Open quixoticmonk opened 4 months ago
Digging into this deeper with the cloudcontrol API
aws cloudcontrol create-resource \
--region us-east-1 \
--type-name "AWS::SecurityHub::FindingAggregator" \
--desired-state '{"RegionLinkingMode":"ALL_REGIONS_EXCEPT_SPECIFIED","Regions":["ap-southeast-1","ap-southeast-2","ap-southeast-3","ap-southeast-4"]}'
{
"ProgressEvent": {
"TypeName": "AWS::SecurityHub::FindingAggregator",
"RequestToken": "9df3b4bb-c886-4533-9f31-fcde5eff6ae8",
"Operation": "CREATE",
"OperationStatus": "IN_PROGRESS",
"EventTime": "2024-07-22T16:05:36.300000-04:00"
}
}
aws cloudcontrol get-resource --type-name AWS::SecurityHub::FindingAggregator --identifier "arn:aws:securityhub:us-east-1:############:finding-aggregator/7cc86e06-5666-6589-402c-ea91d370d796"
{
"TypeName": "AWS::SecurityHub::FindingAggregator",
"ResourceDescription": {
"Identifier": "arn:aws:securityhub:us-east-1:############:finding-aggregator/7cc86e06-5666-6589-402c-ea91d370d796",
"Properties": "{\"RegionLinkingMode\":\"ALL_REGIONS_EXCEPT_SPECIFIED\",\"FindingAggregationRegion\":\"us-east-1\",\"FindingAggregatorArn\":\"arn:aws:securityhub:us-east-1:############:finding-aggregator/7cc86e06-5666-6589-402c-ea91d370d796\",\"Regions\":[\"ap-southeast-1\",\"ap-southeast-2\",\"ap-southeast-3\",\"ap-southeast-4\"]}"
}
}
aws cloudcontrol update-resource --type-name "AWS::SecurityHub::FindingAggregator" \
--identifier "arn:aws:securityhub:us-east-1:############:finding-aggregator/7cc86e06-5666-6589-402c-ea91d370d796" \
--patch-document "[{\"op\":\"replace\",\"path\":\"/RegionLinkingMode\",\"value\":\"ALL_REGIONS\"}]"
{
"ProgressEvent": {
"TypeName": "AWS::SecurityHub::FindingAggregator",
"Identifier": "arn:aws:securityhub:us-east-1:############:finding-aggregator/7cc86e06-5666-6589-402c-ea91d370d796",
"RequestToken": "f77cf32a-c6e8-4f74-8f94-266532656d90",
"Operation": "UPDATE",
"OperationStatus": "IN_PROGRESS",
"EventTime": "2024-07-22T16:09:47.740000-04:00",
"ResourceModel": "{\"RegionLinkingMode\":\"ALL_REGIONS\",\"FindingAggregatorArn\":\"arn:aws:securityhub:us-east-1:############:finding-aggregator/7cc86e06-5666-6589-402c-ea91d370d796\",\"Regions\":[\"ap-southeast-1\",\"ap-southeast-2\",\"ap-southeast-3\",\"ap-southeast-4\"]}"
}
}
aws cloudcontrol get-resource-request-status --request-token "f77cf32a-c6e8-4f74-8f94-266532656d90"
{
"ProgressEvent": {
"TypeName": "AWS::SecurityHub::FindingAggregator",
"Identifier": "arn:aws:securityhub:us-east-1:############:finding-aggregator/7cc86e06-5666-6589-402c-ea91d370d796",
"RequestToken": "f77cf32a-c6e8-4f74-8f94-266532656d90",
"Operation": "UPDATE",
"OperationStatus": "FAILED",
"EventTime": "2024-07-22T16:09:48.240000-04:00",
"StatusMessage": "Regions cannot be passed as input if RegionLinkingMode is set to 'ALL_REGIONS' or 'NO_REGIONS'. (Service: AWSSecurityHub; Status Code: 400; Error Code: InvalidInputException; Request ID: e22a59a0-c17b-47a9-8d86-395604b93ef9; Proxy: null)",
"ErrorCode": "InvalidRequest"
}
}
Opened an internal ticket to Cloud Control API to review if the patch document is expecting the empty regions list for updating RegionLinkingMode.
