chore(security-hub): handle SecurityHubNoEnabledRegionsError (#9635)

2026-01-25 02:08:11 +00:00 · 2025-12-22 16:50:36 +01:00
parent 19ceb7db88
commit 0719e31b58
3 changed files with 20 additions and 19 deletions
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -9,7 +9,10 @@ All notable changes to the **Prowler API** are documented in this file.

 ---

-## [1.17.1] (Prowler UNRELEASED)
+## [1.17.1] (Prowler v5.16.1)
+
+### Changed
+- Security Hub integration error when no regions [(#9635)](https://github.com/prowler-cloud/prowler/pull/9635)

 ### Fixed
 - Orphan scheduled scans caused by transaction isolation during provider creation [(#9633)](https://github.com/prowler-cloud/prowler/pull/9633)
--- a/api/src/backend/tasks/jobs/integrations.py
+++ b/api/src/backend/tasks/jobs/integrations.py
@@ -19,6 +19,9 @@ from prowler.providers.aws.aws_provider import AwsProvider
 from prowler.providers.aws.lib.s3.s3 import S3
 from prowler.providers.aws.lib.security_hub.security_hub import SecurityHub
 from prowler.providers.common.models import Connection
+from prowler.providers.aws.lib.security_hub.exceptions.exceptions import (
+    SecurityHubNoEnabledRegionsError,
+)

 logger = get_task_logger(__name__)

@@ -222,8 +225,9 @@ def get_security_hub_client_from_integration(
        )
        return True, security_hub
    else:
-        # Reset regions information if connection fails
+        # Reset regions information if connection fails and integration is not connected
        with rls_transaction(tenant_id, using=MainRouter.default_db):
+            integration.connected = False
            integration.configuration["regions"] = {}
            integration.save()

@@ -330,15 +334,18 @@ def upload_security_hub_integration(
                                )

                                if not connected:
-                                    logger.error(
-                                        f"Security Hub connection failed for integration {integration.id}: "
-                                        f"{security_hub.error}"
-                                    )
-                                    with rls_transaction(
-                                        tenant_id, using=MainRouter.default_db
+                                    if isinstance(
+                                        security_hub.error,
+                                        SecurityHubNoEnabledRegionsError,
                                    ):
-                                        integration.connected = False
-                                        integration.save()
+                                        logger.warning(
+                                            f"Security Hub integration {integration.id} has no enabled regions"
+                                        )
+                                    else:
+                                        logger.error(
+                                            f"Security Hub connection failed for integration {integration.id}: "
+                                            f"{security_hub.error}"
+                                        )
                                    break  # Skip this integration

                                security_hub_client = security_hub
@@ -409,22 +416,16 @@ def upload_security_hub_integration(
                            logger.warning(
                                f"Failed to archive previous findings: {str(archive_error)}"
                            )
-
            except Exception as e:
                logger.error(
                    f"Security Hub integration {integration.id} failed: {str(e)}"
                )
-                continue

        result = integration_executions == len(integrations)
        if result:
            logger.info(
                f"All Security Hub integrations completed successfully for provider {provider_id}"
            )
-        else:
-            logger.error(
-                f"Some Security Hub integrations failed for provider {provider_id}"
-            )

        return result

--- a/api/src/backend/tasks/tests/test_integrations.py
+++ b/api/src/backend/tasks/tests/test_integrations.py
@@ -1199,9 +1199,6 @@ class TestSecurityHubIntegrationUploads:
                    )

        assert result is False
-        # Integration should be marked as disconnected
-        integration.save.assert_called_once()
-        assert integration.connected is False

    @patch("tasks.jobs.integrations.ASFF")
    @patch("tasks.jobs.integrations.FindingOutput")