hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Guard Duty: "The request is rejected because the input detectorId is not owned by the current account" #10925

Open julianbueno opened 4 years ago

julianbueno commented 4 years ago

Community Note

Terraform Version

Terraform v0.12.15

Affected Resource(s)

Terraform Configuration Files

provider "aws" {
  alias = "child_account"
}

L5: # resource "aws_guardduty_detector" "master" {
#   enable = true
# }

resource "aws_guardduty_detector" "member" {
  provider = aws.child_account
  enable = true
}

L14: resource "aws_guardduty_member" "child_account" {
  account_id  = aws_guardduty_detector.member.account_id
L16:  detector_id = "my master gd detector" #aws_guardduty_detector.master.id
  email       = var.member_email
  invite      = true
}

resource "aws_guardduty_invite_accepter" "member" {
  depends_on = [aws_guardduty_member.child_account]
  provider   = aws.child_account

  detector_id       = aws_guardduty_detector.member.id
L26:  master_account_id = "my master acc id" #aws_guardduty_detector.master.account_id
}
# Guardduty member provider
provider "aws" {
  alias  = "child_account"
  region = "ap-southeast-2"
  assume_role {
    role_arn = "arn:aws:iam::000000000:role/my-deploy-role"
  }
}

Debug Output

Error: Creating GuardDuty Member failed: BadRequestException: The request is rejected because the input detectorId is not owned by the current account.
        status code: 400, request id: cff90ae4-cecc-4d87-8157-47eb6e4f237b

  on ../../modules/guardduty/main.tf line 14, in resource "aws_guardduty_member" "child_account":
  14: resource "aws_guardduty_member" "child_account" {

Panic Output

N/A

Expected Behavior

The member account is added to the master account in GD

Actual Behavior

Error: The request is rejected because the input detectorId is not owned by the current account.

Steps to Reproduce

  1. terraform apply on the HCL above from your master account

Important Factoids

The master account already has GD enabled; that's the reason it is commented out. If I uncomment L5-7, L16 and L26 I get:

Error: Creating GuardDuty Member failed: BadRequestException: The request is rejected because the input detectorId is not owned by the current account.
        status code: 400, request id: 27d62ccc-9bf7-42d3-b18e-47d40a33db8a

  on ../../modules/guardduty/main.tf line 14, in resource "aws_guardduty_member" "child_account":
  14: resource "aws_guardduty_member" "child_account" {

References
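
The GuardDuty API only accepts a detectorId for CreateMembers that belongs to the account making the call, so the BadRequestException above is what you get whenever the credentials behind the provider used for aws_guardduty_member and the hard-coded detector_id disagree. The configuration below is an added example (not code from the issue author or from the provider project) showing the safer wiring: look the existing master detector and the master account id up through the default provider instead of hard-coding them, so detector_id is guaranteed to be owned by the account the provider authenticates as. It assumes the default provider's credentials are the GuardDuty master account, that a detector already exists there, and keeps the placeholder role ARN and var.member_email from the issue.

```hcl
# Root module. The default provider authenticates as the GuardDuty master
# account; the aliased provider assumes a role in the member account.
# (Assumed layout, added example; region and role ARN are the placeholders
# used in the issue.)
provider "aws" {
  region = "ap-southeast-2"
}

provider "aws" {
  alias  = "child_account"
  region = "ap-southeast-2"
  assume_role {
    role_arn = "arn:aws:iam::000000000:role/my-deploy-role"
  }
}

variable "member_email" {
  type = string
}

# Look up the detector that already exists in the master account rather than
# hard-coding its id. Because the data source runs under the default (master)
# provider, the returned id is by construction owned by that account.
data "aws_guardduty_detector" "master" {}

# Same idea for the master account id used by the invite accepter.
data "aws_caller_identity" "master" {}

resource "aws_guardduty_detector" "member" {
  provider = aws.child_account
  enable   = true
}

resource "aws_guardduty_member" "child_account" {
  # No provider argument: this call must be made by the master account, and
  # detector_id must be the master's detector, account_id the member's.
  account_id  = aws_guardduty_detector.member.account_id
  detector_id = data.aws_guardduty_detector.master.id
  email       = var.member_email
  invite      = true
}

resource "aws_guardduty_invite_accepter" "member" {
  depends_on = [aws_guardduty_member.child_account]
  provider   = aws.child_account

  # Runs in the member account: its own detector accepts the master's invite.
  detector_id       = aws_guardduty_detector.member.id
  master_account_id = data.aws_caller_identity.master.account_id
}
```

A quick check before applying: `aws guardduty list-detectors` run with the same credentials the default provider uses must return the detector id you expect aws_guardduty_member to send; if it returns a different id (or none), the member resource is being created under the wrong account, which is exactly the condition the API rejects.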

justinretzolk commented 2 years ago

Hey @julianbueno 👋 Thank you for taking the time to file this issue! Given that there's been a number of AWS provider releases since you initially filed it, can you confirm whether you're still experiencing this behavior?