
[Bug]: aws_inspector2_member_association did not log access denied #38895

Closed
roynesholen opened this issue Aug 16, 2024 · 7 comments · Fixed by #38254
Labels
bug Addresses a defect in current functionality. service/inspector2 Issues and PRs that pertain to the inspector2 service.
Comments

@roynesholen

roynesholen commented Aug 16, 2024

Terraform Core Version

1.9.4

AWS Provider Version

5.63.0

Affected Resource(s)

resource "aws_inspector2_member_association" "members" {
  provider   = aws
  for_each   = toset(local.member_account_ids)
  account_id = each.key
  depends_on = [aws_inspector2_enabler.audit_eu-north-1]
}

Expected Behavior

CloudTrail logs for this resource log Access Denied when I miss the correct Allowed inspector2 policy.

Actual Behavior

│ Error: creating Amazon Inspector Member Association (186558567702): waiting for completion: couldn't find resource (21 retries)

│   with aws_inspector2_member_association.members["xxxxxxxxxx"],
│   on inspector.tf line 61, in resource "aws_inspector2_member_association" "members":
│   61: resource "aws_inspector2_member_association" "members" {

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

###########################################
# Enable Amazon Inspector in Audit account in eu-north-1
# Audit account is delegated admin in landingzone repo
###########################################

resource "aws_inspector2_enabler" "audit_eu-north-1" {
  count          = var.org_inspector2_enabled ? 1 : 0
  resource_types = ["ECR", "EC2", "LAMBDA", "LAMBDA_CODE"]
  account_ids    = [data.aws_caller_identity.current.account_id]
}

#Inspector auto-enable on new member accounts in eu-north-1
resource "aws_inspector2_organization_configuration" "eu_north_1" {
  count    = var.org_inspector2_enabled ? 1 : 0
  provider = aws
  auto_enable {
    ec2         = var.enable_ec2
    ecr         = var.enable_ecr
    lambda      = var.enable_lambda
    lambda_code = var.enable_lambda_code && var.enable_lambda
  }
  depends_on = [aws_inspector2_enabler.audit_eu-north-1]
}

# Identity of the audit (delegated admin) account, so it can be excluded from the member list
data "aws_caller_identity" "current" {}

# Get all accounts in the organization; the audit account itself is excluded below
data "aws_organizations_organization" "org_eu_north_1" {
  provider = aws
}

locals {
  enabler_resource_types = compact([
    var.enable_ec2 ? "EC2" : null,
    var.enable_ecr ? "ECR" : null,
    var.enable_lambda ? "LAMBDA" : null,
    var.enable_lambda_code && var.enable_lambda ? "LAMBDA_CODE" : null,
  ])

  # Active accounts only; compare the account ID to the caller's account_id string
  # (comparing against the data source object itself is never equal, so the audit account would not be excluded)
  member_account_ids = [
    for account in data.aws_organizations_organization.org_eu_north_1.accounts :
    account.id if account.status == "ACTIVE" && account.id != data.aws_caller_identity.current.account_id
  ]
}

#Associate all member accounts with the audit account eu-north-1
resource "aws_inspector2_member_association" "members" {
  provider   = aws
  for_each   = toset(local.member_account_ids)
  account_id = each.key
  depends_on = [aws_inspector2_enabler.audit_eu-north-1]
}


#enable Inspector scans in the member accounts in region eu-north-1
resource "aws_inspector2_enabler" "members_eu_north_1" {
  provider       = aws
  for_each       = toset(local.member_account_ids)
  account_ids    = [each.key]
  resource_types = local.enabler_resource_types
  depends_on     = [aws_inspector2_member_association.members]
}

Steps to Reproduce

Do not give the correct inspector2 Allowed policy needed for aws_inspector2_member_association.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@roynesholen roynesholen added the bug Addresses a defect in current functionality. label Aug 16, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/inspector2 Issues and PRs that pertain to the inspector2 service. service/organizations Issues and PRs that pertain to the organizations service. labels Aug 16, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 16, 2024
@justinretzolk
Member

Hey @roynesholen 👋 Thank you for taking the time to raise this! Are you able to provide debug logs (redacted as needed)?

@justinretzolk justinretzolk removed service/organizations Issues and PRs that pertain to the organizations service. needs-triage Waiting for first response or review from a maintainer. labels Aug 19, 2024
@roynesholen
Author

@justinretzolk
Hi,
I added a filtered Terraform debug log for this test account in the sandbox.
The Terraform debug log states the access denied reason.

debug.log

The normal log says 21 retries...
module.inspector-eu-west-1[0].aws_inspector2_member_association.members["xxxxx"]: Still creating... [2m20s elapsed]
module.inspector-eu-west-1[0].aws_inspector2_member_association.members["xxxxx"]: Still creating... [2m30s elapsed]
module.inspector-eu-north-1[0].aws_inspector2_member_association.members["xxxxx"]: Still creating... [2m31s elapsed]

│ Error: creating Amazon Inspector Member Association (xxxxxx): waiting for completion: couldn't find resource (21 retries)

│ with module.inspector-eu-west-1[0].aws_inspector2_member_association.members["xxxxx"],
│ on modules/inspector/inspector.tf line 37, in resource "aws_inspector2_member_association" "members":
│ 37: resource "aws_inspector2_member_association" "members" {

@roynesholen
Author

FYI: The next inspector2 service that I also forgot in the policy logged the deny reason correctly in the standard logs.
module.inspector-eu-west-1[0].aws_inspector2_member_association.members["xxxxxxx"]: Destroying... [id=xxxxxxx]

│ Error: deleting Amazon Inspector Member Association (xxxxxx): operation error Inspector2: DisassociateMember, https response error StatusCode: 403, RequestID: 8e4d0931-3707-45db-aaed-e2b163c0d713, AccessDeniedException: User: arn:aws:sts::xxxxx:assumed-role/xxx/aws-go-sdk-1724414893096856936 is not authorized to perform: inspector2:DisassociateMember on resource: arn:aws:inspector2:eu-north-1:xxxxxx:/members/disassociate
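The two behaviours in the comments above, side by side, as an added Go example that is not provider code: a create waiter that treats every error as "not found" hides the AccessDeniedException behind "couldn't find resource (N retries)", while a waiter that retries only the transient not-found case returns the access-denied cause on the first poll, as the delete path does. The error type, the not-found sentinel and the action string are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// accessDeniedError stands in for the SDK's AccessDeniedException (constructed
// for this example; the real SDK type is not used so the block runs offline).
type accessDeniedError struct{ action string }

func (e *accessDeniedError) Error() string {
	return "AccessDeniedException: not authorized to perform: " + e.action
}

// errNotFound is the transient "member not yet visible" condition that a
// create waiter legitimately retries on.
var errNotFound = errors.New("couldn't find resource")

// retryPolicy decides whether an error from the poll call should be retried.
type retryPolicy func(error) bool

// retryAnything mirrors the behaviour seen in the issue: every error is treated
// as not-found and retried until the budget is exhausted.
func retryAnything(error) bool { return true }

// retryOnlyNotFound retries the transient case only; AccessDeniedException and
// any other error end the wait immediately so the real cause reaches the user.
func retryOnlyNotFound(err error) bool { return errors.Is(err, errNotFound) }

// waitForMember polls get until it succeeds, the policy stops it, or retries run out.
// The exhaustion message deliberately drops the last error, as in the reported output.
func waitForMember(get func() error, policy retryPolicy, maxRetries int, delay time.Duration) error {
	for i := 0; i < maxRetries; i++ {
		err := get()
		if err == nil {
			return nil
		}
		if !policy(err) {
			return fmt.Errorf("waiting for completion: %w", err)
		}
		time.Sleep(delay)
	}
	return fmt.Errorf("waiting for completion: %w (%d retries)", errNotFound, maxRetries)
}

func main() {
	denied := func() error { return &accessDeniedError{action: "inspector2:GetMember"} }
	fmt.Println("observed: ", waitForMember(denied, retryAnything, 3, 0))
	fmt.Println("corrected:", waitForMember(denied, retryOnlyNotFound, 3, 0))
}
```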


@github-actions github-actions bot added this to the v5.69.0 milestone Sep 25, 2024

This functionality has been released in v5.69.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2024