
[Bug]: Changes to aws_securityhub_account resource breaks contract #30980

Closed
ctrawick opened this issue Apr 26, 2023 · 12 comments · Fixed by #33095
Labels
bug Addresses a defect in current functionality. partition/aws-us-gov Pertains to the aws-us-gov partition. service/securityhub Issues and PRs that pertain to the securityhub service.
Milestone

Comments

@ctrawick
Contributor

Terraform Core Version

v1.3.9

AWS Provider Version

4.64.0

Affected Resource(s)

aws_securityhub_account

Expected Behavior

Missing optional fields should not impact existing resources.

Actual Behavior

  ~ resource "aws_securityhub_account" "main" {
      ~ control_finding_generator = "STANDARD_CONTROL" -> "SECURITY_CONTROL"

Relevant Error/Panic Output Snippet

│ Error: updating Security Hub Account (XXXXX): InvalidAccessException: Request contains configurations that cannot be updated by a member account XXXXX

Terraform Configuration Files

Requires multiple runs across multiple versions

Steps to Reproduce

  1. Implement AWS Security Hub in v4.63
  2. Re-apply in v4.64
  3. Fail

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

Yes

@ctrawick ctrawick added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Apr 26, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/securityhub Issues and PRs that pertain to the securityhub service. label Apr 26, 2023
@justinretzolk
Member

Hey @ctrawick 👋 Thank you for taking the time to raise this! Are you able to supply a sample Terraform configuration and debug logs (redacted as necessary) so that we have the necessary information in order to look into this?

@justinretzolk justinretzolk added waiting-response Maintainers are waiting on response from community or contributor. and removed needs-triage Waiting for first response or review from a maintainer. labels Apr 27, 2023
@lorengordon
Contributor

@justinretzolk The issue comes from upgrading an already applied aws_securityhub_account from an earlier version of the provider to >= v4.64.0. Here is the plan:

Terraform will perform the following actions:

  # aws_securityhub_account.this will be updated in-place
  ~ resource "aws_securityhub_account" "this" {
      ~ auto_enable_controls      = false -> true
      ~ control_finding_generator = "STANDARD_CONTROL" -> "SECURITY_CONTROL"
        id                        = "REDACTED"
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

And here is the error:

aws_securityhub_account.this: Modifying... [id=REDACTED]
╷
│ Error: updating Security Hub Account (REDACTED): InvalidAccessException: Request contains configurations that cannot be updated by a member account REDACTED
│ {
│   RespMetadata: {
│     StatusCode: 401,
│     RequestID: "21556c54-f1f7-44bd-93f1-0aa7bec22c5d"
│   },
│   Code_: "InvalidAccessException",
│   Message_: "Request contains configurations that cannot be updated by a member account REDACTED"
│ }
│
│   with aws_securityhub_account.this,
│   on main.tf line 1, in resource "aws_securityhub_account" "this":
│    1: resource "aws_securityhub_account" "this" {}

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label May 1, 2023
@lorengordon
Contributor

The feature added in this PR is the source of the issue: #30692

@lorengordon
Contributor

@justinretzolk Anything else you need on this one?

@justinretzolk
Member

Hey @lorengordon 👋 Thank you for checking in on this! Providing a sample Terraform configuration that can reproduce this issue, as well as debug logs (redacted as needed) would be helpful if you're able to provide them. Unfortunately I can't provide an ETA on when this will be looked into due to the potential of shifting priorities. We prioritize by count of 👍 reactions and a few other things (more information on our prioritization guide if you're interested).

@lorengordon
Contributor

The plan I posted above basically has the config that is the problem. There isn't much more to it. It seems any version of the aws provider >= 4.64.0 is broken for the aws_securityhub_account resource, when securityhub is managed by the org, and the org has enabled the aggregated securityhub findings.

@lorengordon
Contributor

lorengordon commented Jun 7, 2023

Oh, also finding that the aws_securityhub_account resource is broken in the aws-us-gov partition since 4.64.0, since that partition does not yet support control_finding_generator. Also somehow the default value the provider is sending through is SECURITY_CONTROL, which just seems wrong in general since AWS defaults to STANDARD_CONTROL and requires explicitly enabling SECURITY_CONTROL in Security Hub.

Minimal reproducing config is just:

resource "aws_securityhub_account" "this" {}

results in:

  # aws_securityhub_account.this will be updated in-place
  ~ resource "aws_securityhub_account" "this" {
      + control_finding_generator = "SECURITY_CONTROL"

which can actually apply successfully, somehow, but then results in a perpetual diff

@mdolian

mdolian commented Jul 14, 2023

We are also running into this:

resource "aws_securityhub_account" "main" {}

Results in:

  # module.security.module.nyl-securityhub.aws_securityhub_account.main will be updated in-place
  ~ resource "aws_securityhub_account" "main" {
      ~ control_finding_generator = "STANDARD_CONTROL" -> "SECURITY_CONTROL"
        id                        = "709321817338"
    }

│ Error: updating Security Hub Account (709321817338): InvalidAccessException: Request contains configurations that cannot be updated by a member account 709321817338
│ {
│   RespMetadata: {
│     StatusCode: 401,
│     RequestID: "f32fd578-1617-4bca-af5e-19fc5e97d4dc"
│   },
│   Code_: "InvalidAccessException",
│   Message_: "Request contains configurations that cannot be updated by a member account 709321817338"
│ }
│
│   with module.security.module.nyl-securityhub.aws_securityhub_account.main,
│   on .terraform/modules/security/modules/terraform-aws-nyl-securityhub/main.tf line 1, in resource "aws_securityhub_account" "main":
│    1: resource "aws_securityhub_account" "main" {}

@calvin-ntier

Setting it explicitly at the member account is a workaround:

resource "aws_securityhub_account" "_" {
  control_finding_generator = "STANDARD_CONTROL"
}
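
The failure mode described in this thread (a provider upgrade planning an in-place change to control_finding_generator or auto_enable_controls that a Security Hub member account cannot apply, or that reappears as a perpetual diff) can be caught before apply by linting the JSON plan. The following is an added example, not code from this issue or from the AWS provider: it reads the output of `terraform show -json tfplan`, and flags any aws_securityhub_account update that touches the attributes this thread reports as owned by the organization administrator. The attribute list and the embedded sample plan are constructed for the example; the plan JSON keys (resource_changes, address, type, change.actions/before/after/after_unknown) follow Terraform's documented JSON plan format.

```python
#!/usr/bin/env python3
"""Added example (not part of this issue or the AWS provider): lint a Terraform
JSON plan for aws_securityhub_account updates that, per the reports in this
thread, fail or drift when applied from a Security Hub member account."""
import json
import sys

# Attributes reported in this thread as not updatable from a member account.
# This list is an assumption for the example; adjust it to your organization.
MEMBER_LOCKED_ATTRIBUTES = ("control_finding_generator", "auto_enable_controls")


def find_risky_securityhub_changes(plan_json: str) -> list:
    """Return (address, attribute, before, after) for every planned in-place
    update that changes a member-locked attribute of aws_securityhub_account."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_securityhub_account":
            continue
        change = rc.get("change", {})
        if "update" not in change.get("actions", []):
            continue  # creates, deletes and no-ops are not the failure mode here
        before = change.get("before") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        for attr in MEMBER_LOCKED_ATTRIBUTES:
            if unknown.get(attr):
                continue  # only known after apply; the plan cannot be judged on it
            if before.get(attr) != after.get(attr):
                findings.append((rc["address"], attr, before.get(attr), after.get(attr)))
    return findings


def format_report(findings: list) -> str:
    """Human-readable summary, one line per risky attribute change."""
    if not findings:
        return "no member-locked Security Hub attribute changes planned"
    return "\n".join(
        f"{addr}: {attr} {before!r} -> {after!r} (not updatable by a member account)"
        for addr, attr, before, after in findings
    )


# Constructed plan mirroring the in-place update shown in this thread, plus one
# unrelated resource to show that it is ignored.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.1",
    "resource_changes": [
        {
            "address": "aws_securityhub_account.this",
            "type": "aws_securityhub_account",
            "change": {
                "actions": ["update"],
                "before": {"id": "111111111111", "auto_enable_controls": False,
                           "control_finding_generator": "STANDARD_CONTROL"},
                "after": {"id": "111111111111", "auto_enable_controls": True,
                          "control_finding_generator": "SECURITY_CONTROL"},
                "after_unknown": {},
            },
        },
        {
            "address": "aws_iam_role.example",
            "type": "aws_iam_role",
            "change": {"actions": ["no-op"], "before": {}, "after": {}, "after_unknown": {}},
        },
    ],
})


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python lint_securityhub_plan.py plan.json
    # With no argument the constructed sample plan is linted instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_PLAN_JSON
    risky = find_risky_securityhub_changes(source)
    print(format_report(risky))
    sys.exit(1 if risky else 0)
```

Run it as a pre-apply gate in the pipeline for member accounts: a non-zero exit means the plan would try to change a setting the org administrator controls, which is exactly the apply that this thread shows failing with InvalidAccessException.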

@github-actions

This functionality has been released in v5.14.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023