Unable to create AWS Config Organization managed rule specifically in eu-central-2.
I get an AccessDeniedException. With the same configuration, role and permissions I am able to create the rule in other regions, e.g. eu-central-1, us-east-1, eu-north-1, etc.
Terraform version: v1.7.5
AWS provider version: v5.12.0
(I also tried the latest, 5.41.0, but it is the same error.)
Below is the code:
# Organization-wide managed rule checking that member accounts belong to the
# organization whose management account is given in MasterAccountId.
# NOTE(review): the management account id is hard-coded; if the
# aws_organizations_organization data source is available in this module, its
# master_account_id attribute would avoid the literal — confirm before changing.
# NOTE(review): eu-central-2 is an opt-in region; an AccessDeniedException that
# appears only there may come from the region not being enabled for the
# organization rather than from anything in this resource — TODO confirm.
resource "aws_config_organization_managed_rule" "account-part-of-organizations" {
  depends_on = [aws_config_configuration_recorder.x]

  name            = "account-part-of-organizations"
  rule_identifier = "ACCOUNT_PART_OF_ORGANIZATIONS"

  # Indented heredoc: the common leading whitespace is stripped, so the JSON
  # passed to AWS is the same text as an unindented heredoc would give.
  input_parameters = <<-EOF
    {
    "MasterAccountId": "376488398418"
    }
  EOF
}
# Organization-wide managed rule: CloudTrail must be enabled in every member
# account. No input parameters are needed for this rule identifier.
resource "aws_config_organization_managed_rule" "cloudtrail-enabled" {
  depends_on = [aws_config_configuration_recorder.x]

  name            = "cloudtrail-enabled"
  rule_identifier = "CLOUD_TRAIL_ENABLED"
}
# Organization-wide managed rule: CloudTrail log files must be encrypted with a
# KMS key. Same recorder dependency as the other organization rules in this file.
resource "aws_config_organization_managed_rule" "cloudtrail-encryption-enabled" {
  depends_on = [aws_config_configuration_recorder.x]

  name            = "cloudtrail-encryption-enabled"
  rule_identifier = "CLOUD_TRAIL_ENCRYPTION_ENABLED"
}
# Organization-wide managed rule: the root user of every member account must
# have MFA enabled.
resource "aws_config_organization_managed_rule" "root-account-mfa-enabled" {
  depends_on = [aws_config_configuration_recorder.x]

  name            = "root-account-mfa-enabled"
  rule_identifier = "ROOT_ACCOUNT_MFA_ENABLED"
}
# Configuration recorder for this region.
# NOTE(review): the recorder assumes the role passed in as var.config_role_arn,
# not the aws_iam_role.aws_config role declared further down in this file —
# confirm which role is intended, and that the one used carries the S3 channel
# policy attached below.
# NOTE(review): include_global_resource_types = true records global resources
# (e.g. IAM) from this region; when the same module is applied in several
# regions that data is recorded once per region — usually only one region needs
# it. Confirm against the multi-region layout.
resource "aws_config_configuration_recorder" "x" {
  name     = "x"
  role_arn = var.config_role_arn

  recording_group {
    include_global_resource_types = true
    all_supported                 = true
  }
}
# Turns the recorder on. A delivery channel must exist before recording can be
# started, hence the explicit dependency on the channel rather than only on the
# recorder itself.
resource "aws_config_configuration_recorder_status" "x" {
  depends_on = [aws_config_delivery_channel.x]

  is_enabled = true
  name       = aws_config_configuration_recorder.x.name
}
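# Delivery channel that sends configuration snapshots and history to the audit
# bucket named by var.config_bucket_name.
# A recorder has to exist before a channel can be created. The dependency now
# points at the recorder declared in this file (`x`); the earlier reference to
# aws_config_configuration_recorder.main named a resource that is not declared
# anywhere in this configuration and would fail validation.
resource "aws_config_delivery_channel" "x" {
  name           = "x"
  s3_bucket_name = var.config_bucket_name
  depends_on     = [aws_config_configuration_recorder.x]
}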
# Service role for AWS Config.
# NOTE(review): data.aws_iam_policy_document.assume_for_config is not declared
# in this listing; it presumably trusts config.amazonaws.com like the inline
# trust policy on config-aggregator-organization-role below — verify it exists
# in another file of the module.
resource "aws_iam_role" "aws_config" {
  assume_role_policy = data.aws_iam_policy_document.assume_for_config.json
  name               = "awsconfig"
}
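# Least-privilege policy letting the Config service role write delivery-channel
# objects into the audit bucket and read the bucket settings it needs.
# The bucket ARNs are derived from var.config_bucket_name, the same variable the
# delivery channel writes to, so the policy and the channel cannot drift apart;
# previously the ARNs were hard-coded to a bucket literally named "x".
data "aws_iam_policy_document" "aws_config_s3_channel" {
  policy_id = "AWSConfigS3Channel"

  # Object writes are only allowed when the bucket owner is given full control
  # of the object, which is what Config sets on delivery-channel uploads.
  statement {
    sid    = "AllowObjectAccess"
    effect = "Allow"

    actions = [
      "s3:PutObject",
      "s3:PutObjectAcl",
    ]

    resources = ["arn:aws:s3:::${var.config_bucket_name}/*"]

    condition {
      test     = "StringLike"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }

  # Read-only bucket metadata; no object reads are granted.
  statement {
    sid    = "AllowBucketAccess"
    effect = "Allow"

    actions = [
      "s3:GetAccelerateConfiguration",
      "s3:GetBucketAcl",
      "s3:GetBucketCORS",
      "s3:GetBucketLocation",
      "s3:GetBucketLogging",
      "s3:GetBucketNotification",
      "s3:GetBucketPolicy",
      "s3:GetBucketRequestPayment",
      "s3:GetBucketTagging",
      "s3:GetBucketVersioning",
      "s3:GetBucketWebsite",
      "s3:GetLifecycleConfiguration",
      "s3:GetReplicationConfiguration",
      "s3:ListBucket",
    ]

    resources = ["arn:aws:s3:::${var.config_bucket_name}"]
  }
}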
# Customer-managed policy built from the aws_config_s3_channel document so it
# can be attached to the Config service role.
resource "aws_iam_policy" "aws_config_s3_channel" {
  name        = "aws_config_s3_channel"
  policy      = data.aws_iam_policy_document.aws_config_s3_channel.json
  description = "AWS Config to access centralized audit bucket"
}
# Grants the Config service role the audit-bucket permissions defined above.
resource "aws_iam_role_policy_attachment" "aws_config_s3_channel" {
  policy_arn = aws_iam_policy.aws_config_s3_channel.arn
  role       = aws_iam_role.aws_config.name
}
# Looks up the AWS-managed AWS_ConfigRole policy so its ARN can be attached to
# the service role without hard-coding it twice.
data "aws_iam_policy" "config_role" {
  arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}
# Attaches the AWS-managed AWS_ConfigRole policy (read access to supported
# resource configurations) to the Config service role.
resource "aws_iam_role_policy_attachment" "aws_config_audit_access" {
  policy_arn = data.aws_iam_policy.config_role.arn
  role       = aws_iam_role.aws_config.name
}
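# Organization-level aggregator collecting Config data from eu-central-2 only.
# `regions` is a list argument; it was previously given as a bare string, which
# is a type error at plan time. The explicit depends_on makes sure the
# AWSConfigRoleForOrganizations policy is attached before the service tries to
# assume the aggregator role.
resource "aws_config_configuration_aggregator" "x" {
  depends_on = [aws_iam_role_policy_attachment.config-aggregator-organization-policy]

  name = "x"

  organization_aggregation_source {
    all_regions = false
    regions     = ["eu-central-2"]
    role_arn    = aws_iam_role.config-aggregator-organization-role.arn
  }
}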
# Role assumed by the Config service on behalf of the organization aggregator.
# The trust policy only allows config.amazonaws.com to assume it.
resource "aws_iam_role" "config-aggregator-organization-role" {
  name = "AWSConfigRoleForOU"

  # Indented heredoc: common leading whitespace is stripped, so the policy text
  # sent to IAM is identical to an unindented heredoc.
  assume_role_policy = <<-EOF
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Sid": "",
    "Effect": "Allow",
    "Principal": {
    "Service": "config.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
    }
    ]
    }
  EOF
}
# Attaches the AWS-managed AWSConfigRoleForOrganizations policy, which lets the
# aggregator role enumerate the organization's accounts.
resource "aws_iam_role_policy_attachment" "config-aggregator-organization-policy" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
  role       = aws_iam_role.config-aggregator-organization-role.name
}