Closed hamza15 closed 1 year ago
@hamza15 thank you for reporting this issue. I did a check at my end, but I couldn't replicate this issue. I would suggest checking at your end the following:
Hello,
I got the same error. It failed to add the management account (the organization was deployed using AWS Control Tower). GuardDuty was never enabled in the management account.
TF trace logs are not really useful:

```
[DEBUG] [aws-sdk-go] {"members":[],"unprocessedAccounts":[{"result":"Internal error","accountId":"<MANAGEMENT-ACCOUNT-ID>"}]}
```
How could I troubleshoot?
@fl42 If you have been testing a few times, perhaps GuardDuty was partially enabled in a few accounts. This error happens the next time round, due to the GuardDuty detector not being deleted in member accounts after a previous run. The way to fix it would be to go to each account and disable GuardDuty in the region you are deploying to. I will add a clean-up option to clear the GuardDuty detector in existing accounts as part of the repo. Meanwhile, please clear it manually via the Console or using the CLI before proceeding to re-deploy the pattern.
Indeed, I have run the Terraform several times (as it seems idempotent).
I checked using the console and CLI that GuardDuty is not enabled in the account where deployment is failing (here the management account). Also, it worked fine with all other accounts in the organisation in all regions. And it does not work in any region of the management account. Is it supported to deploy GD in the management account (organization administrator)?
For the management account: using the console, I got the "Enable GuardDuty" page (so GD is disabled, right?). Using the CLI:

```
AWS_REGION=eu-west-3 aws guardduty list-detectors
{
    "DetectorIds": []
}
```

(for all regions defined in target_regions of configuration.json)
So it seems there is no detector in the member account.
Any other clues?
Thanks for your support, much appreciated!
Finally I solved the issue by manually enabling GuardDuty in the management account. Then from the security account I added the management account as GuardDuty member. Now it works. Not sure why GD was not automatically enabled for management account but ok for others.
Anyway, thanks again for your support!
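As an added example (not code from the repository or from any commenter in this thread), the checks and the workaround described above, written as a bash script: it lists detectors in every region named in configuration.json's target_regions, reporting which regions return an empty DetectorIds list, and then performs the two manual steps fl42 described, enabling GuardDuty under management-account credentials and adding that account as a member under delegated-administrator credentials. The configuration.json path, the presence of jq, and the root e-mail address that the create-members call requires are assumptions.

```bash
#!/usr/bin/env bash
# Added example for this thread, not code from the repository being discussed.
# Assumptions: AWS CLI v2 and jq are installed; configuration.json has a
# "target_regions" array (as mentioned in the thread); the caller switches
# credentials between the management account and the delegated-admin account.
set -euo pipefail

AWS=${AWS:-aws}   # command used for every call; overridable for dry runs/tests

# Regions to check, taken from target_regions in configuration.json (assumed path).
target_regions() {
  jq -r '.target_regions[]' "${1:-configuration.json}"
}

# Exit status 0 if the current credentials own a GuardDuty detector in region $1,
# 1 if DetectorIds is empty (the state reported for the management account).
has_detector() {
  local region=$1 count
  count=$("$AWS" guardduty list-detectors --region "$region" \
            --query 'length(DetectorIds)' --output text)
  [ "$count" -gt 0 ]
}

# Read region names on stdin and print one status line per region.
audit_regions() {
  local region
  while read -r region; do
    if has_detector "$region"; then
      echo "$region: detector present"
    else
      echo "$region: no detector"
    fi
  done
}

# Step 1 of the workaround: with MANAGEMENT-account credentials, enable GuardDuty
# in region $1. Prints the new detector ID.
enable_in_management() {
  "$AWS" guardduty create-detector --enable --region "$1" \
      --query 'DetectorId' --output text
}

# Step 2: with DELEGATED-ADMIN (security account) credentials, add the management
# account ($2, root e-mail $3) as a member of the admin's detector in region $1.
add_management_as_member() {
  local region=$1 mgmt_id=$2 mgmt_email=$3 admin_detector
  admin_detector=$("$AWS" guardduty list-detectors --region "$region" \
                     --query 'DetectorIds[0]' --output text)
  "$AWS" guardduty create-members --region "$region" --detector-id "$admin_detector" \
      --account-details "AccountId=$mgmt_id,Email=$mgmt_email"
}

# Usage: ./gd-workaround.sh audit | enable REGION | add-member REGION ACCOUNT_ID EMAIL
case "${1:-}" in
  audit)      target_regions | audit_regions ;;
  enable)     enable_in_management "$2" ;;
  add-member) add_management_as_member "$2" "$3" "$4" ;;
esac
```

Run `audit` once with management-account credentials and once with delegated-admin credentials before re-applying the Terraform; a region that prints "no detector" for the management account is the case in the thread, and `enable` followed by `add-member` in that region reproduces the manual fix.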
I also experienced the same issue, but I can validate the solution @fl42 provided. After manually enabling it on the management account, the script worked like a charm.
Description: Running the base template as per documentation and it seems like TF errors out on the last step as part of creating GuardDuty members.
Process followed (as documented):
Error logs:
Expected Behavior: GuardDuty should be auto-enabled in the delegated admin account and all member accounts once deployment is kicked off. There should be no need for email verification.