aws_config_organization_conformance_pack does not know when Packs are deployed/created #24545
Description
Terraform CLI and Terraform AWS Provider Version

```text
Terraform v1.1.8
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v3.75.1
+ provider registry.terraform.io/hashicorp/local v2.2.2
```

AND

```text
Terraform v1.1.8
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v4.12.1
+ provider registry.terraform.io/hashicorp/local v2.2.2
```
Affected Resource(s)
- resource "aws_config_organization_conformance_pack"
- data "local_file"
Terraform Configuration Files
main.tf

```hcl
# ********** LOCAL FILES **********
data "local_file" "cis" {
  filename = "./cis_conformance_packages.yml"
}

data "local_file" "operational" {
  filename = "./operational_best_practices.yml"
}

data "local_file" "security" {
  filename = "./security_best_practices.yml"
}

# ********** AWS CONFIG PACKS **********
resource "aws_config_organization_conformance_pack" "cis" {
  name          = "cis-conformance-pack"
  template_body = data.local_file.cis.content

  timeouts {
    create = "30m"
    update = "30m"
    delete = "10m"
  }
}

resource "aws_config_organization_conformance_pack" "operational" {
  name          = "operational-best-practices-pack"
  template_body = data.local_file.operational.content

  timeouts {
    create = "30m"
    update = "30m"
    delete = "10m"
  }
}

resource "aws_config_organization_conformance_pack" "security" {
  name          = "security-best-practices-pack"
  template_body = data.local_file.security.content

  timeouts {
    create = "30m"
    update = "30m"
    delete = "10m"
  }
}
```
backend.tf

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # version = "~> 3.0"
    }
  }
}

provider "aws" {
  region  = "us-east-1"
  profile = "deployer"
}
```
Expected Behavior
`terraform apply` should complete when the Conformance Packs are both CREATE_COMPLETE within the CloudFormation Console or API call, and when the AWS Config Console or API call shows a Conformance Pack as Deployment Successful.
Actual Behavior
Terraform times out waiting for resource completion despite the Terraform-managed resources actually completing. Terraform ran for 30 minutes awaiting a response, yet the corresponding CloudFormation Stack showed "CREATE_COMPLETE" within 7 minutes in the CloudFormation Console, and the Conformance Pack showed "Deployment Successful" in the AWS Config console.
As a result, Terraform considers the created resources tainted, and attempts to redeploy the Conformance Packs on every apply.
```text
aws_config_organization_conformance_pack.operational: Still creating... [37m5s elapsed]
aws_config_organization_conformance_pack.security: Still creating... [37m5s elapsed]
aws_config_organization_conformance_pack.security: Still creating... [37m15s elapsed]
aws_config_organization_conformance_pack.operational: Still creating... [37m15s elapsed]
aws_config_organization_conformance_pack.cis: Still creating... [37m15s elapsed]
╷
│ Error: error waiting for Config Organization Conformance Pack (cis-conformance-pack) to be created: timeout while waiting for state to become 'CREATE_SUCCESSFUL' (last state: 'CREATE_IN_PROGRESS', timeout: 30m0s)
│
│ with aws_config_organization_conformance_pack.cis,
│ on main.tf line 17, in resource "aws_config_organization_conformance_pack" "cis":
│ 17: resource "aws_config_organization_conformance_pack" "cis" {
│
╵
╷
│ Error: error waiting for Config Organization Conformance Pack (operational-best-practices-pack) to be created: timeout while waiting for state to become 'CREATE_SUCCESSFUL' (last state: 'CREATE_IN_PROGRESS', timeout: 30m0s)
│
│ with aws_config_organization_conformance_pack.operational,
│ on main.tf line 26, in resource "aws_config_organization_conformance_pack" "operational":
│ 26: resource "aws_config_organization_conformance_pack" "operational" {
│
╵
╷
│ Error: error waiting for Config Organization Conformance Pack (security-best-practices-pack) to be created: timeout while waiting for state to become 'CREATE_SUCCESSFUL' (last state: 'CREATE_IN_PROGRESS', timeout: 30m0s)
│
│ with aws_config_organization_conformance_pack.security,
│ on main.tf line 35, in resource "aws_config_organization_conformance_pack" "security":
│ 35: resource "aws_config_organization_conformance_pack" "security" {
│
╵
```
Steps to Reproduce

```shell
terraform apply
```
Important Factoids
The actual Conformance Pack YAMLs being used within the `data "local_file"` blocks are client-owned and cannot be shared.
References
Food for Thought
Terraform is timing out awaiting a "CREATE_SUCCESSFUL" from the AWS Conformance Package CloudFormation Stack, but the finished message from CloudFormation is "CREATE_COMPLETE". What's the possibility that Terraform is looking for the wrong string?
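 
An added diagnostic, not part of the issue or of the provider's code: the values quoted in the error ('CREATE_SUCCESSFUL', 'CREATE_IN_PROGRESS') are the vocabulary of AWS Config's DescribeOrganizationConformancePackStatuses API rather than CloudFormation's stack states, and that org-level status only becomes CREATE_SUCCESSFUL once every member account has finished, so a stack that is CREATE_COMPLETE in the management account is not the whole picture. The script polls that API the way a waiter would and, on timeout or failure, lists the member accounts still in progress or failed via GetOrganizationConformancePackDetailedStatus; FakeConfigClient, the account ids and the error strings are constructed so it runs without credentials (pass boto3.client("config") in real use).

```python
import time

# Terminal values of AWS Config's organization conformance pack status enum.
TERMINAL_OK = {"CREATE_SUCCESSFUL", "UPDATE_SUCCESSFUL", "DELETE_SUCCESSFUL"}
TERMINAL_FAILED = {"CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"}

def org_pack_status(client, name):
    """Org-level status: the one string a waiter polls until it reads CREATE_SUCCESSFUL."""
    resp = client.describe_organization_conformance_pack_statuses(
        OrganizationConformancePackNames=[name])
    statuses = resp.get("OrganizationConformancePackStatuses", [])
    return statuses[0]["Status"] if statuses else None

def member_account_problems(client, name):
    """Member accounts not yet successful (paginated); these hold the org status back."""
    problems, kwargs = [], {"OrganizationConformancePackName": name}
    while True:
        resp = client.get_organization_conformance_pack_detailed_status(**kwargs)
        problems += [(s["AccountId"], s["Status"], s.get("ErrorCode", ""), s.get("ErrorMessage", ""))
                     for s in resp.get("OrganizationConformancePackDetailedStatuses", [])
                     if s["Status"] not in TERMINAL_OK]
        if not resp.get("NextToken"):
            return problems
        kwargs["NextToken"] = resp["NextToken"]

def wait_for_pack(client, name, timeout_s=1800, poll_s=30, sleep=time.sleep):
    """Poll like a waiter; on timeout or failure also return the per-account detail."""
    status = None
    for _ in range(max(1, timeout_s // poll_s)):
        status = org_pack_status(client, name)
        if status in TERMINAL_OK:
            return status, []
        if status in TERMINAL_FAILED:
            break
        sleep(poll_s)
    return status, member_account_problems(client, name)

class FakeConfigClient:
    """Constructed stand-in for boto3.client("config"); the last org status repeats."""
    def __init__(self, org_statuses, detailed):
        self._org, self._detailed = list(org_statuses), detailed
    def describe_organization_conformance_pack_statuses(self, OrganizationConformancePackNames):
        status = self._org.pop(0) if len(self._org) > 1 else self._org[0]
        return {"OrganizationConformancePackStatuses": [{"Status": status}]}
    def get_organization_conformance_pack_detailed_status(self, **kwargs):
        return {"OrganizationConformancePackDetailedStatuses": self._detailed}

SAMPLE_DETAILED = [  # constructed: one member account still in progress, one failed
    {"AccountId": "111111111111", "Status": "CREATE_SUCCESSFUL"},
    {"AccountId": "222222222222", "Status": "CREATE_IN_PROGRESS"},
    {"AccountId": "333333333333", "Status": "CREATE_FAILED", "ErrorCode": "ConstructedError",
     "ErrorMessage": "constructed sample message"}]
```

Running `wait_for_pack(FakeConfigClient(["CREATE_IN_PROGRESS"], SAMPLE_DETAILED), "cis-conformance-pack")` reproduces the reported symptom and shows which accounts a CloudFormation-only view of the management account would miss.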