Merge pull request #36740 from sbldevnet/f-aws_securityhub_configurat…

…ion_policy-empty_standars fix: add enabled_standard_arns if service_enabled is true in aws_securityhub_configuration_policy
hashicorp · Apr 5, 2024 · 4e72a2e · 4e72a2e
2 parents 0e40a5e + e6b7466
commit 4e72a2e
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 10 deletions.
diff --git a/.changelog/36740.txt b/.changelog/36740.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_securityhub_configuration_policy: Mark `configuration_policy.enabled_standard_arns` as Optional, fixing `InvalidInputException: Invalid semantics: Enabled standards and security control configurations must be configured when Security Hub is enabled` errors
+```
diff --git a/internal/service/securityhub/configuration_policy.go b/internal/service/securityhub/configuration_policy.go
@@ -184,7 +184,7 @@ func resourceConfigurationPolicy() *schema.Resource {
 						Schema: map[string]*schema.Schema{
 							"enabled_standard_arns": {
 								Type:     schema.TypeSet,
-								Required: true,
+								Optional: true,
 								Elem: &schema.Schema{
 									Type:         schema.TypeString,
 									ValidateFunc: verify.ValidARN,
@@ -432,12 +432,14 @@ func expandPolicyMemberSecurityHub(tfMap map[string]interface{}) *types.PolicyMe
 		SecurityControlsConfiguration: expandSecurityControlsConfiguration(tfMap["security_controls_configuration"]),
 	}
 
-	if v, ok := tfMap["enabled_standard_arns"].(*schema.Set); ok && v.Len() > 0 {
-		apiObject.EnabledStandardIdentifiers = flex.ExpandStringValueSet(v)
-	}
-
 	if v, ok := tfMap["service_enabled"].(bool); ok {
 		apiObject.ServiceEnabled = aws.Bool(v)
+
+		if v {
+			if v, ok := tfMap["enabled_standard_arns"].(*schema.Set); ok {
+				apiObject.EnabledStandardIdentifiers = flex.ExpandStringValueSet(v)
+			}
+		}
 	}
 
 	return &types.PolicyMemberSecurityHub{

diff --git a/internal/service/securityhub/configuration_policy_test.go b/internal/service/securityhub/configuration_policy_test.go
@@ -369,8 +369,7 @@ resource "aws_securityhub_configuration_policy" "test" {
   description = %[2]q
 
   configuration_policy {
-    service_enabled       = false
-    enabled_standard_arns = []
+    service_enabled = false
   }
 
   depends_on = [aws_securityhub_organization_configuration.test]

diff --git a/website/docs/r/securityhub_configuration_policy.html.markdown b/website/docs/r/securityhub_configuration_policy.html.markdown
@@ -58,8 +58,7 @@ resource "aws_securityhub_configuration_policy" "disabled" {
   description = "This is an example of disabled configuration policy"
 
   configuration_policy {
-    service_enabled       = false
-    enabled_standard_arns = []
+    service_enabled = false
   }
 
   depends_on = [aws_securityhub_organization_configuration.example]
@@ -130,7 +129,7 @@ This resource supports the following arguments:
 
 The `configuration_policy` block supports the following:
 
-* `enabled_standard_arns` - (Required) A list that defines which security standards are enabled in the configuration policy.
+* `enabled_standard_arns` - (Optional) A list that defines which security standards are enabled in the configuration policy. It must be defined if `service_enabled` is set to true.
 * `security_controls_configuration` - (Optional) Defines which security controls are enabled in the configuration policy and any customizations to parameters affecting them. See [below](#security_controls_configuration).
 * `service_enabled` - (Required) Indicates whether Security Hub is enabled in the policy.