Terraform-provider-aws: Error: GuardDuty Master Account: empty response

Created on 9 Apr 2019  ·  3 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.11

Affected Resource(s)

  • aws_guardduty_invite_accepter

Terraform Configuration Files

This issue can be reproduced using the example code given in the Terraform documentation page for aws_guardduty_invite_accepter.

Expected Behavior

Terraform should identify that the aws_guardduty_invite_accepter.member resource is essentially tainted and needs to be re-created.

Actual Behavior

The plan errors out with the following message:

Error: Error refreshing state: 1 error(s) occurred:

  • aws_guardduty_invite_accepter.member: 1 error(s) occurred:

  • aws_guardduty_invite_accepter.member: aws_guardduty_invite_accepter.member: error reading GuardDuty Detector (b6b501fEXAMPLEHASHVALUE36e9c1faa) GuardDuty Master Account: empty response

Steps to Reproduce

  1. terraform apply
  2. Go into the AWS Console in the member account
  3. Manually toggle the Accept slider, and click Update
  4. terraform apply

Important Factoids

Seems to be an issue with idempotency for this resource. I'm not proficient in golang, but I think this is near the right area in the code:
https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_guardduty_invite_accepter.go#L129

When the member account manually removes the invitation acceptance, my guess is that's what triggers this output.Master == nil condition. Hoping that could be handled the same as if the aws_guardduty_invite_accepter.member is absent and needs to be (re-)created.

References

  • #2489

Labels: bug, service/guardduty

All 3 comments

Confirmed this issue still occurs with Terraform v0.11.13

Confirmed this issue still occurs with Terraform v0.12.8

I believe this issue might stem from the AWS GuardDuty API itself. Normally when calling GetMasterAccount with a detector id that doesn't belong to your account or doesn't exist you get the error:

An error occurred (BadRequestException) when calling the GetMasterAccount operation: The request is rejected because the input detectorId is not owned by the current account.

That error, looking at the provider code, appears to be handled. However, I'm noticing that when I put in an old detector that used to exist I just get a response {"master": "null"}.

So in this case my understanding is that when using two terraform modules to set up GuardDuty on the master and member accounts it goes like this:

  1. On master: Terraform creates GuardDuty detector and invite to member account is created.
  2. On member: Terraform runs GuardDuty api calls to fetch information regarding the invite and creates in its state information about the detector and invite.

In our case we had a situation where we had run the above process and the member account was registered, and then when changing stuff it caused the GuardDuty detector to be destroyed and created from the master. However, when rerunning from the member account it would error out with:

aws_guardduty_invite_accepter.member: aws_guardduty_invite_accepter.member: error reading GuardDuty Detector (b6b501fEXAMPLEHASHVALUE36e9c1faa) GuardDuty Master Account: empty response

It's unclear to me, and I don't have access to AWS support at the moment, whether {"master": "null"} is a valid response. If it is, terraform should taint the resource. If it isn't supposed to be a valid response, it should return an error, which terraform appears to already manage.

If it is a valid response I'm willing to fix the provider to handle it.
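
The handling the issue author and the last commenter are asking for, as an added example that is not the provider's own code: the read step of the resource must treat both "not found" signals, the BadRequestException for a detector id the account does not own (which the page says the provider already handles) and the {"master": null} empty response, as "resource gone", clearing the ID so Terraform plans a re-create instead of failing during refresh. The GuardDuty types, the apiError type and the resourceState stand-in for schema.ResourceData are simplified local definitions (assumptions, so the example runs offline without aws-sdk-go); the message matching on "not owned by the current account" mirrors the error text quoted on this page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Simplified stand-ins for the aws-sdk-go GuardDuty GetMasterAccount types
// (assumption: same field names as the SDK; defined locally so this runs offline).
type Master struct {
	AccountId          *string
	InvitationId       *string
	RelationshipStatus *string
}

type GetMasterAccountOutput struct {
	Master *Master
}

// apiError mimics the awserr.Error Code()/Message() shape (assumption).
type apiError struct {
	code, message string
}

func (e *apiError) Error() string { return e.code + ": " + e.message }
func (e *apiError) Code() string  { return e.code }

type readOutcome int

const (
	outcomeFound  readOutcome = iota // master account present: keep the resource in state
	outcomeGone                      // treat as deleted: clear the ID so the next plan re-creates it
	outcomeFailed                    // genuine API error: surface it to the user
)

// classifyMasterAccount maps a GetMasterAccount result to one of the three outcomes.
// Both the "detectorId is not owned by the current account" BadRequestException and
// a {"master": null} response mean the acceptance no longer exists from this account's
// point of view, so both become outcomeGone rather than an error.
func classifyMasterAccount(out *GetMasterAccountOutput, err error) (readOutcome, string, error) {
	if err != nil {
		var ae *apiError
		if errors.As(err, &ae) && ae.Code() == "BadRequestException" &&
			strings.Contains(ae.message, "not owned by the current account") {
			return outcomeGone, "", nil
		}
		return outcomeFailed, "", err // throttling, permissions, etc.: a real failure
	}
	if out == nil || out.Master == nil {
		// The empty response reported in this issue: no master is attached any more.
		return outcomeGone, "", nil
	}
	if out.Master.AccountId == nil || *out.Master.AccountId == "" {
		return outcomeFailed, "", fmt.Errorf("GuardDuty master account response has no AccountId")
	}
	return outcomeFound, *out.Master.AccountId, nil
}

// resourceState is a minimal stand-in for Terraform's schema.ResourceData (assumption).
// An empty ID is how a provider tells Terraform the resource is gone.
type resourceState struct {
	ID              string // the detector id
	MasterAccountID string
}

// readInviteAccepter is the read step: it either updates the state, clears the ID
// (the equivalent of d.SetId("")), or returns the error in the provider's format.
func readInviteAccepter(st *resourceState, out *GetMasterAccountOutput, err error) error {
	outcome, acct, err := classifyMasterAccount(out, err)
	switch outcome {
	case outcomeGone:
		st.ID = ""
		return nil
	case outcomeFailed:
		return fmt.Errorf("error reading GuardDuty Detector (%s) GuardDuty Master Account: %w", st.ID, err)
	}
	st.MasterAccountID = acct
	return nil
}

func main() {
	// Constructed inputs: a detector that was un-accepted in the console now returns master == null.
	st := &resourceState{ID: "DETECTOR-ID-PLACEHOLDER"}
	if err := readInviteAccepter(st, &GetMasterAccountOutput{Master: nil}, nil); err != nil {
		fmt.Println("unexpected error:", err)
		return
	}
	fmt.Printf("resource ID after read: %q (empty means Terraform will plan a re-create)\n", st.ID)
}
```

With this mapping the refresh succeeds and the plan shows aws_guardduty_invite_accepter.member being created again, which is the behaviour the issue's "Expected Behavior" section describes.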
