Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: aws_inspector2_enabler uses wrong status api #27644

Closed
aa-ron-arnott opened this issue Nov 3, 2022 · 5 comments · Fixed by #31038
Closed

[Bug]: aws_inspector2_enabler uses wrong status api #27644

aa-ron-arnott opened this issue Nov 3, 2022 · 5 comments · Fixed by #31038
Assignees
@gdavison
Labels
bug Addresses a defect in current functionality. service/inspector2 Issues and PRs that pertain to the inspector2 service.
Milestone
v4.66.0

Comments

@aa-ron-arnott
Copy link

Terraform Core Version

1.1.9

AWS Provider Version

4.37.0

Affected Resource(s)

aws_inspector2_enabler

Expected Behavior

The resource should enable, the specified resource scanning, AND inspector2 in the designated accounts. The resource should be using the BatchGetAccountStatus api instead of the Disable api.

Actual Behavior

The status checks using the Disable api make it so that the resource scanning ends up enabled, but the inspector2 status is disabled in the target account.

We see the response from this part of the get status code.

terraform-provider-aws/internal/service/inspector2/enabler.go

Lines 260 to 266 in 3cf15a2

// there's no describe/list but calling disable without a resource type returns an error
// and information about state
in := &inspector2.DisableInput{}
if len(accountIDs) > 0 {
in.AccountIds = accountIDs
}

It starts as this

    "responseElements": {
        "failedAccounts": [],
        "accounts": [
            {
                "accountId": "--REDACTED--",
                "resourceStatus": {
                    "ec2": "ENABLING",
                    "ecr": "ENABLING"
                },
                "status": "ENABLING"
            }
        ]
    },

And the response to the final Disable request shows like this

        "failedAccounts": [
            {
                "accountId": "--REDACTED--",
                "errorCode": "RESOURCE_SCAN_NOT_DISABLED",
                "errorMessage": "Resource level scanning must be disabled before Inspector can be disabled.",
                "resourceStatus": {
                    "ec2": "ENABLED",
                    "ecr": "ENABLED"
                },
                "status": "DISABLED"
            }
        ],

Note that status has gone from ENABLING to DISABLED.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

data "aws_caller_identity" "current" {}

resource "aws_inspector2_enabler" "this" {
  account_ids    = [data.aws_caller_identity.current.account_id]
  resource_types = ["ECR", "EC2"]
}

Steps to Reproduce

  1. Have an account where Inspector V2 is disabled
  2. Run the terraform config against it.
  3. Inspect the CloudTrail events for the Disable event, they should show the resource progressing from ENABLING to ENABLED to DISABLING and DISABLED though the ec2 and ecr resource status will finalize on ENABLED

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

The resource status checks in question:

terraform-provider-aws/internal/service/inspector2/enabler.go

Lines 260 to 266 in 3cf15a2

// there's no describe/list but calling disable without a resource type returns an error
// and information about state
in := &inspector2.DisableInput{}
if len(accountIDs) > 0 {
in.AccountIds = accountIDs
}

The recommended AWS API: https://docs.aws.amazon.com/inspector/v2/APIReference/API_BatchGetAccountStatus.html

Would you like to implement a fix?

No
@aa-ron-arnott aa-ron-arnott added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Nov 3, 2022
@github-actions
Copy link

github-actions bot commented Nov 3, 2022

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/inspector2 Issues and PRs that pertain to the inspector2 service. service/sts Issues and PRs that pertain to the sts service. labels Nov 3, 2022
@justinretzolk
Copy link
Member

Related #27639

@justinretzolk justinretzolk removed service/sts Issues and PRs that pertain to the sts service. needs-triage Waiting for first response or review from a maintainer. labels Nov 7, 2022
@jesus-vc
Copy link

jesus-vc commented Mar 8, 2023
edited
Loading

Hello @aa-ron-arnott , I'm encountering this issue as well. This ticket is shown as "open", so I supposed you weren't able to get this work on your end? Would appreciate any feedback/workarounds you can share.

I'm inclined to just use the AWS console to deploy Inspector2 via Organizations, as it seems there are still bugs in these Terraform resource types for Inspector2.

@hannes-ucsc hannes-ucsc mentioned this issue Mar 19, 2023
Merged
82 tasks
@dandelo dandelo mentioned this issue Mar 29, 2023
Closed
@gdavison gdavison self-assigned this Apr 17, 2023
This was referenced Apr 17, 2023
Closed
Closed
@gdavison gdavison mentioned this issue Apr 28, 2023
Merged
@github-actions github-actions bot added this to the v4.66.0 milestone Apr 28, 2023
@github-actions
Copy link

github-actions bot commented May 5, 2023

This functionality has been released in v4.66.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

github-actions bot commented Jun 5, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 5, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@gdavison gdavison

Labels
bug Addresses a defect in current functionality. service/inspector2 Issues and PRs that pertain to the inspector2 service.
Projects
None yet
Milestone
v4.66.0
Development

Successfully merging a pull request may close this issue.

resource/aws_inspector2_enabler: Fix various errors hashicorp/terraform-provider-aws
4 participants
@gdavison @justinretzolk @jesus-vc @aa-ron-arnott