Securityhub recent MemberStatus changes

[reactiveinactive]

AWS released changes today to SecurityHub that changed the MemberStatus fields to contain a few different values then is currently supported by the terraform AWS provider. Because of this change the "invited" field is not correctly calculated when retrieving the current SecurityHub member subscription

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform: v0.12.29
AWS Provider: 3.17.0

Affected Resource(s)

• aws_securityhub_member

Terraform Configuration Files

resource "aws_securityhub_member" "member" {
  account_id = 00000000000
  email      = my.email@email.com
  invite     = true
}

Debug Output

https://gist.github.com/reactiveinactive/862d8b3e4928918b95c06983e7418f1b

Panic Output

Expected Behavior

After the Securityhub invite is accepted by the master the terraform run should run without any changes

Actual Behavior

After accepting the securityhub invitation the resource assumes the invitation is not performed yet and tries to perform a new one.
-/+ resource "aws_securityhub_member" "member" {
account_id = "00000000000"
email = "my.email@email.com"
~ id = "00000000000" -> (known after apply)
~ invite = false -> true # forces replacement
~ master_id = "11111111111111" -> (known after apply)
~ member_status = "Enabled" -> (known after apply)
}

Steps to Reproduce

1. Create a plan with a securityhub member
2. Run the plan
3. Accept the invitation
4. Run the plan again

Important Factoids

Issue is occurring since today due to recent AWS API changes
https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Member.html
https://github.com/aws/aws-sdk-java/blame/a23c826512114220ff623b9d449489c3822b058e/aws-java-sdk-securityhub/src/main/java/com/amazonaws/services/securityhub/model/Member.java#L71

References

[pjaudiomv]

I am also facing this issue on GovCloud

[lorengordon]

I'm seeing this also. The MemberStatus value of aws securityhub get-members has changed... Seems to have changed from Associated to Enabled (though only guessing at the prior value from the code in the aws provider).

$ aws securityhub get-members --account-ids redacted
{
    "Members": [
        {
            "AccountId": "redacted",
            "Email": "redacted",
            "MasterId": "redacted",
            "MemberStatus": "Enabled",
            "UpdatedAt": "2020-11-18T00:26:55.193Z"
        }
    ],
    "UnprocessedAccounts": []
}

[bflad]

Has anyone opened an AWS Support case to confirm if this change was planned and permanent?

[lorengordon]

@bflad No support case yet, but the change is in the docs... https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Member.html

MemberStatus
The status of the relationship between the member account and its master account.

The status can have one of the following values:

CREATED - Indicates that the master account added the member account, but has not yet invited the member account.
INVITED - Indicates that the master account invited the member account. The member account has not yet responded to the invitation.
ENABLED - Indicates that the member account is currently active. For manually invited member accounts, indicates that the member account accepted the invitation.
REMOVED - Indicates that the master account disassociated the member account.
RESIGNED - Indicates that the member account disassociated themselves from the master account.
DELETED - Indicates that the master account deleted the member account.

Type: String

Pattern: .\S.

Required: No

[pjaudiomv]

https://awsapichanges.info/archive/changes/d2b896-securityhub.html

they must of updated it in support of https://aws.amazon.com/about-aws/whats-new/2020/11/aws-security-hub-integrates-with-aws-organizations-for-simplified-security-posture-management/

[lorengordon]

I just opened a support case to confirm this change to the MemberStatus value was intentional.

[donaldjarmstrongbremer]

Highlights from our support ticket response

https://aws.amazon.com/about-aws/whats-new/2020/11/aws-security-hub-integrates-with-aws-organizations-for-simplified-security-posture-management/

With this launch there has been a few minor changes to SecurityHub multi-account configuration behaviors, 
one of them which are the following:
-Member accounts in Security Hub were previously ASSOCIATED with a master account (which is now renamed
to the administrator account). We have changed the terminology to align with GuardDuty's. ASSOCIATED has been
replaced with ENABLED. The Enabled status has now been introduced with the Organizations integration to AWS
Security Hub.

This is mentioned in the following announcement:
https://forums.aws.amazon.com/ann.jspa?annID=8164

[bflad]

Okay, thank you for that very helpful information. I have requested that the fix include both the old and new values, since Organizations support is not available in all regions. I would expect that we can get something out later today or tomorrow.

[lorengordon]

@bflad Just confirming AWS Support responded to me with the same information.

In short: Yes, it is intentional and permanent. Let me explain:

The reason for this change of our 'MemberStatus' from "Associated" to "Enabled"[1] is due to our new launch As of 23rd November 2020, AWS Security Hub is now integrated with AWS Organizations to simplify security posture management across all of your existing and future AWS accounts in an organization. With this launch, new and existing Security Hub customers can delegate any account in their organization as the Security Hub administrator and centrally view security findings from up to 5,000 AWS accounts among other features. You can check out the link below [2] for further information regarding this launch.

With this launch there has been a few minor changes to SecurityHub multi-account configuration behaviors, one of them which are the following:

-Member accounts in Security Hub were previously ASSOCIATED with a master account (which is now renamed to the administrator account). We have changed the terminology to align with GuardDuty. ASSOCIATED has been replaced with ENABLED. The Enabled status has now been introduced with the Organizations integration to AWS Security Hub.

This is mentioned in the announcement here as well [3].
1: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Member.html
2: https://aws.amazon.com/about-aws/whats-new/2020/11/aws-security-hub-integrates-with-aws-organizations-for-simplified-security-posture-management/
3: https://forums.aws.amazon.com/ann.jspa?annID=8164

[bflad]

The fix to support both the old and new member status values has been merged and will release with version 3.18.0 of the Terraform AWS Provider, likely within the next 24 hours. Thank you to @reactiveinactive for the quick implementation work. 👍

[ghost]

This has been released in version 3.18.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[lorengordon]

Well, I just updated to 3.18.0, but I'm still seeing the resource cycle... 🤔

-/+ resource "aws_securityhub_member" "this" {
        account_id    = "redacted"
        email         = "redacted"
      ~ id            = "redacted" -> (known after apply)
      ~ invite        = false -> true # forces replacement
      ~ master_id     = "redacted" -> (known after apply)
      ~ member_status = "Enabled" -> (known after apply)
    }

[lorengordon]

False alarm, all is well. Had to clear out the terraform cache for some reason. /shrug

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!