Issue delegating admin account

[jmreicha]

I am attempting to import manually created settings and manage them using this module. I am running into an issue where I am unable to import the guardduty admin account.

Here is the config.

  ...
  admin_account_id = data.aws_caller_identity.current.account_id

  auto_enable_organization_members = "NEW"

  enable_kubernetes_protection = true
  enable_malware_protection    = true
  enable_s3_protection         = true

  guardduty_detector_id = module.guardduty_detector.guardduty_detector.id
  ...

Here is the error.

terragrunt import 'aws_guardduty_organization_admin_account.this[0]' '1234567890'
aws_guardduty_organization_admin_account.this[0]: Importing from ID "1234567890"...
aws_guardduty_organization_admin_account.this[0]: Import prepared!
  Prepared aws_guardduty_organization_admin_account for import
aws_guardduty_organization_admin_account.this[0]: Refreshing state... [id=1234567890]
╷
│ Error: reading GuardDuty Organization Admin Account (1234567890): BadRequestException: The request failed because you are not the master account for your AWS Organization.
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "e2db002a-e1d1-49af-93b9-cc4bde0b146f"
│   },
│   Message_: "The request failed because you are not the master account for your AWS Organization.",
│   Type: "InvalidInputException"
│ }

I am not seeing a way in this module to skip the admin account resource creation and only import the org configuration, which I was able to import successfully. The account was delegated via the root account originally but I would like to manage all the config in the delegated account. Hopefully I am missing something?

[jmreicha]

Likewise, if I try to import the account id and and org configuration in the root account, the import works for the account id but not the config. Seems like a chicken and egg issue.

terragrunt import 'aws_guardduty_organization_configuration.this[0]' 'abcd1637470477d59eacb0ed2bc6f149'
aws_guardduty_organization_configuration.this[0]: Importing from ID "abcd1637470477d59eacb0ed2bc6f149"...
aws_guardduty_organization_configuration.this[0]: Import prepared!
  Prepared aws_guardduty_organization_configuration for import
aws_guardduty_organization_configuration.this[0]: Refreshing state... [id=abcd1637470477d59eacb0ed2bc6f140]
╷
│ Error: Cannot import non-existent remote object
│
│ While attempting to import an existing object to
│ "aws_guardduty_organization_configuration.this[0]", the provider detected
│ that no object exists with the given id. Only pre-existing objects can be
│ imported; check that the id is correct and that it is associated with the
│ provider's configured region or endpoint, or use "terraform apply" to
│ create a new remote object for this resource.

[rodrigobersa]

Hi @jmreicha!

Thanks for raising this concern. If I understand correctly, you are trying to import the GuardDuty delegated admin out of the Organizations Admin account. Correct?

You may need to import the delegated admin using the Organizations Admin account, and then the configuration using the Delegated Admin Account.

Assumed the Org Admin Role

$ terraform import module.delegated_admin.aws_guardduty_organization_admin_account.this "<delegated_admin_account_id>" 
data.aws_caller_identity.current: Reading...
module.guardduty_detector.data.aws_region.current: Reading...
module.guardduty_detector.data.aws_caller_identity.current: Reading...
module.guardduty_detector.data.aws_region.current: Read complete after 0s [id=us-east-1]
data.aws_caller_identity.current: Read complete after 0s [id=<org_admin_account_id>]
module.guardduty_detector.data.aws_caller_identity.current: Read complete after 0s [id=<org_admin_account_id>]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Assumed the Delegated Admin Role

$ terraform import module.delegated_admin.aws_guardduty_organization_configuration.this  "<delegated_admin_account_id>"
module.guardduty_detector.data.aws_caller_identity.current: Reading...
module.guardduty_detector.data.aws_region.current: Reading...
data.aws_caller_identity.current: Reading...
module.guardduty_detector.data.aws_region.current: Read complete after 0s [id=us-east-1]
module.guardduty_detector.data.aws_caller_identity.current: Read complete after 0s [id=<delegated_admin_account_id>]
data.aws_caller_identity.current: Read complete after 0s [id=<delegated_admin_account_id>]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

$ terraform import module.guardduty_detector.aws_guardduty_detector.primary  "<detector_id>"
module.guardduty_detector.aws_guardduty_detector.primary: Importing from ID "<detector_id>"...
module.guardduty_detector.data.aws_region.current: Reading...
module.guardduty_detector.data.aws_caller_identity.current: Reading...
data.aws_caller_identity.current: Reading...
module.guardduty_detector.aws_guardduty_detector.primary: Import prepared!
  Prepared aws_guardduty_detector for import
module.guardduty_detector.aws_guardduty_detector.primary: Refreshing state... [id=<detector_id>]
module.guardduty_detector.data.aws_region.current: Read complete after 0s [id=us-east-1]
data.aws_caller_identity.current: Read complete after 0s [id=<delegated_admin_account_id>]
module.guardduty_detector.data.aws_caller_identity.current: Read complete after 0s [id=<delegated_admin_account_id>]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Let me know if this works.

[jmreicha]

Huh yeah thought I tried that, let me take another look.

[jmreicha]

Looked a little more. In my mind both of the operations would happen against the same account if they are part of the same module. Otherwise it breaks some workflows, like Terragrunt, which is expecting the auth to happen from one account.

Maybe I’m not thinking about this the same way or confusing myself.

[rodrigobersa]

Hey @jmreicha

Were you able to evolve this a little bit more? I'm not following if your Organizations admin and GuardDuty delegated admin are in the same account or Terragrunt is authenticating needs them to be the same? If this last is the case, are you able to switch to terraform import just to create the state file and them move from there?

[jmreicha]

Sorry, I did a terrible job explaining the scenario 😅 The issue is the way Terragrunt is configured (in some cases). In this case the GuarDuty delegated admin is in a different account so hits the second case you mentioned and is not able to auth across the 2 different accounts with a single config, due to the way the configs are structured.

From the org admin account, I am able to do the import for the delegated admin account, but then attempting to import the guardduty_organization_configuration I get an error because it needs to auth against against the GuardDuty delegated admin account, which presumably indicates that config is unavailable in the account I'm authed against?

terragrunt import 'aws_guardduty_organization_configuration.this[0]' '69bc166a3160f50db5857ccc9d475e7a'
aws_guardduty_organization_configuration.this[0]: Importing from ID "69bc166a3160f50db5857ccc9d475e7a"...
aws_guardduty_organization_configuration.this[0]: Import prepared!
  Prepared aws_guardduty_organization_configuration for import
aws_guardduty_organization_configuration.this[0]: Refreshing state... [id=69bc166a3160f50db5857ccc9d475e7a]
╷
│ Error: reading GuardDuty Organization Configuration (69bc166a3160f50db5857ccc9d475e7a): BadRequestException: The request is rejected because an invalid or out-of-range value is specified as an input parameter.
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "0728bfea-fecc-4887-a7e7-b2c23187aba7"
│   },
│   Message_: "The request is rejected because an invalid or out-of-range value is specified as an input parameter.",
│   Type: "InvalidInputException"
│ }
│

And here is the Terragrunt config (authing against the org admin account).

terraform {
  source = "git::https://github.com/aws-ia/terraform-aws-guardduty//modules/organizations_admin?ref=v0.0.2"
}

include "root" {
  path = find_in_parent_folders()
}

inputs = {
  admin_account_id = "1234567890" # guardduty-admin

  auto_enable_organization_members = "NEW"

  enable_kubernetes_protection = true
  enable_malware_protection    = true
  enable_s3_protection         = true

  guardduty_detector_id = "69bc166a3160f50db5857ccc9d475e7a" # gaurduty detector

  tags = { Name = "guardduty" }
}

Hopefully, I'm either missing something silly or this helps paint a clearer picture of the issue.

[jmreicha]

If this last is the case, are you able to switch to terraform import just to create the state file and them move from there?

Unfortunately, this setup is writing to different state files in different buckets so I think this will be difficult to accomplish.

One thought that went through my head was setting a toggle for either the delegator or delegated account to flip the different required resources, which works but I don't know I the extra complexity would be worth it.

[rodrigobersa]

Hi @jmreicha!

I;m sorry about the late response. So if I understand correctly, your Org Admin Account is different from the GuardDuty Delegated Admin account? And what we should be able to do is make it flexible to run each resource with different accounts, right?

[jmreicha]

Hey no worries. Not saying you need to make it more flexible if you don’t think it’s the right thing to do here, but yeah I think that is the crux of the problem, at least for my use case.

[jmreicha]

This one came up again, wanted to check in and see if a decision was made. Happy to open a PR that will conditionalize the resources if you'd like!