awscc_cloudformation_guard_hook: target_operations doesn't support CLOUD_CONTROL

[quixoticmonk]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.10.0-beta1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/awscc v1.21.0

Affected Resource(s)

• awscc_cloudformation_guard_hook

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "awscc_cloudformation_guard_hook" "example" {
  alias = "AWSCC::S3::Hooks"
  rule_location = {
    uri = "s3://ccapihooks/safebucket.guard"
  }
  execution_role    = awscc_iam_role.example.arn
  failure_mode      = "FAIL"
  target_operations = ["CLOUD_CONTROL"]
  hook_status       = "ENABLED"
  target_filters = {
    actions           = ["CREATE", "UPDATE"]
    invocation_points = ["PRE_PROVISION"]
    target_names      = ["AWS::S3::Bucket"]
  }

}

Expected Behavior

• Expected the hook to be created on the target AWS account.

Actual Behavior

• Deployment failed with the below message

╷
│ Error: Invalid Attribute Value Match
│
│   with awscc_cloudformation_guard_hook.example,
│   on main.tf line 8, in resource "awscc_cloudformation_guard_hook" "example":
│    8:   target_operations = ["CLOUD_CONTROL"]
│
│ Attribute target_operations[0] value must be one of: ["RESOURCE" "STACK" "CHANGE_SET"], got: "CLOUD_CONTROL"

Steps to Reproduce

1. terraform apply with an execution role and a guard rule saved in an S3 bucket.

Important Factoids

• Reference documentation : https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-guardhook.html#aws-resource-cloudformation-guardhook-properties

TargetOperations
Specifies which type of operation the Hook is run against.

Valid values: STACK | RESOURCE | CHANGE_SET | CLOUD_CONTROL

• Current schema published doesn't support CLOUD_CONTROL.

  
      "TargetOperation": {
          "description": "Which operations should this Hook run against? Resource changes, stacks or change sets.",
          "type": "string",
          "enum": [
              "RESOURCE",
              "STACK",
              "CHANGE_SET"
          ]
      },

### References

[quixoticmonk]

This applies to the awscc_cloudformation_lambda_hook as well : https://github.com/hashicorp/terraform-provider-awscc/blob/main/internal/service/cloudformation/schemas/AWS_CloudFormation_LambdaHook.json#L18-L26