Tags: amazon-web-services, terraform, yaml, amazon-systems-manager

Terraform Error with SSM Document - "Unknown Property"


I'm getting a strange error when deploying this resource. Here's the error:

Exception Error in apply -
Error: Error creating SSM document: InvalidDocumentContent: Unknown property "MonitoringRole".

with module.aws-securityhub-master.aws_ssm_document.asr_document_rds_enhanced_monitoring[0],
on .terraform/modules/aws-securityhub-master/module/asr-member.tf line 516, in resource "aws_ssm_document" "asr_document_rds_enhanced_monitoring":
516: resource "aws_ssm_document" "asr_document_rds_enhanced_monitoring" {

The referenced document is a little long, but it is not mine, it's from AWS, so here's the link: https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/blob/main/source/remediation_runbooks/EnableEnhancedMonitoringOnRDSInstance.yaml

As a note, I changed the name from MonitoringRoleArn to MonitoringRole just in my troubleshooting. Otherwise the script is verbatim.

The above script is triggered by another, which is found here: https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/blob/main/source/playbooks/AFSBP/ssmdocs/AFSBP_RDS.6.yaml

To shorten it up though, the script referenced in the error is calling this parameter an "unknown property":

MonitoringRole:
  type: String
  description: (Required) The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to Amazon CloudWatch Logs.
  allowedPattern: ^arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/[a-zA-Z0-9+=,.@_/-]+$

That parameter value is passed through the other script I linked:

parameters:
  AutomationAssumeRole:
    type: String
    description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'
  Finding:
    type: StringMap
    description: The input from the Orchestrator Step function for the RDS.6 finding
  RemediationRoleName:
    type: String
    default: "SO0111-EnableEnhancedMonitoringOnRDSInstance"
    allowedPattern: '^[\w+=,.@-]+'
inputs:
  DocumentName: ASR-EnableEnhancedMonitoringOnRDSInstance
  TargetLocations:
    - Accounts: [ '{{ParseInput.RemediationAccount}}' ]
      Regions: [ '{{ParseInput.RemediationRegion}}' ]
      ExecutionRoleName: '{{RemediationRoleName}}'
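An "Unknown property" rejection from CreateDocument only names the offending key, not where it sits, so it helps to lint the parameter block and the `{{ }}` references locally before `terraform apply`. The script below is an added example, not code from the AWS solution or from the question; it uses the parameter property and type names documented for SSM documents (assumed here to be the complete set), and the two documents it checks are constructed to mirror the snippets above. The failure case it builds, a parameter block indented one level too deep so that it lands inside the previous parameter's definition, is one way a parameter name can surface as an unknown property; it is an illustration, not a diagnosis of the poster's file.

```python
"""Offline schema checks for an SSM Automation document (added example).

Not code from aws-security-hub-automated-response-and-remediation.  The
property/type sets below are the ones documented for SSM documents and are
assumed complete here.  Documents are Python dicts so this runs without
PyYAML; load real YAML with yaml.safe_load() and pass the result in.
"""
import copy
import re

# Keys SSM accepts inside a parameter definition (assumed complete).
ALLOWED_PARAM_PROPS = {
    "type", "description", "default", "allowedValues", "allowedPattern",
    "displayType", "minItems", "maxItems", "minChars", "maxChars",
}
ALLOWED_PARAM_TYPES = {"String", "StringList", "Integer", "Boolean", "MapList", "StringMap"}
# Matches {{ Param }} and {{ Step.Output }} references inside step inputs.
REF_RE = re.compile(r"\{\{\s*(\w+)(?:\.(\w+))?\s*\}\}")


def lint_parameters(doc):
    """Return problems found in doc['parameters']; an empty list means clean."""
    problems = []
    for name, spec in doc.get("parameters", {}).items():
        if not isinstance(spec, dict):
            problems.append(f"parameter {name}: definition must be a mapping")
            continue
        for prop in spec:
            if prop not in ALLOWED_PARAM_PROPS:
                problems.append(f'parameter {name}: unknown property "{prop}"')
        if spec.get("type") not in ALLOWED_PARAM_TYPES:
            problems.append(f"parameter {name}: invalid or missing type {spec.get('type')!r}")
        pattern = spec.get("allowedPattern")
        if pattern is not None:
            try:
                compiled = re.compile(pattern)
            except re.error as exc:
                problems.append(f"parameter {name}: allowedPattern does not compile ({exc})")
                continue
            default = spec.get("default")
            if isinstance(default, str) and not compiled.fullmatch(default):
                problems.append(f"parameter {name}: default {default!r} violates allowedPattern")
    return problems


def _strings(value):
    """Yield every string nested anywhere inside a dict/list structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        yield from (s for v in value.values() for s in _strings(v))
    elif isinstance(value, list):
        yield from (s for v in value for s in _strings(v))


def lint_references(doc):
    """Return {{ }} references in step inputs that resolve to nothing."""
    problems = []
    params = set(doc.get("parameters", {}))
    steps = doc.get("mainSteps", [])
    step_names = {s.get("name") for s in steps}
    for step in steps:
        for text in _strings(step.get("inputs", {})):
            for head, tail in REF_RE.findall(text):
                if tail and head not in step_names:
                    problems.append(f"step {step.get('name')}: {head}.{tail} refers to no step")
                elif not tail and head not in params:
                    problems.append(f"step {step.get('name')}: {head} is not a declared parameter")
    return problems


def lint(doc):
    return lint_parameters(doc) + lint_references(doc)


# Constructed document modelled on the parameter and inputs snippets above.
RUNBOOK = {
    "schemaVersion": "0.3",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {
        "AutomationAssumeRole": {"type": "String",
            "allowedPattern": r"^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$"},
        "RemediationRoleName": {"type": "String",
            "default": "SO0111-EnableEnhancedMonitoringOnRDSInstance",
            "allowedPattern": r"^[\w+=,.@-]+"},
        "MonitoringRole": {"type": "String",
            "allowedPattern": r"^arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/[a-zA-Z0-9+=,.@_/-]+$"},
    },
    "mainSteps": [
        {"name": "ParseInput", "action": "aws:executeScript",
         "inputs": {"InputPayload": {"Role": "{{ AutomationAssumeRole }}"}}},
        {"name": "Remediate", "action": "aws:executeAutomation",
         "inputs": {"DocumentName": "ASR-EnableEnhancedMonitoringOnRDSInstance",
                    "RuntimeParameters": {"MonitoringRole": "{{ MonitoringRole }}"},
                    "TargetLocations": [{"Accounts": ["{{ParseInput.RemediationAccount}}"],
                                         "ExecutionRoleName": "{{RemediationRoleName}}"}]}},
    ],
}

# Constructed failure case: MonitoringRole indented one level too deep lands
# inside RemediationRoleName's definition, so SSM sees it as a property and
# the step reference to it no longer resolves.
BROKEN = copy.deepcopy(RUNBOOK)
BROKEN["parameters"]["RemediationRoleName"]["MonitoringRole"] = BROKEN["parameters"].pop("MonitoringRole")

if __name__ == "__main__":
    for label, doc in (("RUNBOOK", RUNBOOK), ("BROKEN", BROKEN)):
        print(label, lint(doc) or "OK")
```

Wiring `lint()` into a pre-commit hook or a Terraform `null_resource` precondition over the rendered document catches the indentation and naming slips that otherwise only appear as an apply-time `InvalidDocumentContent`; a rejected `allowedPattern` default is also worth catching early, because SSM validates defaults against the pattern at execution time rather than at create time.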

Solution

  • As a workaround, I removed the MonitoringRole input from the AFSBP RDS.6 document and just added a "default" value to the EnableEnhancedMonitoringOnRDSInstance document since the value never changes.

    This resolved my immediate issue, though it's not the cleanest solution. I was on a tight deadline and will be revising the solution in the next version.