
[Bug]: aws_inspector2_enabler does not work in ca-central-1 region #34039

Closed
nwalters512 opened this issue Oct 20, 2023 · 14 comments · Fixed by #38254
Labels
bug Addresses a defect in current functionality. service/inspector2 Issues and PRs that pertain to the inspector2 service.
@nwalters512

nwalters512 commented Oct 20, 2023

Terraform Core Version

1.6.2

AWS Provider Version

5.22.0

Affected Resource(s)

  • aws_inspector2_enabler

Expected Behavior

I would expect aws_inspector2_enabler to work in the ca-central-1 region.

Actual Behavior

aws_inspector2_enabler does not work in the ca-central-1 region.

Relevant Error/Panic Output Snippet

Error: updating Amazon Inspector Enabler (769954110362-EC2): operation error Inspector2: Disable, https response error StatusCode: 403, RequestID: dfeb4791-b3c3-4ceb-ada4-8021518def55, AccessDeniedException: Lambda code scanning is not supported in ca-central-1

Terraform Configuration Files

provider "aws" {
  region = "ca-central-1"
}

resource "aws_inspector2_enabler" "ca-central-1" {
  account_ids    = ["XXXXX"]
  resource_types = ["EC2"]
}

Steps to Reproduce

Run terraform apply with the above Terraform configuration and observe that it errors.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

The following page documents the regions where Inspector Lambda code scanning is supported: https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html#ins-regional-feature-availability. This does not include ca-central-1 and many other regions.

Would you like to implement a fix?

None

@nwalters512 nwalters512 added the bug Addresses a defect in current functionality. label Oct 20, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/inspector2 Issues and PRs that pertain to the inspector2 service. label Oct 20, 2023
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 20, 2023
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Oct 23, 2023
@rbchasesc

This same issue also occurs with provider version 5.23.1 for the us-west-1 region, which also does not support LAMBDA. From this resource:

resource "aws_inspector2_enabler" "inspector_usw1" {
  count          = local.enabled_usw1 ? 1 : 0
  provider       = aws.usw1
  account_ids    = [data.aws_caller_identity.current.account_id]
  resource_types = ["ECR", "EC2"] 
}

We get this error (values obfuscated with *):

Error: updating Amazon Inspector Enabler (*********-EC2:ECR): operation error Inspector2: Disable, https response error StatusCode: 403, RequestID: ********-****-*****-****-************, AccessDeniedException: Lambda code scanning is not supported in us-west-1

@jdstuart
Contributor

jdstuart commented Nov 5, 2023

Also happens with provider v 5.24.0.

The following are the only Terraform resources we're trying to deploy:

data "aws_caller_identity" "default" {
  provider = aws.ca-central-1
}

resource "aws_inspector2_enabler" "ca-central-1" {
  provider = aws.ca-central-1

  account_ids    = [data.aws_caller_identity.default.account_id]
  resource_types = ["EC2"]
}

Terraform apply output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Using previously-installed hashicorp/aws v5.24.0

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
terraform apply tfplan
aws_inspector2_enabler.ca-central-1: Creating...
aws_inspector2_enabler.ca-central-1: Still creating... [10s elapsed]
╷
│ Error: updating Amazon Inspector Enabler (XXXXXXXXXXXX-EC2): operation error Inspector2: Disable, https response error StatusCode: 403, RequestID: 30362957-XXXX-XXXX-XXXX-c394218e6013, AccessDeniedException: Lambda code scanning is not supported in ca-central-1
│
│   with aws_inspector2_enabler.ca-central-1,
│   on main.tf line 30, in resource "aws_inspector2_enabler" "ca-central-1":
│   30: resource "aws_inspector2_enabler" "ca-central-1" {
│

@abezzub

abezzub commented Feb 20, 2024

This issue still happens. aws_inspector2_enabler should be aware of what resources are available for a region and not call delete for a resource type that is not available.

@stefano-franco

stefano-franco commented Mar 2, 2024

AWS provider version 5.5 was the last provider where aws_inspector2_enabler could be provisioned in a region that does not support LAMBDA_CODE.

The resource aws_inspector2_enabler first activates inspector with the defined resource_types (e.g. ECR, EC2 & LAMBDA).
As soon as inspector is enabled, a second step is performed in which all missing resource types are explicitly disabled (e.g. LAMBDA_CODE). Since LAMBDA_CODE is not supported in some regions, this action will cause an error.

This behavior can be reproduced with the following steps:

  1. use aws provider with a region that doesn't support LAMBDA_CODE e.g. eu-central-2
  2. terraform apply with aws provider 5.5 -> success
  3. terraform destroy and update aws provider
  4. terraform apply with latest aws provider -> failure

terraform {
  required_version = "1.7.0"

  required_providers {
    aws = {
      source                = "hashicorp/aws"
      version               = "5.5"
      # version               = "> 5.5"
      configuration_aliases = []
    }
  }
}

provider "aws" {
  region = "eu-central-2"
}

data "aws_caller_identity" "current" {}

resource "aws_inspector2_enabler" "example" {
  account_ids    = [data.aws_caller_identity.current.account_id]
  resource_types = ["ECR", "EC2", "LAMBDA"]
}

This will affect regions not listed under "Lambda code scanning Regions":
https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html#ins-regional-feature-availability

This issue could be avoided by not explicitly deactivating resource types that are already deactivated by default.
Example response of enabling inspector:

{
    "accounts": [
        {
            "accountId": "111111111111",
            "resourceState": {
                "ec2": {
                    "status": "ENABLED"
                },
                "ecr": {
                    "status": "ENABLED"
                },
                "lambda": {
                    "status": "ENABLED"
                },
                "lambdaCode": {
                    "status": "DISABLED" # LAMBDA_CODE is already disabled -> DO NOT DISABLE AGAIN
                }
            },
            "state": {
                "status": "ENABLED"
            }
        }
    ],
    "failedAccounts": []
}
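
As an added illustration of the point made above, and not code from the provider or from this comment's author: the Go function below parses the Enable response shape quoted here and computes which resource types still need an explicit Disable call, skipping any type the service already reports as DISABLED. Beside it is the naive variant that disables every non-requested type regardless of state, which is the behaviour the error messages in this thread point to. The resourceState key-to-name mapping, the naive counterpart, and the sample response (a constructed copy of the JSON above with the inline annotation removed) are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// resourceStatus is one entry of "resourceState" in the Enable response quoted above.
type resourceStatus struct {
	Status string `json:"status"`
}

// enableResponse models only the fields this example needs from the response
// shape quoted in the comment (field names as they appear in that JSON).
type enableResponse struct {
	Accounts []struct {
		AccountID     string                    `json:"accountId"`
		ResourceState map[string]resourceStatus `json:"resourceState"`
	} `json:"accounts"`
	FailedAccounts []json.RawMessage `json:"failedAccounts"`
}

// apiName maps the camelCase resourceState keys to the resource type names used
// in the Terraform resource_types argument (assumed mapping for this example).
var apiName = map[string]string{
	"ec2":        "EC2",
	"ecr":        "ECR",
	"lambda":     "LAMBDA",
	"lambdaCode": "LAMBDA_CODE",
}

// sampleEnableResponse is a constructed copy of the response shown in the comment,
// with the inline "# ..." annotation removed so that it is valid JSON.
var sampleEnableResponse = []byte(`{
  "accounts": [
    {
      "accountId": "111111111111",
      "resourceState": {
        "ec2":        {"status": "ENABLED"},
        "ecr":        {"status": "ENABLED"},
        "lambda":     {"status": "ENABLED"},
        "lambdaCode": {"status": "DISABLED"}
      },
      "state": {"status": "ENABLED"}
    }
  ],
  "failedAccounts": []
}`)

// toSet normalises the requested resource types into an upper-case lookup set.
func toSet(names []string) map[string]bool {
	set := make(map[string]bool, len(names))
	for _, n := range names {
		set[strings.ToUpper(n)] = true
	}
	return set
}

// naiveTypesToDisable reproduces the problematic second step as the comment
// describes it: every known type that was not requested gets a Disable call,
// regardless of whether the service already reports it as DISABLED.
func naiveTypesToDisable(requested []string) []string {
	want := toSet(requested)
	var out []string
	for _, name := range apiName {
		if !want[name] {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// typesToDisable is the state-aware variant: it only schedules a Disable call for
// resource types that were not requested AND are not already DISABLED according
// to the Enable response, so a type that is unsupported in the region (and hence
// never enabled) such as LAMBDA_CODE is left alone.
func typesToDisable(raw []byte, requested []string) ([]string, error) {
	var resp enableResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, err
	}
	want := toSet(requested)
	disable := map[string]bool{}
	for _, acct := range resp.Accounts {
		for key, st := range acct.ResourceState {
			name, known := apiName[key]
			if !known || want[name] || st.Status == "DISABLED" {
				continue
			}
			disable[name] = true
		}
	}
	out := make([]string, 0, len(disable))
	for name := range disable {
		out = append(out, name)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	requested := []string{"ECR", "EC2", "LAMBDA"}
	fmt.Println("naive:", naiveTypesToDisable(requested))
	aware, err := typesToDisable(sampleEnableResponse, requested)
	if err != nil {
		panic(err)
	}
	fmt.Println("state-aware:", aware)
}
```

With the sample response and resource_types = ["ECR", "EC2", "LAMBDA"], the naive variant still issues a Disable for LAMBDA_CODE (the call that fails in unsupported regions), while the state-aware variant issues none.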

@githubkannadhasan

Any update on this issue? It also occurs on the latest AWS provider, 5.47.0 for example.

@githubkannadhasan

The workaround from @stefano-franco is not applicable if inspector2 was enabled in the region earlier with another provider version and is not being disabled with the latest providers. Need support on this.

@DhilipkumarGnanamurthy

This only works with the 5.5 provider, not with the latest version of the provider. When will it be fixed and closed? Is there any deadline or plan? Kindly share; it will be helpful.

@Maxi3315

Hello, I have the same problem in the eu-west-3 region. It only works with the 5.5.0 AWS Provider and not with the latest version at this time (5.56.1).

Could you provide a quick fix soon? This is having a big impact on our production deployment.

@boris-yakimov

boris-yakimov commented Aug 23, 2024

Same issue in ap-south-1 for me: trying to enable only EC2 and ECR scanning but getting an error that Lambda scanning is not supported in the region (we don't need Lambda scanning, just to enable AWS Inspector on the organization for EC2 and ECR).

  # module.amazon_inspector[0].aws_inspector2_enabler.itgix_primary[0] will be created
  + resource "aws_inspector2_enabler" "itgix_primary" {
      + account_ids    = [
          + "<redacted>",
        ]
      + id             = (known after apply)
      + resource_types = [
          + "EC2",
          + "ECR",
        ]
    }

error

╷
│ Error: updating AWS Inspector Enabler (<redacted>>-EC2:ECR): operation error Inspector2: Disable, https response error StatusCode: 403, RequestID: 3ecff391-85ea-42d2-b4cf-3dfb85ed72d6, AccessDeniedException: Lambda code scanning is not supported in ap-south-1
│
│   with module.amazon_inspector[0].aws_inspector2_enabler.itgix_primary[0],
│   on .terraform/modules/amazon_inspector/main.tf line 6, in resource "aws_inspector2_enabler" "itgix_primary":
│    6: resource "aws_inspector2_enabler" "itgix_primary" {

Strangely, when I remove the resource after this failure it tries to destroy it and fails with the same error:

  # module.amazon_inspector[0].aws_inspector2_enabler.itgix_primary[0] will be destroyed
  # (because aws_inspector2_enabler.itgix_primary is not in configuration)
  - resource "aws_inspector2_enabler" "itgix_primary" {
      - account_ids    = [
          - "<redacted>",
        ] -> null
      - id             = "<redacted>-EC2:ECR" -> null
      - resource_types = [
          - "EC2",
          - "ECR",
        ] -> null
    }
│ Error: deleting AWS Inspector Enabler (<redacted>-EC2:ECR): operation error Inspector2: Disable, https response error StatusCode: 403, RequestID: c8fa7ee7-4472-4be8-8413-d0b36ab24362, AccessDeniedException: Lambda code scanning is not supported in ap-south-1

@michalz-rely

Any progress on that? I'm encountering a similar issue in the following regions:

  • ap-northeast-2
  • sa-east-1
  • ca-central-1
  • ap-south-1
  • ap-northeast-3
  • us-west-1
  • eu-west-3


@github-actions github-actions bot added this to the v5.69.0 milestone Sep 25, 2024

This functionality has been released in v5.69.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2024