[Enhancement]: Add AWS Resource Tagging Standard ARN reference to `aws_securityhub_standards_subscription` resource doc

[acwwat]

Description

AWS has recently added a new AWS Resource Tagging Standard which can be used to identify if any of your AWS Resources are missing tag keys required by your organization. To save users from having to look up the ARN, it would be great to have the ARN for this new standard added to the list that already exist in the aws_securityhub_standards_subscription resource doc.

Affected Resource(s) and/or Data Source(s)

aws_securityhub_standards_subscription

Potential Terraform Configuration

n/a

References

• https://aws.amazon.com/about-aws/whats-new/2024/04/aws-security-hub-resource-tagging-standard/
• https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html

Would you like to implement a fix?

Yes

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[github-actions[bot]]

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions[bot]]

This functionality has been released in v5.49.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[rymancl]

@acwwat / @justinretzolk - Isn't there more that needs to be done for this new subscription to be fully implemented in the provider? This standard takes in the requiredTagKeys parameter, which goes in via the StandardsInput.

https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchEnableStandards.html

It seems the provider only allows for the standards ARN to be passed in.

[acwwat]

@rymancl You are correct. I have a separate branch in my local with the update, but forgot to follow through with opening a new issue when I was working on other issues. I'll circle back to this one shortly.

[acwwat]

I've looked into the requirements in more details and determined that adding StandardInput would not help set custom parameters for the security controls. The map parameter pertains to standards not security controls, and it actually just gets reverted to an empty map in the BatchEnableStandards response anyway since it's not in use. There's no way to pass the parameters when enabling a standard. Since the "enhancement" is not useful and the behavior would cause confusion, I won't check it in.

Meanwhile, what we need is actually #35447, specifically to have a new aws_securityhub_security_control resource to set custom parameters using UpdateSecurityControl.

As a workaround, you could use SHCPs via the aws_securityhub_configuration_policy resource which supports setting security_control_custom_parameter. SHCPs can be used in both for both local and central configuration.

[rymancl]

I confirmed what you're seeing. Hopefully not getting too off-topic here... I find it odd you have to configure those parameters per control and not at the standard level, especially for something like tagging. Am I correct that the only way to set the required tags parameter across all controls in the standard is to explicitly list out each control and set it that way? There are no data sources for SH to pull in a list of all controls for a standard; it isn't an attribute off of the standard resource either.

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.