[Bug]: failed to create aws_securityhub_configuration_policy if enabled_standard_arns is empty

[sbldevnet]

Terraform Core Version

1.7.3

AWS Provider Version

5.43.0

Affected Resource(s)

• aws_securityhub_configuration_policy

Expected Behavior

The configuration policy should be created

Actual Behavior

Executing the terraform apply will fail returing the following error:

Enabled standards and security control configurations must be configured when Security Hub is enabled

╷
│ Error: creating Security Hub Configuration Policy (Example): operation error SecurityHub: CreateConfigurationPolicy, https response error StatusCode: 400, RequestID: 1abe50cc-27a0-41bf-9011-570d2863729e, InvalidInputException: Invalid semantics: Enabled standards and security control configurations must be configured when Security Hub is enabled
│
│   with aws_securityhub_configuration_policy.example,
│   on securityhub.tf line 18, in resource "aws_securityhub_configuration_policy" "example":
│   18: resource "aws_securityhub_configuration_policy" "example" {
│
╵

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_securityhub_organization_configuration" "example" {
  auto_enable           = false
  auto_enable_standards = "NONE"
  organization_configuration {
    configuration_type = "CENTRAL"
  }
}

resource "aws_securityhub_configuration_policy" "example" {
  name        = "Example"
  description = "ExampleDescription"

  configuration_policy {
    service_enabled       = true
    enabled_standard_arns = []
    security_controls_configuration {
      disabled_control_identifiers = []
    }
  }

  depends_on = [aws_securityhub_organization_configuration.example]
}

Steps to Reproduce

1. This terraform code must be executed from the root organization account or from a SecurityHub delegated administrator account.
2. SecurityHub must be enabled in the account and region executing this code.
3. terraform apply

