digitickets / terraform-aws-cli

Run the AWS CLI, with the ability to run under an assumed role, to access resources and properties missing from the Terraform AWS Provider.

error: Warning: "Input is not a terminal" #18

Open nitrocode opened 1 month ago

nitrocode commented 1 month ago

Thanks for making a reusable awscli module. I've been waiting for something like this for some time.

With the following

module "awscli" {
  source  = "digitickets/cli/aws"
  version = "6.1.0"

  aws_cli_commands = ["securityhub", "batch-update-findings"]
}

I get this error

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Resource postcondition failed
│ 
│   on .terraform/modules/securityhub_batch_update_findings.awscli/main.tf line 35, in data "local_file" "awscli_results_file":
│   35:       condition     = try(jsondecode(self.content).error, false) == false
│     ├────────────────
│     │ self.content is "{\"error\":\"Warning: Input is not a terminal (fd=0).\"}\n"
│ 
│ Warning: Input is not a terminal (fd=0).

How can I run aws securityhub batch-update-findings and avoid this error?

rquadling commented 1 month ago

Hi.

Thank you for raising the question and sorry for the delay.

I've not seen this one before, but based upon the error, I suspect that it is an interactive command so, hopefully, there's a way to supply input.

Will be back shortly!

rquadling commented 1 month ago

Can you provide the full module call please? Replace any IDs/values with x and n (letters and numbers) so I can see how this works. The documentation for aws securityhub batch-update-findings says it requires --finding-identifiers.

aws securityhub batch-update-findings \
    --finding-identifiers '[{"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}, {"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}]' \
    --note '{"Text": "Known issue that is not a risk.", "UpdatedBy": "user1"}' \
    --severity '{"Label": "LOW"}' \
    --workflow '{"Status": "RESOLVED"}'

is an example in the help system.

One thing it COULD be is malformed JSON on the --finding-identifiers. The supplied JSON will need to be escaped.

So, taking the above example, the module call would be ...

module "awscli" {
  source = "../../"
  aws_cli_commands = [
    "securityhub",
    "batch-update-findings",
    format(
      "--finding-identifiers='%s'",
      jsonencode(
        [
          {
            Id         = "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
            ProductArn = "arn:aws:securityhub:us-west-1::product/aws/securityhub"
          },
          {
            Id         = "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
            ProductArn = "arn:aws:securityhub:us-west-1::product/aws/securityhub"
          }
        ]
      )
    ),
    format(
      "--note='%s'",
      jsonencode(
        {
          Text      = "Known issue that is not a risk.",
          UpdatedBy = "user1"
        }
      )
    ),
    format(
      "--severity='%s'",
      jsonencode(
        {
          Label = "LOW" # Security Hub severity labels are uppercase, as in the CLI help example above
        }
      )
    ),
    format(
      "--workflow='%s'",
      jsonencode(
        {
          Status = "RESOLVED"
        }
      )
    )
  ]
  region = "eu-west-1"
}

Another way is to escape all the " in the string.

You can also add an environment variable to keep ALL the log files that are made.

export MODULE_TERRAFORM_AWS_CLI_RETAIN_LOGS=true

If you run the exact AWS call at your command line (you'll need the AWS credentials set up), what do you get? Are you asked for input?
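As an added example (not code from this issue or from the module's own repository), the same call built from variables so that jsonencode does all the escaping and a wrong severity label such as "Low" fails at plan time rather than at the CLI; the finding ARN, product ARN, note text and region are placeholders taken from the CLI help example, not real findings.

```terraform
# Added example: drive batch-update-findings from variables instead of hand-written JSON.
variable "finding_ids" {
  description = "Security Hub finding ARNs to update (placeholder values from the CLI help text)"
  type        = list(string)
  default = [
    "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  ]
}

variable "severity_label" {
  description = "Severity to set on the findings; Security Hub only accepts the uppercase labels"
  type        = string
  default     = "LOW"

  validation {
    condition     = contains(["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"], var.severity_label)
    error_message = "severity_label must be one of INFORMATIONAL, LOW, MEDIUM, HIGH or CRITICAL (uppercase)."
  }
}

locals {
  # Placeholder product ARN from the CLI help example.
  product_arn = "arn:aws:securityhub:us-west-1::product/aws/securityhub"

  # Build the --finding-identifiers list; jsonencode handles quoting and escaping.
  finding_identifiers = [
    for id in var.finding_ids : { Id = id, ProductArn = local.product_arn }
  ]
}

module "awscli" {
  source  = "digitickets/cli/aws"
  version = "6.1.0"

  # Each argument is wrapped in single quotes for the shell; this assumes none of the
  # encoded values contain a single quote, which would end the quoting early.
  aws_cli_commands = [
    "securityhub",
    "batch-update-findings",
    format("--finding-identifiers='%s'", jsonencode(local.finding_identifiers)),
    format("--note='%s'", jsonencode({ Text = "Known issue that is not a risk.", UpdatedBy = "user1" })),
    format("--severity='%s'", jsonencode({ Label = var.severity_label })),
    format("--workflow='%s'", jsonencode({ Status = "RESOLVED" })),
  ]

  region = "eu-west-1"
}
```

Running `terraform plan` with `-var severity_label=Low` is rejected by the validation block before any CLI call is made.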