#terraform-aws-modules (2021-04)
Terraform Modules
Discussions related to https://github.com/terraform-aws-modules
Archive: https://archive.sweetops.com/terraform-aws-modules/
2021-04-06
Hello people,
I am trying to have TF create a GuardDuty trusted IP list in one member account… I have had a look at the docs, but I just cannot figure out how to go about it. I keep getting this error when I run `terraform apply`:
```text
Error: BadRequestException: The request is rejected because the input detectorId is not owned by the current account.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "011a3929-03bc-432d-8899-c4fefd38519f"
  },
  Message_: "The request is rejected because the input detectorId is not owned by the current account.",
  Type: "InvalidInputException"
}

  on guardduty_ipsets.tf line 1, in resource "aws_guardduty_ipset" "wezatele_guardduty_ipset":
   1: resource "aws_guardduty_ipset" "wezatele_guardduty_ipset" {
```
The detector ID had been created by hand (before we started using TF for IaC), so I had already imported the detector ID into my state file.
My file guardduty_ipsets.tf looks as below:
```hcl
provider "aws" {
  alias  = "member_account"
  region = var.region
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/TerraFormExecutionRole"
    session_name = "terraform-security-hub"
  }
}

resource "aws_guardduty_ipset" "my_guardduty_ipset" {
  activate    = true
  detector_id = aws_guardduty_detector.my_guardduty_detector.id
  format      = "TXT"
  location    = "https://s3.amazonaws.com/${aws_s3_bucket_object.my_guardduty_ipset_object.bucket}/${aws_s3_bucket_object.my_guardduty_ipset_object.key}"
  name        = "my-trusted-IPSet"
  provider    = aws.security_admin_account
}

resource "aws_guardduty_detector" "my_guardduty_detector" { # imported using "terraform import"
  enable   = true
  provider = aws.member_account
}

module "my_guardduty_ipset_bucket" {
  source         = "[email protected]:myrepo/terraform-modules.git//modules/my-s3-bucket?ref=v1.1.0"
  name           = "my-guardduty-ipsets"
  service_prefix = local.service_prefix
  owner          = local.owner
  service        = local.service
  environment    = var.environment
  region         = var.region
  providers = {
    aws = aws.security_admin_account
  }
}

resource "aws_s3_bucket_object" "my_guardduty_ipset_object" {
  acl      = "public-read"
  content  = "192.168.10.0/24\n"
  bucket   = module.my_guardduty_ipset_bucket.bucket_name
  key      = "guardduty-ipsets.txt"
  provider = aws.security_admin_account
}
```
2021-04-07
I modified the above TF file after seeing what I was doing wrong (I had the member_account provider for all resources). Only the detector resource ought to have the member_account provider. All other resources have the security admin account provider now. Now I’m getting this error: `BadRequestException: The request is rejected because the input detectorId is not owned by the current account.`
I am really confused as to how I ought to approach this.
The detector already existed in the member_account (it was created by hand before we had Terraform, so I imported the ID before running `terraform plan`).