hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: GuardDuty GovCloud `BadRequestException` #34311

Open d-christie opened 1 year ago

d-christie commented 1 year ago

Terraform Core Version

0.12.31

AWS Provider Version

5.24

Affected Resource(s)

aws_guardduty_organization_configuration deployed in GovCloud partition.

Expected Behavior

Terraform configuration has an aws_guardduty_detector resource and an aws_guardduty_organization_configuration resource. A targeted apply creates the detector successfully. A targeted apply creates the configuration successfully. The plan shows the set of features described in the aws_guardduty_organization_configuration code. malware_protection is not mentioned in code or in the plans.

Actual Behavior

A targeted apply creates the aws_guardduty_detector resource successfully. A targeted apply of the aws_guardduty_organization_configuration resource throws a BadRequestException error. The error message refers to the first line of this resource. The plan shows malware_protection in the configuration with auto_enable = (known after apply), indicating the default values will be used. There is no mention of malware_protection in the Terraform configuration because this feature is not available in the GovCloud partition.

When GuardDuty is configured through the console and imported into the state, the apply runs with no errors. Any modifications result in the same BadRequestException error.

This behaviour is not seen in commercial partition accounts. The fact that malware_protection is shown in the GovCloud plans, whether disabled or using default values, suggests that Terraform is sending an API request with attributes invalid for the GovCloud partition.

Relevant Error/Panic Output Snippet

Error: updating GuardDuty Organization Configuration (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx): BadRequestException: The request is rejected because an invalid or out-of-range value is specified as an input parameter.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "2229a69a-1cd9-4637-b200-a07bd81cb8f7"
  },
  Message_: "The request is rejected because an invalid or out-of-range value is specified as an input parameter.",
  Type: "InvalidInputException"
}

  on ../guardduty/main.tf line 24, in resource "aws_guardduty_organization_configuration" "govcloud_config":
  24: resource "aws_guardduty_organization_configuration" "govcloud_config" {

Terraform Configuration Files

resource "aws_guardduty_detector" "master" {
  enable = true
}

resource "aws_guardduty_organization_configuration" "comm_config" {
  count                            = var.govcloud ? 0 : 1
  auto_enable_organization_members = "ALL"
  detector_id                      = aws_guardduty_detector.master.id

  datasources {
    s3_logs {
      auto_enable = true
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          auto_enable = true
        }
      }
    }
  }
}

resource "aws_guardduty_organization_configuration" "govcloud_config" {
  count                            = var.govcloud ? 1 : 0
  auto_enable_organization_members = "ALL"
  detector_id                      = aws_guardduty_detector.master.id

  datasources {
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    s3_logs {
      auto_enable = true
    }
  }
}

Steps to Reproduce

  1. Ran a destroy in two GovCloud regions to start from the start.
  2. Set up GuardDuty through the console for us-gov-west-1.
  3. Imported detector and configuration resources into the state.
  4. Ran targeted apply on detector and configuration resources. Plans showed no changes. This validates the Terraform code as being in line with what I need deployed on AWS platform.
  5. Ran targeted apply on detector and configuration resources in us-gov-east-1 without first setting it up in the console and importing. Detector created successfully, configuration throws BadRequestException error.

Debug Output

No response

Panic Output

No response

Important Factoids

Problem is seen in GovCloud regions, not in commercial regions.

References

https://registry.terraform.io/providers/hashicorp/aws/5.24.0/docs/resources/guardduty_detector
https://registry.terraform.io/providers/hashicorp/aws/5.24.0/docs/resources/guardduty_organization_configuration

Would you like to implement a fix?

None


ChristopherEdwardsNTC commented 8 months ago

I had the same issue and found that I didn't have

resource "aws_guardduty_organization_admin_account" "guardduty_admin_account" {
  admin_account_id = aws_organizations_account.admin_account.id
}

set to the account I tried to run "aws_guardduty_organization_configuration" on.
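An added preflight check for the two conditions raised in this thread (example code, not from the issue or the provider): it reads the JSON form of a Terraform plan and flags an aws_guardduty_organization_configuration that would send a malware_protection block, explicit or defaulted, to a GovCloud region, which the report says the partition rejects, and a plan that lacks the aws_guardduty_organization_admin_account resource the last comment identifies as the missing piece. The plan JSON is constructed to mirror the plan described in the report; the us-gov- prefix test for the partition is the one assumption beyond what the thread states.

```python
import json

ORG_CONFIG = "aws_guardduty_organization_configuration"
ADMIN_ACCOUNT = "aws_guardduty_organization_admin_account"

# Constructed plan fragment in the shape of `terraform show -json tfplan` (not real
# output): malware_protection appears only under after_unknown, i.e. "(known after apply)".
SAMPLE_PLAN = json.loads("""{
  "resource_changes": [
    {"address": "aws_guardduty_organization_configuration.govcloud_config[0]",
     "type": "aws_guardduty_organization_configuration",
     "change": {"actions": ["create"],
       "after": {"auto_enable_organization_members": "ALL",
                 "datasources": [{"kubernetes": [{"audit_logs": [{"enable": true}]}],
                                  "s3_logs": [{"auto_enable": true}]}]},
       "after_unknown": {"detector_id": true,
         "datasources": [{"malware_protection": [{"scan_ec2_instance_with_findings":
           [{"ebs_volumes": [{"auto_enable": true}]}]}]}]}}}
  ]}""")

def is_govcloud(region: str) -> bool:
    """us-gov-* regions belong to the aws-us-gov partition."""
    return region.startswith("us-gov-")

def datasource_blocks(change: dict) -> set:
    """Datasource sub-blocks present as known values or as values resolved only
    at apply time, the '(known after apply)' case from the report."""
    names = set()
    for key in ("after", "after_unknown"):
        for block in (change.get(key) or {}).get("datasources") or []:
            names.update(name for name, val in block.items() if val)
    return names

def preflight(plan: dict, region: str) -> list:
    """Findings for every org-configuration change in the plan. The admin-account
    check only sees resources in this plan, so a -target plan must include it."""
    changes = plan.get("resource_changes", [])
    has_admin = any(rc.get("type") == ADMIN_ACCOUNT for rc in changes)
    findings = []
    for rc in changes:
        if rc.get("type") != ORG_CONFIG or rc["change"]["actions"] == ["no-op"]:
            continue
        if is_govcloud(region) and "malware_protection" in datasource_blocks(rc["change"]):
            findings.append(f"{rc['address']}: malware_protection would be sent to {region}")
        if not has_admin:
            findings.append(f"{rc['address']}: no {ADMIN_ACCOUNT} in this plan")
    return findings

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE_PLAN, "us-gov-east-1")) or "no findings")
```

Run it against `terraform show -json tfplan` output before applying in a GovCloud region; a non-empty result means the apply would hit the error described above.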