aws-samples / amazon-guardduty-for-aws-organizations-with-terraform

Using Terraform to enable Amazon GuardDuty for accounts in AWS Organizations.
MIT No Attribution

Terraform should auto-enable GuardDuty #6

Closed hamza15 closed 1 year ago

hamza15 commented 1 year ago

Description: Running the base template as per documentation and it seems like TF errors out on the last step as part of creating GuardDuty members.

Process followed (as documented):

Error logs:

```
Error: Creating GuardDuty Detector failed: UnrecognizedClientException: 
│       status code: 403, request id: xxx-xxx-xxx
│ 
│   with module.guardduty_baseline_<region>.aws_guardduty_detector.MyDetector[0],
│   on modules/guardduty-baseline/main.tf line 28, in resource "aws_guardduty_detector" "MyDetector":
│   28: resource "aws_guardduty_detector" "MyDetector" {
│ 
╵
╷
│ Error: error waiting for GuardDuty Member "<member-id>" invite: Error waiting for GuardDuty email verification: error reading GuardDuty Member "<account-id>": member missing from response
│ 
│   with module.guardduty_baseline_<region>.aws_guardduty_member.members[1],
│   on modules/guardduty-baseline/main.tf line 76, in resource "aws_guardduty_member" "members":
│   76: resource "aws_guardduty_member" "members" {
```

Expected Behavior: GuardDuty should be auto-enabled in the delegated admin account and all member accounts once deployment is kicked off. There should be no need to do email verification.

aarthkan commented 1 year ago

@hamza15 thank you for reporting this issue. I did a check at my end, but I couldn't replicate this issue. I would suggest checking at your end the following:

  1. Please ensure if all the steps have been followed as per the prescribed guidance here: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html
  2. Please check if your solution has met all the prerequisites & product versions as well as complies with the limitations described in the prescriptive guidance provided in (1), especially the one where Amazon GuardDuty should not be enabled in any of the accounts in any Target Regions. If by chance GuardDuty is already enabled using the older member-invite method, please take the necessary steps to dissociate the members before trying to use this pattern to enable GuardDuty via the Organizations method.

fl42 commented 1 year ago

Hello,

I got the same error. It failed to add the management account (the organization was deployed using AWS Control Tower). GuardDuty was never enabled in the management account.

TF trace logs are not really useful: `[DEBUG] [aws-sdk-go] {"members":[],"unprocessedAccounts":[{"result":"Internal error","accountId":"<MANAGEMENT-ACCOUNT-ID"}]}`

How could I troubleshoot?

aarthkan commented 1 year ago

@fl42 If you have been testing a few times, perhaps GuardDuty was partially enabled in a few accounts. This error happens the next time round, due to the GuardDuty detector not being deleted in member accounts after a previous run. The method to fix it would be to go to each account and disable GuardDuty in the region you are deploying to. I will add a clean-up option to clear the GuardDuty detector in existing accounts as part of the repo. Meanwhile, please clear manually via the Console or using the CLI before proceeding to re-deploy the pattern.

fl42 commented 1 year ago

Indeed, I have run the Terraform several times (as it seems idempotent).

I checked using the console and CLI that GuardDuty is not enabled in the account where deployment is failing (here the management account). Also, it worked fine with all other accounts in the organisation in all regions. And it does not work in any region of the management account. Is it supported to deploy GD in the management account (organization administrator)?

For the management account: Using the console, I got the "Enable GuardDuty" page (so GD is disabled, right?). Using the CLI:

```
AWS_REGION=eu-west-3 aws guardduty list-detectors 
{
    "DetectorIds" : []
}
```

(for all regions defined in target_regions of configuration.json) So it seems there is no detector in the member account.

Any other clues?

Thanks for your support, much appreciated!
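
As an added example (not code from the repo or from either commenter), the per-account, per-region pre-check that aarthkan describes above, built on the same `aws guardduty list-detectors` call fl42 ran: it walks every target region passed as an argument and reports any leftover detector, so the check can be run in each account before re-applying the pattern. It assumes the AWS CLI is on PATH with credentials for the account being checked; the JSON parsing is plain sed/tr so jq is not required.

```sh
#!/bin/sh
# Added example (not from the repo): pre-deployment check for leftover GuardDuty
# detectors. Assumes the AWS CLI is on PATH with credentials for the account
# under check; the regions to inspect are passed as arguments, e.g. eu-west-3.

# Print the detector ids found in the JSON that `aws guardduty list-detectors`
# returns, one per line; prints nothing when the region has no detector.
detector_ids_from_json() {
  printf '%s' "$1" | tr -d ' \n\t\r' \
    | sed -n 's/.*"DetectorIds":\[\([^]]*\)\].*/\1/p' \
    | tr ',' '\n' | tr -d '"' | grep -v '^$' || true
}

# Number of detectors in the same JSON (0 when the list is empty).
count_detectors() {
  detector_ids_from_json "$1" | grep -c . || true
}

# Query each region and report where a detector still exists. Returns 1 if any
# region still has one (or could not be queried), so the check can gate a
# pipeline; a region that fails to answer needs the same attention as one with
# a leftover detector (a 403 here matches the first error in the issue).
check_regions() {
  leftover=0
  for region in "$@"; do
    json=$(AWS_REGION="$region" aws guardduty list-detectors --output json 2>/dev/null) || {
      echo "$region: list-detectors failed (check credentials/permissions)" >&2
      leftover=1
      continue
    }
    n=$(count_detectors "$json")
    if [ "$n" -gt 0 ]; then
      echo "$region: $n detector(s) still present: $(detector_ids_from_json "$json" | tr '\n' ' ')"
      leftover=1
    else
      echo "$region: no detector"
    fi
  done
  return "$leftover"
}

# Stand-alone use: sh check_guardduty.sh eu-west-1 eu-west-3 ...
if [ "$#" -gt 0 ]; then
  check_regions "$@"
fi
```

Run it once per account (management account included) in every region listed in your target regions; any line reporting a detector is an account/region to disable GuardDuty in before re-running Terraform.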

fl42 commented 1 year ago

Finally I solved the issue by manually enabling GuardDuty in the management account. Then from the security account I added the management account as GuardDuty member. Now it works. Not sure why GD was not automatically enabled for management account but ok for others.

Anyway, thanks again for your support!

Mirdrack commented 1 year ago

I also experienced the same issue, but I can validate the solution @fl42 provided. After manually enabling it on the management account, the script worked like a charm.