Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

awscc_inspectorv2_filter: support for vulnerable_packages.file_path criteria #2123

Open
srsapient opened this issue Dec 9, 2024 · 2 comments

Comments

@srsapient
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.8.3
AWS CC Provider v1.23.0

Affected Resource(s)

  • awscc_inspectorv2_filter

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "awscc_inspectorv2_filter" "this" {
  name               = "something"
  description     = "something"
  filter_action    = "SUPPRESS"
  filter_criteria   = {
      resource_type = [
        {
          comparison = "EQUALS",
          value      = "AWS_ECR_CONTAINER_IMAGE"
        }
      ],
      vulnerable_packages = [
        {
          file_path = {
            comparison = "PREFIX",
            value      = "databricks/"
          }
        }
      ]
    }
}

Debug Output

Panic Output

Expected Behavior

The filter is correctly created

To get the full picture, we manually created the filter on AWS Console and wanted to import it in Terraform. I noticed that in resource documentation vulnerable_packages.file_path is not a valid input, but when executing aws inspector2 list-filters we can see its value so it should be supported by AWS API.

Actual Behavior

Terraform fails to create resource with an error

Error: AWS SDK Go Service Operation Incomplete
with awscc_inspectorv2_filter.this["Databricks internal packages"]
on filters.tf line 172, in resource "awscc_inspectorv2_filter" "this":
resource "awscc_inspectorv2_filter" "this" {
Waiting for Cloud Control API service UpdateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Must specify at least 1 attribute in PackageFilter (Service: Inspector2, Status Code: 400, Request ID: xxxx). ErrorCode: InvalidRequest

Steps to Reproduce

  1. terraform apply

Important Factoids

References

@quixoticmonk
Copy link
Collaborator

Thank you for opening the issue @srsapient . The AWSCC provider is auto generated based on the CloudFormation schema AWS::InspectorV2::Filter which currently doesn't support a filePath under the VulnerablePackages input. This will need to be present on the CloudFormation schema for the AWSCC provider to have support.

Having said that, I have reached out to the service team to check on the CloudFormation schema here. If and when the schema includes this filter reference, AWSCC will include that. I will leave the issue open for any additional question for the time being. The issue might get closed as this is an enhancement request which should ideally be on the CloudFormation schema.

@quixoticmonk
Copy link
Collaborator

Confirmed that the CloudFormation schema update is yet to happen for these changes. The provider will pick those PackageFilter updates once the schema is published and picked up by the build on the AWSCC provider side. I will leave this open for a few more days in case you have any more questions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants