aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

Invalid request provided: AWS::GuardDuty::Detector" #30476

Open huyhoang160593 opened 2 months ago

huyhoang160593 commented 2 months ago

Describe the bug

I can't build the CDK app with the Detector setting; it always fails no matter which option I pass to it, and the error returned is not clear enough for me to solve the problem.

Expected Behavior

build success

Current Behavior

Resource handler returned message: "Invalid request provided: AWS::GuardDuty::Detector" (RequestToken: 386124a9-63b8-fc97-1a1f-df2f79c895c2, HandlerErrorCode: InvalidRequest)

Reproduction Steps

import { CfnDetector } from 'aws-cdk-lib/aws-guardduty';

// GUARD_DUTY_ID is a construct id constant defined elsewhere in the app
const guardDuty = new CfnDetector(this, GUARD_DUTY_ID, {
  enable: true,
});

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.143.0

Framework Version

No response

Node.js Version

20.10.0

OS

Linux

Language

TypeScript

Language Version

Typescript 5.4.5

Other information

No response

pahud commented 2 months ago

This is an L1 construct and is pretty much a 1:1 mapping to the CFN resource.

Are you able to create that with the examples provided in the CFN doc here?

huyhoang160593 commented 2 months ago

@pahud I'm only using CDK and don't know how to use CFN, but when translating to CDK the same thing happens, and I'm stuck with those errors above.

beastlyDartfordian commented 2 months ago

This seems to be pretty inconsistent, as I'm having a similar issue. I managed to get it working for a simple setup like yours no problem, and when I add dataSources it continues to work.

However, when I add the "features" section as below, I also get an Invalid request provided error:

import * as cdk from 'aws-cdk-lib';

const guardDuty = new cdk.aws_guardduty.CfnDetector(this, 'GuardDutyDetector', {
  enable: true,
  // the L1 prop is a plain string; the service accepts FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS
  findingPublishingFrequency: 'ONE_HOUR',
  dataSources: {
    kubernetes: {
      auditLogs: {
        enable: true,
      },
    },
    malwareProtection: {
      scanEc2InstanceWithFindings: {
        ebsVolumes: true,
      },
    },
    s3Logs: {
      enable: true,
    },
  },
  // adding this features list next to dataSources is the part that produces the error
  features: [
    {
      name: 'RUNTIME_MONITORING',
      status: 'ENABLED',
    },
  ],
});

mparmer commented 2 months ago

I am also having this problem. I am trying to add features through CloudFormation, and getting the same errors as you guys:


  Detector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: True
      FindingPublishingFrequency: ONE_HOUR
      DataSources:
        S3Logs:
          Enable: true
      Features:
      - Name: RUNTIME_MONITORING
        Status: ENABLED

`Resource handler returned message: "Invalid request provided: AWS::GuardDuty::Detector" (RequestToken: xxxx, HandlerErrorCode: InvalidRequest)`

mparmer commented 2 months ago

Well, this is a contradictory error. I found while digging into CloudTrail that there are some UpdateDetector listings. Looking at those I was able to find this error message: "The request failed because both data sources and features were provided. You can provide only one; it is recommended to use features." I would guess that if you look at your CloudTrail console and find the UpdateDetector entries, you'll find out what the real error messages are.
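
The lookup described in the two posts above (finding the UpdateDetector entries in CloudTrail and reading the real error out of them), as an added example that is not part of this thread or of the aws-cdk project. It parses CloudTrail records in their documented JSON shape and returns every failed GuardDuty detector call with its service-side message; the sample records are constructed for the example, with the error text quoted from mparmer's finding.

```typescript
// Added example, not code from the aws-cdk project or from anyone in this thread.
// It pulls the real GuardDuty error text out of CloudTrail UpdateDetector /
// CreateDetector records, which is where the thread says the actual cause of
// the generic "Invalid request provided" CloudFormation error is visible.
// Field names follow the CloudTrail record format; the records themselves
// are constructed for this example.

interface CloudTrailRecord {
  eventTime: string;
  eventSource: string;
  eventName: string;
  errorCode?: string;
  errorMessage?: string;
  requestParameters?: Record<string, unknown>;
  responseElements?: Record<string, unknown> | null;
}

interface DetectorCallError {
  eventTime: string;
  eventName: string;
  code: string;
  message: string;
}

// Constructed sample: one successful CreateDetector, one UpdateDetector that the
// service rejected (message quoted from the thread), and one unrelated event.
const sampleRecords: CloudTrailRecord[] = [
  {
    eventTime: '2024-06-05T10:00:00Z',
    eventSource: 'guardduty.amazonaws.com',
    eventName: 'CreateDetector',
    requestParameters: { enable: true },
    responseElements: { detectorId: 'EXAMPLE-DETECTOR-ID' },
  },
  {
    eventTime: '2024-06-05T10:00:02Z',
    eventSource: 'guardduty.amazonaws.com',
    eventName: 'UpdateDetector',
    errorCode: 'BadRequestException',
    requestParameters: {
      detectorId: 'EXAMPLE-DETECTOR-ID',
      dataSources: { s3Logs: { enable: true } },
      features: [{ name: 'RUNTIME_MONITORING', status: 'ENABLED' }],
    },
    responseElements: {
      message:
        'The request failed because both data sources and features were provided. ' +
        'You can provide only one; it is recommended to use features.',
    },
  },
  {
    eventTime: '2024-06-05T10:00:03Z',
    eventSource: 'cloudformation.amazonaws.com',
    eventName: 'DescribeStackEvents',
    responseElements: null,
  },
];

// Return every failed GuardDuty detector call with its real error message.
// CloudTrail may carry the failure in errorMessage, or (as observed in the
// thread) only inside responseElements.message, so both places are checked.
function extractDetectorErrors(records: CloudTrailRecord[]): DetectorCallError[] {
  const failures: DetectorCallError[] = [];
  for (const r of records) {
    if (r.eventSource !== 'guardduty.amazonaws.com') continue;
    if (r.eventName !== 'UpdateDetector' && r.eventName !== 'CreateDetector') continue;
    const responseMessage = r.responseElements?.message;
    const message =
      r.errorMessage ?? (typeof responseMessage === 'string' ? responseMessage : undefined);
    if (message === undefined) continue;
    failures.push({
      eventTime: r.eventTime,
      eventName: r.eventName,
      code: r.errorCode ?? 'UnknownError',
      message,
    });
  }
  return failures;
}

// Parse a CloudTrail log file ({"Records": [...]}) and report the failures in it.
function detectorErrorsFromTrailFile(json: string): DetectorCallError[] {
  const parsed = JSON.parse(json) as { Records?: CloudTrailRecord[] };
  return extractDetectorErrors(parsed.Records ?? []);
}

for (const f of detectorErrorsFromTrailFile(JSON.stringify({ Records: sampleRecords }))) {
  console.log(`${f.eventTime} ${f.eventName} ${f.code}: ${f.message}`);
}
```

Point `detectorErrorsFromTrailFile` at a CloudTrail log file downloaded from the trail's S3 bucket, or feed `extractDetectorErrors` the `Events` returned by the CloudTrail `LookupEvents` API filtered on `EventName = UpdateDetector`; only the GuardDuty detector calls that actually failed come back, which is the information the CloudFormation error hides.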

MightySepp666 commented 1 month ago

@mparmer thanks for the tip to look into CloudTrail - saved me hours of stupid trial and error 🙏 (as is usually the case with these 🤬 useless generic error messages of CloudFormation...).

Just in case anyone else stumbles across this issue: there are several different reasons for this generic deployment error (like specifying certain combinations of features together, or providing feature names that can be returned but are not allowed as input). Of course there's no decent documentation about that. But after filtering for UpdateDetector events in CloudTrail, you can see the actual error message in responseElements and fix these issues one by one.

It would be really great if these checks could already be performed upfront in an L2 construct, as it would tremendously reduce developers' wasted time.
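
An added example of the kind of upfront check the post above asks for; it is not code from the aws-cdk project or from this thread. It validates a CfnDetector-style props object before synth against the rule mparmer found in CloudTrail (dataSources and features are mutually exclusive) plus the value constraints a deploy would otherwise reject. The property names mirror the L1 props used in this thread, but aws-cdk-lib is deliberately not imported so the check runs stand-alone; the accepted feature names, the mapping of s3Logs to S3_DATA_EVENTS, and the publishing-frequency values are assumptions taken from the GuardDuty API reference and must be kept in sync with it.

```typescript
// Added example, not aws-cdk project code: a validation of CfnDetector-style
// props run before synth, so the rules the thread could only discover through
// CloudTrail fail fast in the app. The property names mirror the L1 props used
// above; aws-cdk-lib is intentionally not imported so this runs stand-alone.
// The accepted feature names and publishing frequencies are assumptions taken
// from the GuardDuty API reference and must be kept in sync with it.

interface DetectorFeatureInput {
  name: string;
  status: string;
}

interface DetectorPropsInput {
  enable: boolean;
  findingPublishingFrequency?: string;
  dataSources?: Record<string, unknown>;
  features?: DetectorFeatureInput[];
}

const PUBLISHING_FREQUENCIES = new Set(['FIFTEEN_MINUTES', 'ONE_HOUR', 'SIX_HOURS']);
const FEATURE_STATUSES = new Set(['ENABLED', 'DISABLED']);
// Feature names accepted as UpdateDetector input (assumed from the API reference).
// Names that GetDetector can return but that are rejected as input are deliberately absent.
const INPUT_FEATURE_NAMES = new Set([
  'S3_DATA_EVENTS',
  'EKS_AUDIT_LOGS',
  'EBS_MALWARE_PROTECTION',
  'RDS_LOGIN_EVENTS',
  'EKS_RUNTIME_MONITORING',
  'LAMBDA_NETWORK_LOGS',
  'RUNTIME_MONITORING',
]);

// Return every problem found; an empty array means the props pass these checks.
function validateDetectorProps(props: DetectorPropsInput): string[] {
  const errors: string[] = [];
  // The rule found in CloudTrail: the legacy dataSources block and the features
  // list are mutually exclusive, and features is the one the service recommends.
  if (props.dataSources !== undefined && props.features !== undefined) {
    errors.push('dataSources and features were both provided; use features only');
  }
  const freq = props.findingPublishingFrequency;
  if (freq !== undefined && !PUBLISHING_FREQUENCIES.has(freq)) {
    errors.push(
      `findingPublishingFrequency '${freq}' is not one of ${Array.from(PUBLISHING_FREQUENCIES).join(', ')}`,
    );
  }
  const seen = new Set<string>();
  for (const f of props.features ?? []) {
    if (!INPUT_FEATURE_NAMES.has(f.name)) {
      errors.push(`feature '${f.name}' is not an accepted input feature name`);
    }
    if (seen.has(f.name)) {
      errors.push(`feature '${f.name}' is listed more than once`);
    }
    seen.add(f.name);
    if (!FEATURE_STATUSES.has(f.status)) {
      errors.push(`feature '${f.name}' has status '${f.status}'; expected ENABLED or DISABLED`);
    }
  }
  return errors;
}

// Throw at synth time instead of learning about the problem from a failed deployment.
function assertValidDetectorProps(props: DetectorPropsInput): DetectorPropsInput {
  const errors = validateDetectorProps(props);
  if (errors.length > 0) {
    throw new Error(`GuardDuty detector props rejected:\n  ${errors.join('\n  ')}`);
  }
  return props;
}

// The shape that failed in the thread: legacy dataSources plus a features entry.
const mixedProps: DetectorPropsInput = {
  enable: true,
  findingPublishingFrequency: 'ONE_HOUR',
  dataSources: { s3Logs: { enable: true } },
  features: [{ name: 'RUNTIME_MONITORING', status: 'ENABLED' }],
};

// The same intent expressed with features only. The mapping of s3Logs to
// S3_DATA_EVENTS is assumed from the API reference.
const featuresOnlyProps: DetectorPropsInput = {
  enable: true,
  findingPublishingFrequency: 'ONE_HOUR',
  features: [
    { name: 'S3_DATA_EVENTS', status: 'ENABLED' },
    { name: 'RUNTIME_MONITORING', status: 'ENABLED' },
  ],
};

console.log(validateDetectorProps(mixedProps));
console.log(validateDetectorProps(featuresOnlyProps));
```

In a CDK app the props would be passed through `assertValidDetectorProps` before being handed to `CfnDetector`, so `cdk synth` fails with the list of problems rather than the deployment failing with the generic message. The rule about feature combinations that the post mentions is not encoded here, because the thread does not say which combinations are rejected.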

spensireli commented 1 month ago

I am having a similar issue when trying to build an L2 construct. It seems the generated L1 construct is not complete. If you look at the documentation for the CfnDetector construct and attempt to use the provided example TypeScript, you will receive:

Object literal may only specify known properties, and 'kubernetes' does not exist in type 'IResolvable | CFNDataSourceConfigurationsProperty'.ts(2353)

The same goes for malware protection and features, as you can see in the generated construct code in guardduty.generated.d.ts:

export declare namespace CfnDetector {
    /**
     * @external
     * @link http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-guardduty-detector-cfndatasourceconfigurations.html
     */
    interface CFNDataSourceConfigurationsProperty {
        /**
         * `CfnDetector.CFNDataSourceConfigurationsProperty.S3Logs`.
         *
         * @external
         * @link http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-guardduty-detector-cfndatasourceconfigurations.html#cfn-guardduty-detector-cfndatasourceconfigurations-s3logs
         */
        readonly s3Logs?: CfnDetector.CFNS3LogsConfigurationProperty | cdk.IResolvable;
    }
}

You can see that it seems to be missing the properties mentioned in the CloudFormation documentation. I could be mistaken, but any guidance would be appreciated.