boto3
OrganizationCustomPolicyRuleMetadata attribute not available in PutOrganizationConfigRule
Describe the bug
I'm trying to create an organizational custom config policy rule using Guard;
Boto3 docs:
Make sure to specify one of either OrganizationCustomPolicyRuleMetadata for Custom Policy rules, OrganizationCustomRuleMetadata for Custom Lambda rules, or OrganizationManagedRuleMetadata for managed rules.
I'm trying to use OrganizationCustomPolicyRuleMetadata. The API doc.
```python
response = client.put_organization_config_rule(
    OrganizationConfigRuleName='test-rule',
    OrganizationCustomPolicyRuleMetadata={...}
)
```
Expected Behavior
Creation of the AWS Config Rule.
Current Behavior
Exception:
botocore.errorfactory.InvalidParameterValueException: An error occurred (InvalidParameterValueException) when calling the PutOrganizationConfigRule operation: Specify either OrganizationCustomRuleMetadata or OrganizationManagedRuleMetadata in the input.
Reproduction Steps
I'm not completely sure how to import the rule in the PolicyText, but it seems unrelated to how I'm adding the string. Same issue for an empty string or a one-liner rule.
```python
import boto3

client = boto3.client('config')
print(boto3.__version__)

response = client.put_organization_config_rule(
    OrganizationConfigRuleName='test-rule',
    OrganizationCustomPolicyRuleMetadata={
        'PolicyRuntime': 'guard-2.x.x',
        'PolicyText': """
let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]
let allowed_algos = ["aws:kms"]
rule s3_buckets_allowed_sse_algorithm when %s3_buckets !empty {
    let encryption = %s3_buckets.Properties.BucketEncryption
    %encryption exists
    %encryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm in %allowed_algos
}
"""
    }
)
```
Possible Solution
No response
Additional Information/Context
Update: It's probably an API issue and not boto3 specific:
```
aws configservice put-organization-config-rule --organization-config-rule-name test --organization-custom-policy-rule-metadata PolicyRuntime="guard-2.x.x",PolicyText="let var=5"
```
```
An error occurred (InvalidParameterValueException) when calling the PutOrganizationConfigRule operation: Specify either OrganizationCustomRuleMetadata or OrganizationManagedRuleMetadata in the input.
```
SDK version used
1.24.48
Environment details (OS name and version, etc.)
macOS Monterey 12.3.1 Intel Core