Deploy CloudFormation template using Terraform


I need to set up an automated process to report Security Hub findings regularly to the relevant member account based on AWS account ownership. In my investigation, I found the repository below, which does what I was looking for. https://github.com/aws-samples/automated-security-hub-account-findings-reports

I added the relevant code to the repository and merged it into main, but the pipeline failed in the apply stage because it needs a default value for a parameter in the CloudFormation template. My questions are:

1- Is it enough to only use the resource "aws_cloudformation_stack" and use the CF template as the source in it? Or do I need to create more resources when I want to deploy a CF template using Terraform?

2- I received the error below once I tried to deploy the CF template: Error: creating CloudFormation Stack (automated-security-hub-account-findings-reports): ValidationError: Parameters: [KMSKeyAdmin] must have values

My question is: why do I get that error when I'm using a CloudFormation template which includes everything that is needed? What should I do to resolve this issue?

Thanks


There is 1 best solution below


To answer the question about CloudFormation: based on these lines from the CloudFormation template, you must provide a value for the input parameter:

Parameters:
  KMSKeyAdmin:
    Type: String
    Description: The Role you want to administer the KMS key used to encrypt the SNS topics.

It has no default value, hence you have to provide it. This input parameter is defined so that KMS knows which role to add to the KMS key policy, as that role will be the key administrator. However, since you are using Terraform for that, you could do one of two things:

  1. Define the default value for the parameter
  2. Use Terraform variables/syntax to specify the principal and remove the Parameters section

If you decide to use the first option, then you would do something like:

Parameters:
  KMSKeyAdmin:
    Type: String
    Description: The Role you want to administer the KMS key used to encrypt the SNS topics.
    Default: var.kms_key_admin_role_arn # or a full ARN without specifying a variable

The second option would then be:

- Sid: Allow administration of the key
  Effect: Allow
  Principal:
    AWS: 
    - var.kms_key_admin_role_arn # or a full ARN without specifying a variable

Since you have not provided the Terraform code you have, I cannot test it and let you know if this works, but it should.

Last but not least, I would probably suggest using the templatefile built-in function. The input file would be the CloudFormation template, and then you can pass the values to the template and they will get replaced. So you could do something like:

resource "aws_cloudformation_stack" "automated_security_hub_account_findings_reports" {
  name = "automated-security-hub-account-findings-reports"
  template_body = templatefile("${path-to-the-cf-template}", {
    kms_key_admin_role_arn = "arn:aws:iam::123456789012:role/S3Acces"
  })
}

And in the templated file, you would have the following lines:

- Sid: Allow administration of the key
  Effect: Allow
  Principal:
    AWS: 
    - ${kms_key_admin_role_arn}

This will then show up like this in the output:

- Sid: Allow administration of the key
  Effect: Allow
  Principal:
    AWS:
    - arn:aws:iam::123456789012:role/S3Acces
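As an added example (not the questioner's pipeline code, not the answer's snippets, and not the contents of the aws-samples repository), here is a complete Terraform configuration that deploys the template with a single aws_cloudformation_stack resource and answers both questions at once: the KMSKeyAdmin parameter is satisfied through the resource's own parameters map, so the template's Parameters section can stay exactly as it is, and the templatefile variant from the answer is rendered as an output so its escaping rule can be inspected with terraform plan without creating a second stack. The file paths, region, account ID, role name, CAPABILITY_NAMED_IAM requirement and the validation regex are assumptions, not something the repository states.

```hcl
# Added example, not code from the question, the answer or the aws-samples
# repository. Assumptions: the unmodified CloudFormation template is checked
# in at ./cloudformation/template.yaml and declares the KMSKeyAdmin parameter
# exactly as quoted in the answer; a copy with Terraform placeholders lives at
# ./cloudformation/template.yaml.tftpl; region, account ID and role name are
# placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

variable "kms_key_admin_role_arn" {
  type        = string
  description = "IAM role that will administer the KMS key protecting the SNS topics."
  default     = "arn:aws:iam::123456789012:role/SecurityHubKmsAdmin" # placeholder

  # Fail at plan time unless the value is a single IAM role ARN. Whatever is
  # passed here lands verbatim in the key policy as the key administrator, so
  # a typo, a user ARN or a wildcard would otherwise be applied silently.
  validation {
    condition     = can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/[^*]+$", var.kms_key_admin_role_arn))
    error_message = "kms_key_admin_role_arn must be one IAM role ARN (arn:aws:iam::<account>:role/<name>)."
  }
}

# Question 1: one aws_cloudformation_stack resource is enough; Terraform only
# needs the template body and the stack-level settings, CloudFormation creates
# everything the template declares.
# Question 2: "Parameters: [KMSKeyAdmin] must have values" disappears once the
# parameter is supplied through the parameters map. No Default in the YAML is
# required, which also keeps the privileged principal out of the template file.
resource "aws_cloudformation_stack" "findings_reports" {
  name          = "automated-security-hub-account-findings-reports"
  template_body = file("${path.module}/cloudformation/template.yaml")

  parameters = {
    KMSKeyAdmin = var.kms_key_admin_role_arn
  }

  # Assumption: the sample creates IAM roles for its Lambda functions, so the
  # stack must explicitly be allowed to create named IAM resources.
  capabilities = ["CAPABILITY_NAMED_IAM"]

  tags = {
    ManagedBy = "terraform"
  }
}

# The templatefile() approach from the answer. templatefile() interpolates
# every ${...}, and CloudFormation's own !Sub strings use the same syntax, so
# in template.yaml.tftpl each CloudFormation reference must be escaped as
# $${...} or templatefile() fails on (or mis-substitutes) the unknown name.
# The .tftpl file is expected to contain lines such as:
#   TopicArn: !Sub "arn:aws:sns:$${AWS::Region}:$${AWS::AccountId}:findings"
#   Principal:
#     AWS:
#       - ${kms_key_admin_role_arn}
# Rendering it into an output lets you review the substituted key policy in
# `terraform plan` output before trusting it with a real stack.
output "rendered_template" {
  description = "Template body as templatefile() would hand it to CloudFormation."
  value = templatefile("${path.module}/cloudformation/template.yaml.tftpl", {
    kms_key_admin_role_arn = var.kms_key_admin_role_arn
  })
}
```

Run `terraform init && terraform plan -var kms_key_admin_role_arn=arn:aws:iam::111122223333:role/MyKmsAdmin`; an ARN that is not a single IAM role is rejected by the validation block before any API call is made, and the rendered_template output shows exactly which principal ended up in the key policy. If you switch the resource itself to templatefile and drop the Parameters section, remove the parameters map too, since CloudFormation rejects values for parameters the template no longer declares.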