[Enhancement]: `aws_cloudwatch_metric_alarm`: Add validation to prevent specifying both `metric` and `expression`

[sursingh-apptio]

Terraform Core Version

1.9.6

AWS Provider Version

4.67.0

Affected Resource(s)

aws_cloudwatch_metric_alarm->metric_query

Expected Behavior

metric_query can only have a metric block or an expression field but not both. This is not specified in the documentation and not caught with terraform plan

Actual Behavior

plan does not catch a badly configured resource.

Relevant Error/Panic Output Snippet

after `terraform apply`, the output is - 


aws_cloudwatch_metric_alarm.complex_alarm_1: Creating...
╷
│ Error: creating CloudWatch Metric Alarm (complex-alarm-1): No metric_query may have both `expression` and a `metric` specified

Terraform Configuration Files

sample resource configuration -

# High Resolution Alarms
# Complex Alarms with Multiple Metrics
resource "aws_cloudwatch_metric_alarm" "complex_alarm_1" {
  alarm_name          = "complex-alarm-1"
  alarm_description   = "Complex alarm with multiple metrics"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 2
  threshold          = 90
  treat_missing_data = "missing"

  metric_query {
    id          = "high1"
    return_data = false
	expression  = "SELECT AVG(CPUUtilization) FROM AWS/EC2 GROUP BY InstanceId"
	period = 10
    metric {
      metric_name = "CPUUtilization"
      namespace   = "AWS/EC2"
      period     = 10
      stat       = "Average"
    }
  }
}

Steps to Reproduce

run terraform plan for the above resource

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions]

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.

[justinretzolk]

Hey @sursingh-apptio 👋 Thank you for taking the time to raise this! We consider adding additional functionality to existing resources (in this case, an additional validation) to be an enhancement rather than a bug. With that in mind, I'm going to make a slight modification to this issue. No further information is needed from you at this point, I just like to let people know before I make these kinds of modifications.

As a note, the documentation for the resource does have a note that calls this out:

NOTE:
You must specify either metric or expression. Not both.

[sursingh-apptio]

Thank you @justinretzolk for cleaning it up. I'll try and see if I can tackle this myself :)

[stefanfreitag]

Good evening @sursingh-apptio , good evening @justinretzolk ,

I was looking more closely into the issue and think that it is already resolved. If you have a chance to review, it would be great!

The provided Terraform configuration file I used as input. Terraform version 1.11.2 and AWS Provider version 5.92.0. The output of a terraform plan is as below:

❯ terraform plan

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: No metric_query may have both `expression` and a `metric` specified
│ 
│   with aws_cloudwatch_metric_alarm.complex_alarm_1,
│   on main.tf line 15, in resource "aws_cloudwatch_metric_alarm" "complex_alarm_1":
│   15: resource "aws_cloudwatch_metric_alarm" "complex_alarm_1" {
│ 

In the source code here the recommended check seems to be implemented.

---

Here is the full output of terraform init, terraform plan for both provider versions.

❯ terraform init -upgrade
Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/aws versions matching "4.67.0"...
- Installing hashicorp/aws v4.67.0...
- Installed hashicorp/aws v4.67.0 (signed by HashiCorp)
Terraform has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
❯ terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_cloudwatch_metric_alarm.complex_alarm_1 will be created
  + resource "aws_cloudwatch_metric_alarm" "complex_alarm_1" {
      + actions_enabled                       = true
      + alarm_description                     = "Complex alarm with multiple metrics"
      + alarm_name                            = "complex-alarm-1"
      + arn                                   = (known after apply)
      + comparison_operator                   = "GreaterThanThreshold"
      + evaluate_low_sample_count_percentiles = (known after apply)
      + evaluation_periods                    = 2
      + id                                    = (known after apply)
      + tags_all                              = (known after apply)
      + threshold                             = 90
      + treat_missing_data                    = "missing"

      + metric_query {
          + expression  = "SELECT AVG(CPUUtilization) FROM AWS/EC2 GROUP BY InstanceId"
          + id          = "high1"
          + period      = 10
          + return_data = false
            # (2 unchanged attributes hidden)

          + metric {
              + metric_name = "CPUUtilization"
              + namespace   = "AWS/EC2"
              + period      = 10
              + stat        = "Average"
                # (1 unchanged attribute hidden)
            }
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
❯ terraform init -upgrade
Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/aws versions matching "5.92.0"...
- Installing hashicorp/aws v5.92.0...
- Installed hashicorp/aws v5.92.0 (signed by HashiCorp)
Terraform has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
❯ terraform plan

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: No metric_query may have both `expression` and a `metric` specified
│ 
│   with aws_cloudwatch_metric_alarm.complex_alarm_1,
│   on main.tf line 15, in resource "aws_cloudwatch_metric_alarm" "complex_alarm_1":
│   15: resource "aws_cloudwatch_metric_alarm" "complex_alarm_1" {
│ 
╵