如何定义一个 elb-custom-security-policy-ssl-check AWS 配置规则。

huangapple
go评论96阅读模式
英文:

How to define a elb-custom-security-policy-ssl-check aws config rule

问题

以下是AWS配置elb-custom-security-policy-ssl-check规则的描述的翻译:

  1. 标识符:ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
  3. 资源类型:AWS::ElasticLoadBalancing::LoadBalancer
  5. 触发类型:配置更改
  7. AWS区域:除了亚太地区(雅加达)、非洲(开普敦)、中东(阿联酋)、亚太地区(海得拉巴)、亚太地区(大阪)、亚太地区(墨尔本)、欧洲(米兰)、AWS GovCloud(美国东部)、以色列(特拉维夫)、欧洲(西班牙)、欧洲(苏黎世)之外的所有支持的AWS区域
  9. 参数:
  11. sslProtocolsAndCiphers
  12. 类型:字符串
  13. 逗号分隔的密码和协议列表。

我正在为AWS配置创建一个Terraform配置,并创建了以下变量以传递此规则的输入参数

  1. variable "elb_custom_security_policy_ssl_check" {
  2.   type    = string
  3.   default = "AES128-SHA256,TLSv1.3"
  4. }

但是我遇到了一个内部错误,因为符合性包未创建,但是当我删除该规则时,它会创建。我正在尝试弄清楚默认值的正确表示方式。

Terraform符合性包代码:

  1. resource "aws_config_conformance_pack" "conformancepack" {
  2.   name = "conformancepact"
  4.   template_body = <<EOT
  6. Resources:
  7.   ElbCustomSecurityPolicySslCheck:
  8.     properties:
  9.       ConifigRuleName: elb-custom-security-policy-ssl-check
  10.       InputParameters:
  11.         sslProtocolsAndCiphers: ${var.elb_custom_security_policy_ssl_check}
  12.       Scope:
  13.         ComplianceResourceTypes:
  14.         - AWS::ElasticLoadBalancing::LoadBalancer
  15.       Source:
  16.         Owner: AWS
  17.         SourceIdentifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
  18.     Type: AWS::Config::ConfigRule
  19. EOT
  20. }

希望这可以帮助您解决问题。

英文:

I have the following description of the aws config elb-custom-security-policy-ssl-check rule:

  1.     Identifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
  2.     
  3.     Resource Types: AWS::ElasticLoadBalancing::LoadBalancer
  4.     
  5.     Trigger type: Configuration changes
  6.     
  7.     AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), Israel (Tel Aviv), Europe (Spain), Europe (Zurich) Region
  8.     
  9.     Parameters:
  10.     
  11.     sslProtocolsAndCiphers
  12.     Type: String
  13.     Comma separated list of ciphers and protocols.

I am creating a terraform configuration for aws config and I have this variable created to pass the input parameter for this rule:

  1. variable "elb_custom_security_policy_ssl_check" {
  2.   type    = string
  3.   default = "AES128-SHA256,TLSv1.3"
  4. }

but I am getting an internal error as the conformance pack isn't created, but when I remove that rule it gets created. The proper representation of the default values is what I am trying to figure out.

Terraform conformance pack code:

  1. resource "aws_config_conformance_pack" "conformancepack" {
  2.   name = "conformancepact"
  4.   template_body = <<EOT
  6. Resources:
  7.   ElbCustomSecurityPolicySslCheck:
  8.     properties:
  9.       ConifigRuleName: elb-custom-security-policy-ssl-check
  10.       InputParameters:
  11.         sslProtocolsAndCiphers: ${var.elb_custom_security_policy_ssl_check}
  12.       Scope:
  13.         ComplianceResourceTypes:
  14.         - AWS::ElasticLoadBalancing::LoadBalancer
  15.       Source:
  16.         Owner: AWS
  17.         SourceIdentifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
  18.     Type: AWS::Config::ConfigRule
  19. EOT
  20. }

