Open acwwat opened 1 week ago
Can reproduce the same with CloudFormation config below as well.
AWSTemplateFormatVersion: 2010-09-09
Description: Example template to create a Security Hub configuration policy
Resources:
  SecurityHubConfigurationPolicy:
    Type: AWS::SecurityHub::ConfigurationPolicy
    Properties:
      Name: SecurityHubConfigurationPolicyExample
      Description: Example template to create SecurityHub Configuration Policy
      ConfigurationPolicy:
        SecurityHub:
          ServiceEnabled: true
          EnabledStandardIdentifiers:
            - !Sub arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0
The corresponding AWS CLI command does work.
aws securityhub create-configuration-policy \
  --name "My Security Hub Configuration Policy" \
  --description "Configuration policy with all controls enabled" \
  --configuration-policy '{
    "SecurityHub": {
      "ServiceEnabled": true,
      "EnabledStandardIdentifiers": [
        "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
      ],
      "SecurityControlsConfiguration": {
        "DisabledSecurityControlIdentifiers": []
      }
    }
  }'
Will open a service ticket to check on this.
Still reviewing this. The SecurityHub policy is expecting an empty list to ascertain the enabled/disabled controls. Provider is not passing the empty lists in the configuration in the request as mentioned in the original note in the issue.
Terraform CLI and Terraform AWS Cloud Control Provider Version
Affected Resource(s)
awscc_securityhub_configuration_policy
Terraform Configuration Files
Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.
This needs to be run on the delegated admin account. I also have omitted awscc_securityhub_policy_association.example from the config for simplicity, although you might see it in the plan in the logs I provided.
Debug Output
Panic Output
n/a
Expected Behavior
The awscc_securityhub_configuration_policy resource is created successfully.
Actual Behavior
The awscc_securityhub_configuration_policy resource fails to create with the error below. It seems that the security_controls_configuration attribute and its children aren't provided in the request per the debug log, even if I explicitly set them to empty arrays, as I observed in the CloudTrail event when I created it in the Security Hub console.
Steps to Reproduce
terraform apply
Important Factoids
n/a
References
n/a
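An added example, not code from the issue or from the awscc provider, that shapes a configuration-policy document the way the working CLI call in the thread shapes it, so the empty `DisabledSecurityControlIdentifiers` list the maintainer says the API expects is actually present in the request. It assumes the standards ARN pattern seen in this thread and that the enabled/disabled control lists are mutually exclusive.

```python
import json
import re
from copy import deepcopy

# Constructed example of the document as the report says the provider sends it:
# SecurityControlsConfiguration is absent because its lists were empty.
PROVIDER_REQUEST = {
    "SecurityHub": {
        "ServiceEnabled": True,
        "EnabledStandardIdentifiers": [
            "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
        ],
    }
}

# Assumption: pattern derived from the standards ARNs shown in this thread.
STANDARD_ARN = re.compile(
    r"^arn:aws[a-z-]*:securityhub:[a-z0-9-]+::standards/[a-z0-9-]+/v/\d+\.\d+\.\d+$"
)


def normalize_configuration_policy(doc):
    """Return a copy of `doc` shaped like the working CLI call: malformed
    standard ARNs are rejected early, and when Security Hub is enabled but no
    control list was given, an explicit empty DisabledSecurityControlIdentifiers
    list is inserted instead of dropping the whole SecurityControlsConfiguration."""
    out = deepcopy(doc)
    hub = out.get("SecurityHub")
    if not isinstance(hub, dict):
        raise ValueError("document must contain a SecurityHub object")
    for arn in hub.get("EnabledStandardIdentifiers", []):
        if not STANDARD_ARN.match(arn):
            raise ValueError(f"not a Security Hub standards ARN: {arn}")
    if hub.get("ServiceEnabled"):
        controls = hub.setdefault("SecurityControlsConfiguration", {})
        enabled = controls.get("EnabledSecurityControlIdentifiers")
        disabled = controls.get("DisabledSecurityControlIdentifiers")
        # Assumption: the API accepts one of the two lists, not both.
        if enabled is not None and disabled is not None:
            raise ValueError("give only one of Enabled/DisabledSecurityControlIdentifiers")
        if enabled is None and disabled is None:
            controls["DisabledSecurityControlIdentifiers"] = []  # keep the empty list
    return out


def to_cli_argument(doc):
    """Serialize the normalized document for --configuration-policy (compact JSON)."""
    return json.dumps(normalize_configuration_policy(doc), sort_keys=True, separators=(",", ":"))
```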