Open lorengordon opened 5 years ago
I still see this issue in Terraform v1.0.4, with provider v3.54.0.
In my case I haven't accepted an invite through other means, but I'm trying out code, and enabling and disabling GuardDuty in an organisation.
When adding the member with `invite = false`, the member gets added to the account and is active.
When the invite-accepter is created, it fails because there is no invite, because the invitation has been automagically accepted when creating the `aws_guardduty_member` resource.
My code:

```hcl
resource "aws_guardduty_detector" "member" {
  provider = aws.root
  depends_on = [
    aws_guardduty_organization_admin_account.audit
  ]
}

resource "aws_guardduty_member" "member" {
  provider                   = aws
  account_id                 = data.terraform_remote_state.root.outputs.master_account.id
  detector_id                = aws_guardduty_detector.audit.id
  email                      = data.terraform_remote_state.root.outputs.master_account.email
  invite                     = false
  disable_email_notification = false
  depends_on = [
    aws_guardduty_detector.member
  ]
  lifecycle {
    ignore_changes = [
      email,
      invite,
      disable_email_notification
    ]
  }
}

resource "aws_guardduty_invite_accepter" "member" {
  depends_on        = [aws_guardduty_member.member]
  provider          = aws.root
  detector_id       = aws_guardduty_detector.member.id
  master_account_id = aws_guardduty_detector.audit.account_id
}
```
Resource `aws_guardduty_invite_accepter.member` fails on create, and as a result, the member will not be disassociated on a destroy.
The member is listed in my tfstate as follows:

```text
$ tf console
> aws_guardduty_member.member
{
  "account_id" = "123456789012"
  "detector_id" = "9876543210987654fedcba3210987654"
  "disable_email_notification" = false
  "email" = "user@domain.tld"
  "id" = "9876543210987654fedcba3210987654:123456789012"
  "invitation_message" = tostring(null)
  "invite" = false
  "relationship_status" = "Created"
  "timeouts" = null /* object */
}
```
Status in the AWS Console for the member is Enabled.
Resource `aws_guardduty_invite_accepter.member` errors out after the default 1m create timeout with the following message:

```text
Error: error listing GuardDuty Invitations: unable to find pending GuardDuty Invitation for detector ID (543210987654fedcba32109876543210) from master account ID (210987654321)
```
Setting `invite` to `true` on `aws_guardduty_member.member` gives the same results.
Just noticed that on a subsequent apply, the resource was changed:

```text
Terraform detected the following changes made outside of Terraform since the last "terraform apply":
  # aws_guardduty_member.member has been changed
  ~ resource "aws_guardduty_member" "member" {
      - email               = "user@domain.tld" -> null
        id                  = "9876543210987654fedcba3210987654:123456789012"
      ~ invite              = false -> true
      ~ relationship_status = "Created" -> "Enabled"
        # (3 unchanged attributes hidden)
    }
```
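The drift block quoted in the comment above is the one observable signature of the problem: the member's `relationship_status` moved to `Enabled` outside Terraform, so there is no pending invitation for `aws_guardduty_invite_accepter` to find. The following is an added example, not code from the commenter or from the provider, that parses such a "changes made outside of Terraform" block and flags that transition so it can be caught in a plan review or CI log check. The sample text is constructed from the output quoted above; the regexes and helper names are my own and assume the rendering format shown there (`~`/`-`/`+` markers, `before -> after` arrows).

```python
import re
from typing import Dict, Optional, Tuple, Union

# Constructed sample: the drift block quoted in the comment above, used as
# offline test input for the parser.
SAMPLE_DRIFT = """\
Terraform detected the following changes made outside of Terraform since the last "terraform apply":
  # aws_guardduty_member.member has been changed
  ~ resource "aws_guardduty_member" "member" {
      - email               = "user@domain.tld" -> null
        id                  = "9876543210987654fedcba3210987654:123456789012"
      ~ invite              = false -> true
      ~ relationship_status = "Created" -> "Enabled"
        # (3 unchanged attributes hidden)
    }
"""

Value = Union[str, bool, None]

# One attribute line inside the resource body: optional change marker
# (~ update, - removed, + added), attribute name, "=", and the rendered value(s).
ATTR_RE = re.compile(r'^\s*([~+-])?\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')
# The "# <address> has been changed" line that names the drifted resource.
RESOURCE_RE = re.compile(r'#\s+(\S+)\s+has been changed')


def parse_value(token: str) -> Value:
    """Turn a rendered HCL scalar (null, bool, quoted string) into a Python value."""
    token = token.strip()
    if token == "null":
        return None
    if token in ("true", "false"):
        return token == "true"
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return token  # numbers and anything unrecognised are kept as text


def parse_drift(text: str) -> Tuple[Optional[str], Dict[str, Tuple[Value, Value]]]:
    """Return (resource address, {attribute: (before, after)}) for changed attributes.

    Unchanged attributes (no leading marker), the resource header and
    comment lines are skipped.
    """
    address: Optional[str] = None
    changes: Dict[str, Tuple[Value, Value]] = {}
    for line in text.splitlines():
        m = RESOURCE_RE.search(line)
        if m:
            address = m.group(1)
            continue
        if line.strip().startswith("#") or "resource " in line:
            continue
        m = ATTR_RE.match(line)
        if not m or m.group(1) is None:
            continue  # not an attribute line, or an unchanged attribute
        marker, name, rest = m.groups()
        if "->" in rest:
            before, after = (parse_value(p) for p in rest.split("->", 1))
        elif marker == "+":
            before, after = None, parse_value(rest)
        else:  # "-" without an arrow: attribute removed entirely
            before, after = parse_value(rest), None
        changes[name] = (before, after)
    return address, changes


def member_enabled_outside_terraform(changes: Dict[str, Tuple[Value, Value]]) -> bool:
    """True when relationship_status became Enabled outside Terraform.

    In the situation described on this page that means the organisation
    auto-enabled the member, so no pending invitation exists and an
    aws_guardduty_invite_accepter for it will fail on create.
    """
    before, after = changes.get("relationship_status", (None, None))
    return after == "Enabled" and before != "Enabled"


if __name__ == "__main__":
    addr, diff = parse_drift(SAMPLE_DRIFT)
    print(addr, diff)
    if member_enabled_outside_terraform(diff):
        print("member was enabled outside Terraform; do not expect a pending invitation")
```

Running the script on the constructed sample reports the `email`, `invite` and `relationship_status` transitions and raises the flag, which is exactly the case where adding an `aws_guardduty_invite_accepter` for that member will time out as described above.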
Expected Behavior
Before the aws provider added support for accepting a guard duty invite, we started using the CFN resource to accept the invite. Now, we are changing over to use the Terraform resource. I used a targeted destroy to delete the CFN stack, which also "unaccepted" the guard duty invite (as expected). This changed the `RelationshipStatus` to `Resigned` in the master account. I then expected terraform apply would re-accept the invite, using the new `aws_guardduty_invite_accepter` resource.
Actual Behavior
Terraform detected that the `invite` attribute was `false` and attempted to resend the invite. However, this is not necessary when the status is `Resigned`. The member account can simply re-accept and it works.
Steps to Reproduce
terraform apply
Workaround
I was able to work around the problem by using `ignore_changes` on the `invite` attribute: