hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: AWS config rule creation in Zurich (eu-central-2) region fails with AccessDeniedException #36509

Closed prateekrastogi92 closed 5 months ago

prateekrastogi92 commented 5 months ago

Terraform Core Version

1.7.5

AWS Provider Version

5.41.0

Affected Resource(s)

aws_config_organization_managed_rule

Expected Behavior

The aws_config_organization_managed_rule should create AWS Config rules in the eu-central-2 region.

Actual Behavior

Error: error creating Config Organization Managed Rule (root-account-mfa-enabled): AccessDeniedException: 
status code: 400, request id: a56a3bab-73bc-44e3-aae8-816d5aa3be1c

The same configuration works for all other regions.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_config_organization_managed_rule" "account-part-of-organizations" {
  name            = "account-part-of-organizations"
  rule_identifier = "ACCOUNT_PART_OF_ORGANIZATIONS"
  # Indented heredoc (<<-) so the closing marker may be indented with the JSON body.
  input_parameters = <<-EOF
    {
      "MasterAccountId": "376488398418"
    }
  EOF
  depends_on = [aws_config_configuration_recorder.x]
}

resource "aws_config_organization_managed_rule" "cloudtrail-enabled" {
  name            = "cloudtrail-enabled"
  rule_identifier = "CLOUD_TRAIL_ENABLED"

  depends_on = [aws_config_configuration_recorder.x]
}

resource "aws_config_organization_managed_rule" "cloudtrail-encryption-enabled" {
  name            = "cloudtrail-encryption-enabled"
  rule_identifier = "CLOUD_TRAIL_ENCRYPTION_ENABLED"

  depends_on = [aws_config_configuration_recorder.x]
}

resource "aws_config_organization_managed_rule" "root-account-mfa-enabled" {
  name            = "root-account-mfa-enabled"
  rule_identifier = "ROOT_ACCOUNT_MFA_ENABLED"

  depends_on = [aws_config_configuration_recorder.x]
}

resource "aws_config_configuration_recorder" "x" {
  name     = "x"
  role_arn = var.config_role_arn

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_configuration_recorder_status" "x" {
  name       = aws_config_configuration_recorder.x.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.x]
}

resource "aws_config_delivery_channel" "x" {
  name           = "x"
  s3_bucket_name = var.config_bucket_name
  # The recorder declared above is named "x"; there is no "main" recorder.
  depends_on     = [aws_config_configuration_recorder.x]
}

resource "aws_iam_role" "aws_config" {
  name               = "awsconfig"
  assume_role_policy = data.aws_iam_policy_document.assume_for_config.json
}

data "aws_iam_policy_document" "aws_config_s3_channel" {
  policy_id = "AWSConfigS3Channel"

  statement {
    sid    = "AllowObjectAccess"
    effect = "Allow"
    actions = [
      "s3:PutObject",
      "s3:PutObjectAcl",
    ]
    resources = ["arn:aws:s3:::x/*"]

    condition {
      test     = "StringLike"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }

  statement {
    sid    = "AllowBucketAccess"
    effect = "Allow"
    actions = [
      "s3:GetAccelerateConfiguration",
      "s3:GetBucketAcl",
      "s3:GetBucketCORS",
      "s3:GetBucketLocation",
      "s3:GetBucketLogging",
      "s3:GetBucketNotification",
      "s3:GetBucketPolicy",
      "s3:GetBucketRequestPayment",
      "s3:GetBucketTagging",
      "s3:GetBucketVersioning",
      "s3:GetBucketWebsite",
      "s3:GetLifecycleConfiguration",
      "s3:GetReplicationConfiguration",
      "s3:ListBucket",
    ]
    resources = ["arn:aws:s3:::x"]
  }
}

resource "aws_iam_policy" "aws_config_s3_channel" {
  name        = "aws_config_s3_channel"
  description = "AWS Config to access centralized audit bucket"
  policy      = data.aws_iam_policy_document.aws_config_s3_channel.json
}

resource "aws_iam_role_policy_attachment" "aws_config_s3_channel" {
  role       = aws_iam_role.aws_config.name
  policy_arn = aws_iam_policy.aws_config_s3_channel.arn
}

data "aws_iam_policy" "config_role" {
  arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

resource "aws_iam_role_policy_attachment" "aws_config_audit_access" {
  role       = aws_iam_role.aws_config.name
  policy_arn = data.aws_iam_policy.config_role.arn
}

resource "aws_config_configuration_aggregator" "x" {
  depends_on = [aws_iam_role_policy_attachment.config-aggregator-organization-policy]

  name = "x"

  organization_aggregation_source {
    all_regions = false
    regions     = ["eu-central-2"] # regions is a list of strings
    role_arn    = aws_iam_role.config-aggregator-organization-role.arn
  }
}

resource "aws_iam_role" "config-aggregator-organization-role" {
  name = "AWSConfigRoleForOU"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "config-aggregator-organization-policy" {
  role       = aws_iam_role.config-aggregator-organization-role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
}

Steps to Reproduce

terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None


justinretzolk commented 5 months ago

Hey @prateekrastogi92 👋 Thank you for taking the time to raise this! That the configuration works with all other regions and the error is an AccessDeniedException (relating to permissions) indicates that this is almost certainly not a bug with the provider itself. With that in mind, you'd be better served by raising this in one of the community forums, such as the AWS Provider forum. So that we can maintain focus on bugs and feature requests for the provider, I'll be closing this issue.
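Two account-level preconditions commonly behind a permission error that appears only in an opt-in region such as eu-central-2 can be verified at plan time, so the failure is reported with a clear message rather than as an AccessDeniedException at apply. The block below is an added example, not code from the issue or from the provider; the variable name, data source names and the check name are assumptions, and it assumes the caller may run ec2:DescribeRegions and organizations:DescribeOrganization.

```hcl
# Added example (not from the issue or the provider): pre-flight checks for
# organization Config rules. Requires Terraform >= 1.5 (check blocks);
# the issue reports 1.7.5.

variable "config_region" {
  type        = string
  description = "Region the organization rules are created in"
  default     = "eu-central-2" # Zurich, an opt-in region
}

# Regions enabled for the account Terraform runs as (assumes ec2:DescribeRegions).
data "aws_regions" "enabled" {
  all_regions = true

  filter {
    name   = "opt-in-status"
    values = ["opt-in-not-required", "opted-in"]
  }
}

# The organization as seen from this account
# (assumes organizations:DescribeOrganization).
data "aws_organizations_organization" "current" {}

check "organization_config_rule_preconditions" {
  # An opt-in region that has not been enabled rejects every API call.
  assert {
    condition     = contains(data.aws_regions.enabled.names, var.config_region)
    error_message = "Region ${var.config_region} is not enabled for this account; enable it before creating AWS Config resources there."
  }

  # Organization rules are accepted only when trusted access for the
  # multi-account Config service principal is enabled on the organization.
  assert {
    condition = contains(
      data.aws_organizations_organization.current.aws_service_access_principals,
      "config-multiaccountsetup.amazonaws.com",
    )
    error_message = "Trusted access for config-multiaccountsetup.amazonaws.com is not enabled in the organization; enable it from the management account."
  }
}
```

A failed check is reported as a warning during plan and apply, which points at the account setup to fix before the Config API is ever called.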

github-actions[bot] commented 5 months ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

github-actions[bot] commented 4 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.