答案1

得分: 1

在您的conformancePack配置中存在拼写错误,应该是ConfigRuleName而不是ConifigRuleName。

英文:

There is a spelling error in your conformancePack configuration ConifigRuleName instead of ConfigRuleName

答案2

得分: 1

问题在于使用heredoc语法创建的YML文件中使用了错误的参数:

  1.   template_body = <<EOT
  3. Resources:
  4.   ElbCustomSecurityPolicySslCheck:
  5.     properties:  <------------- 这不是正确的属性名称
  6.       ConfigRuleName: elb-custom-security-policy-ssl-check
  7.       InputParameters:
  8.         sslProtocolsAndCiphers: ${var.elb_custom_security_policy_ssl_check}
  9.       Scope:
  10.         ComplianceResourceTypes:
  11.         - AWS::ElasticLoadBalancing::LoadBalancer
  12.       Source:
  13.         Owner: AWS
  14.         SourceIdentifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
  15.     Type: AWS::Config::ConfigRule
  16. EOT

应该修复为如下所示(请注意,应该是Properties而不是properties):

  1. resource "aws_config_conformance_pack" "conformancepack" {
  2.   name = "conformancepact"
  4.   template_body = <<EOT
  5. Resources:
  6.   ElbCustomSecurityPolicySslCheck:
  7.     Properties:
  8.       ConfigRuleName: elb-custom-security-policy-ssl-check
  9.       InputParameters:
  10.         sslProtocolsAndCiphers: "${var.elb_custom_security_policy_ssl_check}"
  11.       Scope:
  12.         ComplianceResourceTypes:
  13.         - AWS::ElasticLoadBalancing::LoadBalancer
  14.       Source:
  15.         Owner: AWS
  16.         SourceIdentifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
  17.     Type: AWS::Config::ConfigRule
  18. EOT
  19. }

然而,根据terraform文档的注释,请注意以下内容:

> 在成功创建或更新符合性包之前,帐户必须具有适当的IAM权限的配置记录器。另请参阅aws_config_configuration_recorder资源

英文:

The issue is that the YML created with the heredoc syntax is using a wrong parameter:

  1.   template_body = <<EOT
  3. Resources:
  4.   ElbCustomSecurityPolicySslCheck:
  5.     properties:  <------------- This is not the correct property name
  6.       ConfigRuleName: elb-custom-security-policy-ssl-check
  7.       InputParameters:
  8.         sslProtocolsAndCiphers: ${var.elb_custom_security_policy_ssl_check}
  9.       Scope:
  10.         ComplianceResourceTypes:
  11.         - AWS::ElasticLoadBalancing::LoadBalancer
  12.       Source:
  13.         Owner: AWS
  14.         SourceIdentifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
  15.     Type: AWS::Config::ConfigRule
  16. EOT

This should be fixed to look like the following (note that it is Properties instead of properties):

  1. resource "aws_config_conformance_pack" "conformancepack" {
  2.   name = "conformancepact"
  4.   template_body = <<EOT
  5. Resources:
  6.   ElbCustomSecurityPolicySslCheck:
  7.     Properties:
  8.       ConfigRuleName: elb-custom-security-policy-ssl-check
  9.       InputParameters:
  10.         sslProtocolsAndCiphers: "${var.elb_custom_security_policy_ssl_check}"
  11.       Scope:
  12.         ComplianceResourceTypes:
  13.         - AWS::ElasticLoadBalancing::LoadBalancer
  14.       Source:
  15.         Owner: AWS
  16.         SourceIdentifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
  17.     Type: AWS::Config::ConfigRule
  18. EOT
  19. }

However, based on the terraform documentation note the following:

> The account must have a Configuration Recorder with proper IAM permissions before the Conformance Pack will successfully create or update. See also the aws_config_configuration_recorder resource.

huangapple
  • 本文由 发表于 2023年7月12日 22:56:09
  • 转载请务必保留本文链接:https://go.coder-hub.com/76671935.html
  • amazon-web-services
  • aws-config
  • terraform
  • terraform-provider-aws
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定