After a custom rule is triggered, a Function Compute function in the custom rule evaluates resources, calls the PutEvaluations operation of Cloud Config, and then returns the evaluation result. After you execute a custom rule, the evaluation result shows no data. To troubleshoot the issue, use one of the following methods:
-
Troubleshoot by using ActionTrail
In the ActionTrail console, use the Event Query feature to check for calls to the PutEvaluations API.
If the invocation records of the PutEvaluations operation exist after you execute a custom rule, the custom rule was executed and no resources were matched. Otherwise, the custom rule failed to be executed.
NoteSelect the China (Shanghai) region.
-
Troubleshoot by using Function Compute
If the logging feature is enabled for the function, you can view the invocation records of the PutEvaluations operation. For more information about how to enable the logging feature for a function, see Configure logging.
After you run the custom rule, print logs on the Code tab and then check for calls to the PutEvaluations API on the Logs tab. If call records for PutEvaluations exist, the rule ran successfully but found no matching resources. Otherwise, the rule failed to run.
-
Check the featurePath configuration of the conditional rule
For a conditional rule, which you create by selecting Based on Condition, the
featurePathproperty uses a JSONPath expression to extract a field value from the configuration of a target resource. Cloud Config then compares this value to an expected value. If the JSONPath specified byfeaturePathdoes not find a matching node in the resource's configuration or returns an empty set, the evaluation result is "no data".For example, you create a conditional rule to check whether a security group has an inbound rule where
SourceCidrIpis0.0.0.0/0. ThefeaturePathis configured as$.Permissions.Permission[?(@.SourceCidrIp=='0.0.0.0/0')].SourceCidrIp. If a security group does not have an inbound rule with aSourceCidrIpof0.0.0.0/0, the JSONPath filter expression returns an empty set. The evaluation result for that security group is "no data". However, a security group that has such a rule is considered non-compliant.An evaluation result of "no data" does not mean the resource is non-compliant. It means the rule could not extract a value from the resource's configuration for comparison. Before you create a conditional rule, use the resource details page or an API to verify that the configuration structure of the target resource contains the field referenced by
featurePath.