Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: add enabled_standard_arns if service_enabled is true in aws_securityhub_configuration_policy #36740

Conversation

sbldevnet
Copy link
Contributor

@sbldevnet sbldevnet commented Apr 4, 2024

Description

If enabled_standard_arns is used, and service_enabled is set to false, it will be included in the AWS API call. Now it's only added if it is not empty.
This will fix the issue when trying to create a SecurityHub configuration policy without enabling any standards.

Current version ConfigurationPolicy:

2024-04-05T09:11:42.103+1030 [DEBUG] provider.terraform-provider-aws_v5.43.0_x5: HTTP Request Sent: ...
  http.request.body=
  | {"ConfigurationPolicy":{"SecurityHub":{"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers":[]},"ServiceEnabled":true}},"Description":"ExampleDescription","Name":"Example"}

With the proposed fix:

2024-04-05T08:59:08.187+1030 [DEBUG] provider.terraform-provider-aws: HTTP Request Sent: http.request.header.x_amz_security_token="*****" rpc.method=CreateConfigurationPolicy
 http.request.body=
  | {"ConfigurationPolicy":{"SecurityHub":{"EnabledStandardIdentifiers":[],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers":[]},"ServiceEnabled":true}},"Description":"Enable SecurityHub in the organization","Name":"EnableSecurityHubOrganization"}

enabled_standard_arns must be included only if service_enabled is true.

Relations

Closes #36739

References

https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_SecurityHubPolicy.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/create-configuration-policy.html

Output from Acceptance Testing

% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/basic' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go  test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/basic -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/basic
--- PASS: TestAccSecurityHub_serial (84.46s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (84.46s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/basic (84.46s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	89.319s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/disappears' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go  test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/disappears -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/disappears
--- PASS: TestAccSecurityHub_serial (60.87s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (60.87s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/disappears (60.87s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	65.561s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/^C' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go  test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/^C -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/CustomParameters
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/ControlIdentifiers
--- PASS: TestAccSecurityHub_serial (252.20s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (252.20s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/CustomParameters (168.85s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/ControlIdentifiers (83.34s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	256.842s

Copy link

github-actions bot commented Apr 4, 2024

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added size/XS Managed by automation to categorize the size of a PR. service/securityhub Issues and PRs that pertain to the securityhub service. labels Apr 4, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Apr 4, 2024
@sbldevnet
Copy link
Contributor Author

sbldevnet commented Apr 5, 2024

I changed the parameter enabled_standard_arns to optional to have the same as the AWS API, but it can be reverted as the logic is handled inside the expandPolicyMemberSecurityHub function.

@sbldevnet sbldevnet changed the title [WIP] fix: add enabled_standard_arns also if empty in aws_securityhub_configuration_policy [WIP] fix: add enabled_standard_arns if service_enabled is true in aws_securityhub_configuration_policy Apr 5, 2024
@github-actions github-actions bot added documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Apr 5, 2024
@sbldevnet sbldevnet marked this pull request as ready for review April 5, 2024 02:25
@sbldevnet sbldevnet changed the title [WIP] fix: add enabled_standard_arns if service_enabled is true in aws_securityhub_configuration_policy fix: add enabled_standard_arns if service_enabled is true in aws_securityhub_configuration_policy Apr 5, 2024
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Apr 5, 2024
@ewbankkit ewbankkit self-assigned this Apr 5, 2024
@terraform-aws-provider terraform-aws-provider bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Apr 5, 2024
Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccSecurityHub_serial/ConfigurationPolicy' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.21.8 test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/ConfigurationPolicy -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/disappears
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/CustomParameters
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/ControlIdentifiers
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/basic
--- PASS: TestAccSecurityHub_serial (812.81s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation (416.64s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic (344.39s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears (72.25s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (396.17s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/disappears (58.53s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/CustomParameters (172.15s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/ControlIdentifiers (84.52s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/basic (80.98s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	823.850s

@ewbankkit
Copy link
Contributor

@sbldevnet Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit 4e72a2e into hashicorp:main Apr 5, 2024
62 checks passed
@github-actions github-actions bot added this to the v5.45.0 milestone Apr 5, 2024
@github-actions github-actions bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Apr 11, 2024
Copy link

This functionality has been released in v5.45.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 12, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
documentation Introduces or discusses updates to documentation. service/securityhub Issues and PRs that pertain to the securityhub service. size/XS Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Bug]: failed to create aws_securityhub_configuration_policy if enabled_standard_arns is empty
2 participants