#terraform-aws-modules (2021-04)

Terraform Modules

Discussions related to https://github.com/terraform-aws-modules

Archive: https://archive.sweetops.com/terraform-aws-modules/

2021-04-06

Saichovsky

Hello people,

I am trying to have TF create a GuardDuty trusted IP list in one member account… I have had a look at the docs, but I just cannot figure out how to go about it. I keep getting this error when I run terraform-apply:

Error: BadRequestException: The request is rejected because the input detectorId is not owned by the current account.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "011a3929-03bc-432d-8899-c4fefd38519f"
  },
  Message_: "The request is rejected because the input detectorId is not owned by the current account.",
  Type: "InvalidInputException"
}

  on guardduty_ipsets.tf line 1, in resource "aws_guardduty_ipset" "wezatele_guardduty_ipset":
   1: resource "aws_guardduty_ipset" "wezatele_guardduty_ipset" {
Saichovsky

The detector ID had been created by hand (before we started using TF for IaC), so I had already imported the detector ID into my state file.

Saichovsky

My file guardduty_ipsets.tf looks as below:

provider "aws" {
  alias  = "member_account"
  region = var.region
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/TerraFormExecutionRole"
    session_name = "terraform-security-hub"
  }
}

resource "aws_guardduty_ipset" "my_guardduty_ipset" {
  activate    = true
  detector_id = aws_guardduty_detector.my_guardduty_detector.id # detector lives in the member account
  format      = "TXT"
  location    = "https://s3.amazonaws.com/${aws_s3_bucket_object.my_guardduty_ipset_object.bucket}/${aws_s3_bucket_object.my_guardduty_ipset_object.key}"
  name        = "my-trusted-IPSet"
  provider    = aws.security_admin_account # API call is made from the security admin account
}

resource "aws_guardduty_detector" "my_guardduty_detector" { # imported using "terraform import"
  enable   = true
  provider = aws.member_account
}

module "my_guardduty_ipset_bucket" {
  source         = "[email protected]:myrepo/terraform-modules.git//modules/my-s3-bucket?ref=v1.1.0"
  name           = "my-guardduty-ipsets"
  service_prefix = local.service_prefix
  owner          = local.owner
  service        = local.service
  environment    = var.environment
  region         = var.region

  providers = {
    aws = aws.security_admin_account
  }
}

resource "aws_s3_bucket_object" "my_guardduty_ipset_object" {
  acl      = "public-read"
  content  = "192.168.10.0/24\n"
  bucket   = module.my_guardduty_ipset_bucket.bucket_name
  key      = "guardduty-ipsets.txt"
  provider = aws.security_admin_account
}

2021-04-07

Saichovsky

I modified the above TF file after seeing what I was doing wrong (I had member_account provider for all resources). Only the detector resource ought to have the member_account provider. All other resources have the security admin account provider now. Now I’m getting this error: BadRequestException: The request is rejected because the input detectorId is not owned by the current account.

I am really confused as to how I ought to approach this.

Saichovsky

The detector already existed in the member_account (it was created by hand before we had terraform, so I imported the ID before running terraform-plan)