Open vermamanoj opened 2 years ago
A similar issue was reported on a different channel earlier; please refer to https://github.com/hashicorp/terraform/issues/30285 as well.
Hey @vermamanoj, thank you for taking the time to raise this! So that we have all of the information necessary to look into this, would it be possible to include (sanitized as needed) debug logs as well?
I'd also be curious as to how you're passing credentials into the provider, in case there's any chance that different credentials are being picked up than the ones you're using with the aws CLI command that you mentioned worked.
My provider.tf file:

```hcl
provider "aws" {
  alias  = "audit_account"
  region = var.Deployment_Region
  assume_role {
    role_arn = "arn:aws:iam::${var.Deployment_Account}:role/${var.Terraform_Role_Name}"
  }
}

provider "aws" {
  alias  = "management_account"
  region = var.Deployment_Region
  assume_role {
    role_arn = "arn:aws:iam::${var.management_account}:role/${var.Terraform_Role_Name}"
  }
}
```
main.tf:

```hcl
data "aws_organizations_organization" "myorg" {
  provider = aws.management_account
}

module "guardduty_enabler_audit" {
  source = "../../../Modules/logging_guardduty_enabler_audit"
  providers = {
    aws.org = aws.audit_account
  }
  gd_finding_publishing_frequency = var.finding_publishing_frequency
  delegated_admin_account_id      = var.Deployment_Region
  gd_my_org                       = data.aws_organizations_organization.myorg
}

module "securityhub_enabler_audit" {
  providers = {
    aws.org = aws.audit_account
  }
  source = "../../../Modules/logging_securityhub_enabler_audit"
  Deployment_Region                = var.Deployment_Region
  delegated_admin_account_id       = var.Deployment_Region
  my_org                           = data.aws_organizations_organization.myorg
  linking_mode                     = var.linking_mode
  specified_regions                = var.securityhub_aggregation_source_regions
  finding_aggregation_region       = var.securityhub_finding_aggregation_region
  securityhub_products_integration = var.securityhub_products_integration
}
```
tfvars file:

```hcl
# AUDIT ACCOUNT
Deployment_Account  = "111111111111"
Deployment_Region   = "us-west-1"
Terraform_Role_Name = "assume_role_name"

# Enter account ID of the Delegated admin account.
management_account = "222222222222"

finding_publishing_frequency = "FIFTEEN_MINUTES"

# SecurityHub specific code
linking_mode                           = "SPECIFIED_REGIONS"
securityhub_finding_aggregation_region = "us-east-1"
securityhub_aggregation_source_regions = ["us-east-2", "ap-south-1", "us-west-1"]
securityhub_products_integration       = ["guardduty", "inspector", "macie"]
```
Debug logs attached: tf_debug_copy_2.txt

- 111111111111 - delegated admin account
- 222222222222 - org management account
- 333333333333 & 444444444444 - member accounts

Before running this code, I had run another configuration in the management account to delegate the audit account as admin for Security Hub and GuardDuty.
Hey @vermamanoj, thank you for the additional information. I've marked this as a bug so that we can take a look into it as soon as time allows.
@vermamanoj After enabling aws_securityhub_organization_admin_account, organization configuration is delegated to the member account, so you will need to execute aws_securityhub_organization_configuration under the member account's provider:

```hcl
resource "aws_securityhub_organization_admin_account" "admin_account_id" {
  admin_account_id = local.lz_info_sec_account.id
}

resource "aws_securityhub_organization_configuration" "enable_config_automatically" {
  provider    = aws.lz_info_sec_account
  auto_enable = true
  depends_on  = [aws_securityhub_organization_admin_account.admin_account_id]
}
```
Hey @vermamanoj, were you able to test using the information provided above to see if it resolves your issue?
I just encountered this problem.
aws_securityhub_organization_admin_account did not work when the Security Hub admin account was not the AWS main organization account. I could enable the Security Hub organization admin account on a non-main AWS organization account through the console, and the rest of the configuration (aws_securityhub_member and aws_securityhub_finding_aggregator) could be configured through Terraform.
It would be great to do aws_securityhub_organization_admin_account through Terraform too, though, so this bug is still active.
I have just encountered this same problem:

```
│ Error: updating Security Hub Organization Configuration (): InvalidAccessException: Account *** is not an administrator for this organization
│ {
│   RespMetadata: {
│     StatusCode: 401,
│     RequestID: "c3e94889-7aea-4e8d-aaa1-ae101de7231d"
│   },
│   Code: "InvalidAccessException",
│   Message: "Account *** is not an administrator for this organization"
│ }
```

I was attempting to assign the aws_securityhub_organization_configuration block to a sub-account in the organisation.
@ADobrodey is right. The same works for us. In the organization management account we create the main resources: aws_securityhub_account, and aws_securityhub_organization_admin_account to delegate another account as the administrator of Security Hub. And then, in the other account, we run the rest of the Terraform resources, like aws_securityhub_finding_aggregator, aws_securityhub_organization_configuration and aws_securityhub_standards_subscription.
To handle this in a single Terraform module we use account conditionals, so that the same module can be called in each account with different functionality. For example:

```hcl
# Enable Security Hub in the organization management account
resource "aws_securityhub_account" "itgix_primary" {
  count = var.enable_security_hub && var.management_account_run ? 1 : 0
}

# Designate a Security Hub admin account (management account only)
resource "aws_securityhub_organization_admin_account" "itgix_primary" {
  count            = var.enable_security_hub && var.management_account_run ? 1 : 0
  admin_account_id = var.organization_delegated_admin_account_id
  depends_on       = [aws_securityhub_account.itgix_primary]
}

# Cross-region finding aggregation (delegated admin account only)
resource "aws_securityhub_finding_aggregator" "itgix_primary" {
  count        = var.enable_security_hub && var.security_account_run ? 1 : 0
  linking_mode = "ALL_REGIONS"
}

# Auto enable Security Hub in organization member accounts (delegated admin account only)
resource "aws_securityhub_organization_configuration" "itgix_primary" {
  count       = var.enable_security_hub && var.security_account_run ? 1 : 0
  auto_enable = true
}
```
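Pulling the two replies above together (the one showing `aws_securityhub_organization_configuration` under the member account's provider, and the conditional-module version), here is an added example of a single root module that keeps the management-account calls and the delegated-admin calls on separate providers. This is example code written for this thread, not code from the issue reporter, the commenters or the AWS provider itself; the provider aliases, the variable names, and the assumption that a role named `TerraformRole` exists in both accounts are all assumptions made for illustration.

```hcl
# Added example, not from the original thread. Two aliased providers: one whose
# credentials land in the organization management account, one whose credentials
# land in the account being delegated as Security Hub administrator.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

variable "region" {
  type    = string
  default = "us-west-1"
}

variable "management_account_id" {
  type        = string
  description = "Organization management account (assumed name)"
}

variable "security_account_id" {
  type        = string
  description = "Account to designate as delegated Security Hub administrator (assumed name)"
}

variable "role_name" {
  type    = string
  default = "TerraformRole" # assumption: the same role name exists in both accounts
}

provider "aws" {
  alias  = "management"
  region = var.region
  assume_role {
    role_arn = "arn:aws:iam::${var.management_account_id}:role/${var.role_name}"
  }
}

provider "aws" {
  alias  = "security"
  region = var.region
  assume_role {
    role_arn = "arn:aws:iam::${var.security_account_id}:role/${var.role_name}"
  }
}

# Security Hub has to be enabled in the management account before it can delegate.
resource "aws_securityhub_account" "management" {
  provider = aws.management
}

# Only the organization management account may designate the delegated admin.
resource "aws_securityhub_organization_admin_account" "security" {
  provider         = aws.management
  admin_account_id = var.security_account_id
  depends_on       = [aws_securityhub_account.management]
}

# Everything below must run as the delegated administrator. Calling these
# resources through the management provider (or before the delegation exists)
# is what produces the "InvalidAccessException: Account ... is not an
# administrator for this organization" error quoted earlier in the thread.
resource "aws_securityhub_finding_aggregator" "security" {
  provider     = aws.security
  linking_mode = "ALL_REGIONS"
  depends_on   = [aws_securityhub_organization_admin_account.security]
}

resource "aws_securityhub_organization_configuration" "security" {
  provider    = aws.security
  auto_enable = true
  depends_on  = [aws_securityhub_organization_admin_account.security]
}
```

The explicit `depends_on` edges matter: there is no attribute reference between the delegation resource and the admin-side resources, so without them Terraform is free to call UpdateOrganizationConfiguration before EnableOrganizationAdminAccount has completed. No `aws_securityhub_account` is declared under the `security` provider because designating the delegated administrator enables Security Hub in that account in the region where the delegation is made.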
Terraform CLI and Terraform AWS Provider Version
Terraform v1.1.0 on darwin_amd64
Terraform Configuration Files
Output:
Expected Behavior
When enabling SecurityHub and delegating the account, the request should have been successful, considering the account is the management account for Organizations.
Note that using
`aws securityhub enable-organization-admin-account --admin-account-id=<redacted>`
does work using the exact same privileges.
Actual Behavior
An error is raised stating that the account is not authorized to delegate the SecurityHub administrator to another account within the organization.
Steps to Reproduce
terraform init
terraform apply