aws_config_organization_conformance_pack does not know when Packs are deployed/created

[daytonpa]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.8
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v3.75.1
+ provider registry.terraform.io/hashicorp/local v2.2.2

AND

Terraform v1.1.8
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v4.12.1
+ provider registry.terraform.io/hashicorp/local v2.2.2

Affected Resource(s)

• resource "aws_config_organization_conformance_pack"
• data "local_file"

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

• main.tf

  
  # ********** LOCAL FILES **********
  data "local_file" "cis" {
  filename = "./cis_conformance_packages.yml"
  }
  data "local_file" "operational" {
  filename = "./operational_best_practices.yml"
  }
  data "local_file" "security" {
  filename = "./security_best_practices.yml"
  }

** AWS CONFIG PACKS **

resource "aws_config_organization_conformance_pack" "cis" { name = "cis-conformance-pack" template_body = data.local_file.cis.content timeouts { create = "30m" update = "30m" delete = "10m" } } resource "aws_config_organization_conformance_pack" "operational" { name = "operational-best-practices-pack" template_body = data.local_file.operational.content timeouts { create = "30m" update = "30m" delete = "10m" } } resource "aws_config_organization_conformance_pack" "security" { name = "security-best-practices-pack" template_body = data.local_file.security.content timeouts { create = "30m" update = "30m" delete = "10m" } }

backend.tf
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      # version = "~> 3.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
  profile = "deployer"
}

Expected Behavior

terraform apply should complete when Conformance Packs are both CREATE_COMPLETE within the CloudFormation Console or API call, and when the AWS Config Console or API call shows a Conformance Pack as Deployment Successful.

Actual Behavior

Terraform times out waiting for resource completion despite Terraform-managed resources actually completing. Terraform ran for 30 minutes awaiting a response, yet the corresponding CloudFormation Stack showing "CREATE_COMPLETE" within 7 minutes in the Cloudformation Console, and the Conformance Pack showing "Deployment Successful" in the AWS Config console.

As a result, Terraform considers the created resources tainted, and attempts to redeploy the Conformance Packs every apply.

aws_config_organization_conformance_pack.operational: Still creating... [37m5s elapsed]
aws_config_organization_conformance_pack.security: Still creating... [37m5s elapsed]
aws_config_organization_conformance_pack.security: Still creating... [37m15s elapsed]
aws_config_organization_conformance_pack.operational: Still creating... [37m15s elapsed]
aws_config_organization_conformance_pack.cis: Still creating... [37m15s elapsed]
╷
│ Error: error waiting for Config Organization Conformance Pack (cis-conformance-pack) to be created: timeout while waiting for state to become 'CREATE_SUCCESSFUL' (last state: 'CREATE_IN_PROGRESS', timeout: 30m0s)
│ 
│   with aws_config_organization_conformance_pack.cis,
│   on main.tf line 17, in resource "aws_config_organization_conformance_pack" "cis":
│   17: resource "aws_config_organization_conformance_pack" "cis" {
│ 
╵
╷
│ Error: error waiting for Config Organization Conformance Pack (operational-best-practices-pack) to be created: timeout while waiting for state to become 'CREATE_SUCCESSFUL' (last state: 'CREATE_IN_PROGRESS', timeout: 30m0s)
│ 
│   with aws_config_organization_conformance_pack.operational,
│   on main.tf line 26, in resource "aws_config_organization_conformance_pack" "operational":
│   26: resource "aws_config_organization_conformance_pack" "operational" {
│ 
╵
╷
│ Error: error waiting for Config Organization Conformance Pack (security-best-practices-pack) to be created: timeout while waiting for state to become 'CREATE_SUCCESSFUL' (last state: 'CREATE_IN_PROGRESS', timeout: 30m0s)
│ 
│   with aws_config_organization_conformance_pack.security,
│   on main.tf line 35, in resource "aws_config_organization_conformance_pack" "security":
│   35: resource "aws_config_organization_conformance_pack" "security" {
│ 
╵

Steps to Reproduce

1. terraform apply

Important Factoids

The actual Conformance Pack YAMLs being used within the data "local_file" blocks are client-owned and cannot be shared.

References

Food for Thought

Terraform is timing out awaiting a "CREATE_SUCCESSFUL" from the AWS Conformance Package CloudFormation Stack, but the finished message from CloudFormation is "CREATE_COMPLETE". What's the possibility that Terraform is looking for the wrong string?

[justinretzolk]

Hey @daytonpa 👋 Thank you for taking the time to raise this! Would it be possible to supply (redacted as needed) debug logs as well? You mentioned some of the data cannot be shared, so if it is not possible, I understand.

[daytonpa]

Sure I'll see what I can populate for you

[amayreddy25]

I encountered similar issue while using "aws_config_organization_conformance_pack" . Did anyone able to use this resource to create the conformance packs at org level?

I was able to get it working by using template_body instead of template_s3_uri. I guess I am doing something wrong with the way I am passing parameters to the template and pushing it to s3. I will review and repost here if I run into any additional issues. Thank you and sorry for any inconvenience.

[bmorrissirromb]

I'm also encountering this error, even when using template_body and not template_s3_uri.

The CFT stack associated with the Conformance Pack has status CREATE_COMPLETE, but the terraform client continues to wait for completion.

Behavior is pretty inconsistent but it's a huge pain.

[BrandonErkamaa]

I am also getting an error Error: error waiting for Config Organization Conformance Pack (FedRAMP-conformance-pack) to be created: unexpected state 'UPDATE_IN_PROGRESS', wanted target 'CREATE_SUCCESSFUL'. last error: %!s()

[dave-dotnet-overall]

Ive also run into this issue and given there is no way in the console to upload organization packs its means i have manual upload on an account\region basis.

[meraj-kashi]

Same issue here, organization_conformance_pack creation is failing du to timeout:

waiting for ConfigService Organization Conformance Pack (meraj) create: timeout while waiting for state to become 'CREATE_SUCCESSFUL' (last state: 'CREATE_IN_PROGRESS', timeout: 10m0s)

I tried awscc provider and have a same result. https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/config_organization_conformance_pack