Debug Output

aws_securityhub_configuration_policy.example: Creating...
2024-04-05T09:11:42.101+1030 [INFO]  Starting apply for aws_securityhub_configuration_policy.example
2024-04-05T09:11:42.102+1030 [DEBUG] aws_securityhub_configuration_policy.example: applying the planned Create change
2024-04-05T09:11:42.103+1030 [DEBUG] provider.terraform-provider-aws_v5.43.0_x5: HTTP Request Sent: http.request.header.x_amz_security_token="*****" rpc.method=CreateConfigurationPolicy @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.50/logging/tf_logger.go:45 net.peer.name=securityhub.us-west-2.amazonaws.com tf_aws.signing_region="" tf_mux_provider="*schema.GRPCProviderServer" http.request.header.amz_sdk_request="attempt=1; max=25" tf_req_id=2467d392-dcd1-256a-bc53-b2ffb8ae4227 tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws http.request.header.amz_sdk_invocation_id=139f041f-65be-4ed1-9579-671906df05d1 http.request.header.content_type=application/json http.request.header.x_amz_date=20240404T224142Z rpc.service=SecurityHub tf_aws.sdk=aws-sdk-go-v2 tf_resource_type=aws_securityhub_configuration_policy tf_rpc=ApplyResourceChange http.request_content_length=189 http.method=POST aws.region=us-west-2
  http.request.body=
  | {"ConfigurationPolicy":{"SecurityHub":{"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers":[]},"ServiceEnabled":true}},"Description":"ExampleDescription","Name":"Example"}
   http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.7.3 (+https://www.terraform.io) terraform-provider-aws/5.43.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.26.0 os/macos lang/go#1.21.8 md/GOOS#darwin md/GOARCH#arm64 api/securityhub#1.47.0" rpc.system=aws-api http.url=https://securityhub.us-west-2.amazonaws.com/configurationPolicy/create http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************SYFV/20240404/us-west-2/securityhub/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*****" timestamp="2024-04-05T09:11:42.103+1030"
2024-04-05T09:11:43.099+1030 [DEBUG] provider.terraform-provider-aws_v5.43.0_x5: HTTP Response Received: http.response.header.x_amz_apigw_id=VuPqIFhivHcEm2A= tf_req_id=2467d392-dcd1-256a-bc53-b2ffb8ae4227 http.response.header.content_type=application/json http.response.header.x_amzn_trace_id=Root=1-660f2ca6-1cd4ab5502ad318230d7bc29 tf_aws.signing_region="" @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.50/logging/tf_logger.go:45 @module=aws http.status_code=400 http.response.header.x_amzn_requestid=1abe50cc-27a0-41bf-9011-570d2863729e tf_mux_provider="*schema.GRPCProviderServer" tf_resource_type=aws_securityhub_configuration_policy tf_rpc=ApplyResourceChange
  http.response.body=
  | {"Code":"InvalidInputException","Type":"InvalidInputException","RequestId":"8094ff6c-090c-4d78-8ac2-a93fab49f020","Message":"Invalid semantics: Enabled standards and security control configurations must be configured when Security Hub is enabled"}
   http.response.header.access_control_expose_headers="x-amzn-errortype,x-amzn-requestid,x-amzn-errormessage,x-amzn-trace-id,x-amz-apigw-id,date" http.response.header.date="Thu, 04 Apr 2024 22:41:43 GMT" http.duration=994 http.response.header.cache_control=no-cache tf_provider_addr=registry.terraform.io/hashicorp/aws http.response_content_length=247 rpc.method=CreateConfigurationPolicy rpc.system=aws-api tf_aws.sdk=aws-sdk-go-v2 aws.region=us-west-2 http.response.header.access_control_allow_origin="*" http.response.header.access_control_max_age=86400 rpc.service=SecurityHub http.response.header.access_control_allow_headers="Authorization,Date,X-Amz-Date,X-Amz-Security-Token,X-Amz-Target,content-type,x-amz-content-sha256,x-amz-user-agent,x-amzn-platform-id,x-amzn-trace-id" http.response.header.access_control_allow_methods="GET,POST,OPTIONS,PUT,PATCH,DELETE" http.response.header.x_amzn_errortype=InvalidInputException timestamp="2024-04-05T09:11:43.097+1030"
2024-04-05T09:11:43.100+1030 [DEBUG] provider.terraform-provider-aws_v5.43.0_x5: request failed with unretryable error https response error StatusCode: 400, RequestID: 1abe50cc-27a0-41bf-9011-570d2863729e, InvalidInputException: Invalid semantics: Enabled standards and security control configurations must be configured when Security Hub is enabled: rpc.service=SecurityHub tf_resource_type=aws_securityhub_configuration_policy @module=aws rpc.method=CreateConfigurationPolicy tf_aws.sdk=aws-sdk-go-v2 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.50/logging/tf_logger.go:45 tf_req_id=2467d392-dcd1-256a-bc53-b2ffb8ae4227 tf_rpc=ApplyResourceChange aws.region=us-west-2 rpc.system=aws-api tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp="2024-04-05T09:11:43.098+1030"
2024-04-05T09:11:43.101+1030 [ERROR] provider.terraform-provider-aws_v5.43.0_x5: Response contains error diagnostic: tf_provider_addr=registry.terraform.io/hashicorp/aws @caller=github.com/hashicorp/terraform-plugin-go@v0.22.1/tfprotov5/internal/diag/diagnostics.go:58 tf_proto_version=5.4 tf_req_id=2467d392-dcd1-256a-bc53-b2ffb8ae4227 tf_rpc=ApplyResourceChange diagnostic_detail="" diagnostic_severity=ERROR diagnostic_summary="creating Security Hub Configuration Policy (Example): operation error SecurityHub: CreateConfigurationPolicy, https response error StatusCode: 400, RequestID: 1abe50cc-27a0-41bf-9011-570d2863729e, InvalidInputException: Invalid semantics: Enabled standards and security control configurations must be configured when Security Hub is enabled" tf_resource_type=aws_securityhub_configuration_policy @module=sdk.proto timestamp="2024-04-05T09:11:43.098+1030"
2024-04-05T09:11:43.109+1030 [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
2024-04-05T09:11:43.109+1030 [ERROR] vertex "aws_securityhub_configuration_policy.example" error: creating Security Hub Configuration Policy (Example): operation error SecurityHub: CreateConfigurationPolicy, https response error StatusCode: 400, RequestID: 1abe50cc-27a0-41bf-9011-570d2863729e, InvalidInputException: Invalid semantics: Enabled standards and security control configurations must be configured when Security Hub is enabled

Panic Output

No response

Important Factoids

No response

References

https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_SecurityHubPolicy.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/create-configuration-policy.html

Would you like to implement a fix?

Yes

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[github-actions]

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions]

This functionality has been released in v5.45.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.