[Bug]: `aws_guardduty_detector_feature` `additional_configuration` blocks must be in a particular order, else they force replacement on every run

[eide]

Terraform Core Version

1.7.5

AWS Provider Version

5.41.0

Affected Resource(s)

• aws_guardduty_detector_feature

Expected Behavior

"No changes. Your infrastructure matches the configuration."

Actual Behavior

Terraform wants to do the following state changes every time:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_guardduty_detector_feature.runtime_monitoring must be replaced
-/+ resource "aws_guardduty_detector_feature" "runtime_monitoring" {
      ~ id          = "<redacted>/RUNTIME_MONITORING" -> (known after apply)
        name        = "RUNTIME_MONITORING"
        # (2 unchanged attributes hidden)

      ~ additional_configuration {
          ~ name   = "EKS_ADDON_MANAGEMENT" -> "ECS_FARGATE_AGENT_MANAGEMENT" # forces replacement
            # (1 unchanged attribute hidden)
        }
      ~ additional_configuration {
          ~ name   = "ECS_FARGATE_AGENT_MANAGEMENT" -> "EKS_ADDON_MANAGEMENT" # forces replacement
            # (1 unchanged attribute hidden)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_guardduty_detector" "this" {
  enable = true
}

resource "aws_guardduty_detector_feature" "this" {
  for_each = toset([
    "S3_DATA_EVENTS",
    "EKS_AUDIT_LOGS",
    "EBS_MALWARE_PROTECTION",
    "RDS_LOGIN_EVENTS",
    "LAMBDA_NETWORK_LOGS"
  ])

  detector_id = aws_guardduty_detector.this.id
  name        = each.value
  status      = "ENABLED"
}

resource "aws_guardduty_detector_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.this.id
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "ECS_FARGATE_AGENT_MANAGEMENT"
    status = "ENABLED"
  }

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }
}

Steps to Reproduce

In a AWS account with GuardDuty disabled, run terraform apply to apply the changes. Then re-run terraform apply. Every invocation will see state changes.

Debug Output

No response

Panic Output

No response

Important Factoids

Re-ordering the additional_configuration blocks makes the state happy:

resource "aws_guardduty_detector_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.this.id
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }

  additional_configuration {
    name   = "ECS_FARGATE_AGENT_MANAGEMENT"
    status = "ENABLED"
  }
}

This configuration, ordered "EKS_ADDON_MANAGEMENT" first and then "ECS_FARGATE_AGENT_MANAGEMENT", will be stable and say "No changes. Your infrastructure matches the configuration." on subsequent runs of terraform apply

References

No response

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[connorhsm]

This is likely to also be an issue for the similar resource aws_guardduty_organization_configuration_feature.

[joelmccoy]

I would like to take a stab at fixing this.

[roynesholen]

@joelmccoy Is there any plan to fix this issue?

[alexkimin]

@joelmccoy @justinretzolk @connorhsm PR was raised a few months ago. Is there any plan to release it?

[connorhsm]

@roynesholen @alexkimin Please simply use the prioritisation system and react with 👍 to the top comment here and the PR.

[sashasimkin]

#36400 (comment)

Yes, it is an issue there too. And the fun part is that the order is different between aws_guardduty_detector_feature and aws_guardduty_organization_configuration_feature.

[matthewbarreiro]

#36400 (comment)

Yes, it is an issue there too. And the fun part is that the order is different between aws_guardduty_detector_feature and aws_guardduty_organization_configuration_feature.

I can confirm this is the case.

[grumpper]

As a workaround until this is fixed I am doing lifecycle ignore changes like this:

resource "aws_guardduty_organization_configuration_feature" "org" {
  for_each   = var.organization_features : {}

  detector_id = aws_guardduty_detector.detector.id
  name        = each.key
  auto_enable = each.value

  dynamic "additional_configuration" {
    for_each = each.key == "RUNTIME_MONITORING" ? var.advanced_config : {}
    content {
      name        = additional_configuration.key
      auto_enable = additional_configuration.value
    }
  }

  lifecycle {
    ignore_changes = [
      additional_configuration[0].name,
      additional_configuration[1].name,
      additional_configuration[2].name
    ]
  }
}

where the variables are defined as follows:

variable "organization_features" {
  description = "List of GuardDuty features to enable on organization level"
  type = object({
    S3_DATA_EVENTS         = optional(string, "NONE")
    EKS_AUDIT_LOGS         = optional(string, "NONE")
    EBS_MALWARE_PROTECTION = optional(string, "NONE")
    RDS_LOGIN_EVENTS       = optional(string, "NONE")
    LAMBDA_NETWORK_LOGS    = optional(string, "NONE")
    RUNTIME_MONITORING     = optional(string, "NONE")
  })
  default = {}
}

variable "advanced_config" {
  description = "Configuration for the runtime monitoring feature on organization level"
  type = object({
    EC2_AGENT_MANAGEMENT         = optional(string, "NONE")
    EKS_ADDON_MANAGEMENT         = optional(string, "NONE")
    ECS_FARGATE_AGENT_MANAGEMENT = optional(string, "NONE")
  })
  default = {}
}

The additional configuration can be for one of three things so it's kinda hardcoded so you can just ignore them like the above using indices (sadly [*] is not allowed yet).
Hope this helps someone...