hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_inspector2_member_association did not log access denied #38895

Closed roynesholen closed 1 month ago

roynesholen commented 2 months ago

Terraform Core Version

1.9.4

AWS Provider Version

5.63.0

Affected Resource(s)

resource "aws_inspector2_member_association" "members" {
  provider   = aws
  for_each   = toset(local.member_account_ids)
  account_id = each.key
  depends_on = [aws_inspector2_enabler.audit_eu-north-1]
}

Expected Behavior

CloudTrail logs for this resource log Access Denied when I miss the correct Allowed inspector2 policy.

Actual Behavior

│ Error: creating Amazon Inspector Member Association (186558567702): waiting for completion: couldn't find resource (21 retries)
│ 
│   with aws_inspector2_member_association.members["xxxxxxxxxx"],
│   on inspector.tf line 61, in resource "aws_inspector2_member_association" "members":
│   61: resource "aws_inspector2_member_association" "members" {
│ 
╵

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

###########################################
# Enable Amazon Inspector in Audit account in eu-north-1
# Audit account is delegated admin in landingzone repo
###########################################

resource "aws_inspector2_enabler" "audit_eu-north-1" {
  count          = var.org_inspector2_enabled ? 1 : 0
  resource_types = ["ECR", "EC2", "LAMBDA", "LAMBDA_CODE"]
  account_ids    = [data.aws_caller_identity.current.account_id]
}

#Inspector auto-enable on new member accounts in eu-north-1
resource "aws_inspector2_organization_configuration" "eu_north_1" {
  count    = var.org_inspector2_enabled ? 1 : 0
  provider = aws
  auto_enable {
    ec2         = var.enable_ec2
    ecr         = var.enable_ecr
    lambda      = var.enable_lambda
    lambda_code = var.enable_lambda_code && var.enable_lambda
  }
  depends_on = [aws_inspector2_enabler.audit_eu-north-1]
}

# Get all accounts in the organization and we will not set audit account again
data "aws_organizations_organization" "org_eu_north_1" {
  provider = aws
}

locals {
  enabler_resource_types = compact([
    var.enable_ec2 ? "EC2" : null,
    var.enable_ecr ? "ECR" : null,
    var.enable_lambda ? "LAMBDA" : null,
    var.enable_lambda_code && var.enable_lambda ? "LAMBDA_CODE" : null,
  ])

  # Exclude the audit (current) account: compare account.id with the caller's
  # account_id string, not with the aws_caller_identity data source object itself.
  member_account_ids = [for account in data.aws_organizations_organization.org_eu_north_1.accounts : account.id if account.status == "ACTIVE" && account.id != data.aws_caller_identity.current.account_id]
}

#Associate all member accounts with the audit account eu-north-1
resource "aws_inspector2_member_association" "members" {
  provider   = aws
  for_each   = toset(local.member_account_ids)
  account_id = each.key
  depends_on = [aws_inspector2_enabler.audit_eu-north-1]
}

#enable Inspector scans in the member accounts in region eu-north-1
resource "aws_inspector2_enabler" "members_eu_north_1" {
  provider       = aws
  for_each       = toset(local.member_account_ids)
  account_ids    = [each.key]
  resource_types = local.enabler_resource_types
  depends_on     = [aws_inspector2_member_association.members]
}

Steps to Reproduce

Not giving the correct inspector2 Allowed policy needed for aws_inspector2_member_association.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
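The report above expects the denial to be visible somewhere even when the provider's own error does not name it, and CloudTrail is where it lands. The Go program below is added here as a worked example; it is not part of the issue, the reporter's configuration or the provider. It reads a CloudTrail log file body, keeps the inspector2 calls recorded with errorCode AccessDenied, and turns them into the list of IAM actions the deploy role is missing. The log excerpt is constructed, the account ID and role name are placeholders, and the mapping of eventName to an "inspector2:" action (and the specific event names AssociateMember and GetMember) is an assumption to confirm against your own trail, your Terraform debug log and the Service Authorization Reference.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// cloudTrailRecord holds the subset of CloudTrail fields this check reads.
type cloudTrailRecord struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	AWSRegion    string `json:"awsRegion"`
	ErrorCode    string `json:"errorCode"`
	ErrorMessage string `json:"errorMessage"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
}

// Denial is one inspector2 API call that IAM refused.
type Denial struct {
	Time      string
	Region    string
	Action    string // IAM action name, e.g. inspector2:AssociateMember
	Principal string
	Message   string
}

// FindInspectorDenials parses a CloudTrail log file body ({"Records":[...]})
// and returns every inspector2 call recorded with errorCode AccessDenied.
// The IAM action is derived as "inspector2:" + eventName; this is an
// assumption that holds for the Inspector2 operations seen in this thread
// and should be verified for any event you have not seen before.
func FindInspectorDenials(raw []byte) ([]Denial, error) {
	var logFile struct {
		Records []cloudTrailRecord `json:"Records"`
	}
	if err := json.Unmarshal(raw, &logFile); err != nil {
		return nil, fmt.Errorf("parse CloudTrail log: %w", err)
	}
	var denials []Denial
	for _, r := range logFile.Records {
		if r.EventSource != "inspector2.amazonaws.com" || r.ErrorCode != "AccessDenied" {
			continue
		}
		denials = append(denials, Denial{
			Time:      r.EventTime,
			Region:    r.AWSRegion,
			Action:    "inspector2:" + r.EventName,
			Principal: r.UserIdentity.ARN,
			Message:   r.ErrorMessage,
		})
	}
	return denials, nil
}

// MissingActions returns the distinct denied actions, sorted: the list to
// add to the deploy role's policy statement for Inspector2.
func MissingActions(denials []Denial) []string {
	seen := map[string]bool{}
	for _, d := range denials {
		seen[d.Action] = true
	}
	actions := make([]string, 0, len(seen))
	for a := range seen {
		actions = append(actions, a)
	}
	sort.Strings(actions)
	return actions
}

// SampleLog is a constructed CloudTrail excerpt, not real account data: two
// denied Inspector2 calls, one successful Inspector2 call and an unrelated
// STS event that must be ignored.
const SampleLog = `{"Records":[
{"eventTime":"2024-08-23T12:05:11Z","eventSource":"inspector2.amazonaws.com","eventName":"AssociateMember","awsRegion":"eu-north-1","errorCode":"AccessDenied","errorMessage":"User: arn:aws:sts::111111111111:assumed-role/deploy/tf is not authorized to perform: inspector2:AssociateMember","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/deploy/tf"}},
{"eventTime":"2024-08-23T12:05:12Z","eventSource":"inspector2.amazonaws.com","eventName":"GetMember","awsRegion":"eu-north-1","errorCode":"AccessDenied","errorMessage":"User: arn:aws:sts::111111111111:assumed-role/deploy/tf is not authorized to perform: inspector2:GetMember","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/deploy/tf"}},
{"eventTime":"2024-08-23T12:05:13Z","eventSource":"inspector2.amazonaws.com","eventName":"BatchGetAccountStatus","awsRegion":"eu-north-1","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/deploy/tf"}},
{"eventTime":"2024-08-23T12:05:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"eu-north-1","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/ci"}}
]}`

func main() {
	denials, err := FindInspectorDenials([]byte(SampleLog))
	if err != nil {
		panic(err)
	}
	for _, d := range denials {
		fmt.Printf("%s %s %s denied for %s\n", d.Time, d.Region, d.Action, d.Principal)
	}
	fmt.Println("actions to grant:", MissingActions(denials))
}
```

Point this at the gzipped objects in your CloudTrail bucket for the time window of the failed apply (filtering on the session name from the "aws-go-sdk-..." principal makes the Terraform run easy to isolate), and the output is the action list the provider's "couldn't find resource" message hides.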

justinretzolk commented 2 months ago

Hey @roynesholen 👋 Thank you for taking the time to raise this! Are you able to provide debug logs (redacted as needed)?

roynesholen commented 2 months ago

@justinretzolk Hi, I added a filtered Terraform debug log for this test account in the sandbox. The Terraform debug log says the Access Denied reason.

debug.log

The normal log says 21 retries...

module.inspector-eu-west-1[0].aws_inspector2_member_association.members["xxxxx"]: Still creating... [2m20s elapsed]
module.inspector-eu-west-1[0].aws_inspector2_member_association.members["xxxxx"]: Still creating... [2m30s elapsed]
module.inspector-eu-north-1[0].aws_inspector2_member_association.members["xxxxx"]: Still creating... [2m31s elapsed]
╷
│ Error: creating Amazon Inspector Member Association (xxxxxx): waiting for completion: couldn't find resource (21 retries)
│
│   with module.inspector-eu-west-1[0].aws_inspector2_member_association.members["xxxxx"],
│   on modules/inspector/inspector.tf line 37, in resource "aws_inspector2_member_association" "members":
│   37: resource "aws_inspector2_member_association" "members" {
│
╵

roynesholen commented 2 months ago

FYI: The next inspector2 service that I also forgot in the policy logged the deny reason correctly in the standard logs.

module.inspector-eu-west-1[0].aws_inspector2_member_association.members["xxxxxxx"]: Destroying... [id=xxxxxxx]
╷
│ Error: deleting Amazon Inspector Member Association (xxxxxx): operation error Inspector2: DisassociateMember, https response error StatusCode: 403, RequestID: 8e4d0931-3707-45db-aaed-e2b163c0d713, AccessDeniedException: User: arn:aws:sts::xxxxx:assumed-role/xxx/aws-go-sdk-1724414893096856936 is not authorized to perform: inspector2:DisassociateMember on resource: arn:aws:inspector2:eu-north-1:xxxxxx:/members/disassociate
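The contrast in the two comments above (a 403 on DisassociateMember surfaces as AccessDeniedException with the missing action named, while the same class of 403 during the create-side wait shows up as "couldn't find resource (21 retries)") is what a wait loop produces when it treats every error as "not there yet". The Go program below is an added example written for this page, not code from the provider, and reproduces both behaviours against a fake GetMember call: apiError, getMember, the fake services, the account IDs and the Inspector2 error-code names used in the transient allow-list are stand-ins, and which API the real waiter polls should be read from the debug log rather than assumed from this example.

```go
package main

import (
	"errors"
	"fmt"
)

// apiError is a stand-in for an AWS SDK service error; the real SDK carries
// the same code and message through smithy.APIError. Constructed here.
type apiError struct{ code, msg string }

func (e *apiError) Error() string { return e.code + ": " + e.msg }

// getMember stands in for the Inspector2 call a waiter polls: it returns the
// member's relationship status or a service error.
type getMember func(accountID string) (status string, err error)

// errNotFound is the sentinel the wait loop reports when it gives up.
var errNotFound = errors.New("couldn't find resource")

// waitMasking reproduces the behaviour reported in the issue: every error
// from the poll is treated as "not there yet", so a permanent 403 burns the
// whole retry budget and is reported as "couldn't find resource (N retries)".
func waitMasking(get getMember, accountID string, maxRetries int) (string, error) {
	for i := 0; i < maxRetries; i++ {
		status, err := get(accountID)
		if err == nil && status == "ENABLED" {
			return status, nil
		}
	}
	return "", fmt.Errorf("waiting for completion: %w (%d retries)", errNotFound, maxRetries)
}

// waitClassifying separates the three outcomes a poll can have: done,
// transient (keep polling) and terminal. A terminal error such as
// AccessDeniedException is returned on its first occurrence, wrapped so the
// service's own message (which names the missing IAM action) reaches the
// operator instead of being replaced by the not-found sentinel.
func waitClassifying(get getMember, accountID string, maxRetries int) (string, error) {
	for i := 0; i < maxRetries; i++ {
		status, err := get(accountID)
		switch {
		case err == nil && status == "ENABLED":
			return status, nil
		case err == nil:
			continue // e.g. CREATING: the association exists but is not ready
		case isTransient(err):
			continue
		default:
			return "", fmt.Errorf("waiting for completion: %w", err)
		}
	}
	return "", fmt.Errorf("waiting for completion: %w (%d retries)", errNotFound, maxRetries)
}

// isTransient is the allow-list of error codes worth retrying. Anything not
// on it (AccessDeniedException, ValidationException, ...) will not fix itself
// by polling. The code names are assumed Inspector2 exception names.
func isTransient(err error) bool {
	var ae *apiError
	if !errors.As(err, &ae) {
		return false
	}
	switch ae.code {
	case "ResourceNotFoundException", "ThrottlingException", "InternalServerException":
		return true
	}
	return false
}

// newDenyingService simulates a deploy role lacking inspector2:GetMember and
// counts how many times the waiter called it. Principal and account are placeholders.
func newDenyingService() (getMember, *int) {
	calls := 0
	return func(accountID string) (string, error) {
		calls++
		return "", &apiError{
			code: "AccessDeniedException",
			msg:  "User: arn:aws:sts::111111111111:assumed-role/deploy/tf is not authorized to perform: inspector2:GetMember",
		}
	}, &calls
}

// newEventuallyEnabledService simulates the normal create path: not found for
// the first two polls, then ENABLED.
func newEventuallyEnabledService() getMember {
	calls := 0
	return func(accountID string) (string, error) {
		calls++
		if calls < 3 {
			return "", &apiError{code: "ResourceNotFoundException", msg: "member not found"}
		}
		return "ENABLED", nil
	}
}

func main() {
	denied, calls := newDenyingService()
	_, err := waitMasking(denied, "222222222222", 21)
	fmt.Printf("masking waiter:     %v (after %d calls)\n", err, *calls)

	denied, calls = newDenyingService()
	_, err = waitClassifying(denied, "222222222222", 21)
	fmt.Printf("classifying waiter: %v (after %d calls)\n", err, *calls)

	status, err := waitClassifying(newEventuallyEnabledService(), "222222222222", 21)
	fmt.Printf("normal path:        status=%s err=%v\n", status, err)
}
```

The design point is the allow-list in isTransient: a waiter should enumerate the errors it is willing to retry and fail fast on everything else, because a permission error that is retried 21 times costs minutes of wall clock and, as this issue shows, erases the one message that says what to fix.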

github-actions[bot] commented 1 month ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

github-actions[bot] commented 1 month ago

This functionality has been released in v5.69.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 2 days ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.