[Bug]: aws_inspector2_enabler breaks plans after being added to an AWS Organization #27639

Closed
kchristensen opened this issue Nov 3, 2022 · 4 comments · Fixed by #31038
Labels
bug Addresses a defect in current functionality. service/inspector2 Issues and PRs that pertain to the inspector2 service.

Comments


kchristensen commented Nov 3, 2022

Terraform Core Version

1.2.2

AWS Provider Version

4.37.0

Affected Resource(s)

aws_inspector2_enabler

Expected Behavior

After enabling Inspector v2 on an AWS account, and being added to a parent AWS Organization, plans should not error out.

Actual Behavior

When an AWS Organization is enforcing Inspector v2 usage, plans error out when the AWS provider attempts to POST to the AWS API's disable endpoint, which is used to determine whether or not Inspector v2 is enabled in the absence of a describe or list endpoint.

Relevant code: https://github.com/hashicorp/terraform-provider-aws/pull/27505/files#diff-f2a05e84be3d8209f9d0b950b86986849f406e44b9dff33d5ea60c212aba7c81R260

Despite not actually trying to disable Inspector v2, the post to the disable endpoint is apparently being disallowed by policy in the AWS Organization.

Relevant Error/Panic Output Snippet

│ Error: reading Amazon Inspector V2 Enabler (REDACTED-EC2): calling Disable: operation error Inspector2: Disable, https response error StatusCode: 403, RequestID: REDACTED, AccessDeniedException: Member account REDACTED is not authorized to disable itself.
│
│   with aws_inspector2_enabler.inspector_us-east-1,
│   on inspector.tf line 1, in resource "aws_inspector2_enabler" "inspector_us-east-1":
│    1: resource "aws_inspector2_enabler" "inspector_us-east-1" {

Terraform Configuration Files

resource "aws_inspector2_enabler" "inspector" {
  account_ids    = [data.aws_caller_identity.current.account_id]
  resource_types = ["EC2"]
}

Steps to Reproduce

  1. Enable Inspector v2 in a region:

resource "aws_inspector2_enabler" "inspector" {
  account_ids    = [data.aws_caller_identity.current.account_id]
  resource_types = ["EC2"]
}

  2. Add the account with Inspector v2 enabled to an AWS Organization on another account (for the purpose of aggregating Inspector findings).

  3. Run a plan on the child account.

Debug Output

2022-10-31T11:44:05.022-0400 [DEBUG] provider.terraform-provider-aws_v4.37.0_x5: [DEBUG] [aws-sdk-go-v2] Request
2022-10-31T11:44:05.022-0400 [DEBUG] provider.terraform-provider-aws_v4.37.0_x5: POST /disable HTTP/1.1
2022-10-31T11:44:05.022-0400 [DEBUG] provider.terraform-provider-aws_v4.37.0_x5: Host: inspector2.us-east-1.amazonaws.com
2022-10-31T11:44:05.022-0400 [DEBUG] provider.terraform-provider-aws_v4.37.0_x5: User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.2.2 (+https://www.terraform.io/) terraform-provider-aws/dev (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.17.1 os/macos lang/go/1.18.4 md/GOOS/darwin md/GOARCH/amd64 api/inspector2/1.8.3

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No
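The issue above turns on the provider using a mutating call (Disable) as a read probe, which an Organization-managed member account is not allowed to make. The block below is an added example, not code from the Terraform AWS provider and not the fix that landed in #31038. It shows the read-only alternative a practitioner would want: interpreting an Inspector2 BatchGetAccountStatus response (the shape returned by `boto3.client("inspector2").batch_get_account_status(accountIds=[...])`, with `accounts[].resourceState.<type>.status` and `failedAccounts[]`) to decide whether a set of resource types is enabled, still transitioning, or denied. The payload embedded below is constructed for the example, not captured from a real account, and the function names are my own.

```python
"""Read-only check of Inspector v2 enablement state (added example).

Instead of calling Disable to learn whether Inspector v2 is on, inspect the
BatchGetAccountStatus response. Field names follow the public Inspector2 API;
SAMPLE_RESPONSE is a constructed payload, not real account data.
"""
from typing import Any, Dict, Iterable, Mapping, Optional

# Status values Inspector2 reports for an account or a resource type.
ACTIVE = {"ENABLED"}
IN_PROGRESS = {"ENABLING", "DISABLING", "SUSPENDING"}
INACTIVE = {"DISABLED", "SUSPENDED"}

# Terraform's resource_types are upper-case; the API's resourceState keys are lower-case.
RESOURCE_KEYS = {"EC2": "ec2", "ECR": "ecr", "LAMBDA": "lambda"}

# Constructed sample: one member account with EC2 on, ECR off, Lambda still
# enabling, plus one account the API refused to report on.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "accounts": [
        {
            "accountId": "111111111111",
            "state": {"status": "ENABLED"},
            "resourceState": {
                "ec2": {"status": "ENABLED"},
                "ecr": {"status": "DISABLED"},
                "lambda": {"status": "ENABLING"},
            },
        }
    ],
    "failedAccounts": [
        {
            "accountId": "222222222222",
            "errorCode": "ACCESS_DENIED",
            "errorMessage": "constructed sample: caller may not read this account",
        }
    ],
}


def failure_reason(response: Mapping[str, Any], account_id: str) -> Optional[str]:
    """Return the per-account error the API reported for account_id, if any.

    A read call can partially fail; treating a failedAccounts entry as
    'disabled' would make Terraform wrongly plan to re-enable the account.
    """
    for failed in response.get("failedAccounts", []):
        if failed.get("accountId") == account_id:
            return f"{failed.get('errorCode')}: {failed.get('errorMessage')}"
    return None


def account_status(response: Mapping[str, Any], account_id: str) -> Dict[str, str]:
    """Return {TERRAFORM_TYPE: status} for account_id.

    Raises PermissionError if the API reported a failure for that account.
    An account absent from both lists is treated as fully disabled.
    """
    reason = failure_reason(response, account_id)
    if reason is not None:
        raise PermissionError(f"{account_id}: {reason}")
    for acct in response.get("accounts", []):
        if acct.get("accountId") != account_id:
            continue
        states = acct.get("resourceState", {})
        return {
            tf_name: states.get(api_key, {}).get("status", "DISABLED")
            for tf_name, api_key in RESOURCE_KEYS.items()
        }
    return {tf_name: "DISABLED" for tf_name in RESOURCE_KEYS}


def is_enabled(response: Mapping[str, Any], account_id: str,
               resource_types: Iterable[str]) -> bool:
    """True only if every requested resource type is ENABLED."""
    status = account_status(response, account_id)
    return all(status.get(rt.upper()) in ACTIVE for rt in resource_types)


def is_pending(response: Mapping[str, Any], account_id: str,
               resource_types: Iterable[str]) -> bool:
    """True if any requested type is still transitioning; a read in that state
    should wait and retry rather than conclude the resource is gone."""
    status = account_status(response, account_id)
    return any(status.get(rt.upper()) in IN_PROGRESS for rt in resource_types)


if __name__ == "__main__":
    print(account_status(SAMPLE_RESPONSE, "111111111111"))
    print("EC2 enabled:", is_enabled(SAMPLE_RESPONSE, "111111111111", ["EC2"]))
    print("Lambda pending:", is_pending(SAMPLE_RESPONSE, "111111111111", ["LAMBDA"]))
```

The point of separating `failure_reason` from the status lookup is that an access-denied entry in `failedAccounts` is not the same as "disabled": the former should surface as an error (or be retried), while only the latter should cause Terraform to plan an enable. Neither path needs permission to disable anything.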

@kchristensen kchristensen added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Nov 3, 2022
@github-actions github-actions bot added the service/inspector2 Issues and PRs that pertain to the inspector2 service. label Nov 3, 2022

github-actions bot commented Nov 3, 2022

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Nov 3, 2022

dandelo commented Mar 29, 2023

Looks to be the same cause as #27644, which describes why this happens.


github-actions bot commented May 5, 2023

This functionality has been released in v4.66.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


github-actions bot commented Jun 5, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 5, 2023