I have the following Terraform code, but it fails with the error shown below:
# Aliased AWS provider for the disaster-recovery region; resources opt in
# with `provider = aws.DR`.
provider "aws" {
  region = var.dr_aws_region_name
  alias  = "DR"
}
# Customer-managed KMS key created through the aws.DR provider, i.e. in the
# region given by var.dr_aws_region_name. It is referenced as cmk_arn by the
# DLM cross_region_copy_rule and as the Resource of the role's KMS statement.
#
# The key policy holds a single statement: the account root principal is
# allowed kms:* on the key.
# NOTE(review): a root-principal statement like this hands access control for
# the key to IAM policies in the account, so every identity with KMS
# permissions in IAM can reach it - confirm that is intended, or split the
# policy into separate key-administrator and key-user statements.
# NOTE(review): enable_key_rotation and deletion_window_in_days are not set, so
# provider defaults apply; automatic rotation is normally opt-in - confirm.
# NOTE(review): multi_region = true makes this a multi-Region primary key. No
# replica is declared on this page; if none is needed, a single-Region key
# keeps the key material confined to one region.
resource "aws_kms_key" "dlm_cross_region_copy_cmk" {
provider = aws.DR
multi_region = true
description = "${var.consul_cluster_name} Alternate Region KMS Key"
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "dlm-cross-region-copy-cmk",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
POLICY
}
# Execution role for Data Lifecycle Manager. The trust policy lets the
# dlm.amazonaws.com service principal call sts:AssumeRole; the role's ARN is
# passed to the lifecycle policy as execution_role_arn.
# NOTE(review): the trust statement carries no Condition. AWS's
# confused-deputy guidance for service roles is to pin aws:SourceAccount (and
# aws:SourceArn where the service supports it) - confirm against the DLM
# documentation before adding.
resource "aws_iam_role" "dlm_lifecycle_role" {
name = "dlm-lifecycle-role-consul-${var.consul_cluster_name}"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "dlm.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
# Inline permissions attached to the DLM execution role. Statements, in order:
#   1. ec2:CreateTags on snapshots and images in any region
#   2. read-only ec2:Describe* calls on "*" (ec2:DescribeInstances is listed twice)
#   3. ec2:DeleteSnapshot on any snapshot
#   4. image create/copy/deregister/attribute changes on "*"
#   5. image deprecation toggles on any image
#   6. kms:Decrypt and kms:Encrypt on the DR-region CMK only
#
# NOTE(review): statements 3 and 4 let the role delete any snapshot and
# deregister or re-share any AMI in the account, not only the ones DLM created.
# Where the actions support condition keys, consider limiting them to
# resources carrying the tag DLM adds - verify per action.
# NOTE(review): statement 6 covers only Encrypt/Decrypt on the target key. An
# encrypted cross-region copy usually also needs kms:DescribeKey,
# kms:CreateGrant, kms:GenerateDataKey* and kms:ReEncrypt*, plus access to the
# key protecting the source volumes - confirm against the DLM/KMS docs.
resource "aws_iam_role_policy" "dlm_lifecycle" {
name = "dlm-lifecycle-policy-consule-${var.consul_cluster_name}"
role = aws_iam_role.dlm_lifecycle_role.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeImageAttribute",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:DeleteSnapshot",
"Resource": "arn:aws:ec2:*::snapshot/*"
},
{
"Effect": "Allow",
"Action": [
"ec2:ResetImageAttribute",
"ec2:DeregisterImage",
"ec2:CreateImage",
"ec2:CopyImage",
"ec2:ModifyImageAttribute"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:EnableImageDeprecation",
"ec2:DisableImageDeprecation"
],
"Resource": "arn:aws:ec2:*::image/*"
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt"
],
"Resource": "${aws_kms_key.dlm_cross_region_copy_cmk.arn}"
}
]
}
EOF
}
# Aliased AWS provider for the primary region; the DLM lifecycle policy is
# created through it.
provider "aws" {
  region = var.aws_region
  alias  = "MAIN"
}
# DLM policy, created in the primary region (aws.MAIN), that builds AMIs from
# instances tagged consul-auto-discover = var.consul_cluster_name and copies
# them, encrypted with the DR-region CMK, to var.dr_aws_region_name.
resource "aws_dlm_lifecycle_policy" "consul-lifecycle-policy" {
  provider           = aws.MAIN
  state              = "ENABLED"
  execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
  description        = "DLM lifecycle policy for consul cluster ${var.consul_cluster_name}"

  policy_details {
    policy_type    = "IMAGE_MANAGEMENT"
    resource_types = ["INSTANCE"]

    # Only instances carrying this tag are picked up by the policy.
    target_tags = {
      consul-auto-discover = var.consul_cluster_name
    }

    parameters {
      # Images are taken without rebooting the instance.
      no_reboot = true
    }

    schedule {
      # The name says "daily", but create_rule below uses a 12-hour interval.
      name      = "2 weeks of daily snapshots"
      copy_tags = true

      tags_to_add = {
        SnapshotCreator = "DLM"
      }

      create_rule {
        times         = ["23:45"]
        interval_unit = "HOURS"
        interval      = 12
      }

      retain_rule {
        interval_unit = "DAYS"
        interval      = 14
      }

      # NOTE(review): the API error on this page names {Target}, which is what
      # `target` feeds. The DLM API reference describes Target as a
      # snapshot-policy parameter and TargetRegion as the one for AMI policies,
      # and this policy is IMAGE_MANAGEMENT - check whether the installed AWS
      # provider version offers an argument that maps to TargetRegion.
      cross_region_copy_rule {
        target    = var.dr_aws_region_name
        copy_tags = true

        # Copies are encrypted with the CMK that lives in the DR region.
        encrypted = true
        cmk_arn   = aws_kms_key.dlm_cross_region_copy_cmk.arn

        retain_rule {
          interval_unit = "DAYS"
          interval      = 14
        }
      }
    }
  }
}
ERROR:
│ Error: error updating DLM Lifecycle Policy (policy-002196a7e9bcca444): InvalidRequestException: The following parameters(s) are invalid: {Target}
│ {
│ RespMetadata: {
│ StatusCode: 400,
│ RequestID: "10c05837-591c-4f73-8373-7909c44be352"
│ },
│ Code_: "InvalidParameter",
│ Message_: "The following parameters(s) are invalid: {Target}"
│ }
│
│ with aws_dlm_lifecycle_policy.consul-lifecycle-policy,
│ on data-lifecycle.tf line 125, in resource "aws_dlm_lifecycle_policy" "consul-lifecycle-policy":
│ 125: resource "aws_dlm_lifecycle_policy" "consul-lifecycle-policy" {
│
╵
What am I missing?