Terraform 0.15 - Multiple Providers \ Regions and Guardduty


I’m trying to deploy AWS Guardduty using Organisations to multiple regions.

In my root config I’ve created the following provider:

    # If I remove this default provider I get prompted for a region
    provider "aws" {
      profile = "default"
      region  = var.region
    }

    provider "aws" {
      profile = "default"
      alias   = "eu-west-2"
      region  = "eu-west-2"
    }

    provider "aws" {
      profile = "default"
      alias   = "eu-west-3"
      region  = "eu-west-3"
    }

Then in my module call I have multiple calls to the module, passing in my provider aliases:

module "guardduty_orgs_eu_west_2" {
  source = "../../modules/aws_guardduty_organisations"

  security_account_id = var.security_account_id

  providers = {
    aws.alternate = aws.eu-west-2
  }
}

module "guardduty_orgs_eu_west_3" {
  source = "../../modules/aws_guardduty_organisations"

  security_account_id = var.security_account_id

  providers = {
    aws.alternate = aws.eu-west-3
  }
}

In my module I then have the required_providers block and ‘configuration_aliases’:

terraform {
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      version               = "~> 3.27"
      configuration_aliases = [aws.alternate]
    }
  }
}

and finally my resource:

resource "aws_guardduty_organization_admin_account" "gdoaa" {
  admin_account_id = var.security_account_id

  provider = aws.alternate
}

However, I get an error:

" Error: error enabling GuardDuty Organization Admin Account (123456789): BadRequestException: The request failed because the account is already enabled as the GuardDuty delegated administrator for the organization."

Now, this is correct, as the first module call enables the Admin Account for “eu-west-2”, but I would think passing in the 2nd provider for “eu-west-3” would enable the Admin Account for this region as per the GuardDuty best practices \ docs.

Any help appreciated

cheers

Paul

There are 1 best solutions below


# Commented out: delegating the admin account already creates the detector,
# so declaring one here is unnecessary.
/*
resource "aws_guardduty_detector" "MyDetector" {
  enable = true
  datasources {
    s3_logs {
      enable = false
    }
    kubernetes {
      audit_logs {
        enable = false
      }
    }
  }
}
*/

# Runs in the delegated (security) account; detector_id is the id of the
# detector that the delegation created there.
resource "aws_guardduty_organization_configuration" "example" {
  provider    = aws.securityacc
  auto_enable = true
  detector_id = "12345678"
}

This worked for me. Hash out the GuardDuty detector, as it gets enabled already when you delegate it as an admin account.
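The following is an added example that is not the asker's or the answerer's code. It puts the two pieces discussed in this thread into one per-region module: delegating the GuardDuty admin account from the management account, then enabling auto-enrolment from the security account in the same region. It assumes two provider aliases per region (`aws.management` and `aws.security`), a role in the security account that the management credentials can assume (the `OrganizationAccountAccessRole` name below is a placeholder), and that the detector id is looked up with the `aws_guardduty_detector` data source rather than hard-coded. Variable and module names are invented for the example.

```hcl
# ---- modules/aws_guardduty_organisations/main.tf (added example) ----
terraform {
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      version               = "~> 3.27"
      # Two aliases: one for the management account, one for the security
      # (delegated admin) account. Both must be configured for the same region.
      configuration_aliases = [aws.management, aws.security]
    }
  }
}

variable "security_account_id" {
  type = string
}

# 1. From the management account, delegate GuardDuty administration for this
#    region to the security account. Delegation creates a detector in the
#    security account, so no separate aws_guardduty_detector is declared.
resource "aws_guardduty_organization_admin_account" "this" {
  provider         = aws.management
  admin_account_id = var.security_account_id
}

# 2. Look up the detector created by the delegation instead of hard-coding
#    its id. depends_on makes the lookup wait for step 1.
data "aws_guardduty_detector" "security" {
  provider   = aws.security
  depends_on = [aws_guardduty_organization_admin_account.this]
}

# 3. Auto-enrol current and future member accounts in this region.
resource "aws_guardduty_organization_configuration" "this" {
  provider    = aws.security
  auto_enable = true
  detector_id = data.aws_guardduty_detector.security.id
}

output "detector_id" {
  value = data.aws_guardduty_detector.security.id
}

# ---- root main.tf (added example): one provider pair and one module call per region ----
variable "security_account_id" {
  type = string
}

provider "aws" {
  alias   = "eu_west_3"
  profile = "default"
  region  = "eu-west-3"
}

provider "aws" {
  alias   = "eu_west_3_security"
  profile = "default"
  region  = "eu-west-3"
  assume_role {
    # Placeholder role name; use the role your security account actually exposes.
    role_arn = "arn:aws:iam::${var.security_account_id}:role/OrganizationAccountAccessRole"
  }
}

module "guardduty_eu_west_3" {
  source              = "../../modules/aws_guardduty_organisations"
  security_account_id = var.security_account_id
  providers = {
    aws.management = aws.eu_west_3
    aws.security   = aws.eu_west_3_security
  }
}
```

Repeat the provider pair and module call for each additional region (eu-west-2 and so on); Terraform 0.15 cannot vary `providers` per module instance, so one call per region is the expected shape. After apply, the delegation and enrolment can be checked per region with `aws guardduty list-organization-admin-accounts --region eu-west-3` from the management account and `aws guardduty list-detectors --region eu-west-3` from the security account; the detector id returned by the latter should match the module output.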