cloudposse / terraform-provider-awsutils

Terraform provider to help with various AWS automation tasks (mostly all that stuff we cannot accomplish with the official AWS terraform provider)
https://cloudposse.com/accelerate
Mozilla Public License 2.0

`awsutils_guardduty_organization_settings` Fails to Deploy to Security Account #25

Closed milldr closed 2 years ago

milldr commented 2 years ago


Describe the Bug

awsutils_guardduty_organization_settings fails when attempting to deploy to the security account after setting var.guardduty_admin_delegated=true

Expected Behavior

awsutils should deploy awsutils_guardduty_organization_settings successfully

Steps to Reproduce

Steps to reproduce the behavior:

  1. Set up the Cloud Posse compliance and compliance-root modules
  2. Apply compliance to security with var.guardduty_admin_delegated=false and securityhub_admin_delegated=false
  3. Apply compliance-root to root
  4. Apply compliance to security with var.guardduty_admin_delegated=true and securityhub_admin_delegated=true
  5. This last apply will fail with the following error:

```text
Plan: 1 to add, 0 to change, 0 to destroy.
awsutils_guardduty_organization_settings.this[0]: Creating...
╷
│ Error: error designating guardduty administrator account members: BadRequestException: The request is rejected because the input detectorId is not owned by the current account.
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "42811a85-80f8-4818-ad87-5bc1a80c462f"
│   },
│   Message_: "The request is rejected because the input detectorId is not owned by the current account.",
│   Type: "InvalidInputException"
│ }
│
│   with awsutils_guardduty_organization_settings.this[0],
│   on main.tf line 44, in resource "awsutils_guardduty_organization_settings" "this":
│   44: resource "awsutils_guardduty_organization_settings" "this" {
│
╵
Releasing state lock. This may take a few moments...
exit status 1
```

Logs

```text
-----------------------------------------------------: timestamp=2021-12-10T17:59:49.124Z
2021-12-10T17:59:49.533Z [INFO]  provider.terraform-provider-awsutils_v0.11.0: 2021/12/10 17:59:49 [DEBUG] [aws-sdk-go] DEBUG: Response guardduty/CreateMembers Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Access-Control-Allow-Headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-Content-Sha256,X-Amz-User-Agent,*,Date,X-Amz-Target,x-amzn-platform-id,x-amzn-trace-id
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: x-amzn-ErrorType,x-amzn-requestid,x-amzn-errormessage,x-amzn-trace-id,x-amz-apigw-id,Date
Access-Control-Max-Age: 86400
Content-Type: application/json
Date: Fri, 10 Dec 2021 17:59:49 GMT
X-Amz-Apigw-Id: xxx=
X-Amzn-Errortype: BadRequestException
X-Amzn-Requestid: 35150de3-96f7-484d-b599-6da002bd9a67
X-Amzn-Trace
```

Environment:

```text
Initializing provider plugins...
- terraform.io/builtin/terraform is built in to Terraform
- Reusing previous version of hashicorp/local from the dependency lock file
- Reusing previous version of hashicorp/external from the dependency lock file
- Reusing previous version of cloudposse/utils from the dependency lock file
- Reusing previous version of hashicorp/aws from the dependency lock file
- Reusing previous version of cloudposse/awsutils from the dependency lock file
- Using previously-installed cloudposse/awsutils v0.11.0
- Using previously-installed hashicorp/local v2.1.0
- Using previously-installed hashicorp/external v2.1.1
- Using previously-installed cloudposse/utils v0.17.10
- Using previously-installed hashicorp/aws v3.70.0
Terraform v1.1.2
on linux_amd64
```

Additional Context

milldr commented 2 years ago

@mcalhoun was able to resolve this issue as not a bug. The awsutils provider needs to have proper credentials given to it in the same way as a typical aws provider.

milldr commented 2 years ago

Here is an example provider configuration:

```hcl
# The awsutils provider has to be handed credentials for the target account
# explicitly, exactly as the hashicorp/aws provider is; otherwise it runs with
# whatever ambient credentials are present, which is what produced the
# "detectorId is not owned by the current account" error above.
provider "awsutils" {
  region = var.region

  # Use a named profile when profiles are enabled, otherwise assume the role.
  profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
  dynamic "assume_role" {
    for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
    content {
      role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
    }
  }
}

# Resolves the profile name / role ARN Terraform should use for this account.
module "iam_roles" {
  source  = "../account-map/modules/iam-roles"
  context = module.this.context
}

variable "import_profile_name" {
  type        = string
  default     = null
  description = "AWS Profile name to use when importing a resource"
}

variable "import_role_arn" {
  type        = string
  default     = null
  description = "IAM Role ARN to use when importing a resource"
}
```
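An added pre-apply check, not part of this issue or of the awsutils provider: it resolves the account that each named AWS CLI profile authenticates as and reports whether the awsutils provider would be calling GuardDuty from a different account than the one that owns the detector, which is the condition behind the error above. The profile names, the sample identity JSON and the fixed 12-digit account-id format are assumptions; the `assume_role` path of the configuration is not covered.

```python
import json
import subprocess
import sys
from typing import List, Optional

ACCOUNT_ID_LEN = 12  # assumption: AWS account ids are 12 decimal digits


def caller_identity_cmd(profile: Optional[str] = None) -> List[str]:
    """Build the AWS CLI call that returns the identity a profile's credentials resolve to."""
    cmd = ["aws", "sts", "get-caller-identity", "--output", "json"]
    if profile:
        cmd += ["--profile", profile]
    return cmd


def account_of(identity_json: str) -> str:
    """Extract the account id from `aws sts get-caller-identity` JSON output."""
    account = json.loads(identity_json)["Account"]
    if not (account.isdigit() and len(account) == ACCOUNT_ID_LEN):
        raise ValueError(f"unexpected Account value: {account!r}")
    return account


def diagnose(aws_account: str, awsutils_account: str) -> str:
    """Predict whether GuardDuty CreateMembers will accept a detector owned by aws_account
    when the call is made with the awsutils provider's credentials."""
    if aws_account == awsutils_account:
        return f"ok: both providers act as account {aws_account}"
    return (
        f"mismatch: awsutils is authenticated as {awsutils_account} but the "
        f"GuardDuty detector belongs to {aws_account}; CreateMembers will be "
        "rejected with 'detectorId is not owned by the current account'"
    )


if __name__ == "__main__":
    # usage: python check_awsutils_creds.py <aws-provider-profile> <awsutils-profile>
    if len(sys.argv) != 3:
        sys.exit("usage: check_awsutils_creds.py <aws-provider-profile> <awsutils-profile>")
    accounts = [
        account_of(subprocess.check_output(caller_identity_cmd(p), text=True))
        for p in sys.argv[1:3]
    ]
    verdict = diagnose(*accounts)
    print(verdict)
    sys.exit(0 if verdict.startswith("ok") else 1)
```

Run it with the profile the hashicorp/aws provider uses and the one you intend to hand to awsutils before `terraform apply`; a non-zero exit means the two providers would act as different accounts.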