hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.84k stars 9.19k forks

aws_securityhub_standards_control tries to create resource when it already exists #20845

Open andyshinn opened 3 years ago

andyshinn commented 3 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

❯ terraform -v
Terraform v1.0.2
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.57.0

Your version of Terraform is out of date! The latest version
is 1.0.6. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

Terraform Configuration Files


terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::000000000000:role/OrganizationAccountAccessRole"
    session_name = "terraform-session"
    external_id  = "Terraform"
  }
}

data "aws_region" "current" {}

# Disables a single control (IAM.1) of the subscribed standard. The control ARN
# is derived from the subscription id, so it only exists once the subscription does.
resource "aws_securityhub_standards_control" "disabled_checks" {
  standards_control_arn = "${aws_securityhub_standards_subscription.fsbp.id}/IAM.1"
  control_status        = "DISABLED"
  disabled_reason       = "Not needed"
}

# Subscribes the account to AWS Foundational Security Best Practices v1.0.0.
resource "aws_securityhub_standards_subscription" "fsbp" {
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
}

Debug Output

https://gist.github.com/andyshinn/32aa411e57e3fa9ef9563760dc14fcf4

Panic Output

Expected Behavior

Existing resource ignored as it already exists in state (even if it is a special resource).

Actual Behavior

Error occurs:

╷
│ Error: error reading Security Hub Standards Control (arn:aws:securityhub:us-east-1:000000000000:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.1): Empty result
│ 
│   with aws_securityhub_standards_control.disabled_checks,
│   on main.tf line 22, in resource "aws_securityhub_standards_control" "disabled_checks":
│   22: resource "aws_securityhub_standards_control" "disabled_checks" {
│ 
╵

Steps to Reproduce

  1. Set resource control_status to "ENABLED".
  2. terraform apply
  3. Set resource control_status to "DISABLED".
  4. terraform apply

Important Factoids

References

github-actions[bot] commented 1 year ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

andyshinn commented 1 year ago

Not stale.

Tharsan05 commented 12 months ago

Yes, it's not stale. The problem continues to persist in the latest version of Terraform. As mentioned earlier, when we enable the SecurityHub control via Terraform and subsequently attempt to disable it using Terraform, an error occurs.

# Data sources referenced by the control ARN below.
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_securityhub_standards_subscription" "pci_dss_v_3_2_1" {
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
}

resource "aws_securityhub_standards_control" "disable_security_control" {
  # Control ARN built explicitly (region + account id) rather than from the subscription id.
  standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/pci-dss/v/3.2.1/PCI.IAM.4"
  control_status        = "DISABLED"
  disabled_reason       = "Disabling control"
  depends_on = [
    aws_securityhub_standards_subscription.pci_dss_v_3_2_1
  ]
}

Steps to Reproduce (this happens randomly, not every time)

  1. terraform apply
Error: updating Security Hub Standards Control (arn:aws:securityhub:iiii:iiii:control/pci-dss/v/3.2.1/PCI.IAM.4): ResourceNotFoundException: StandardsControl not found
{
  RespMetadata: {
    StatusCode: 404,
  },
  Code_: "ResourceNotFoundException",
  Message_: "StandardsControl not found"
}
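Both reports above fail at the same point: Terraform sets a control's status, then reads it back and the API returns nothing ("Empty result" / "StandardsControl not found"). A pre-apply check that compares the states Terraform is about to set against what Security Hub currently reports makes that case visible before the apply. The script below is an added example, not code from the issue or the provider; it assumes the JSON shape returned by the DescribeStandardsControls API (fields `Controls[].ControlId` and `Controls[].ControlStatus`) and uses a constructed sample in place of real output. Controls are matched by `ControlId`, because the ARN prefix differs between the `subscription/...` form in the first report and the `control/...` form in the second.

```python
"""Pre-apply drift check for Security Hub standards controls.

Compares the desired control states (what the Terraform config will set)
with what DescribeStandardsControls reports, so a control the API does not
list yet is flagged before `terraform apply` fails on it.
"""
import json

# Constructed sample in the shape of DescribeStandardsControls output,
# restricted to the fields this check uses; not captured from a real account.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Controls": [
        {"StandardsControlArn": "arn:aws:securityhub:us-east-1:000000000000:control/"
                                "aws-foundational-security-best-practices/v/1.0.0/IAM.1",
         "ControlId": "IAM.1", "ControlStatus": "ENABLED"},
        {"StandardsControlArn": "arn:aws:securityhub:us-east-1:000000000000:control/"
                                "aws-foundational-security-best-practices/v/1.0.0/IAM.4",
         "ControlId": "IAM.4", "ControlStatus": "DISABLED",
         "DisabledReason": "Not needed"},
    ]
})


def control_drift(desired: dict, describe_json: str) -> dict:
    """desired maps control ID -> wanted status ("ENABLED" or "DISABLED").

    Returns the control IDs the API does not list at all ("missing", the
    situation behind the errors in this issue), those whose status differs
    from the desired one ("mismatched"), and those that already match ("ok").
    """
    reported = {c["ControlId"]: c["ControlStatus"]
                for c in json.loads(describe_json).get("Controls", [])}
    result = {"missing": [], "mismatched": {}, "ok": []}
    for control_id, want in desired.items():
        have = reported.get(control_id)
        if have is None:
            result["missing"].append(control_id)
        elif have != want:
            result["mismatched"][control_id] = {"actual": have, "desired": want}
        else:
            result["ok"].append(control_id)
    return result


if __name__ == "__main__":
    # Desired states mirroring the two configs in this issue plus one matching control.
    wanted = {"IAM.1": "DISABLED", "IAM.4": "DISABLED", "PCI.IAM.4": "DISABLED"}
    print(json.dumps(control_drift(wanted, SAMPLE_DESCRIBE_OUTPUT), indent=2))
```

Against a real account, pass the JSON printed by `aws securityhub describe-standards-controls --standards-subscription-arn <subscription arn>` in place of the constructed sample; any ID under "missing" is one the provider's read-after-write will also fail to find.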