hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: "aws_backup_report_plan" errors out when report template is "compliance" type, when deploying multi-account from management account #32235

Open mohammednias opened 1 year ago

mohammednias commented 1 year ago

Terraform Core Version

12.3.1

AWS Provider Version

5.5.0

Affected Resource(s)

Expected Behavior

aws_backup_report_plan should create the report plan when the report template type is "CONTROL_COMPLIANCE_REPORT" or "RESOURCE_COMPLIANCE_REPORT", when deploying from the management account in a multi-account setup.

Currently it only works when the report template type is "BACKUP_JOB_REPORT", "COPY_JOB_REPORT" or "RESTORE_JOB_REPORT".

Actual Behavior

The AWS API returns a validation error:

"Error: creating Backup Report Plan : InvalidParameterValueException: Invalid parameter: For multi-account, multi-Region reports, use Accounts, OrganizationUnits and Regions"

Relevant Error/Panic Output Snippet

aws_backup_report_plan.this["CONTROL_COMPLIANCE_REPORT"]: Creating...
aws_backup_report_plan.this["RESOURCE_COMPLIANCE_REPORT"]: Creating...

Error: creating Backup Report Plan (default_control_compliance_report): InvalidParameterValueException: Invalid parameter: For multi-account, multi-Region reports, use Accounts, OrganizationUnits and Regions
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "xxxxxxxxxxx"
  },
  Message_: "Invalid parameter: For multi-account, multi-Region reports, use Accounts, OrganizationUnits and Regions"
}

  on main.tf line 19, in resource "aws_backup_report_plan" "this":
  19: resource "aws_backup_report_plan" "this" {

Error: creating Backup Report Plan (default_resource_compliance_report): InvalidParameterValueException: Invalid parameter: For multi-account, multi-Region reports, use Accounts, OrganizationUnits and Regions
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "xxxxxxxxxxx"
  },
  Message_: "Invalid parameter: For multi-account, multi-Region reports, use Accounts, OrganizationUnits and Regions"
}

  on main.tf line 19, in resource "aws_backup_report_plan" "this":
  19: resource "aws_backup_report_plan" "this" {

Terraform Configuration Files

resource "aws_backup_framework" "this" {
  name        = "framework_test_backup_default"
  description = "Backup framework."

  control {
    name = "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK"

    input_parameter {
      name  = "requiredRetentionDays"
      value = "1"
    }
  }
}

data "aws_s3_bucket" "backup_report" {
  bucket = "backup-report-bucket"
}

resource "aws_backup_report_plan" "this" {
  for_each = toset(["CONTROL_COMPLIANCE_REPORT", "RESOURCE_COMPLIANCE_REPORT"])

  name        = "report_${lower(each.key)}"
  description = "AWS Backup report for ${each.key}"

  report_delivery_channel {
    formats        = ["CSV"]
    s3_bucket_name = data.aws_s3_bucket.backup_report.id
  }

  report_setting {
    accounts             = ["1111111", "222222", "3333333"]
    # organization_units   = [] # tried with and without this parameter; both give the same error.
    framework_arns       = [aws_backup_framework.this.arn] # must be a list of ARNs, as shown in the plan output below
    regions              = ["ap-southeast-2"]
    report_template      = each.key
  }

}

Steps to Reproduce

1) Create an AWS Backup framework with at least one control in it, from the AWS management account (Organization management account).
2) Create a backup report plan with a report template type of either "CONTROL_COMPLIANCE_REPORT" or "RESOURCE_COMPLIANCE_REPORT", selecting the previously created AWS Backup framework, and adding the target AWS accounts under the AWS Organization.

Note: the same setup works manually in the AWS console; it is "ONLY" not working when creating via Terraform.

Debug Output

Terraform will perform the following actions:

  # aws_backup_report_plan.this["CONTROL_COMPLIANCE_REPORT"] will be created
  + resource "aws_backup_report_plan" "this" {
      + arn               = (known after apply)
      + creation_time     = (known after apply)
      + deployment_status = (known after apply)
      + description       = "AWS Backup report for CONTROL_COMPLIANCE_REPORT"
      + id                = (known after apply)
      + name              = "default_control_compliance_report"

      + report_delivery_channel {
          + formats        = [
              + "CSV",
            ]
          + s3_bucket_name = "backup-report"
        }

      + report_setting {
          + accounts             = [
              + "1111111111",
              + "22222222",
              + "33333333",
            ]
          + framework_arns       = [
              + "arn:aws:backup:ap-southeast-2:77777777777:framework:framework_backup_all-xxxx-c1e7-42c7-xx-xxxxxx",
            ]
          + number_of_frameworks = 1
          + regions              = [
              + "ap-southeast-2",
            ]
          + report_template      = "CONTROL_COMPLIANCE_REPORT"
        }
    }

  # aws_backup_report_plan.this["RESOURCE_COMPLIANCE_REPORT"] will be created
  + resource "aws_backup_report_plan" "this" {
      + arn               = (known after apply)
      + creation_time     = (known after apply)
      + deployment_status = (known after apply)
      + description       = "AWS Backup report for RESOURCE_COMPLIANCE_REPORT"
      + id                = (known after apply)
      + name              = "default"

      + report_delivery_channel {
          + formats        = [
              + "CSV",
            ]
          + s3_bucket_name = "backup-report"
        }

      + report_setting {
          + accounts             = [
              + "111111111111",
              + "222222222",
              + "333333333",
            ]
          + framework_arns       = [
              + "arn:aws:backup:ap-southeast-2:7777777777:framework:framework_backup_all-xxxxx-c1e7-42c7-8972-xxxxxx",
            ]
          + number_of_frameworks = 1
          + regions              = [
              + "ap-southeast-2",
            ]
          + report_template      = "RESOURCE_COMPLIANCE_REPORT"
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_backup_report_plan.this["CONTROL_COMPLIANCE_REPORT"]: Creating...
aws_backup_report_plan.this["RESOURCE_COMPLIANCE_REPORT"]: Creating...

Error: creating Backup Report Plan (default: InvalidParameterValueException: Invalid parameter: For multi-account, multi-Region reports, use Accounts, OrganizationUnits and Regions
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "xxxxx-xx-4745-bfad-xxxxxx"
  },
  Message_: "Invalid parameter: For multi-account, multi-Region reports, use Accounts, OrganizationUnits and Regions"
}

  on main.tf line 19, in resource "aws_backup_report_plan" "this":
  19: resource "aws_backup_report_plan" "this" {

Error: creating Backup Report Plan (default): InvalidParameterValueException: Invalid parameter: For multi-account, multi-Region reports, use Accounts, OrganizationUnits and Regions
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "xxxx-a11d-xxxx-bce7-xxxxxxx"
  },
  Message_: "Invalid parameter: For multi-account, multi-Region reports, use Accounts, OrganizationUnits and Regions"
}

  on main.tf line 19, in resource "aws_backup_report_plan" "this":
  19: resource "aws_backup_report_plan" "this" {

ERRO[0014] Hit multiple errors:
Hit multiple errors:
exit status 1

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

Yes

justinretzolk commented 1 year ago

Hey @mohammednias 👋 Thank you for taking the time to raise this! So that we have the necessary information in order to look into this, can you supply debug logs (redacted as needed) as well?

rjdavidson commented 1 year ago

I ran into this exact same issue when using CloudFormation as well. It might be an issue with the AWS API?

rjdavidson commented 1 year ago

I figured out what the issue is. When you are creating a multi-account report, you cannot specify a framework. If you remove the framework ARN, this works fine.
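An added example, not code from the issue author or the provider, that applies rjdavidson's finding: framework_arns is only set for a single-account report, and a lifecycle precondition rejects the multi-account-plus-framework combination at plan time instead of at apply. It assumes Terraform >= 1.2 (for preconditions), reuses the page's data.aws_s3_bucket.backup_report, and uses constructed placeholder account IDs and variable names.

```hcl
# Added example (not the issue author's or the provider's code).
# Assumes Terraform >= 1.2 for lifecycle preconditions and the page's
# data.aws_s3_bucket.backup_report data source.

variable "target_accounts" {
  description = "Member account IDs covered by the report (constructed placeholders)."
  type        = list(string)
  default     = ["111111111111", "222222222222"]
}

variable "framework_arns" {
  description = "Frameworks to pin, e.g. [aws_backup_framework.this.arn]; single-account reports only."
  type        = list(string)
  default     = []
}

locals {
  # More than one target account makes this a multi-account report.
  multi_account = length(var.target_accounts) > 1
}

resource "aws_backup_report_plan" "compliance" {
  for_each = toset(["CONTROL_COMPLIANCE_REPORT", "RESOURCE_COMPLIANCE_REPORT"])

  name        = "report_${lower(each.key)}"
  description = "AWS Backup report for ${each.key}"

  report_delivery_channel {
    formats        = ["CSV"]
    s3_bucket_name = data.aws_s3_bucket.backup_report.id
  }

  report_setting {
    report_template = each.key
    accounts        = var.target_accounts
    regions         = ["ap-southeast-2"]
    # Leave framework_arns unset (null) for multi-account reports; the API
    # rejects them with the InvalidParameterValueException quoted in the issue.
    framework_arns = local.multi_account || length(var.framework_arns) == 0 ? null : var.framework_arns
  }

  lifecycle {
    precondition {
      condition     = !(local.multi_account && length(var.framework_arns) > 0)
      error_message = "framework_arns cannot be combined with a multi-account report; drop the frameworks or target a single account."
    }
  }
}
```

With this, `terraform plan` fails with the precondition message instead of the report plan partially failing during `terraform apply`.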