS::WAFRegional::IPSet, AWS::WAFRegional::Rule, AWS::WAFRegional::SizeConstraintSet, AWS::WAFRegional::SqlInjectionMatchSet, AWS::WAFRegional::WebACL, AWS::WAFRegional::WebACLAssociation, AWS::WAFRegional::XssMatchSet, AWS::WorkSpaces::Workspace].: 
InvalidParameterValueException
Traceback (most recent call last):
  File "/var/task/BACKUP_RESOURCES.py", line 439, in lambda_handler
    AWS_CONFIG_CLIENT.put_evaluations(Evaluations=evaluation_copy[:100], ResultToken=result_token, TestMode=test_mode)
  File "/var/runtime/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 676, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.

pkennedyvt commented 3 years ago

I replicated this behavior outside of rdk. Turns out that not all resources work with put-evaluations, even if supported by CloudFormation. I'm working with the config team to add a list of services to their roadmap, and hopefully make the supported services known/publicly available.
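An added example, not part of the issue thread or of the RDK code: one way for a custom rule to recover the permitted resource types from the error text quoted above and split its evaluations before retrying, so one unsupported type does not hide the results for every other resource. The function names and the shortened sample message are assumptions made for illustration; the batch size of 100 follows the `evaluation_copy[:100]` slice in the traceback.

```python
import re

# Constructed sample in the format of the error quoted in the issue,
# with the permitted list shortened to four entries.
SAMPLE_ERROR = (
    "An error occurred (InvalidParameterValueException) when calling the "
    "PutEvaluations operation: The resource type AWS::Backup::BackupPlan is "
    "invalid. Only the following values are permitted: [AWS::ACM::Certificate, "
    "AWS::Backup::BackupVault, AWS::S3::Bucket, AWS::::Account]."
)

ERROR_PATTERN = re.compile(
    r"The resource type (?P<bad>\S+) is invalid\.\s+"
    r"Only the following values are permitted: \[(?P<allowed>[^\]]*)\]"
)


def parse_put_evaluations_error(message):
    """Return (rejected_type, permitted_types) or None if the text differs."""
    match = ERROR_PATTERN.search(message)
    if match is None:
        return None
    allowed = {t.strip() for t in match.group("allowed").split(",") if t.strip()}
    return match.group("bad"), allowed


def partition_evaluations(evaluations, permitted):
    """Split evaluations into those the service accepts and those it rejects."""
    accepted, rejected = [], []
    for evaluation in evaluations:
        if evaluation["ComplianceResourceType"] in permitted:
            accepted.append(evaluation)
        else:
            rejected.append(evaluation)
    return accepted, rejected


def batches(evaluations, size=100):
    """Chunk evaluations so each PutEvaluations call carries at most `size`."""
    return [evaluations[i:i + size] for i in range(0, len(evaluations), size)]


if __name__ == "__main__":
    # Constructed evaluations; the resource ids are placeholders.
    evals = [
        {"ComplianceResourceType": "AWS::Backup::BackupPlan",
         "ComplianceResourceId": "example-plan", "ComplianceType": "COMPLIANT"},
        {"ComplianceResourceType": "AWS::S3::Bucket",
         "ComplianceResourceId": "example-bucket", "ComplianceType": "NON_COMPLIANT"},
    ]
    bad_type, permitted = parse_put_evaluations_error(SAMPLE_ERROR)
    ok, dropped = partition_evaluations(evals, permitted)
    print("rejected type:", bad_type)
    print("send:", [e["ComplianceResourceId"] for e in ok])
    print("log as unsupported:", [e["ComplianceResourceId"] for e in dropped])
```

Evaluations that land in the rejected list should be logged or surfaced some other way, since dropping them silently leaves those resources without any compliance result.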