
EKS rule pack errors #57

Open
madchap opened this issue Nov 12, 2024 · 5 comments

Comments

@madchap

madchap commented Nov 12, 2024

Hi,

Thanks for pulling this together!

I am starting to use this module, and wanted to start with a couple packs which have few rules.

My stanza is as

module "managed_rules_workloads" {
  source  = "niaid/managed-config-rules/aws"
  version = "2.1.1"

  organization_managed = true

  # You can exclude AWS accounts when deploying Organization rules
  excluded_accounts = [
    var.management_account,
    var.sectools_account,
    var.log_archives_account,
  ]

  rule_packs = [
    "Security-Best-Practices-for-EKS"
  ]
}

and I am getting the following errors (other rules seem to be all created, even though I have not thoroughly checked each):

Error: creating ConfigService Organization Managed Rule (eks-cluster-supported-version): operation error Config Service: PutOrganizationConfigRule, https response error StatusCode: 400, RequestID: 8c045758-dddf-4d56-9ae8-8e466353fb35, InvalidParameterValueException: The required parameter oldestVersionSupported is not present in the inputParameters, please refer to Config rules documentation for the required parameters.
│
│   with module.managed_rules_workloads.module.org[0].aws_config_organization_managed_rule.rule["eks-cluster-supported-version"],
│   on .terraform/modules/managed_rules_workloads/modules/organization/main.tf line 1, in resource "aws_config_organization_managed_rule" "rule":
│    1: resource "aws_config_organization_managed_rule" "rule" {
│
╵
╷
│ Error: creating ConfigService Organization Managed Rule (eks-cluster-oldest-supported-version): operation error Config Service: PutOrganizationConfigRule, https response error StatusCode: 400, RequestID: 853f05b3-6ee7-40be-86fc-68a554ffcc52, InvalidParameterValueException: The ruleIdentifier EKS_CLUSTER_OLDEST_SUPPORTED_VERSION is invalid. Please refer to Config rules documentation for a list of valid identifiers that can be used for OrganizationManagedRuleMetadata.
│
│   with module.managed_rules_workloads.module.org[0].aws_config_organization_managed_rule.rule["eks-cluster-oldest-supported-version"],
│   on .terraform/modules/managed_rules_workloads/modules/organization/main.tf line 1, in resource "aws_config_organization_managed_rule" "rule":
│    1: resource "aws_config_organization_managed_rule" "rule" {

Thanks for your support!

@bensonce
Contributor

Hi, @madchap! Thanks for your patience and thanks for raising the issue. I'll get this sorted out.

@bensonce
Contributor

@madchap

The variable for the eks-cluster-supported-version does say the oldestVersionSupported value is optional but it looks like it's required. Try modifying your module block with something like this:

module "managed_rules_workloads" {
  source  = "niaid/managed-config-rules/aws"
  version = "2.1.1"

  organization_managed = true

  # You can exclude AWS accounts when deploying Organization rules
  excluded_accounts = [
    var.management_account,
    var.sectools_account,
    var.log_archives_account,
  ]

  rule_packs = [
    "Security-Best-Practices-for-EKS"
  ]

  eks_cluster_supported_version_parameters = {
    oldestVersionSupported = "eks.12"
  }
}

I'm still looking into the second error. The EKS_CLUSTER_OLDEST_SUPPORTED_VERSION identifier is the same one from the documentation, and I double checked through the console and that appears to be the correct identifier:

[Screenshot 2024-12-10 at 2:51:10 PM]

I'll continue to investigate when I can. Let me know if that first suggestion resolves the first error.
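The two diagnostics in this thread are different failure classes that happen to look alike: one is a rule whose required input parameter was not passed through, the other is a rule identifier the PutOrganizationConfigRule API refuses outright. When a pack deploys many rules at once, it helps to triage an apply log mechanically rather than reading each box-drawn error. The script below is an added example for this issue, not code from the niaid/managed-config-rules module; it parses OpenTofu/Terraform diagnostics for organization managed rules, classifies each failure, and names the module variable to set. The sample input is the error text quoted above, and the `<rule>_parameters` variable-naming convention is an assumption inferred from `eks_cluster_supported_version_parameters` in this thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the diagnostics quoted in this issue, as tofu/terraform print them.
SAMPLE_OUTPUT = """\
│ Error: creating ConfigService Organization Managed Rule (eks-cluster-supported-version): operation error Config Service: PutOrganizationConfigRule, https response error StatusCode: 400, RequestID: 8c045758-dddf-4d56-9ae8-8e466353fb35, InvalidParameterValueException: The required parameter oldestVersionSupported is not present in the inputParameters, please refer to Config rules documentation for the required parameters.
│
│   with module.managed_rules_workloads.module.org[0].aws_config_organization_managed_rule.rule["eks-cluster-supported-version"],
╵
╷
│ Error: creating ConfigService Organization Managed Rule (eks-cluster-oldest-supported-version): operation error Config Service: PutOrganizationConfigRule, https response error StatusCode: 400, RequestID: 853f05b3-6ee7-40be-86fc-68a554ffcc52, InvalidParameterValueException: The ruleIdentifier EKS_CLUSTER_OLDEST_SUPPORTED_VERSION is invalid. Please refer to Config rules documentation for a list of valid identifiers that can be used for OrganizationManagedRuleMetadata.
│
│   with module.managed_rules_workloads.module.org[0].aws_config_organization_managed_rule.rule["eks-cluster-oldest-supported-version"],
"""

# One diagnostic line: rule name in parentheses, then the AWS SDK error tail.
ERROR_RE = re.compile(
    r"Error: creating ConfigService Organization Managed Rule \((?P<rule>[^)]+)\):.*?"
    r"RequestID: (?P<request_id>[0-9a-f-]+), (?P<exception>\w+): (?P<message>.*)$"
)
MISSING_PARAM_RE = re.compile(r"required parameter (?P<param>\w+) is not present")
BAD_IDENTIFIER_RE = re.compile(r"ruleIdentifier (?P<identifier>[A-Z0-9_]+) is invalid")


@dataclass
class RuleFailure:
    rule: str
    request_id: str      # keep it: AWS Support asks for this when a 400 looks wrong
    exception: str
    cause: str           # "missing_parameter", "invalid_identifier" or "other"
    detail: str          # the parameter or identifier named in the message
    remediation: str


def parameters_variable(rule: str) -> str:
    """Module input that carries a rule's inputParameters.

    Assumption (hypothetical naming rule, inferred from the thread): the module
    exposes `<rule-name with '-' replaced by '_'>_parameters` per rule.
    """
    return rule.replace("-", "_") + "_parameters"


def classify(rule: str, request_id: str, exception: str, message: str) -> RuleFailure:
    """Map one SDK error message to a cause and a concrete next step."""
    m = MISSING_PARAM_RE.search(message)
    if m:
        param = m.group("param")
        fix = (f'set {parameters_variable(rule)} = {{ {param} = "<value>" }} '
               f"in the module block; the API treats {param} as required")
        return RuleFailure(rule, request_id, exception, "missing_parameter", param, fix)
    m = BAD_IDENTIFIER_RE.search(message)
    if m:
        ident = m.group("identifier")
        fix = (f"PutOrganizationConfigRule rejected identifier {ident}; verify it is "
               f"listed for organization rules in the Config docs before enabling the pack")
        return RuleFailure(rule, request_id, exception, "invalid_identifier", ident, fix)
    return RuleFailure(rule, request_id, exception, "other", "",
                       "unclassified; read the full message and check the rule's docs")


def parse_failures(output: str) -> list[RuleFailure]:
    """Extract every organization-managed-rule failure from an apply log."""
    failures = []
    for line in output.splitlines():
        m = ERROR_RE.search(line)          # box-drawing prefix is simply skipped
        if m:
            failures.append(classify(m["rule"], m["request_id"], m["exception"], m["message"]))
    return failures


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_OUTPUT):
        print(f"{f.rule}: {f.cause} ({f.detail}) -> {f.remediation}")
```

Pipe a real apply log into `parse_failures` to get one row per failed rule. Keeping the RequestID alongside the classification matters for the second class: when the identifier really is documented, as the screenshot suggests, the RequestID is what AWS Support needs to look at the rejected call.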

@bensonce
Contributor

No updates yet. Will continue to look into this when I can.

@madchap
Author

madchap commented Dec 16, 2024

Hi @bensonce, I should be able to test your first recommendation out this week. Cheers.

@madchap
Author

madchap commented Dec 18, 2024

One down, it seems; the result now is:

* Failed to execute "tofu apply" in .
  ╷
  │ Error: creating ConfigService Organization Managed Rule (eks-cluster-oldest-supported-version): operation error Config Service: PutOrganizationConfigRule, https response error StatusCode: 400, RequestID: bc5d2bb8-3ad4-4d91-a725-1dfbd4166d27, InvalidParameterValueException: The ruleIdentifier EKS_CLUSTER_OLDEST_SUPPORTED_VERSION is invalid. Please refer to Config rules documentation for a list of valid identifiers that can be used for OrganizationManagedRuleMetadata.
  │
  │   with module.managed_rules_workloads.module.org[0].aws_config_organization_managed_rule.rule["eks-cluster-oldest-supported-version"],
  │   on .terraform/modules/managed_rules_workloads/modules/organization/main.tf line 1, in resource "aws_config_organization_managed_rule" "rule":
  │    1: resource "aws_config_organization_managed_rule" "rule" {
  │
  ╵

  exit status 1
