Open Jamie-Leon opened 2 years ago
Hey @Jamie-Leon 👋 Thank you for taking the time to raise this! I suspect that this may be expected behavior, if you're attempting to use the aws_guardduty_invite_accepter resource to attempt to accept an invite that's been accepted already (automatically or otherwise).
I don't have a quick way of testing this, especially without knowing how your Terraform configuration is structured, but perhaps you could use the relationship_status attribute of an aws_guardduty_member resource (assuming that's how you're creating the memberships) to conditionally create the aws_guardduty_invite_accepter resource?
Admittedly, this might not work, because on the initial creation of the aws_guardduty_member resource, there may be some delay in that invite being automatically accepted (assuming that's what's happening) that might mean the relationship_status is incorrectly reflected when the resource is read. I figured I'd mention it anyway, given that I'm not certain that there's a way around this without potentially adding an aws_guardduty_invite data source.
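The conditional-creation pattern suggested in the comment above, written out as an added example (not code from the issue, the commenter, or the provider's own documentation). It assumes two provider aliases, admin (the GuardDuty administrator account) and member (the account joining), and uses placeholder account IDs and email addresses; the "Invited" value is the relationship_status GuardDuty reports while an invitation is still pending.

```hcl
# Added example: create aws_guardduty_invite_accepter only while an invitation
# is actually pending. Provider aliases, account IDs and the email are
# placeholders/assumptions for this example.

provider "aws" {
  alias  = "admin"   # GuardDuty administrator account
  region = "eu-west-1"
}

provider "aws" {
  alias  = "member"  # account being added as a member
  region = "eu-west-1"
}

# Identity of the administrator account, used as master_account_id below.
data "aws_caller_identity" "admin" {
  provider = aws.admin
}

resource "aws_guardduty_detector" "admin" {
  provider = aws.admin
  enable   = true
}

resource "aws_guardduty_detector" "member" {
  provider = aws.member
  enable   = true
}

# Membership is created from the administrator side.
resource "aws_guardduty_member" "member" {
  provider                   = aws.admin
  detector_id                = aws_guardduty_detector.admin.id
  account_id                 = "222222222222"        # placeholder member account ID
  email                      = "security@example.com" # placeholder
  invite                     = true
  disable_email_notification = true
}

# For an organization member that was auto-enabled, relationship_status is
# already "Enabled" rather than "Invited", so count evaluates to 0 and the
# provider never searches for a pending invitation that no longer exists.
resource "aws_guardduty_invite_accepter" "member" {
  provider          = aws.member
  count             = aws_guardduty_member.member.relationship_status == "Invited" ? 1 : 0
  detector_id       = aws_guardduty_detector.member.id
  master_account_id = data.aws_caller_identity.admin.account_id
}
```

Two caveats apply. Terraform must know the count value at plan time, so this works once the aws_guardduty_member already exists in state (for example after a first apply, or with the member in a separate root module); on a fresh apply that creates the member and the accepter together, Terraform reports that count cannot be determined until apply. And, as the comment notes, immediately after the member is created GuardDuty may still report "Invited" for an account that the organization is about to auto-enable, in which case a later apply will show the accepter being removed once the status settles on "Enabled".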
We're having the same issue. GuardDuty and Security Hub both have tons of similar issues.
Terraform Core Version
0.13
AWS Provider Version
4.28.0
Affected Resource(s)
aws_guardduty_invite_accepter
Expected Behavior
Accepts the invite from the master account
Actual Behavior
Receive the following error, and when checking the master account, the member account is enabled.
I think this is due to the account being a member of the organisation, therefore automatically being accepted.
Error: error listing GuardDuty Invitations: unable to find pending GuardDuty Invitation for detector ID (80c1c1a16ea7acd335f63483nfgnffb) from master account ID (1111111111)
  on ../../modules/guardduty/main.tf line 20, in resource "aws_guardduty_invite_accepter" "invite-accepter":
  20: resource "aws_guardduty_invite_accepter" "invite-accepter" {
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
This is not something I can provide due to the business I work for
Steps to Reproduce
Having a member account of the org and enabling GuardDuty through Terraform.
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
This is currently breaking our entire AWS code base due to newly vended accounts not requiring the invite_accepter but the existing accounts do.
Would you like to implement a fix?
No