Failed to create AWSConfig rule: InvalidParameterValueException: Blank spaces are not acceptable for input parameter: threshold

Question

I am trying to create an aws config rule for checking that cloudtrail alarms are enabled. I get the following error Error: Error creating AWSConfig rule: Failed to create AWSConfig rule: InvalidParameterValueException: Blank spaces are not acceptable for input parameter: threshold. when I run terraform apply. I'm not sure what the formatting issue is in the input parameters argument (see input_parameters). The apply works if I remove everything except for metricName i.e

input_parameters = "{\"metricName\":\"CloudTrailConfigChanges\"}"

Any help would be greatly appreciated.

resource aws_config_config_rule ensure-log-alarm-exists-for-cloudtrail {
  name = "ensure-log-alarm-exists-for-cloudtrail"
  description = "Checks whether cloudwatch alarm is on for cloudtrail configuration changes"

  source {
    owner = "AWS"
    source_identifier = "CLOUDWATCH_ALARM_SETTINGS_CHECK"
  }
  
  input_parameters = "{\"metricName\":\"CloudTrailConfigChanges\",\"threshold\":1,\"evaluationPeriod\":1,\"period\":300,\"comparisionOperator\":\"GreaterThanOrEqualToThreshold\",\"statistic\":\"Sum\"}"
}

It seems like there is an issue parsing type ints from json strings: https://github.com/hashicorp/terraform-provider-aws/issues/773#issuecomment-385454229

I get the same error even with

  input_parameters =<<EOF
{
  "metricName":"CloudTrailConfigChanges",
  "threshold":1
}
EOF

or

input_parameters = jsonencode({"metricName":"CloudTrailConfigChanges","threshold"=1})

Converting wrapping the int value in quotes does not work either.

resource "aws_config_config_rule" "ensure-log-alarm-exists-for-cloudtrail" {
  name        = "ensure-log-alarm-exists-for-cloudtrail"
  description = "Checks whether cloudwatch alarm is on for cloudtrail configuration changes"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDWATCH_ALARM_SETTINGS_CHECK"
  }

  input_parameters = jsonencode({
    metricName = "CloudTrailConfigChanges"
    threshold  = "1"
  })
}

The code above produces the following error:

Unknown parameters provided in the inputParameters:

Answer 1

With your examples you're still specifying the threshold as an integer. Try making it a string.

resource "aws_config_config_rule" "ensure-log-alarm-exists-for-cloudtrail" {
  name        = "ensure-log-alarm-exists-for-cloudtrail"
  description = "Checks whether cloudwatch alarm is on for cloudtrail configuration changes"

  source {
    owner             = "AWS"
    source_identifier = "CLOUDWATCH_ALARM_SETTINGS_CHECK"
  }

  input_parameters = jsonencode({
    metricName = "CloudTrailConfigChanges"
    threshold  = "1"
  })
}

Answer 2

I ran into an error like this, and what resolved it for me was to add a condition. I don't fully understand why this worked and why it caused this error without the condition, but I saw the condition used in an AWS example.

For example, I first tried using something straightforward like this to reference a parameter:

        "InputParameters": {
            "appNames": {
                "Ref": "ApplicationNames"
            }
        }

When my resource referenced the ApplicationNames parameter directly like this, it was giving that error. But using Conditions and referencing the parameter this way caused it to work, as in this full template example:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Just a stripped-down example",
    "Parameters": {
        "ApplicationNames": {
            "Type": "String",
            "Default": "This Has Spaces",
            "MinLength": "1",
            "ConstraintDescription": "This parameter is required."
        }
    },
    "Conditions": {
        "ApplicationNamesDefined": {
            "Fn::Not": [
                {
                    "Fn::Equals": [
                        "",
                        {
                            "Ref": "ApplicationNames"
                        }
                    ]
                }
            ]
        }
    },
    "Resources": {
        "SampleRule": {
            "Type": "AWS::Config::ConfigRule",
            "DependsOn": "SecurityHubCustomUpdaterFunction",
            "Properties": {
                "ConfigRuleName": "TheName",
                "Description": "It was here that I was getting 'Blank spaces are not acceptable for input parameter: applicationNames' before I added the Conditions and Fn::If to reference it",
                "InputParameters": {
                    "appNames": {
                        "Fn::If": [
                            "ApplicationNamesDefined",
                            {
                                "Ref": "ApplicationNames"
                            },
                            {
                                "Ref": "AWS::NoValue"
                            }
                        ]
                    }
                },
                "Scope": {
                    "ComplianceResourceTypes": [
                        "AWS::SSM::ManagedInstanceInventory"
                    ]
                },
                "Source": {
                    "Owner": "AWS",
                    "SourceIdentifier": "EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED"
                }
            }
        }
    }
}

So you may want to try with Conditions usage.