Terraform-provider-aws: Securityhub recent MemberStatus changes

I am also facing this issue on GovCloud

I'm seeing this also. The MemberStatus value of aws securityhub get-members has changed... Seems to have changed from Associated to Enabled (though only guessing at the prior value from the code in the aws provider).

$ aws securityhub get-members --account-ids redacted
{
    "Members": [
        {
            "AccountId": "redacted",
            "Email": "redacted",
            "MasterId": "redacted",
            "MemberStatus": "Enabled",
            "UpdatedAt": "2020-11-18T00:26:55.193Z"
        }
    ],
    "UnprocessedAccounts": []
}

Has anyone opened an AWS Support case to confirm if this change was planned and permanent?

@bflad No support case yet, but the change is in the docs... https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Member.html

MemberStatus
The status of the relationship between the member account and its master account.

The status can have one of the following values:

CREATED - Indicates that the master account added the member account, but has not yet invited the member account.
INVITED - Indicates that the master account invited the member account. The member account has not yet responded to the invitation.
ENABLED - Indicates that the member account is currently active. For manually invited member accounts, indicates that the member account accepted the invitation.
REMOVED - Indicates that the master account disassociated the member account.
RESIGNED - Indicates that the member account disassociated themselves from the master account.
DELETED - Indicates that the master account deleted the member account.

Type: String

Pattern: .\S.

Required: No

https://awsapichanges.info/archive/changes/d2b896-securityhub.html

they must of updated it in support of https://aws.amazon.com/about-aws/whats-new/2020/11/aws-security-hub-integrates-with-aws-organizations-for-simplified-security-posture-management/

I just opened a support case to confirm this change to the MemberStatus value was intentional.

Highlights from our support ticket response

https://aws.amazon.com/about-aws/whats-new/2020/11/aws-security-hub-integrates-with-aws-organizations-for-simplified-security-posture-management/

With this launch there has been a few minor changes to SecurityHub multi-account configuration behaviors, 
one of them which are the following:
-Member accounts in Security Hub were previously ASSOCIATED with a master account (which is now renamed
to the administrator account). We have changed the terminology to align with GuardDuty's. ASSOCIATED has been
replaced with ENABLED. The Enabled status has now been introduced with the Organizations integration to AWS
Security Hub.

This is mentioned in the following announcement:
https://forums.aws.amazon.com/ann.jspa?annID=8164

Okay, thank you for that very helpful information. I have requested that the fix include both the old and new values, since Organizations support is not available in all regions. I would expect that we can get something out later today or tomorrow.

@bflad Just confirming AWS Support responded to me with the same information.

In short: Yes, it is intentional and permanent. Let me explain:

The reason for this change of our 'MemberStatus' from "Associated" to "Enabled"[1] is due to our new launch As of 23rd November 2020, AWS Security Hub is now integrated with AWS Organizations to simplify security posture management across all of your existing and future AWS accounts in an organization. With this launch, new and existing Security Hub customers can delegate any account in their organization as the Security Hub administrator and centrally view security findings from up to 5,000 AWS accounts among other features. You can check out the link below [2] for further information regarding this launch.

With this launch there has been a few minor changes to SecurityHub multi-account configuration behaviors, one of them which are the following:

-Member accounts in Security Hub were previously ASSOCIATED with a master account (which is now renamed to the administrator account). We have changed the terminology to align with GuardDuty. ASSOCIATED has been replaced with ENABLED. The Enabled status has now been introduced with the Organizations integration to AWS Security Hub.

This is mentioned in the announcement here as well [3].
1: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Member.html
2: https://aws.amazon.com/about-aws/whats-new/2020/11/aws-security-hub-integrates-with-aws-organizations-for-simplified-security-posture-management/
3: https://forums.aws.amazon.com/ann.jspa?annID=8164

The fix to support both the old and new member status values has been merged and will release with version 3.18.0 of the Terraform AWS Provider, likely within the next 24 hours. Thank you to @reactiveinactive for the quick implementation work. 👍

This has been released in version 3.18.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

Well, I just updated to 3.18.0, but I'm still seeing the resource cycle... 🤔

-/+ resource "aws_securityhub_member" "this" {
        account_id    = "redacted"
        email         = "redacted"
      ~ id            = "redacted" -> (known after apply)
      ~ invite        = false -> true # forces replacement
      ~ master_id     = "redacted" -> (known after apply)
      ~ member_status = "Enabled" -> (known after apply)
    }

False alarm, all is well. Had to clear out the terraform cache for some reason. /shrug