[Bug]: aws_inspector2_enabler fails to create on 5.6.0 due to incorrect resource type constant #32334

Closed
irth opened this issue Jul 3, 2023 · 11 comments · Fixed by #33935
Labels
bug Addresses a defect in current functionality. service/inspector2 Issues and PRs that pertain to the inspector2 service.
Comments

@irth

irth commented Jul 3, 2023

Terraform Core Version

1.4.6

AWS Provider Version

5.6.0, 5.6.2, be00acc

Affected Resource(s)

  • resource aws_inspector2_enabler

Expected Behavior

data "aws_caller_identity" "this" {}

resource "aws_inspector2_enabler" "this" {
  account_ids = [data.aws_caller_identity.this.account_id]

  resource_types = ["EC2", "ECR", "LAMBDA"]
}

Applying the above configuration should enable Amazon Inspector, enabling scanning of EC2 instances, ECR registries and Lambda functions.

Actual Behavior

The provider correctly enables Inspector with EC2/ECR/Lambda scanning; however, after enabling the service, the resourceEnablerCreate function (internal/services/inspector2/enabler.go) checks whether it needs to disable any type of resource scan:

	// Wait for the Enable call to take effect, then read back the per-account status.
	st, err := waitEnabled(ctx, conn, accountIDs, d.Timeout(schema.TimeoutCreate))
	if err != nil {
		return append(diags, create.DiagError(names.Inspector2, create.ErrActionWaitingForCreation, ResNameEnabler, d.Id(), err)...)
	}

	var disableAccountIDs []string
	for acctID, acctStatus := range st {
		// Start from every scan type the API reports and drop the requested ones;
		// whatever remains must be disabled again.
		resourceStatuses := acctStatus.ResourceStatuses
		for _, resourceType := range typeEnable {
			delete(resourceStatuses, resourceType)
		}
		if len(resourceStatuses) > 0 {
			disableAccountIDs = append(disableAccountIDs, acctID)
			// The map keys are sent to the API as-is, so they must be valid enum values.
			in := &inspector2.DisableInput{
				AccountIds:    []string{acctID},
				ResourceTypes: maps.Keys(resourceStatuses),
			}

			_, err := conn.Disable(ctx, in)
			if err != nil {
				return append(diags, create.DiagError(names.Inspector2, create.ErrActionUpdating, ResNameEnabler, id, err)...)
			}
		}
	}

The typeEnable slice contains ["EC2", "ECR", "LAMBDA"] before the for loop runs, while the acctStatus.ResourceStatuses map has the keys ["EC2", "ECR", "LAMBDA", "LAMBDACODE"].

After the inner for loop deletes the resource types that should be enabled, we are left with LAMBDACODE, which is then passed to the Disable API call. At this point, the code fails, because the value should be LAMBDA_CODE, so it fails validation on the AWS API side.

This happens because the AccountStatuses function (from the same file), which is used to fetch the values from the API, gets a struct with a LambdaCode field and uses strings.ToUpper to convert it to a types.ResourceScanType constant from github.com/aws/aws-sdk-go-v2/service/inspector2/types:

		if a.AccountId == nil || a.State == nil {
			continue
		}
		status := AccountResourceStatus{
			Status:           a.State.Status,
			ResourceStatuses: make(map[types.ResourceScanType]types.Status, len(enum.Values[types.ResourceScanType]())),
		}
		// ResourceState is a struct; decoding it into a map keys the entries by
		// Go field name (e.g. "LambdaCode"), not by the API's enum string.
		var m map[string]*types.State
		e := mapstructure.Decode(a.ResourceState, &m)
		if e != nil {
			err = multierror.Append(err, e)
			continue
		}
		for k, v := range m {
			// ToUpper turns "LambdaCode" into "LAMBDACODE"; the enum value is "LAMBDA_CODE".
			status.ResourceStatuses[types.ResourceScanType(strings.ToUpper(k))] = v.Status
		}
		results[aws.ToString(a.AccountId)] = status

The correct value for the constant is LAMBDA_CODE.

Relevant Error/Panic Output Snippet

│ Error: updating Amazon Inspector Enabler ([REDACTED]-EC2:ECR:LAMBDA): operation error Inspector2: Disable, https response error StatusCode: 400, RequestID: [REDACTED], ValidationException: 1 validation error detected: Value at 'resourceTypes' failed to satisfy constraint: Member must satisfy constraint: [Member must satisfy enum value set: [LAMBDA_CODE, LAMBDA, ECR, EC2]]

Terraform Configuration Files

data "aws_caller_identity" "this" {}

resource "aws_inspector2_enabler" "this" {
  account_ids = [data.aws_caller_identity.this.account_id]

  resource_types = ["EC2", "ECR", "LAMBDA"]
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.6.0"
    }
  }
}

Steps to Reproduce

  1. paste the code into a tf file
  2. init & apply on an account with Inspector disabled
  3. wait for the error

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

Yes

@irth irth added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Jul 3, 2023
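The enum mismatch described in the issue, reproduced as an added example (this is not provider code). The ResourceScanType constants are the four values the API's ValidationException lists; State and ResourceState are assumed stand-ins for the SDK's types.State and types.ResourceState, and decodeToMap reproduces only the part of mapstructure.Decode that matters here (field name becomes map key). naiveScanType is the pre-fix ToUpper conversion; scanTypeFromField is a general CamelCase-to-SCREAMING_SNAKE_CASE conversion that also validates against the known enum so an unrecognized type is caught before it reaches Disable.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"strings"
	"unicode"
)

// ResourceScanType stands in for types.ResourceScanType; the four values are
// the ones the API's ValidationException in this issue lists.
type ResourceScanType string

const (
	ResourceScanTypeEc2        ResourceScanType = "EC2"
	ResourceScanTypeEcr        ResourceScanType = "ECR"
	ResourceScanTypeLambda     ResourceScanType = "LAMBDA"
	ResourceScanTypeLambdaCode ResourceScanType = "LAMBDA_CODE"
)

// isKnownScanType plays the role of checking enum.Values[types.ResourceScanType]().
func isKnownScanType(t ResourceScanType) bool {
	for _, v := range []ResourceScanType{ResourceScanTypeEc2, ResourceScanTypeEcr, ResourceScanTypeLambda, ResourceScanTypeLambdaCode} {
		if v == t {
			return true
		}
	}
	return false
}

// State and ResourceState are assumed stand-ins for types.State / types.ResourceState.
// Only the exported field names matter: mapstructure.Decode uses them as map keys.
type State struct{ Status string }

type ResourceState struct {
	Ec2        *State
	Ecr        *State
	Lambda     *State
	LambdaCode *State
}

// decodeToMap reproduces what mapstructure.Decode does for this struct:
// exported field name -> field value (nil pointers are kept).
func decodeToMap(rs ResourceState) map[string]*State {
	out := make(map[string]*State)
	v := reflect.ValueOf(rs)
	for i := 0; i < v.NumField(); i++ {
		out[v.Type().Field(i).Name] = v.Field(i).Interface().(*State)
	}
	return out
}

// naiveScanType is the pre-fix conversion: strings.ToUpper cannot insert the
// underscore, so "LambdaCode" becomes "LAMBDACODE", which the API rejects.
func naiveScanType(field string) ResourceScanType {
	return ResourceScanType(strings.ToUpper(field))
}

// scanTypeFromField converts a CamelCase field name to SCREAMING_SNAKE_CASE
// ("LambdaCode" -> "LAMBDA_CODE") and refuses anything outside the known enum,
// so a new multi-word type in the SDK struct fails here instead of at the API.
func scanTypeFromField(field string) (ResourceScanType, error) {
	var b strings.Builder
	for i, r := range field {
		if i > 0 && unicode.IsUpper(r) {
			b.WriteByte('_')
		}
		b.WriteRune(unicode.ToUpper(r))
	}
	t := ResourceScanType(b.String())
	if !isKnownScanType(t) {
		return "", fmt.Errorf("field %q maps to unknown resource scan type %q", field, t)
	}
	return t, nil
}

// typesToDisable mirrors resourceEnablerCreate's logic: every type the API
// reports that is not in the requested set must be disabled again.
func typesToDisable(requested []ResourceScanType, rs ResourceState) ([]ResourceScanType, error) {
	statuses := make(map[ResourceScanType]string)
	for field, st := range decodeToMap(rs) {
		if st == nil { // type never reported for this account
			continue
		}
		t, err := scanTypeFromField(field)
		if err != nil {
			return nil, err
		}
		statuses[t] = st.Status
	}
	for _, t := range requested {
		delete(statuses, t)
	}
	var out []ResourceScanType
	for t := range statuses {
		out = append(out, t)
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out, nil
}

func main() {
	// Constructed sample: the account reports all four scan types, while the
	// configuration asked for EC2, ECR and LAMBDA only.
	rs := ResourceState{Ec2: &State{"ENABLED"}, Ecr: &State{"ENABLED"}, Lambda: &State{"ENABLED"}, LambdaCode: &State{"ENABLED"}}
	fmt.Println("naive:", naiveScanType("LambdaCode"), "valid:", isKnownScanType(naiveScanType("LambdaCode")))
	out, err := typesToDisable([]ResourceScanType{ResourceScanTypeEc2, ResourceScanTypeEcr, ResourceScanTypeLambda}, rs)
	fmt.Println("disable:", out, "err:", err)
}
```

Run with `go run .`: the naive conversion yields LAMBDACODE (not a known value), while typesToDisable returns [LAMBDA_CODE], which is what a correct Disable call needs. The validation step is the part worth keeping in any real fix: an enum string that the SDK does not know should become an error in the provider, not a 400 from the API.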
@github-actions

github-actions bot commented Jul 3, 2023

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/inspector2 Issues and PRs that pertain to the inspector2 service. service/sts Issues and PRs that pertain to the sts service. labels Jul 3, 2023
@irth

irth commented Jul 3, 2023

Example fix; no time to do a proper pull request currently, unfortunately:

diff --git a/internal/service/inspector2/enabler.go b/internal/service/inspector2/enabler.go
index 5ca18829f8..b65d4477fb 100644
--- a/internal/service/inspector2/enabler.go
+++ b/internal/service/inspector2/enabler.go
@@ -536,6 +536,9 @@ func AccountStatuses(ctx context.Context, conn *inspector2.Client, accountIDs []
 			continue
 		}
 		for k, v := range m {
+			if k == "LambdaCode" {
+				k = "LAMBDA_CODE"
+			}
 			status.ResourceStatuses[types.ResourceScanType(strings.ToUpper(k))] = v.Status
 		}
 		results[aws.ToString(a.AccountId)] = status
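Review bot: the `if k == "LambdaCode"` special case fixes today's symptom but leaves `strings.ToUpper` as the general rule, so any other multi-word field name that appears in the decoded `m` will be turned into an invalid enum value and reach the Disable call exactly as LAMBDACODE did. Consider converting CamelCase field names to SCREAMING_SNAKE_CASE generically (or switching explicitly on each known field name) and validating the result against `enum.Values[types.ResourceScanType]()` before storing it in `status.ResourceStatuses`, appending an error for an unrecognized key instead of silently producing a value the API will reject. With the rewrite in place the `strings.ToUpper(k)` on the following line is redundant for that key and only hides the fact that the mapping is now partly hand-maintained.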
diff --git a/website/docs/r/inspector2_enabler.html.markdown b/website/docs/r/inspector2_enabler.html.markdown
index 64453a5664..38e2279f74 100644
--- a/website/docs/r/inspector2_enabler.html.markdown
+++ b/website/docs/r/inspector2_enabler.html.markdown
@@ -41,7 +41,7 @@ The following arguments are required:
 * `account_ids` - (Required) Set of account IDs.
   Can contain one of: the Organization's Administrator Account, or one or more Member Accounts.
 * `resource_types` - (Required) Type of resources to scan.
-  Valid values are `EC2`, `ECR`, and `LAMBDA`.
+  Valid values are `EC2`, `ECR`, `LAMBDA` and `LAMBDA_CODE`.
   At least one item is required.
 
 ## Attributes Reference
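Review bot: the docs now list `LAMBDA_CODE` as a valid `resource_types` value, but this diff contains no corresponding change to the resource schema's validation of `resource_types` and no acceptance test exercising the new value. Verify that the schema actually accepts `LAMBDA_CODE` (otherwise the documentation promises a value the plan will reject) and add a test that enables and then disables it, since the disable path is where the bug was.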

@justinretzolk justinretzolk removed service/sts Issues and PRs that pertain to the sts service. needs-triage Waiting for first response or review from a maintainer. labels Jul 6, 2023
@daveshepherd

I'm seeing this issue with provider 5.7.0.

@faaizzcr

Same issue still occurs with provider 5.8.0.

@ScottCruzen0

Also happens with provider 5.10.0

@ScottCruzen0

example fix, no time to do a proper pull request currently unfortunately:
...

This fix worked for me.

@CyrusTC

CyrusTC commented Aug 23, 2023

Also happens in provider 5.16.1

@nwalters512

This is also occurring with 5.17.0. In fact, the AWS provider crashes completely:

│ Error: updating Amazon Inspector Enabler (769954110362-EC2): operation error Inspector2: Disable, https response error StatusCode: 400, RequestID: f4969d73-6767-4945-93fb-2f6768c100c5, ValidationException: 1 validation error detected: Value at 'resourceTypes' failed to satisfy constraint: Member must satisfy constraint: [Member must satisfy enum value set: [LAMBDA_CODE, LAMBDA, ECR, EC2]]
│ 
│   with aws_inspector2_enabler.us-east-2,
│   on inspector.tf line 1, in resource "aws_inspector2_enabler" "us-east-2":
│    1: resource "aws_inspector2_enabler" "us-east-2" {
│ 
╵
╷
│ Error: Plugin did not respond
│ 
│   with aws_inspector2_enabler.ca-central-1,
│   on inspector.tf line 6, in resource "aws_inspector2_enabler" "ca-central-1":
│    6: resource "aws_inspector2_enabler" "ca-central-1" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵

Stack trace from the terraform-provider-aws_v5.17.0_x5 plugin:

panic: interface conversion: interface {} is nil, not map[string]inspector2.AccountResourceStatus

goroutine 369 [running]:
github.com/hashicorp/terraform-provider-aws/internal/service/inspector2.waitEnabled({0xed81520, 0xc001667620}, 0x10?, {0xc0056032d0?, 0x0?, 0x0?}, 0x45d964b800)
	github.com/hashicorp/terraform-provider-aws/internal/service/inspector2/enabler.go:423 +0x165
github.com/hashicorp/terraform-provider-aws/internal/service/inspector2.resourceEnablerCreate({0xed81520?, 0xc001667620}, 0xc000cbd300, {0xd9f0700?, 0xc0020cb180})
	github.com/hashicorp/terraform-provider-aws/internal/service/inspector2/enabler.go:164 +0x425
github.com/hashicorp/terraform-provider-aws/internal/provider.interceptedHandler[...].func1(0x0?, {0xd9f0700?, 0xc0020cb180?})
	github.com/hashicorp/terraform-provider-aws/internal/provider/intercept.go:111 +0x34b
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0xed81520?, {0xed81520?, 0xc001666660?}, 0xd?, {0xd9f0700?, 0xc0020cb180?})
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:773 +0x87
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc00145f880, {0xed81520, 0xc001666660}, 0xc00174e340, 0xc000cbd180, {0xd9f0700, 0xc0020cb180})
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:909 +0xa7e
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc0031ff7a0, {0xed81520?, 0xc001666540?}, 0xc0005427d0)
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1060 +0xe8d
github.com/hashicorp/terraform-plugin-mux/tf5muxserver.(*muxServer).ApplyResourceChange(0xed81478?, {0xed81520?, 0xc001666210?}, 0xc0005427d0)
	github.com/hashicorp/[email protected]/tf5muxserver/mux_server_ApplyResourceChange.go:36 +0x1b5
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc0009d60a0, {0xed81520?, 0xc001641800?}, 0xc000370b60)
	github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:859 +0x574
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0xd77c840?, 0xc0009d60a0}, {0xed81520, 0xc001641800}, 0xc000370a80, 0x0)
	github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:467 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc00005a780, {0xed8e9e0, 0xc0022041a0}, 0xc00163db00, 0xc0021766c0, 0x1512a4f8, 0x0)
	google.golang.org/[email protected]/server.go:1360 +0xe23
google.golang.org/grpc.(*Server).handleStream(0xc00005a780, {0xed8e9e0, 0xc0022041a0}, 0xc00163db00, 0x0)
	google.golang.org/[email protected]/server.go:1737 +0xa36
google.golang.org/grpc.(*Server).serveStreams.func1.1()
	google.golang.org/[email protected]/server.go:982 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/[email protected]/server.go:980 +0x18c

Error: The terraform-provider-aws_v5.17.0_x5 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Operation failed: failed running terraform apply (exit 1)
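The second failure in the stack trace above (a panic in waitEnabled rather than an API error) is the classic unconditional type assertion on a nil interface value. The following is an added example, not provider code: waitEnabled and AccountResourceStatus are assumed stand-ins for the waiter and type named in the panic, and the account ID and status in the sample output are constructed. unsafeStatuses reproduces the crash; safeStatuses shows the comma-ok form that turns the same condition into a returned error, which the SDK surfaces as a diagnostic instead of a plugin crash.

```go
package main

import (
	"errors"
	"fmt"
)

// AccountResourceStatus stands in (assumption) for the provider's
// inspector2.AccountResourceStatus named in the panic message.
type AccountResourceStatus struct{ Status string }

// waitEnabled mimics a plugin-sdk-style waiter: it returns the statuses as an
// untyped interface{} on success and (nil, err) on timeout or API error.
func waitEnabled(succeed bool) (interface{}, error) {
	if !succeed {
		return nil, errors.New("timeout while waiting for Inspector enabler")
	}
	// Constructed sample output for a single account.
	return map[string]AccountResourceStatus{"111111111111": {Status: "ENABLED"}}, nil
}

// unsafeStatuses is the crash pattern from the stack trace: an unconditional
// type assertion on a nil interface{} panics with
// "interface conversion: interface {} is nil, not map[string]...".
func unsafeStatuses(succeed bool) map[string]AccountResourceStatus {
	out, _ := waitEnabled(succeed)
	return out.(map[string]AccountResourceStatus)
}

// safeStatuses checks the waiter error first and uses the comma-ok form, so a
// failed wait or an unexpected output type becomes an error for Terraform's
// diagnostics instead of killing the plugin process.
func safeStatuses(succeed bool) (map[string]AccountResourceStatus, error) {
	out, err := waitEnabled(succeed)
	if err != nil {
		return nil, fmt.Errorf("waiting for enabler: %w", err)
	}
	st, ok := out.(map[string]AccountResourceStatus)
	if !ok {
		return nil, fmt.Errorf("unexpected waiter output type %T", out)
	}
	return st, nil
}

// panicked reports whether f panics; used only to contrast the two paths.
func panicked(f func()) (did bool) {
	defer func() {
		if recover() != nil {
			did = true
		}
	}()
	f()
	return false
}

func main() {
	fmt.Println("unsafe panics on failed wait:", panicked(func() { unsafeStatuses(false) }))
	_, err := safeStatuses(false)
	fmt.Println("safe returns error:", err)
}
```

The "Plugin did not respond" error on the second resource in the output above is the consequence: once one goroutine panics, the whole provider process is gone, so every other resource being applied in that run fails too.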

@statlus

statlus commented Oct 10, 2023

I'm also seeing this with provider 5.20.0.

@github-actions

This functionality has been released in v5.22.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2023