Open nitrocode opened 1 month ago
Hi.
Thank you for raising the question and sorry for the delay.
I've not seen this one before, but based upon the error, I suspect that it is an interactive command so, hopefully, there's a way to supply input.
Will be back shortly!
Can you provide the full module call please? Replace any IDs/values with `x` and `n` (letters and numbers) so I can see how this works. The documentation for `aws securityhub batch-update-findings` says it requires `--finding-identifiers`. This is an example in the help system:

```shell
aws securityhub batch-update-findings \
  --finding-identifiers '[{"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}, {"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}]' \
  --note '{"Text": "Known issue that is not a risk.", "UpdatedBy": "user1"}' \
  --severity '{"Label": "LOW"}' \
  --workflow '{"Status": "RESOLVED"}'
```
One thing it COULD be is malformed JSON on the `--finding-identifiers`. The supplied JSON will need to be escaped.

So, taking the above example, the module call would be:
```hcl
module "awscli" {
  source = "../../"

  aws_cli_commands = [
    "securityhub",
    "batch-update-findings",
    # jsonencode() produces the JSON; format() wraps it in single quotes so the
    # shell leaves the embedded double quotes alone.
    format(
      "--finding-identifiers='%s'",
      jsonencode(
        [
          {
            Id         = "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
            ProductArn = "arn:aws:securityhub:us-west-1::product/aws/securityhub"
          },
          {
            Id         = "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
            ProductArn = "arn:aws:securityhub:us-west-1::product/aws/securityhub"
          }
        ]
      )
    ),
    format(
      "--note='%s'",
      jsonencode(
        {
          Text      = "Known issue that is not a risk."
          UpdatedBy = "user1"
        }
      )
    ),
    format(
      "--severity='%s'",
      jsonencode(
        {
          # Security Hub severity labels are upper case (INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL).
          Label = "LOW"
        }
      )
    ),
    format(
      "--workflow='%s'",
      jsonencode(
        {
          Status = "RESOLVED"
        }
      )
    )
  ]

  region = "eu-west-1"
}
```
Another way is to escape all the `"` in the string.

You can also add an environment variable to keep ALL the log files that are made:

```shell
export MODULE_TERRAFORM_AWS_CLI_RETAIN_LOGS=true
```
If you run the exact AWS call at your command line (you'll need the AWS credentials set up), what do you get? Are you asked for input?
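The same `format()` + `jsonencode()` pattern, generalized so the `--finding-identifiers` payload is built from a list of finding ARNs rather than written out one object at a time. This is an added example, not the module's own documentation or the maintainer's code: the module call shape (`source = "../../"`, `aws_cli_commands`, `region`) is taken from the reply above, while the `locals` names, the sample finding ARNs (copied from the AWS CLI help example) and the `output` are assumptions for illustration.

```hcl
locals {
  # Constructed sample input: the two finding ARNs from the AWS CLI help example.
  product_arn = "arn:aws:securityhub:us-west-1::product/aws/securityhub"
  finding_ids = [
    "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
  ]

  # One {Id, ProductArn} object per finding, produced by a for expression so the
  # list can grow without editing the JSON by hand.
  finding_identifiers = [
    for id in local.finding_ids : {
      Id         = id
      ProductArn = local.product_arn
    }
  ]

  # Each option carries its JSON inside single quotes; jsonencode() never emits a
  # single quote itself, so the double quotes reach the AWS CLI intact.
  securityhub_args = [
    "securityhub",
    "batch-update-findings",
    format("--finding-identifiers='%s'", jsonencode(local.finding_identifiers)),
    format("--note='%s'", jsonencode({ Text = "Known issue that is not a risk.", UpdatedBy = "user1" })),
    format("--severity='%s'", jsonencode({ Label = "LOW" })),
    format("--workflow='%s'", jsonencode({ Status = "RESOLVED" })),
  ]
}

module "awscli" {
  source           = "../../"
  aws_cli_commands = local.securityhub_args
  # Findings are region-scoped; this matches the region in the finding ARNs above.
  region           = "us-west-1"
}

# Hypothetical output: the exact command line, for running by hand to compare
# against what the module executes.
output "securityhub_command" {
  value = join(" ", concat(["aws"], local.securityhub_args))
}
```

Two checks worth doing before wiring this into a plan: `terraform console` with `local.securityhub_args` shows the quoted arguments exactly as they will be joined, and the `securityhub_command` output can be pasted into a shell with credentials to confirm the call succeeds outside Terraform. The single-quote wrapping holds only as long as no value (the `Text` of the note, for instance) itself contains a `'`; such a value ends the shell string early and would need the quote-escaping route the reply mentions.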
Thanks for making a reusable awscli module. I've been waiting for something like this for some time.

With the following:

I get this error:

How can I run `aws securityhub batch-update-findings` and avoid this error?