hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: "aws_guardduty_invite_accepter" not working as expected in AWS organisations #27009

Open Jamie-Leon opened 2 years ago

Jamie-Leon commented 2 years ago

Terraform Core Version

0.13

AWS Provider Version

4.28.0

Affected Resource(s)

aws_guardduty_invite_accepter

Expected Behavior

Accepts the invite from the master account

Actual Behavior

Receive the following error and when checking the master account the member account is enabled

I think this is due to the account being a member of the organisation, therefore automatically being accepted.

```
Error: error listing GuardDuty Invitations: unable to find pending GuardDuty Invitation for detector ID (80c1c1a16ea7acd335f63483nfgnffb) from master account ID (1111111111)

  on ../../modules/guardduty/main.tf line 20, in resource "aws_guardduty_invite_accepter" "invite-accepter":
  20: resource "aws_guardduty_invite_accepter" "invite-accepter" {
```

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

This is not something I can provide due to the business I work for

Steps to Reproduce

Having a member account of the org and enabling guard duty through terraform

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

This is currently breaking our entire AWS code base due to newly vended accounts not requiring the invite_accepter but the existing accounts do.

Would you like to implement a fix?

No


justinretzolk commented 1 year ago

Hey @Jamie-Leon 👋 Thank you for taking the time to raise this! I suspect that this may be expected behavior, if you're attempting to use the aws_guardduty_invite_accepter resource to attempt to accept an invite that's been accepted already (automatically or otherwise).

I don't have a quick way of testing this, especially without knowing how your Terraform configuration is structured, but perhaps you use the relationship_status attribute of an aws_guardduty_member resource (assuming that's how you're creating the memberships) to conditionally create the aws_guardduty_invite_accepter resource?

Admittedly, this might not work, because on the initial creation of the aws_guardduty_member resource, there may be some delay in that invite being automatically accepted (assuming that's what's happening) that might mean the relationship_status is incorrectly reflected when the resource is read. I figured I'd mention it anyways, given that I'm not certain that there's a way around this without potentially adding an aws_guardduty_invite data source.
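The conditional pattern suggested in the comment above, written out as an added example (this is not the provider's or the reporter's configuration). It assumes two provider aliases, one for the GuardDuty administrator account and one for the member account, placeholder account IDs and email, and that `relationship_status` reports `Invited` only while an invitation is still pending. Because `relationship_status` is a computed attribute, the `count` expression is unknown until `aws_guardduty_member` exists, so a first apply targeted at the member resource (or at the administrator-side resources) is needed before a full apply; the delay the comment mentions also applies, since a read taken before the organization auto-accepts may still show `Invited`.

```hcl
# Added example (not from the provider or the issue author).
# Assumptions: provider aliases "admin" and "member", placeholder account IDs.

provider "aws" {
  alias  = "admin"
  region = "us-east-1"
}

provider "aws" {
  alias  = "member"
  region = "us-east-1"
}

# A detector must exist in both accounts before membership can be managed.
resource "aws_guardduty_detector" "admin" {
  provider = aws.admin
  enable   = true
}

resource "aws_guardduty_detector" "member" {
  provider = aws.member
  enable   = true
}

# Membership is created from the administrator account.
resource "aws_guardduty_member" "this" {
  provider    = aws.admin
  account_id  = "222222222222"       # placeholder member account ID
  detector_id = aws_guardduty_detector.admin.id
  email       = "member@example.com" # placeholder contact address
  invite      = true
}

locals {
  # Only accept while an invitation is actually pending. Accounts that the
  # organization already enabled report another status (e.g. "Enabled") and
  # skip the accepter, avoiding the "unable to find pending GuardDuty
  # Invitation" error on apply.
  invite_pending = aws_guardduty_member.this.relationship_status == "Invited"
}

# Accepted from the member account; count is 0 when nothing is pending.
resource "aws_guardduty_invite_accepter" "this" {
  count             = local.invite_pending ? 1 : 0
  provider          = aws.member
  detector_id       = aws_guardduty_detector.member.id
  master_account_id = "111111111111" # placeholder administrator account ID
}
```

The reference to `aws_guardduty_member.this` inside `count` creates an implicit dependency, so no `depends_on` is needed; the trade-off is that an initial apply must be staged with `-target` so the membership status is known before the accepter's count is evaluated.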

nikolay commented 1 year ago

We're having the same issue. GuardDuty and Security Hub both have tons of similar issues.