aws cloudcontrol update-resource --type-name "AWS::SecurityHub::FindingAggregator" \
--identifier "arn:aws:securityhub:us-east-1:############:finding-aggregator/7cc86e06-5666-6589-402c-ea91d370d796" \
--patch-document "[{\"op\":\"replace\",\"path\":\"/RegionLinkingMode\",\"value\":\"ALL_REGIONS\"},{\"op\":\"remove\",\"path\":\"Regions\"}]"
{
"ProgressEvent": {
"TypeName": "AWS::SecurityHub::FindingAggregator",
"Identifier": "arn:aws:securityhub:us-east-1:############:finding-aggregator/7cc86e06-5666-6589-402c-ea91d370d796",
"RequestToken": "cbdd01c6-dbf5-4507-bf3d-7e4eed2a6648",
"Operation": "UPDATE",
"OperationStatus": "IN_PROGRESS",
"EventTime": "2024-07-22T16:53:42.198000-04:00",
"ResourceModel": "{\"RegionLinkingMode\":\"ALL_REGIONS\",\"FindingAggregatorArn\":\"arn:aws:securityhub:us-east-1:############:finding-aggregator/7cc86e06-5666-6589-402c-ea91d370d796\"}"
}
}
aws cloudcontrol get-resource-request-status --request-token "cbdd01c6-dbf5-4507-bf3d-7e4eed2a6648"
{
"ProgressEvent": {
"TypeName": "AWS::SecurityHub::FindingAggregator",
"Identifier": "arn:aws:securityhub:us-east-1:############:finding-aggregator/7cc86e06-5666-6589-402c-ea91d370d796",
"RequestToken": "cbdd01c6-dbf5-4507-bf3d-7e4eed2a6648",
"Operation": "UPDATE",
"OperationStatus": "SUCCESS",
"EventTime": "2024-07-22T16:53:42.794000-04:00"
}
}
The problem somewhat stemmed from how AWSCC construct the patch document.
Modifying resource configuration from:
before
resource "awscc_securityhub_finding_aggregator" "example" {
region_linking_mode = "ALL_REGIONS_EXCEPT_SPECIFIED"
regions = [
"ap-southeast-1",
"ap-southeast-2",
"ap-southeast-3",
"ap-southeast-4"
]
}
to after:
resource "awscc_securityhub_finding_aggregator" "example" {
region_linking_mode = "ALL_REGIONS"
}
will yield the following plan output: (see that there's no marker to remove the regions
attribute.
Terraform will perform the following actions:
# awscc_securityhub_finding_aggregator.example will be updated in-place
~ resource "awscc_securityhub_finding_aggregator" "example" {
id = "arn:aws:securityhub:us-east-1:204034886740:finding-aggregator/cac8beee-5eec-e65d-7663-fcc2de52bd5b"
~ region_linking_mode = "ALL_REGIONS_EXCEPT_SPECIFIED" -> "ALL_REGIONS"
# NOTICE HERE THAT THE REGIONS ATTRIBUTE UNCHANGED
}
Upon checking the PlanResourceChange output:
PlanResourceChange_Request_PriorState
{
"finding_aggregation_region": "us-east-1",
"finding_aggregator_arn": "arn:aws:securityhub:us-east-1:204034886740:finding-aggregator/cac8beee-5eec-e65d-7663-fcc2de52bd5b",
"id": "arn:aws:securityhub:us-east-1:204034886740:finding-aggregator/cac8beee-5eec-e65d-7663-fcc2de52bd5b",
"region_linking_mode": "ALL_REGIONS_EXCEPT_SPECIFIED",
"regions": [
"ap-southeast-1",
"ap-southeast-2",
"ap-southeast-3",
"ap-southeast-4"
]
}
PlanResourceChange_Request_ProposedNewState
Notice how the regions
are still included!
{
"finding_aggregation_region": "us-east-1",
"finding_aggregator_arn": "arn:aws:securityhub:us-east-1:204034886740:finding-aggregator/cac8beee-5eec-e65d-7663-fcc2de52bd5b",
"id": "arn:aws:securityhub:us-east-1:204034886740:finding-aggregator/cac8beee-5eec-e65d-7663-fcc2de52bd5b",
"region_linking_mode": "ALL_REGIONS",
"regions": [
"ap-southeast-1",
"ap-southeast-2",
"ap-southeast-3",
"ap-southeast-4"
]
}
Because the attribute regions
is currently marked in AWSCC as optional
and computed
, the default plan modifiers will use the previous state when the configuration is empty / unknown. In this case, by not specifying the regions
in the after section above, we basically trigger the regions
value to unknown, which then pre-filled with the value from the previous state file.
Trying to set the attribute value region
to null
didn't help
resource "awscc_securityhub_finding_aggregator" "example" {
region_linking_mode = "ALL_REGIONS"
regions = null
}
related to #1546
one possible solution will be to remove the plan modifiers or set a default value in the schema.
Community Note
Terraform CLI and Terraform AWS Cloud Control Provider Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
Planned state
Panic Output
Expected Behavior
The security aggregator should be modified or replace to ensure all regions are covered.
Actual Behavior
The terraform apply step fails with the below error message
Steps to Reproduce
terraform apply
terraform apply
Important Factoids
References