import * as aws from "@pulumi/aws";

// Create an IAM role for DLM
const dlmRole = new aws.iam.Role("dlmRole", {
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
      Action: "sts:AssumeRole",
      Effect: "Allow",
      Principal: {
        Service: "<http://dlm.amazonaws.com|dlm.amazonaws.com>"
      }
    }]
  })
});

// Attach necessary policies to the role
new aws.iam.RolePolicyAttachment("dlmRolePolicyAttachment", {
  role: dlmRole.name,
  policyArn: "arn:aws:iam::aws:policy/service-role/AWSDataLifecycleManagerServiceRole"
});

// Create the DLM policy
const dlmPolicy = new aws.dlm.LifecyclePolicy("weeklyAmiPolicy", {
  description: "Weekly AMI creation with reboot",
  executionRoleArn: dlmRole.arn,
  state: "ENABLED",
  policyDetails: {
    resourceTypes: ["INSTANCE"],
    policyType: "IMAGE_MANAGEMENT",
    schedules: [{
      name: "Weekly AMI",
      createRule: {
        cronExpression: "cron(0 3 ? * 3 *)",
      },
      retainRule: {
        count: 23  // Keep last 23 AMIs which is nearly 6 months worth
      },
      copyTags: true,
      tagsToAdd: {
        CreatedBy: "DLM",
      },
      variableTags: {
        id: "$(instance-id)",
      },
      crossRegionCopyRules: [{
        target: "us-west-2",
        encrypted: true,
        copyTags: true,
        retainRule: {
          interval: 6,
          intervalUnit: "MONTHS",
        },
      }],
    }],
    targetTags: {
      Snapshot: "true"
    },
    parameters: {
      noReboot: false,  // This ensures the instance is rebooted for consistency
      excludeBootVolume: false
    }
  }
});
~

This code when executed results in

error: 1 error occurred:

* updating DLM Lifecycle Policy (policy-00affe076bc508be2): operation error DLM: UpdateLifecyclePolicy, https response error StatusCode: 400, RequestID: 89053d1f-37ad-4cca-8d12-f128f6462ad9, InvalidRequestException: The following parameters(s) are invalid: {Target}

If the crossRegionCopyRules are commented out, it works. I've tried different values for the target: but that does not help. I think the api is looking for targetRegion (or similar in the JSON) but that's a guess. Is this a bug? should I report it on github somewhere?

image.png

this might be an upstream thing

Was “target_region”: https://github.com/hashicorp/terraform-provider-aws/blame/0148137dc6fb802b97b74036846777ab15c0f9ad/internal/service/dlm/lifecycle_policy.go#L142 Changed to “target”: https://github.com/hashicorp/terraform-provider-aws/blame/9bd24ee2574b4dcfa60ab2ac0c154965623c0ebd/internal/service/dlm/lifecycle_policy.go#L336 Changed to constant (“target”): https://github.com/hashicorp/terraform-provider-aws/blame/9a42dce8c6aabd737635769b49a1380aeb68b36b/internal/service/dlm/lifecycle_policy.go#L331 I don't see any mention of

target_region

in main

ah, here we go https://github.com/hashicorp/terraform-provider-aws/issues/24226

get that 👍 ready 🙂

there's also a PR someone kindly did https://github.com/hashicorp/terraform-provider-aws/pull/33796