Giters

DontShaveTheYak / cf2tf

Convert Cloudformation templates to Terraform.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Could not convert Cloudformation property "Arn" to Terraform attribute

rknechtel opened this issue · comments

commented

I'm getting the following error when trying to convert the attached file (cloudtrail.yaml - cloudtrail.yaml.txt).

$ cf2tf cloudtrail.yaml > cloudtrail.tf
// Converting cloudtrail.yaml to Terraform!
Traceback (most recent call last):
  File "/usr/local/bin/cf2tf", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/cf2tf/app.py", line 44, in cli
    config = TemplateConverter(tmpl_path.stem, cf_template, search_manger).convert()
  File "/usr/local/lib/python3.8/dist-packages/cf2tf/convert.py", line 94, in convert
    tf_resources = self.convert_to_tf(self.manifest)
  File "/usr/local/lib/python3.8/dist-packages/cf2tf/convert.py", line 146, in convert_to_tf
    tf_resources.extend(converter(resources))
  File "/usr/local/lib/python3.8/dist-packages/cf2tf/convert.py", line 331, in convert_resources
    resolved_values = self.resolve_values(
  File "/usr/local/lib/python3.8/dist-packages/cf2tf/convert.py", line 181, in resolve_values
    data[key] = self.resolve_values(
  File "/usr/local/lib/python3.8/dist-packages/cf2tf/convert.py", line 193, in resolve_values
    return allowed_func[key](self, value)
  File "/usr/local/lib/python3.8/dist-packages/cf2tf/conversion/expressions.py", line 421, in get_att
    raise ValueError(
ValueError: Could not convert Cloudformation property "Arn" to Terraform attribute of [].

It looks like it might be having an issue with these:

CloudWatchLogsLogGroupArn: !GetAtt CloudTrailLogsGroup.Arn  
CloudWatchLogsRoleArn: !GetAtt CloudTrailLogsRole.Arn

cloudtrail.yaml.txt

commented

I will take a look at this. It's related to #99

commented

@rknechtel I just checked and the latest version was able to convert your template to Terraform.

data "aws_caller_identity" "current" {}

variable customer_name {
  description = "Follow S3 naming convetion per http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-s3-bucket-naming-requirements.html"
  type = string
}

resource "aws_s3_bucket" "s3_bucket" {
  bucket = "${var.customer_name}-logs"
}

resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.s3_bucket.id
  policy = jsonencode({
      Statement = [
        {
          Action = [
            "s3:GetBucketAcl"
          ]
          Effect = "Allow"
          Resource = join("", ["arn:aws:s3:::", aws_s3_bucket.s3_bucket.id])
          Principal = {
            Service = "cloudtrail.amazonaws.com"
          }
        },
        {
          Action = [
            "s3:PutObject"
          ]
          Effect = "Allow"
          Resource = join("", ["arn:aws:s3:::", aws_s3_bucket.s3_bucket.id, "/AWSLogs/", data.aws_caller_identity.current.account_id, "/*"])
          Principal = {
            Service = "cloudtrail.amazonaws.com"
          }
          Condition = {
            StringEquals = {
              s3:x-amz-acl = "bucket-owner-full-control"
            }
          }
        }
      ]
    }
  )
}

resource "aws_sns_topic" "sns_topic" {
  name = "${var.customer_name}-alerts"
}

resource "aws_iam_role" "cloud_trail_logs_role" {
  name = "${var.customer_name}-cloudtrail"
  assume_role_policy = {
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = [
            "cloudtrail.amazonaws.com"
          ]
        }
        Action = [
          "sts:AssumeRole"
        ]
      }
    ]
  }
  force_detach_policies = [
    {
      PolicyName = "CloudTrail"
      PolicyDocument = {
        Version = "2012-10-17"
        Statement = [
          {
            Sid = "CloudTrailPublish"
            Effect = "Allow"
            Action = [
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ]
            Resource = join("", ["arn:aws:logs:us-east-1:", data.aws_caller_identity.current.account_id, ":log-group:/aws/cloudrail/logs:log-stream:", data.aws_caller_identity.current.account_id, "_CloudTrail_us-east-1*"])
          }
        ]
      }
    }
  ]
}

resource "aws_scheduler_schedule_group" "cloud_trail_logs_group" {
  name = "/aws/cloudrail/logs"
}

resource "aws_cloudtrail" "cloud_trail" {
  s3_bucket_name = aws_s3_bucket.s3_bucket.id
  cloud_watch_logs_group_arn = aws_scheduler_schedule_group.cloud_trail_logs_group.arn
  cloud_watch_logs_role_arn = aws_iam_role.cloud_trail_logs_role.arn
  include_global_service_events = True
  is_multi_region_trail = True
}

output "sns_arn" {
  description = "SNS Topic ARN"
  value = aws_sns_topic.sns_topic.id
}

The conversion might not be 100% accurate. If you find any issues feel free to raise a new issue =).