hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Plan generates changes to aws_guardduty_detector_feature when no changes were made to the terraform code #36695

Open abezzub opened 3 months ago

abezzub commented 3 months ago

Terraform Core Version

1.7.4

AWS Provider Version

5.43.0

Affected Resource(s)

Expected Behavior

When I generate a terraform plan on a workspace with no changes, it should show that no changes are to be made.

Actual Behavior

Terraform produces the following plan to remove the EC2_AGENT_MANAGEMENT feature:

# aws_guardduty_detector_feature.runtime_monitoring must be replaced
-/+ resource "aws_guardduty_detector_feature" "runtime_monitoring" {
        name        = "RUNTIME_MONITORING"
        # (2 unchanged attributes hidden)

      - additional_configuration { # forces replacement
          - name   = "EC2_AGENT_MANAGEMENT" -> null # forces replacement
          - status = "DISABLED" -> null
        }

        # (2 unchanged blocks hidden)
    }

This is the current configuration I use:

resource "aws_guardduty_detector_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.main.id
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "DISABLED"
  }

  additional_configuration {
    name   = "ECS_FARGATE_AGENT_MANAGEMENT"
    status = "ENABLED"
  }
}

Adding the following block to the resource causes an "EC2_AGENT_MANAGEMENT value not supported" error.

  additional_configuration {
    name   = "EC2_AGENT_MANAGEMENT"
    status = "DISABLED"
  }

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_guardduty_detector" "main" {
  enable = true
}

resource "aws_guardduty_detector_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.main.id
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "DISABLED"
  }

  additional_configuration {
    name   = "ECS_FARGATE_AGENT_MANAGEMENT"
    status = "ENABLED"
  }
}

Steps to Reproduce

Run terraform plan

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
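While the provider rejects EC2_AGENT_MANAGEMENT and the plan above keeps proposing a replacement, the actual state of that sub-feature in AWS is invisible to Terraform. The following is an added example, not code from the issue or the provider: a drift check that compares a desired RUNTIME_MONITORING configuration against the detector's real feature list, so an unmanaged or mismatched sub-feature is still reported. The `ACTUAL_FEATURES` value is a constructed sample shaped like the `Features` list of a GuardDuty `GetDetector` response.

```python
# Added example (not code from the issue or the provider): compare a desired
# GuardDuty feature configuration against the detector's actual state.

# Desired state, mirroring the HCL in the issue (feature + additional_configuration).
DESIRED = {
    "RUNTIME_MONITORING": {
        "status": "ENABLED",
        "additional_configuration": {
            "EKS_ADDON_MANAGEMENT": "ENABLED",
            "ECS_FARGATE_AGENT_MANAGEMENT": "ENABLED",
            "EC2_AGENT_MANAGEMENT": "ENABLED",
        },
    }
}

# Constructed sample shaped like the "Features" list of a GuardDuty GetDetector
# response (live data: boto3 guardduty.get_detector(DetectorId=...)["Features"]).
# EC2_AGENT_MANAGEMENT is DISABLED here, as in the plan diff quoted in the issue.
ACTUAL_FEATURES = [
    {
        "Name": "RUNTIME_MONITORING",
        "Status": "ENABLED",
        "AdditionalConfiguration": [
            {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"},
            {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "Status": "ENABLED"},
            {"Name": "EC2_AGENT_MANAGEMENT", "Status": "DISABLED"},
        ],
    }
]


def feature_drift(desired, actual_features):
    """Return sorted 'path: expected X, actual Y' entries; empty means no drift."""
    actual = {f["Name"]: f for f in actual_features}
    drift = []
    for name, want in desired.items():
        have = actual.get(name)
        if have is None:
            drift.append(f"{name}: expected {want['status']}, actual missing")
            continue
        if have.get("Status") != want["status"]:
            drift.append(f"{name}: expected {want['status']}, actual {have['Status']}")
        sub_actual = {c["Name"]: c["Status"] for c in have.get("AdditionalConfiguration", [])}
        for sub, want_status in want["additional_configuration"].items():
            got = sub_actual.get(sub, "missing")
            if got != want_status:
                drift.append(f"{name}.{sub}: expected {want_status}, actual {got}")
        # Sub-features AWS reports but the desired config omits are flagged as unmanaged.
        for sub in set(sub_actual) - set(want["additional_configuration"]):
            drift.append(f"{name}.{sub}: unmanaged, actual {sub_actual[sub]}")
    return sorted(drift)
```

Run against the sample it reports the single mismatch on EC2_AGENT_MANAGEMENT; with the issue author's config (which omits that sub-feature) the same entry comes back as unmanaged instead.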

connorhsm commented 3 months ago

This issue also affects the aws_guardduty_organization_configuration_feature resource.

jesus-vc commented 2 months ago

I'm getting a similar error when using aws_guardduty_organization_configuration_feature

│ Error: expected additional_configuration.2.name to be one of ["EKS_ADDON_MANAGEMENT" "ECS_FARGATE_AGENT_MANAGEMENT"], got EC2_AGENT_MANAGEMENT

kquentin commented 2 months ago

I'm also getting this error with the resource aws_guardduty_detector_feature. Terraform v1.7.4 and OpenTofu v1.6.2. It impacts the resource as it detects a change every time I plan:

Error: expected additional_configuration.2.name to be one of ["EKS_ADDON_MANAGEMENT" "ECS_FARGATE_AGENT_MANAGEMENT"], got EC2_AGENT_MANAGEMENT

[...]
    RUNTIME_MONITORING = {
      status = "ENABLED"
      additional_configuration = [
        { "name" : "EKS_ADDON_MANAGEMENT", "status" : "ENABLED" },
        { "name" : "ECS_FARGATE_AGENT_MANAGEMENT", "status" : "ENABLED" },
        { "name" : "EC2_AGENT_MANAGEMENT", "status" : "ENABLED" }
      ]
    }
[...]

The documentation clearly states that the value is correct: