hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: #27559

Open charlesetii opened 2 years ago

charlesetii commented 2 years ago

Terraform Core Version

1.3.3

AWS Provider Version

~> 3.0.0

Affected Resource(s)

Issue

The aws_config_conformance_pack resource times out after 5 minutes. How can this timeout be increased, given that the resource exposes no timeouts block? The pack does finish building correctly after the timeout.

Terraform code that creates the conformance pack, with a trigger to rebuild it

locals {
   # Lower-cased and used as the bucket_prefix of the conformance pack source bucket.
   generic_config_conformance_pack_bucket_resource_prefix = "some-bucket-prefix"
   # Prefix for the ConfigRuleName values rendered into the conformance pack template.
   generic_config_resource_prefix = "some-config-prefix"
   # ARN of the SSM automation document used to remediate restricted-port findings.
   # NOTE(review): local.generic_config_conformance_pack_resource_prefix, used by the
   # aws_config_conformance_pack resource below, is not declared here; presumably it
   # lives in another file of the module.
   restrict_port_remediation = "arn to SSM doc"
}

resource "aws_s3_bucket" "conformance_pack_source" {
  # Bucket that holds the rendered conformance pack template. The prefix is
  # lower-cased, presumably to satisfy S3 bucket naming rules. Public access is
  # blocked by the separate aws_s3_bucket_public_access_block resource below.
  bucket_prefix = "${lower(local.generic_config_conformance_pack_bucket_resource_prefix)}-conform-packs-"
  # NOTE(review): the inline acl and server_side_encryption_configuration arguments
  # match the ~> 3.0 provider pinned in the terraform block; as far as I recall they
  # are deprecated in v4 in favour of standalone resources.
  acl           = "private"

  tags = merge(var.common_tags, {
    Tier = "Security"

  })

  # Default SSE-S3 (AES256) encryption for every object written to the bucket.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

resource "aws_s3_bucket_versioning" "conformance_pack_source" {
  # Keeps prior versions of the uploaded template so an earlier pack can be
  # recovered. NOTE(review): this standalone resource was, as far as I recall,
  # introduced in provider v4 — confirm it resolves under the ~> 3.0 constraint
  # in the terraform block (the report itself says ~> 3.0.0).
  bucket = aws_s3_bucket.conformance_pack_source.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_public_access_block" "conformance_pack_source" {
  bucket = aws_s3_bucket.conformance_pack_source.id

  # All four public-access controls are switched on for the template source
  # bucket, so neither ACLs nor bucket policies can expose the rendered pack.
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}

data "template_file" "sandbox_conformance_pack" {
  # Renders source/templates/Sandbox-Conformance-Pack.yml, substituting the
  # ${...} placeholders listed in vars; the result is uploaded to S3 and used by
  # the conformance pack. NOTE(review): the template provider is deprecated in
  # favour of the built-in templatefile() function; switching would also change
  # the .rendered reference used by aws_s3_bucket_object and null_resource below.
  template = file("${path.module}/source/templates/Sandbox-Conformance-Pack.yml")

  vars = {
    config_rule_prefix                      = local.generic_config_resource_prefix,
    # ARN of the custom Lambda that evaluates the restrict-any-ip rule.
    sandbox_not_any_ip_lambda_arn           = aws_lambda_function.sandbox_lambda_source_identify_any_ip_usage.arn
    # Role assumed by SSM Automation when a remediation runs.
    ssm_execution_role                      = data.aws_iam_role.ssm_automation_execution_role.arn
    # AWS-managed document used for the RDS public-access remediation.
    ssm_document_remediate_rds              = "AWSConfigRemediation-DisablePublicAccessToRDSInstance"
    # Customer document (ARN from locals) used for the restricted-ports remediation.
    ssm_document_remediate_restricted_ports = local.restrict_port_remediation
  }
}

resource "aws_s3_bucket_object" "conformance_pack_source" {
  # Uploads the rendered template; template_s3_uri in the conformance pack
  # resource is assembled from this bucket and key.
  bucket = aws_s3_bucket.conformance_pack_source.bucket
  key    = "Sandbox_Conformance_Pack.yml"

  # The rendered content is passed inline (base64) rather than read from a file,
  # so it is tracked in state and a template change presumably shows up as a
  # diff on this object.
  content_base64 = base64encode(data.template_file.sandbox_conformance_pack.rendered)
}

# Used to trigger replacement on new conformance pack yml
resource "null_resource" "conformance_pack_replacement_trigger" {
  # Any change in the rendered template replaces this resource; the conformance
  # pack lists it under replace_triggered_by, so the pack is replaced with it.
  triggers = {
    string = data.template_file.sandbox_conformance_pack.rendered
  }
}

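resource "aws_config_conformance_pack" "sandbox_conformance_pack" {
  # NOTE(review): local.generic_config_conformance_pack_resource_prefix is not in
  # the locals block of this file; presumably it is declared elsewhere in the
  # module (the error output shows the name resolving to "AE1ADMCFPINT-Sandbox").
  name = "${local.generic_config_conformance_pack_resource_prefix}-Sandbox"

  # Points at the object uploaded above (the object's id is its key).
  template_s3_uri = "s3://${aws_s3_bucket.conformance_pack_source.bucket}/${aws_s3_bucket_object.conformance_pack_source.id}"

  # The resource exposes no timeouts block, so creation is bounded by the
  # provider's built-in wait (5m0s in the error output of this issue).
  lifecycle {
    # Replace the pack whenever the rendered template changes; the null_resource
    # above is replaced on every change of the rendered text.
    replace_triggered_by = [
      null_resource.conformance_pack_replacement_trigger
    ]
  }
}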

Conformance Pack YAML being created

# Rendered by data.template_file.sandbox_conformance_pack: Terraform substitutes
# the placeholders (config_rule_prefix, sandbox_not_any_ip_lambda_arn,
# ssm_execution_role, ssm_document_remediate_rds,
# ssm_document_remediate_restricted_ports) before the file is uploaded.
Parameters:
  # Ports checked by the restricted-common-ports rule; each one is forwarded to
  # the rule only when its Condition (end of file) is true.
  RestrictedIncomingTrafficParamBlockedPort1:
    Default: '22'
    Type: String
  RestrictedIncomingTrafficParamBlockedPort2:
    Default: '3306'
    Type: String
  RestrictedIncomingTrafficParamBlockedPort3:
    Default: '3389'
    Type: String
  RestrictedIncomingTrafficParamBlockedPort4:
    Default: '1433'
    Type: String
  RestrictedIncomingTrafficParamBlockedPort5:
    # NOTE(review): unlike the other defaults this is not a port number, and the
    # matching Condition only drops the parameter when it equals '' — so '-1' is
    # passed to the managed rule as blockedPort5. Confirm the rule accepts it,
    # or default to '' to omit the fifth port.
    Default: '-1'
    Type: String
Resources:
  # Custom rule backed by the Lambda in sandbox_not_any_ip_lambda_arn; evaluated
  # whenever a security group's configuration item changes (including oversized
  # change notifications).
  SandboxRestrictAnyIP:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "${config_rule_prefix}-restrict-any-ip-onchange"
      Description: Restrict any ip address for ipv4 and ipv6
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::SecurityGroup"
      Source:
        Owner: CUSTOM_LAMBDA
        SourceIdentifier: "${sandbox_not_any_ip_lambda_arn}"
        SourceDetails:
          - MessageType: ConfigurationItemChangeNotification
            EventSource: aws.config
          - MessageType: OversizedConfigurationItemChangeNotification
            EventSource: aws.config
  # AWS-managed rule: flags publicly accessible RDS instances.
  SandboxRestrictRDSPublicAccess:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "${config_rule_prefix}-rds-public-access"
      Description: Restrict public access for RDS
      Scope:
        ComplianceResourceTypes:
          - "AWS::RDS::DBInstance"
      Source:
        Owner: AWS
        SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
  # Automatic remediation for the rule above, via the SSM document named in
  # ssm_document_remediate_rds, executed as the role in ssm_execution_role.
  SandboxRestrictRDSPublicAccessRemediation:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      # NOTE(review): in CloudFormation syntax DependsOn is a resource-level
      # attribute rather than a property; confirm the conformance pack service
      # honours it at this position (same placement in
      # SandboxRestrictCommonPortsRemediation below).
      DependsOn: "SandboxRestrictRDSPublicAccess"
      ConfigRuleName: '${config_rule_prefix}-rds-public-access'
      ResourceType: 'AWS::RDS::DBInstance'
      TargetId: "${ssm_document_remediate_rds}"
      TargetType: SSM_DOCUMENT
      # Every non-compliant instance is remediated without human approval, up to
      # 20 attempts 30 seconds apart. NOTE(review): scope the assumed role to what
      # this one document needs.
      Automatic: true
      MaximumAutomaticAttempts: 20
      RetryAttemptSeconds: 30
      Parameters:
        # The evaluated resource's id is passed as the document's DbiResourceId.
        DbiResourceId:
          ResourceValue: 
            Value: RESOURCE_ID
        AutomationAssumeRole:
          StaticValue:
            Values:
              - '${ssm_execution_role}'
      # Presumably the error-rate and concurrency limits for the SSM executions.
      ExecutionControls:
        SsmControls:
          ErrorPercentage: 20
          ConcurrentExecutionRatePercentage: 25
  # AWS-managed rule: flags security groups that allow unrestricted inbound
  # traffic on the configured ports.
  SandboxRestrictCommonPorts:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: '${config_rule_prefix}-restricted-common-ports'
      Description: Restrict public access for common ports
      InputParameters:
        # Each port is passed only when its Condition holds; AWS::NoValue removes
        # the key otherwise.
        blockedPort1:
          Fn::If:
            - restrictedIncomingTrafficParamBlockedPort1
            - Ref: RestrictedIncomingTrafficParamBlockedPort1
            - Ref: AWS::NoValue
        blockedPort2:
          Fn::If:
            - restrictedIncomingTrafficParamBlockedPort2
            - Ref: RestrictedIncomingTrafficParamBlockedPort2
            - Ref: AWS::NoValue
        blockedPort3:
          Fn::If:
            - restrictedIncomingTrafficParamBlockedPort3
            - Ref: RestrictedIncomingTrafficParamBlockedPort3
            - Ref: AWS::NoValue
        blockedPort4:
          Fn::If:
            - restrictedIncomingTrafficParamBlockedPort4
            - Ref: RestrictedIncomingTrafficParamBlockedPort4
            - Ref: AWS::NoValue
        blockedPort5:
          Fn::If:
            - restrictedIncomingTrafficParamBlockedPort5
            - Ref: RestrictedIncomingTrafficParamBlockedPort5
            - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
  # Automatic remediation for the rule above, via the document in
  # ssm_document_remediate_restricted_ports; same retry, role and execution
  # controls as the RDS remediation.
  SandboxRestrictCommonPortsRemediation:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      DependsOn: "SandboxRestrictCommonPorts"
      ConfigRuleName: '${config_rule_prefix}-restricted-common-ports'
      ResourceType: 'AWS::EC2::SecurityGroup'
      TargetId: "${ssm_document_remediate_restricted_ports}"
      TargetType: SSM_DOCUMENT
      # Automatic changes to security group rules; NOTE(review): confirm the
      # document only removes the offending rules rather than the whole group.
      Automatic: true
      MaximumAutomaticAttempts: 20
      RetryAttemptSeconds: 30
      Parameters:
        # The evaluated security group's id is passed as the document's GroupId.
        GroupId:
          ResourceValue: 
            Value: RESOURCE_ID
        AutomationAssumeRole:
          StaticValue:
            Values:
              - '${ssm_execution_role}'
      ExecutionControls:
        SsmControls:
          ErrorPercentage: 20
          ConcurrentExecutionRatePercentage: 25
# Each condition is true when the corresponding port parameter is non-empty.
Conditions:
  restrictedIncomingTrafficParamBlockedPort1:
    Fn::Not:
      - Fn::Equals:
        - ''
        - Ref: RestrictedIncomingTrafficParamBlockedPort1
  restrictedIncomingTrafficParamBlockedPort2:
    Fn::Not:
      - Fn::Equals:
        - ''
        - Ref: RestrictedIncomingTrafficParamBlockedPort2
  restrictedIncomingTrafficParamBlockedPort3:
    Fn::Not:
      - Fn::Equals:
        - ''
        - Ref: RestrictedIncomingTrafficParamBlockedPort3
  restrictedIncomingTrafficParamBlockedPort4:
    Fn::Not:
      - Fn::Equals:
        - ''
        - Ref: RestrictedIncomingTrafficParamBlockedPort4
  restrictedIncomingTrafficParamBlockedPort5:
    Fn::Not:
      - Fn::Equals:
        - ''
        - Ref: RestrictedIncomingTrafficParamBlockedPort5

Expected Behavior

Expected the create not to time out, since the conformance pack only uses the YAML template to build out the config rules and remediations.

Actual Behavior

The conformance pack create times out. The delete does not time out and works as expected.

Relevant Error/Panic Output Snippet

Error: error waiting for Config Conformance Pack (AE1ADMCFPINT-Sandbox) to be created: timeout while waiting for state to become 'CREATE_COMPLETE' (last state: 'CREATE_IN_PROGRESS', timeout: 5m0s)
│ 
│   with module.config.aws_config_conformance_pack.sandbox_conformance_pack,
│   on modules/config/conformance-pack-sandbox.tf line 68, in resource "aws_config_conformance_pack" "sandbox_conformance_pack":
│   68: resource "aws_config_conformance_pack" "sandbox_conformance_pack" {

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      # NOTE(review): ~> 3.0 admits any 3.x release, while the report above pins
      # ~> 3.0.0; aws_s3_bucket_versioning, used in this configuration, is as far
      # as I recall a v4 resource — confirm which provider version is installed.
      version = "~> 3.0"
    }
    null = {
      # No source given, so Terraform resolves this to hashicorp/null.
      version = "~> 3.2.0"
    }
  }
  backend "s3" {
    # NOTE(review): the backend's encrypt argument is not set; state can carry
    # sensitive attribute values, so set encrypt = true or confirm the bucket
    # enforces default encryption. The DynamoDB table below provides state locking.
    bucket = "terraform-sandbox-tf-state-bucket" # TODO: plug in aws_terraform_state_s3_bucket_name from the devops-infrastructure module
    #key            = ""          # set in Azure DevOps pipeline
    region         = "us-east-1"                      # TODO:  Verify region
    dynamodb_table = "aws-tf-locks-terraform-sandbox" # TODO: set to aws-tf-locks-${var.project_name}
  }
}

provider "aws" {
  region = var.region
  # All API calls run under the deployment role in the target account rather
  # than the caller's own credentials.
  assume_role {
    role_arn = "arn:aws:iam::${var.account_id}:role/${var.terraform_role}"
  }

  # Tags with this key that are written outside Terraform are not reported as drift.
  ignore_tags {
    keys = [
      "InitialSetupStatus"
    ]
  }
}

# disaster recovery 
provider "aws" {
  # Secondary provider, selected by resources with provider = aws.dr; the region
  # is hard-coded here while the primary provider takes it from var.region.
  alias  = "dr"
  region = "us-east-2" # TODO: Verify the secondary/DR region
  # Same deployment role as the primary provider.
  assume_role {
    role_arn = "arn:aws:iam::${var.account_id}:role/${var.terraform_role}"
  }
  ignore_tags {
    keys = [
      "InitialSetupStatus"
    ]
  }
}

Steps to Reproduce

Copy the conformance pack YAML to the bucket and run Terraform.

Debug Output

No response

Panic Output

No response

Important Factoids

Behind the scenes the pack still runs to completion after Terraform reports the failure, but the null_resource then deletes it. I can work that part out on my own, though.

References

No response

Would you like to implement a fix?

No response

github-actions[bot] commented 2 years ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

justinretzolk commented 2 years ago

Potentially related: #24545

github-actions[bot] commented 2 weeks ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!