Terraform-provider-aws: SecurityHub: Creation of subscriptions stays in loop.

Created on 27 Mar 2019  ·  4 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

v0.11.11

Affected Resource(s)

  • aws_securityhub_product_subscription

Terraform Configuration Files

resource "aws_securityhub_account" "security_hub" {}

resource "aws_securityhub_product_subscription" "guard_duty_subscription" {
  product_arn = "arn:aws:securityhub:${var.aws_region}::product/aws/guardduty"

  depends_on = ["aws_securityhub_account.security_hub"]
}

Debug Output

https://gist.github.com/echoboomer/4783d7ad64a1750cf870c9e5ef163185

Panic Output

Expected Behavior

The subscription should have been created.

Actual Behavior

The terraform apply runs forever until manually canceled and only indicates the following output:

module.security.aws_securityhub_product_subscription.guard_duty_subscription: Still creating... (9m10s elapsed)

Behind the scenes, this appears to be related to:

Response SecurityHub/EnableImportFindingsForProduct
HTTP/2.0 500 Internal Server Error

Steps to Reproduce

  1. terraform plan (looks normal)
  2. terraform apply (where it hangs)

Important Factoids

References

  • #0000
Labels: bug, service/securityhub, upstream

All 4 comments

Hi @echoboomer 👋 Sorry for the trouble here. Since the Security Hub service is returning a retryable error code, the AWS Go SDK is automatically retrying up to your provider configuration for max_retries (which defaults pretty high). The error message does not seem descriptive enough for us to act on it unless someone is able to discern the issue from your configuration, so you will likely need to open an AWS Support case with the request ID from the log to get additional information.

Will do. Thanks very much for your support!

After opening a case, I received the following response from AWS support:

As per the documentation on AWS findings providers for Security Hub (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-providers.html#securityhub-internal-providers), once you enable Security Hub in an AWS account, it immediately starts aggregating security and resource data across your AWS environment in that account from the following AWS services: Amazon GuardDuty, Amazon Inspector, Amazon Macie. This means GuardDuty is already subscribed as a findings provider once Security Hub is enabled.

For someone setting up Security Hub based on the resources listed in the Terraform provider docs, it may be good to mention that you don't actually need to code anything for the 3 AWS products listed in the doc: https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html

While this could be implied by the fact that the example uses a third-party subscription, clarifying it could potentially help others in the future. I also recognize this feature is still in Preview.

This issue can be closed since it isn't really a malfunction, but I'm wondering if there is a better way to handle this so a random timeout isn't encountered in the future for these particular subscriptions.
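The configuration pattern the support answer implies, written out as an added example (this is not code from the issue or from the provider repository). It enables Security Hub once, relies on that to cover the built-in AWS integrations, and subscribes explicitly only to a third-party product. The third-party product ARN is the Alert Logic one used for illustration in the provider docs and var.aws_region is assumed to be defined elsewhere; substitute your own values. The lower max_retries is an assumption about what you want, not something the issue settled.

```hcl
# Added example, not part of the original issue or the provider's own code.
# Assumes var.aws_region is declared elsewhere and uses an illustrative
# third-party product ARN; replace it with the product you actually use.

provider "aws" {
  region = "${var.aws_region}"

  # Default is 25. A retryable 500 from the service is retried that many
  # times with backoff, which is what produced the multi-minute
  # "Still creating..." hang. Lower it cautiously: it also governs retries
  # for throttled calls on every other resource in this provider.
  max_retries = 5
}

# Enabling Security Hub also enables the built-in AWS integrations
# (GuardDuty, Inspector, Macie at the time of this issue). Creating an
# aws_securityhub_product_subscription for those products is redundant
# and, on an account where they are already active, fails with a 409
# ResourceConflictException.
resource "aws_securityhub_account" "main" {}

# Only third-party products need an explicit subscription.
resource "aws_securityhub_product_subscription" "alertlogic" {
  product_arn = "arn:aws:securityhub:${var.aws_region}::product/alertlogic/althreatmanagement"

  depends_on = ["aws_securityhub_account.main"]
}
```

Before adding any subscription resource, the check a practitioner wants is simply what the account already has enabled; the AWS CLI exposes that as `aws securityhub list-enabled-products-for-import`. If a product you want to manage in Terraform is already in that list, it should be imported into state rather than created again.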

Thanks for following this up with support @echoboomer! I'd probably suggest this would be a docs issue.

I followed the docs to set up relevant Security Hub resources and while I didn't receive the same loop + timeout you did, I did receive:

* aws_securityhub_product_subscription.main.1: Error enabling Security Hub product subscription for product arn:aws:securityhub:ap-southeast-2::product/aws/inspector: ResourceConflictException: arn:aws:securityhub:ap-southeast-2:xxxxxxxxxxxx:product-subscription/aws/inspector
        status code: 409, request id: xxxx9fff-xxxx-11e9-xxxx-21a478abxxxx

(for all three of the built-in AWS integrations)

Those three checks do appear to be covered automatically by simply enabling Security Hub:

resource "aws_securityhub_account" "main" {}