hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Guard Duty: "The request is rejected because the input detectorId is not owned by the current account" #10925

Open julianbueno opened 5 years ago

julianbueno commented 5 years ago


Terraform Version

Terraform v0.12.15

Affected Resource(s)

Terraform Configuration Files

# ../../modules/guardduty/main.tf (per the error output below); the bare alias
# block is the module's proxy provider configuration, filled in by the root module.
provider "aws" {
  alias = "child_account"
}

# L5-7: commented out because the master account already has GuardDuty enabled
# resource "aws_guardduty_detector" "master" {
#   enable = true
# }

resource "aws_guardduty_detector" "member" {
  provider = aws.child_account
  enable   = true
}

# L14
resource "aws_guardduty_member" "child_account" {
  account_id  = aws_guardduty_detector.member.account_id
  detector_id = "my master gd detector" # L16: placeholder, otherwise aws_guardduty_detector.master.id
  email       = var.member_email
  invite      = true
}

resource "aws_guardduty_invite_accepter" "member" {
  depends_on = [aws_guardduty_member.child_account]
  provider   = aws.child_account

  detector_id       = aws_guardduty_detector.member.id
  master_account_id = "my master acc id" # L26: placeholder, otherwise aws_guardduty_detector.master.account_id
}

# Guardduty member provider (root-module side; the module above only declares the alias)
provider "aws" {
  alias  = "child_account"
  region = "ap-southeast-2"
  assume_role {
    role_arn = "arn:aws:iam::000000000:role/my-deploy-role"
  }
}

Debug Output

Error: Creating GuardDuty Member failed: BadRequestException: The request is rejected because the input detectorId is not owned by the current account. status code: 400, request id: cff90ae4-cecc-4d87-8157-47eb6e4f237b

  on ../../modules/guardduty/main.tf line 14, in resource "aws_guardduty_member" "child_account":
  14: resource "aws_guardduty_member" "child_account" {

Panic Output

N/A

Expected Behavior

The member account is added to the master account in GD

Actual Behavior

Error: The request is rejected because the input detectorId is not owned by the current account.

Steps to Reproduce

  1. terraform apply on the HCL above from your master account

Important Factoids

The master account already has GD enabled; that's the reason it is commented out. If I uncomment L5-7, L16 and L26 I get:

Error: Creating GuardDuty Member failed: BadRequestException: The request is rejected because the input detectorId is not owned by the current account.
        status code: 400, request id: 27d62ccc-9bf7-42d3-b18e-47d40a33db8a

  on ../../modules/guardduty/main.tf line 14, in resource "aws_guardduty_member" "child_account":
  14: resource "aws_guardduty_member" "child_account" {

References
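For comparison, an added root-module wiring (not from the issue or the provider's own docs) that reads the master account's existing detector through the aws_guardduty_detector data source instead of hard-coding its id, and pins each GuardDuty resource to the provider whose account the API expects to own the detector. The "master" and "child_account" aliases, the region and var.member_email are assumptions.

```hcl
# Added example: every GuardDuty resource is pinned to an explicit provider so the
# account that owns each detector_id is the one making the call.
# Aliases "master"/"child_account", the region and var.member_email are assumed.
provider "aws" {
  alias  = "master"
  region = "ap-southeast-2"
}

provider "aws" {
  alias  = "child_account"
  region = "ap-southeast-2"
  assume_role {
    role_arn = "arn:aws:iam::MEMBER_ACCOUNT_ID:role/my-deploy-role" # placeholder
  }
}

# The master already has GuardDuty enabled, so read its detector, don't create one.
data "aws_guardduty_detector" "master" {
  provider = aws.master
}

# Which account the master provider actually authenticates as (compare with the error).
data "aws_caller_identity" "master" {
  provider = aws.master
}

resource "aws_guardduty_detector" "member" {
  provider = aws.child_account
  enable   = true
}

# Runs as the master: the API rejects a detector_id not owned by the calling account.
resource "aws_guardduty_member" "child_account" {
  provider    = aws.master
  account_id  = aws_guardduty_detector.member.account_id
  detector_id = data.aws_guardduty_detector.master.id
  email       = var.member_email
  invite      = true
}

resource "aws_guardduty_invite_accepter" "member" {
  provider   = aws.child_account
  depends_on = [aws_guardduty_member.child_account]
  detector_id       = aws_guardduty_detector.member.id
  master_account_id = data.aws_caller_identity.master.account_id
}

output "master_account_id" { value = data.aws_caller_identity.master.account_id }
```

Running `terraform plan` with this layout shows the resolved master account id and detector id up front, which is the quickest way to confirm the member resource is being created from the account that owns the detector.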

justinretzolk commented 2 years ago

Hey @julianbueno 👋 Thank you for taking the time to file this issue! Given that there's been a number of AWS provider releases since you initially filed it, can you confirm whether you're still experiencing this behavior?

github-actions[bot] commented 4 days ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!