hashicorp / terraform-provider-awscc

Terraform AWS Cloud Control provider
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Mozilla Public License 2.0

awscc_securityhub_configuration_policy: Creation fails with InvalidRequest even with all attrs/args provided #1825

Open acwwat opened 1 week ago

acwwat commented 1 week ago

Community Note

Terraform CLI and Terraform AWS Cloud Control Provider Version

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

This needs to be run on the delegated admin account. I have also omitted awscc_securityhub_policy_association.example from the config for simplicity, although you might see it in the plan in the logs I provided.

resource "awscc_securityhub_finding_aggregator" "example" {
  region_linking_mode = "ALL_REGIONS"
}

resource "awscc_securityhub_organization_configuration" "example" {
  auto_enable           = false
  auto_enable_standards = "NONE"
  configuration_type    = "CENTRAL"
  depends_on            = [awscc_securityhub_finding_aggregator.example]
}

resource "awscc_securityhub_configuration_policy" "example" {
  configuration_policy = {
    security_hub = {
      enabled_standard_identifiers = [
        "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
      ]
      # Attribute names follow the provider schema as shown in the plan output.
      # Both lists are set to [] explicitly, mirroring what the console sends.
      security_controls_configuration = {
        disabled_security_control_identifiers = []
        security_control_custom_parameters    = []
      }
      service_enabled = true
    }
  }
  name        = "example"
  description = "An example configuration policy"
  # Central organization configuration has to exist before a policy is created.
  depends_on  = [awscc_securityhub_organization_configuration.example]
}

Debug Output

2024-06-16T23:55:42.140-0400 [INFO]  Starting apply for awscc_securityhub_configuration_policy.example
2024-06-16T23:55:42.140-0400 [DEBUG] skipping FixUpBlockAttrs
2024-06-16T23:55:42.140-0400 [DEBUG] awscc_securityhub_configuration_policy.example: applying the planned Create change
2024-06-16T23:55:42.141-0400 [DEBUG] provider.terraform-provider-awscc_v1.2.0_x5.exe: Request.Plan.Raw: tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-provider-awscc/internal/generic/resource.go:349 @module=awscc tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_resource_type=awscc_securityhub_configuration_policy cfn_type=AWS::SecurityHub::ConfigurationPolicy tf_req_id=f94369c6-7b79-f38f-36e8-53095df71923 value="tftypes.Object[\"arn\":tftypes.String, \"configuration_policy\":tftypes.Object[\"security_hub\":tftypes.Object[\"enabled_standard_identifiers\":tftypes.List[tftypes.String], \"security_controls_configuration\":tftypes.Object[\"disabled_security_control_identifiers\":tftypes.List[tftypes.String], \"enabled_security_control_identifiers\":tftypes.List[tftypes.String], \"security_control_custom_parameters\":tftypes.List[tftypes.Object[\"parameters\":tftypes.Map[tftypes.Object[\"value\":tftypes.Object[\"boolean\":tftypes.Bool, \"double\":tftypes.Number, \"enum\":tftypes.String, \"enum_list\":tftypes.List[tftypes.String], \"integer\":tftypes.Number, \"integer_list\":tftypes.List[tftypes.Number], \"string\":tftypes.String, \"string_list\":tftypes.List[tftypes.String]], \"value_type\":tftypes.String]], \"security_control_id\":tftypes.String]]], \"service_enabled\":tftypes.Bool]], \"configuration_policy_id\":tftypes.String, \"created_at\":tftypes.String, \"description\":tftypes.String, \"id\":tftypes.String, \"name\":tftypes.String, \"service_enabled\":tftypes.Bool, \"tags\":tftypes.Map[tftypes.String], \"updated_at\":tftypes.String]<\"arn\":tftypes.String<unknown>, \"configuration_policy\":tftypes.Object[\"security_hub\":tftypes.Object[\"enabled_standard_identifiers\":tftypes.List[tftypes.String], \"security_controls_configuration\":tftypes.Object[\"disabled_security_control_identifiers\":tftypes.List[tftypes.String], \"enabled_security_control_identifiers\":tftypes.List[tftypes.String], 
\"security_control_custom_parameters\":tftypes.List[tftypes.Object[\"parameters\":tftypes.Map[tftypes.Object[\"value\":tftypes.Object[\"boolean\":tftypes.Bool, \"double\":tftypes.Number, \"enum\":tftypes.String, \"enum_list\":tftypes.List[tftypes.String], \"integer\":tftypes.Number, \"integer_list\":tftypes.List[tftypes.Number], \"string\":tftypes.String, \"string_list\":tftypes.List[tftypes.String]], \"value_type\":tftypes.String]], \"security_control_id\":tftypes.String]]], \"service_enabled\":tftypes.Bool]]<\"security_hub\":tftypes.Object[\"enabled_standard_identifiers\":tftypes.List[tftypes.String], \"security_controls_configuration\":tftypes.Object[\"disabled_security_control_identifiers\":tftypes.List[tftypes.String], \"enabled_security_control_identifiers\":tftypes.List[tftypes.String], \"security_control_custom_parameters\":tftypes.List[tftypes.Object[\"parameters\":tftypes.Map[tftypes.Object[\"value\":tftypes.Object[\"boolean\":tftypes.Bool, \"double\":tftypes.Number, \"enum\":tftypes.String, \"enum_list\":tftypes.List[tftypes.String], \"integer\":tftypes.Number, \"integer_list\":tftypes.List[tftypes.Number], \"string\":tftypes.String, \"string_list\":tftypes.List[tftypes.String]], \"value_type\":tftypes.String]], \"security_control_id\":tftypes.String]]], \"service_enabled\":tftypes.Bool]<\"enabled_standard_identifiers\":tftypes.List[tftypes.String]<tftypes.String<\"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0\">, tftypes.String<\"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\">>, \"security_controls_configuration\":tftypes.Object[\"disabled_security_control_identifiers\":tftypes.List[tftypes.String], \"enabled_security_control_identifiers\":tftypes.List[tftypes.String], \"security_control_custom_parameters\":tftypes.List[tftypes.Object[\"parameters\":tftypes.Map[tftypes.Object[\"value\":tftypes.Object[\"boolean\":tftypes.Bool, \"double\":tftypes.Number, \"enum\":tftypes.String, 
\"enum_list\":tftypes.List[tftypes.String], \"integer\":tftypes.Number, \"integer_list\":tftypes.List[tftypes.Number], \"string\":tftypes.String, \"string_list\":tftypes.List[tftypes.String]], \"value_type\":tftypes.String]], \"security_control_id\":tftypes.String]]]<\"disabled_security_control_identifiers\":tftypes.List[tftypes.String]<unknown>, \"enabled_security_control_identifiers\":tftypes.List[tftypes.String]<unknown>, \"security_control_custom_parameters\":tftypes.List[tftypes.Object[\"parameters\":tftypes.Map[tftypes.Object[\"value\":tftypes.Object[\"boolean\":tftypes.Bool, \"double\":tftypes.Number, \"enum\":tftypes.String, \"enum_list\":tftypes.List[tftypes.String], \"integer\":tftypes.Number, \"integer_list\":tftypes.List[tftypes.Number], \"string\":tftypes.String, \"string_list\":tftypes.List[tftypes.String]], \"value_type\":tftypes.String]], \"security_control_id\":tftypes.String]]<>>, \"service_enabled\":tftypes.Bool<\"true\">>>, \"configuration_policy_id\":tftypes.String<unknown>, \"created_at\":tftypes.String<unknown>, \"description\":tftypes.String<\"An example configuration policy\">, \"id\":tftypes.String<unknown>, \"name\":tftypes.String<\"example\">, \"service_enabled\":tftypes.Bool<unknown>, \"tags\":tftypes.Map[tftypes.String]<unknown>, \"updated_at\":tftypes.String<unknown>>" timestamp=2024-06-16T23:55:42.141-0400
2024-06-16T23:55:42.141-0400 [DEBUG] provider.terraform-provider-awscc_v1.2.0_x5.exe: CloudControl DesiredState: @caller=github.com/hashicorp/terraform-provider-awscc/internal/generic/resource.go:362 @module=awscc tf_req_id=f94369c6-7b79-f38f-36e8-53095df71923 tf_resource_type=awscc_securityhub_configuration_policy tf_rpc=ApplyResourceChange cfn_type=AWS::SecurityHub::ConfigurationPolicy tf_provider_addr=registry.terraform.io/hashicorp/awscc value="{\"ConfigurationPolicy\":{\"SecurityHub\":{\"EnabledStandardIdentifiers\":[\"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0\",\"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\"],\"ServiceEnabled\":true}},\"Description\":\"An example configuration policy\",\"Name\":\"example\"}" timestamp=2024-06-16T23:55:42.141-0400
2024-06-16T23:55:42.141-0400 [DEBUG] provider.terraform-provider-awscc_v1.2.0_x5.exe: HTTP Request Sent: cfn_type=AWS::SecurityHub::ConfigurationPolicy http.request.header.amz_sdk_invocation_id=fbe2b364-f7c9-4754-a2da-1d68d6570fde http.request.header.x_amz_target=CloudApiService.CreateResource rpc.system=aws-api tf_aws.signing_region="" tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.53/logging/tf_logger.go:45 http.request.header.amz_sdk_request="attempt=1; max=25" http.request.header.x_amz_security_token="*****" http.url=https://cloudcontrolapi.us-east-1.amazonaws.com/ net.peer.name=cloudcontrolapi.us-east-1.amazonaws.com http.method=POST http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************7JZ5/20240617/us-east-1/cloudcontrolapi/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=*****" tf_resource_type=awscc_securityhub_configuration_policy http.request.header.content_type=application/x-amz-json-1.0 tf_aws.sdk=aws-sdk-go-v2 tf_provider_addr=registry.terraform.io/hashicorp/awscc aws.region=us-east-1
  http.request.body=
  | {"ClientToken":"terraform-20240617035542141900000001","DesiredState":"{\"ConfigurationPolicy\":{\"SecurityHub\":{\"EnabledStandardIdentifiers\":[\"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0\",\"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\"],\"ServiceEnabled\":true}},\"Description\":\"An example configuration policy\",\"Name\":\"example\"}","TypeName":"AWS::SecurityHub::ConfigurationPolicy"}
   http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.6.6 (+https://www.terraform.io) terraform-provider-awscc/dev (+https://registry.terraform.io/providers/hashicorp/awscc) aws-sdk-go-v2/1.27.2 os/windows lang/go#1.22.2 md/GOOS#windows md/GOARCH#amd64 api/cloudcontrol#1.18.10" rpc.service=CloudControl tf_req_id=f94369c6-7b79-f38f-36e8-53095df71923 @module=awscc http.request.header.x_amz_date=20240617T035542Z http.request_content_length=464 rpc.method=CreateResource timestamp=2024-06-16T23:55:42.141-0400
2024-06-16T23:55:42.399-0400 [DEBUG] provider.terraform-provider-awscc_v1.2.0_x5.exe: HTTP Response Received: http.response.header.x_amzn_requestid=eabdae96-4c0c-4c0e-b39f-3f1669ff83c7 http.status_code=200 rpc.method=CreateResource tf_resource_type=awscc_securityhub_configuration_policy tf_req_id=f94369c6-7b79-f38f-36e8-53095df71923 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.53/logging/tf_logger.go:45 cfn_type=AWS::SecurityHub::ConfigurationPolicy http.duration=256 http.response.header.connection=keep-alive http.response.header.date="Mon, 17 Jun 2024 03:55:41 GMT" tf_aws.sdk=aws-sdk-go-v2 tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_rpc=ApplyResourceChange @module=awscc
  http.response.body=
  | {"ProgressEvent":{"EventTime":1.718596541846E9,"Operation":"CREATE","OperationStatus":"IN_PROGRESS","RequestToken":"3f2c6efc-bad6-446d-b968-c480158b7d07","TypeName":"AWS::SecurityHub::ConfigurationPolicy"}}
   http.response.header.content_type=application/x-amz-json-1.0 http.response_content_length=206 rpc.service=CloudControl tf_aws.signing_region="" aws.region=us-east-1 rpc.system=aws-api timestamp=2024-06-16T23:55:42.399-0400
2024-06-16T23:55:42.400-0400 [DEBUG] provider.terraform-provider-awscc_v1.2.0_x5.exe: HTTP Request Sent: tf_aws.sdk=aws-sdk-go-v2 http.request.header.content_type=application/x-amz-json-1.0 http.request_content_length=55 tf_resource_type=awscc_securityhub_configuration_policy aws.region=us-east-1 http.request.header.amz_sdk_request="attempt=1; max=25" rpc.service=CloudControl tf_req_id=f94369c6-7b79-f38f-36e8-53095df71923 http.request.header.amz_sdk_invocation_id=65d6a6c8-1f54-456f-b778-1c5c0266dec3 http.request.header.x_amz_target=CloudApiService.GetResourceRequestStatus rpc.method=GetResourceRequestStatus tf_provider_addr=registry.terraform.io/hashicorp/awscc cfn_type=AWS::SecurityHub::ConfigurationPolicy http.request.header.x_amz_date=20240617T035542Z http.url=https://cloudcontrolapi.us-east-1.amazonaws.com/ http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************7JZ5/20240617/us-east-1/cloudcontrolapi/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=*****"
  http.request.body=
  | {"RequestToken":"3f2c6efc-bad6-446d-b968-c480158b7d07"}
   http.request.header.x_amz_security_token="*****" http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.6.6 (+https://www.terraform.io) terraform-provider-awscc/dev (+https://registry.terraform.io/providers/hashicorp/awscc) aws-sdk-go-v2/1.27.2 os/windows lang/go#1.22.2 md/GOOS#windows md/GOARCH#amd64 api/cloudcontrol#1.18.10" tf_rpc=ApplyResourceChange net.peer.name=cloudcontrolapi.us-east-1.amazonaws.com @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.53/logging/tf_logger.go:45 http.method=POST rpc.system=aws-api tf_aws.signing_region="" @module=awscc timestamp=2024-06-16T23:55:42.399-0400
2024-06-16T23:55:42.453-0400 [DEBUG] provider.terraform-provider-awscc_v1.2.0_x5.exe: HTTP Response Received:
  http.response.body=
  | {"ProgressEvent":{"EventTime":1.718596541846E9,"Operation":"CREATE","OperationStatus":"IN_PROGRESS","RequestToken":"3f2c6efc-bad6-446d-b968-c480158b7d07","TypeName":"AWS::SecurityHub::ConfigurationPolicy"}}
   http.response.header.date="Mon, 17 Jun 2024 03:55:41 GMT" http.response.header.x_amzn_requestid=cccc4eb0-d426-4f72-bfe7-b276387c201b tf_aws.sdk=aws-sdk-go-v2 tf_aws.signing_region="" @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.53/logging/tf_logger.go:45 aws.region=us-east-1 tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_req_id=f94369c6-7b79-f38f-36e8-53095df71923 tf_resource_type=awscc_securityhub_configuration_policy http.duration=53 http.response.header.connection=keep-alive rpc.method=GetResourceRequestStatus @module=awscc http.response_content_length=206 http.status_code=200 rpc.service=CloudControl tf_rpc=ApplyResourceChange cfn_type=AWS::SecurityHub::ConfigurationPolicy http.response.header.content_type=application/x-amz-json-1.0 rpc.system=aws-api timestamp=2024-06-16T23:55:42.453-0400
2024-06-16T23:55:47.468-0400 [DEBUG] provider.terraform-provider-awscc_v1.2.0_x5.exe: HTTP Request Sent: http.request_content_length=55 rpc.service=CloudControl tf_aws.sdk=aws-sdk-go-v2 tf_resource_type=awscc_securityhub_configuration_policy aws.region=us-east-1
  http.request.body=
  | {"RequestToken":"3f2c6efc-bad6-446d-b968-c480158b7d07"}
   http.request.header.amz_sdk_invocation_id=af545836-0cbb-40e0-825a-c6320a637bc3 rpc.method=GetResourceRequestStatus rpc.system=aws-api cfn_type=AWS::SecurityHub::ConfigurationPolicy http.request.header.amz_sdk_request="attempt=1; max=25" http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************7JZ5/20240617/us-east-1/cloudcontrolapi/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=*****" http.request.header.content_type=application/x-amz-json-1.0 tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_req_id=f94369c6-7b79-f38f-36e8-53095df71923 tf_rpc=ApplyResourceChange @module=awscc http.request.header.x_amz_security_token="*****" http.url=https://cloudcontrolapi.us-east-1.amazonaws.com/ @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.53/logging/tf_logger.go:45 http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.6.6 (+https://www.terraform.io) terraform-provider-awscc/dev (+https://registry.terraform.io/providers/hashicorp/awscc) aws-sdk-go-v2/1.27.2 os/windows lang/go#1.22.2 md/GOOS#windows md/GOARCH#amd64 api/cloudcontrol#1.18.10" tf_aws.signing_region="" http.request.header.x_amz_target=CloudApiService.GetResourceRequestStatus http.method=POST http.request.header.x_amz_date=20240617T035547Z net.peer.name=cloudcontrolapi.us-east-1.amazonaws.com timestamp=2024-06-16T23:55:47.468-0400
2024-06-16T23:55:47.521-0400 [DEBUG] provider.terraform-provider-awscc_v1.2.0_x5.exe: HTTP Response Received: tf_resource_type=awscc_securityhub_configuration_policy http.response_content_length=460 http.status_code=200 rpc.method=GetResourceRequestStatus tf_aws.signing_region="" @module=awscc http.duration=51 tf_rpc=ApplyResourceChange rpc.system=aws-api tf_aws.sdk=aws-sdk-go-v2 aws.region=us-east-1 cfn_type=AWS::SecurityHub::ConfigurationPolicy
  http.response.body=
  | {"ProgressEvent":{"ErrorCode":"InvalidRequest","EventTime":1.718596542292E9,"Operation":"CREATE","OperationStatus":"FAILED","RequestToken":"3f2c6efc-bad6-446d-b968-c480158b7d07","StatusMessage":"Invalid semantics: Enabled standards and security control configurations must be configured when Security Hub is enabled (Service: SecurityHub, Status Code: 400, Request ID: 085c1c34-27a5-4e1a-921e-1ab59b39c6cb)","TypeName":"AWS::SecurityHub::ConfigurationPolicy"}}
   http.response.header.content_type=application/x-amz-json-1.0 http.response.header.date="Mon, 17 Jun 2024 03:55:47 GMT" rpc.service=CloudControl tf_provider_addr=registry.terraform.io/hashicorp/awscc @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.53/logging/tf_logger.go:45 http.response.header.connection=keep-alive http.response.header.x_amzn_requestid=724c67a4-92f0-4bcf-b37e-5a655c89156d tf_req_id=f94369c6-7b79-f38f-36e8-53095df71923 timestamp=2024-06-16T23:55:47.521-0400
2024-06-16T23:55:47.521-0400 [ERROR] provider.terraform-provider-awscc_v1.2.0_x5.exe: Response contains error diagnostic: tf_req_id=f94369c6-7b79-f38f-36e8-53095df71923 diagnostic_detail="Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Invalid semantics: Enabled standards and security control configurations must be configured when Security Hub is enabled (Service: SecurityHub, Status Code: 400, Request ID: 085c1c34-27a5-4e1a-921e-1ab59b39c6cb). ErrorCode: InvalidRequest" diagnostic_severity=ERROR tf_proto_version=6.6 tf_provider_addr=registry.terraform.io/hashicorp/awscc @caller=github.com/hashicorp/terraform-plugin-go@v0.23.0/tfprotov6/internal/diag/diagnostics.go:58 tf_resource_type=awscc_securityhub_configuration_policy @module=sdk.proto diagnostic_summary="AWS SDK Go Service Operation Incomplete" tf_rpc=ApplyResourceChange timestamp=2024-06-16T23:55:47.521-0400
2024-06-16T23:55:47.522-0400 [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
2024-06-16T23:55:47.522-0400 [ERROR] vertex "awscc_securityhub_configuration_policy.example" error: AWS SDK Go Service Operation Incomplete
2024-06-16T23:55:47.524-0400 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-06-16T23:55:47.546-0400 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/awscc/1.2.0/windows_amd64/terraform-provider-awscc_v1.2.0_x5.exe pid=20336
2024-06-16T23:55:47.546-0400 [DEBUG] provider: plugin exited

Panic Output

n/a

Expected Behavior

The awscc_securityhub_configuration_policy resource is created successfully.

Actual Behavior

The awscc_securityhub_configuration_policy resource fails to create with the error below. It seems that the security_controls_configuration attribute and its children aren't included in the request, per the debug log, even when I explicitly set them to empty arrays, as I observed in the CloudTrail event when I created the policy in the Security Hub console.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # awscc_securityhub_configuration_policy.example will be created
  + resource "awscc_securityhub_configuration_policy" "example" {
      + arn                     = (known after apply)
      + configuration_policy    = {
          + security_hub = {
              + enabled_standard_identifiers    = [
                  + "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                  + "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
                ]
              + security_controls_configuration = {
                  + disabled_security_control_identifiers = (known after apply)
                  + enabled_security_control_identifiers  = (known after apply)
                  + security_control_custom_parameters    = []
                }
              + service_enabled                 = true
            }
        }
      + configuration_policy_id = (known after apply)
      + created_at              = (known after apply)
      + description             = "An example configuration policy"
      + id                      = (known after apply)
      + name                    = "example"
      + service_enabled         = (known after apply)
      + tags                    = (known after apply)
      + updated_at              = (known after apply)
    }

  # awscc_securityhub_policy_association.example will be created
  + resource "awscc_securityhub_policy_association" "example" {
      + association_identifier     = (known after apply)
      + association_status         = (known after apply)
      + association_status_message = (known after apply)
      + association_type           = (known after apply)
      + configuration_policy_id    = (known after apply)
      + id                         = (known after apply)
      + target_id                  = "111111111111"
      + target_type                = "ACCOUNT"
      + updated_at                 = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

awscc_securityhub_configuration_policy.example: Creating...
╷
│ Error: AWS SDK Go Service Operation Incomplete
│
│   with awscc_securityhub_configuration_policy.example,
│   on main.tf line 17, in resource "awscc_securityhub_configuration_policy" "example":
│   17: resource "awscc_securityhub_configuration_policy" "example" {
│
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Invalid semantics:
│ Enabled standards and security control configurations must be configured when Security Hub is enabled (Service: SecurityHub, Status Code: 400, Request ID:
│ 6cc39026-9e3d-4687-826f-c68bdef07661). ErrorCode: InvalidRequest

Steps to Reproduce

  1. terraform apply

Important Factoids

n/a

References

n/a

quixoticmonk commented 1 week ago

Can reproduce the same with CloudFormation config below as well.

AWSTemplateFormatVersion: 2010-09-09

Description: Example template to create a Security Hub configuration policy
Resources:
  SecurityHubConfigurationPolicy:
    Type: AWS::SecurityHub::ConfigurationPolicy
    Properties:
      Name: SecurityHubConfigurationPolicyExample
      Description: Example template to create SecurityHub Configuration Policy
      ConfigurationPolicy:
        SecurityHub:
          ServiceEnabled: true
          EnabledStandardIdentifiers:
            - !Sub arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0

The corresponding AWS CLI command does work.

aws securityhub create-configuration-policy \
  --name "My Security Hub Configuration Policy" \
  --description "Configuration policy with all controls enabled" \
  --configuration-policy '{
    "SecurityHub": {
      "ServiceEnabled": true,
      "EnabledStandardIdentifiers": [
        "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
      ],
      "SecurityControlsConfiguration": {
        "DisabledSecurityControlIdentifiers": []
      }
    }
  }'

Will open a service ticket to check on this.

quixoticmonk commented 1 week ago

Still reviewing this. The SecurityHub policy is expecting an empty list to ascertain the enabled/disabled controls. The provider is not passing the empty lists in the configuration in the request, as mentioned in the original note in the issue.
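As an added example (not code from the issue, the awscc provider, or AWS), the following Python pre-flight check parses the CreateResource body captured in the debug log above, applies the semantic rule quoted in the API error, and diffs the wire payload against what the HCL declared, so the dropped SecurityControlsConfiguration key shows up before an apply. The encoded rule and the hand-built DECLARED_STATE and CLI_STATE dicts are assumptions derived from the thread, not from AWS documentation.

```python
"""Pre-flight check for an AWS::SecurityHub::ConfigurationPolicy payload.

Added example, not code from the issue or the awscc provider. The rule in
validate_security_hub_policy is inferred from the API error text, not AWS docs."""
import json

# Constructed from the http.request.body line in the debug output above.
PROVIDER_REQUEST_BODY = r'''{"ClientToken":"terraform-20240617035542141900000001","DesiredState":"{\"ConfigurationPolicy\":{\"SecurityHub\":{\"EnabledStandardIdentifiers\":[\"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0\",\"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\"],\"ServiceEnabled\":true}},\"Description\":\"An example configuration policy\",\"Name\":\"example\"}","TypeName":"AWS::SecurityHub::ConfigurationPolicy"}'''

FSBP = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
CIS = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"

# What the Terraform config declared, written with CloudFormation property
# names (hand-built from the HCL in the report; the empty lists are kept).
DECLARED_STATE = {
    "ConfigurationPolicy": {"SecurityHub": {
        "EnabledStandardIdentifiers": [FSBP, CIS],
        "SecurityControlsConfiguration": {
            "DisabledSecurityControlIdentifiers": [],
            "SecurityControlCustomParameters": [],
        },
        "ServiceEnabled": True,
    }},
    "Description": "An example configuration policy",
    "Name": "example",
}

# Shape of the working AWS CLI call quoted in the thread (hand-built).
CLI_STATE = {
    "ConfigurationPolicy": {"SecurityHub": {
        "ServiceEnabled": True,
        "EnabledStandardIdentifiers": [FSBP],
        "SecurityControlsConfiguration": {"DisabledSecurityControlIdentifiers": []},
    }},
    "Name": "My Security Hub Configuration Policy",
    "Description": "Configuration policy with all controls enabled",
}


def desired_state(request_body: str) -> dict:
    """Cloud Control carries DesiredState as a JSON string inside the JSON body."""
    return json.loads(json.loads(request_body)["DesiredState"])


def validate_security_hub_policy(state: dict) -> list[str]:
    """Apply the 'Invalid semantics' rule from the API error before an apply."""
    problems = []
    hub = state.get("ConfigurationPolicy", {}).get("SecurityHub")
    if hub is None:
        return ["ConfigurationPolicy.SecurityHub is missing"]
    if hub.get("ServiceEnabled") is True:
        if not hub.get("EnabledStandardIdentifiers"):
            problems.append("EnabledStandardIdentifiers must be non-empty when ServiceEnabled is true")
        if "SecurityControlsConfiguration" not in hub:
            problems.append("SecurityControlsConfiguration must be present when ServiceEnabled is true")
    return problems


def missing_on_wire(declared: dict, sent: dict, path: str = "") -> list[str]:
    """Dotted paths declared in config but absent from the request body.
    An empty list still counts as declared; dropping it is the reported bug."""
    missing = []
    for key, value in declared.items():
        here = f"{path}.{key}" if path else key
        if key not in sent:
            missing.append(here)
        elif isinstance(value, dict) and isinstance(sent[key], dict):
            missing.extend(missing_on_wire(value, sent[key], here))
    return missing


if __name__ == "__main__":
    sent = desired_state(PROVIDER_REQUEST_BODY)
    print("dropped:", missing_on_wire(DECLARED_STATE, sent), validate_security_hub_policy(sent))
```

Running it against the captured request reports the single dropped path ConfigurationPolicy.SecurityHub.SecurityControlsConfiguration, while the CLI-shaped payload passes the same rule.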