Open stimmerman opened 1 year ago
@stimmerman The aws_guardduty_organizations_organization resource itself isn't responsible for enabling or disabling services at the organization level, and this should be configured at the aws_organizations_organization level. For example, see the following acceptance test:

resource "aws_organizations_organization" "test" {
  aws_service_access_principals = [
    "guardduty.${data.aws_partition.current.dns_suffix}",
    "malware-protection.guardduty.${data.aws_partition.current.dns_suffix}",
  ]
  feature_set = "ALL"
}
@stimmerman: Hello, did you try to add this resource in the Management Account of your Organization:

resource "aws_organizations_resource_policy" "example" {
  content = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatingNecessaryDescribeListActions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
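Putting the two comments above together, here is an added example (not from this issue and not the provider's own test code) of a management-account configuration: it enables both GuardDuty service principals on the organization, delegates GuardDuty administration, and attaches the read-only Organizations resource policy for the delegated administrator. The delegated-admin account ID, the `locals` name and the resource names are assumed placeholders.

```hcl
# Management account. Both service principals are required; the second one
# covers the Malware Protection setting the issue asks about.
data "aws_partition" "current" {}

locals {
  admin_account_id = "111111111111" # delegated-admin account: placeholder (assumption)
}

resource "aws_organizations_organization" "this" {
  aws_service_access_principals = [
    "guardduty.${data.aws_partition.current.dns_suffix}",
    "malware-protection.guardduty.${data.aws_partition.current.dns_suffix}",
  ]
  feature_set = "ALL"
}

# Delegate GuardDuty administration; the organization must exist first.
resource "aws_guardduty_organization_admin_account" "this" {
  depends_on       = [aws_organizations_organization.this]
  admin_account_id = local.admin_account_id
}

# Organizations resource policy: describe/list only, so the delegated admin
# can enumerate the organization without any mutating Organizations actions.
resource "aws_organizations_resource_policy" "delegated_admin" {
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "DelegatingNecessaryDescribeListActions"
      Effect = "Allow"
      Principal = {
        AWS = "arn:${data.aws_partition.current.partition}:iam::${local.admin_account_id}:root"
      }
      Action = [
        "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount", "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy", "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents",
        "organizations:ListChildren", "organizations:ListAccounts",
        "organizations:ListAccountsForParent", "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget", "organizations:ListTargetsForPolicy",
        "organizations:ListTagsForResource",
      ]
      Resource = "*"
    }]
  })
}
```

The aws_guardduty_organization_configuration resource (and its Malware Protection auto-enable settings) is then applied from the delegated-admin account, not from the management account shown here.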
Description

We're using both the aws_guardduty_organization_admin_account resource and the aws_guardduty_organization_configuration resource in a configuration like this:

This will result in the following error:

To resolve that error you need to switch on the "Allow delegated administrator to attach relevant permissions to enable Malware Protection for member accounts." option as shown below:

The "Learn more" link points to: https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html#configure-malware-protection-multi-account

The AWS CLI command for enabling this toggle is:

It would be great if the aws_guardduty_organization_admin_account resource could get support for managing this.

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

References

Would you like to implement a fix?
No