aws_guardduty_detector attempts to modify settings when account is a member (vs master)

[lorengordon]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

• Terraform v0.11.11

Affected Resource(s)

• aws_guardduty_detector

Terraform Configuration Files

resource "aws_guardduty_detector" "member" {
  enable = true
}

Expected Behavior

Terraform should not attempt to (re)set values that are not specified in the config

Actual Behavior

Because the Guard Duty master account has modified the default finding publishing frequency, terraform detects a difference in the member account config and attempts to change it. This is disallowed, because member accounts cannot change managed settings.

Steps to Reproduce

1. terraform apply
2. Invite/accept the account so it becomes a member of another account's Guard Duty
3. Modify the finding publishing in the master account
4. terraform apply

module.guardduty_member.aws_guardduty_detector.member: Modifying... (ID: XXX)
  finding_publishing_frequency: "ONE_HOUR" => "SIX_HOURS"

Error: Error applying plan:

1 error(s) occurred:

* aws_guardduty_detector.member: 1 error(s) occurred:

* aws_guardduty_detector.member: Updating GuardDuty Detector 'XXX' failed: BadRequestException: The request is rejected because member accounts cannot manage specified resources or properties.
        status code: 400, request id: 17e233d2-3c19-11e9-b1ca-17c471a03d83

[bflad]

Hi @lorengordon 👋 Thanks for reporting this, good find.

We'll likely need to mark that schema attribute as Computed: true with two comments in the resource documentation that it must be configured to detect drift in master accounts and that it should not be specified in member accounts.

[bflad]

Pull request submitted: #7804

[bflad]

The fix for this has been merged and will release with version 2.1.0 of the Terraform AWS Provider, likely middle of this week.

[bflad]

This has been released in version 2.1.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!