I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Update:
I found a similar issue here: hashicorp/terraform-provider-aws#20434
Currently my workaround solution is to use `terraform apply -replace="aws_securityhub_standards_control.disable_instances_managed_by_amazon_systems_manager"` instead of `terraform apply`.
I think this issue can be closed since https://github.com/hashicorp/terraform-provider-aws/ might be more suitable for this kind of issue.
Terraform Version
Terraform v1.1.2
on windows_amd64
Terraform Configuration Files
Step 1: Execute the following code first to disable a specific standard control in Security Hub (here I take SSM.1 as an example):

```hcl
# Assumes data "aws_region" "current" and data "aws_caller_identity" "current" are declared elsewhere.
resource "aws_securityhub_standards_control" "disable_instances_managed_by_amazon_systems_manager" {
  standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/aws-foundational-security-best-practices/v/1.0.0/SSM.1"
  control_status        = "DISABLED"
  disabled_reason       = "XXXXX"
}
```

Step 2: Then modify the above code as follows (control_status -> Enabled, remove disabled_reason):

```hcl
resource "aws_securityhub_standards_control" "disable_instances_managed_by_amazon_systems_manager" {
  standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/aws-foundational-security-best-practices/v/1.0.0/SSM.1"
  control_status        = "ENABLED"
}
```
Expected Behavior
I expect the specific standard control to be enabled after executing Step 2.
Actual Behavior
When executing Step 2, it returns an error:
error updating Security Hub Standards Control (arn:aws:securityhub:ap-northeast-2:111111111111:control/aws-foundational-security-best-practices/v/1.0.0/SSM.1): InvalidInputException: DisabledReason should not be given for action other than disabling control: arn:aws:securityhub:ap-northeast-2:111111111111:control/aws-foundational-security-best-practices/v/1.0.0/SSM.1
Steps to Reproduce
Step 1: Execute the following code to disable a specific standard control in Security Hub (here I take SSM.1 as an example):

```hcl
resource "aws_securityhub_standards_control" "disable_instances_managed_by_amazon_systems_manager" {
  standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/aws-foundational-security-best-practices/v/1.0.0/SSM.1"
  control_status        = "DISABLED"
  disabled_reason       = "XXXXX"
}
```

Step 2: After executing the code in Step 1, modify the code as follows (control_status -> Enabled, remove disabled_reason):

```hcl
resource "aws_securityhub_standards_control" "disable_instances_managed_by_amazon_systems_manager" {
  standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/aws-foundational-security-best-practices/v/1.0.0/SSM.1"
  control_status        = "ENABLED"
}
```
When executing Step 2, it returns an error:
error updating Security Hub Standards Control (arn:aws:securityhub:ap-northeast-2:111111111111:control/aws-foundational-security-best-practices/v/1.0.0/SSM.1): InvalidInputException: DisabledReason should not be given for action other than disabling control: arn:aws:securityhub:ap-northeast-2:111111111111:control/aws-foundational-security-best-practices/v/1.0.0/SSM.1
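
A pre-apply check for the situation reported above, as an added example that is not part of the original issue or the provider's code: it reads `terraform show -json` plan output and lists every `aws_securityhub_standards_control` that the plan would update in place from DISABLED to ENABLED, then builds the `-replace` arguments used in the workaround. The sample plan is constructed, and the check assumes the provider version in use still behaves as reported here.

```python
import json

# Constructed sample of `terraform show -json <planfile>` output, trimmed to the
# fields this check reads; the second and third addresses are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_securityhub_standards_control.disable_instances_managed_by_amazon_systems_manager",
   "type": "aws_securityhub_standards_control",
   "change": {"actions": ["update"],
              "before": {"control_status": "DISABLED", "disabled_reason": "XXXXX"},
              "after": {"control_status": "ENABLED"}}},
  {"address": "aws_securityhub_standards_control.example_reason_changed",
   "type": "aws_securityhub_standards_control",
   "change": {"actions": ["update"],
              "before": {"control_status": "DISABLED", "disabled_reason": "old"},
              "after": {"control_status": "DISABLED", "disabled_reason": "new"}}},
  {"address": "aws_securityhub_standards_control.example_new",
   "type": "aws_securityhub_standards_control",
   "change": {"actions": ["create"], "before": null,
              "after": {"control_status": "ENABLED"}}}
]}
""")

CONTROL_TYPE = "aws_securityhub_standards_control"


def reenabled_controls(plan):
    """Addresses of controls the plan updates in place from DISABLED to ENABLED."""
    hits = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        before = change.get("before") or {}  # null when the resource is created
        after = change.get("after") or {}    # null when it is destroyed
        if (rc.get("type") == CONTROL_TYPE
                and change.get("actions") == ["update"]
                and before.get("control_status") == "DISABLED"
                and after.get("control_status") == "ENABLED"):
            hits.append(rc["address"])
    return hits


def replace_args(addresses):
    """One -replace argument per address, as in the workaround from the issue."""
    return [f'-replace="{a}"' for a in addresses]


if __name__ == "__main__":
    print("terraform apply", *replace_args(reenabled_controls(SAMPLE_PLAN)))
```

The same listing doubles as a review aid, since every address it returns is a Security Hub control whose status is about to change.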