[Bug]: aws_guardduty_invite_accepter BadRequestException

[connor-tyndall]

Terraform Core Version

1.5.4

AWS Provider Version

5.62.0

Affected Resource(s)

• aws_guardduty_invite_accepter

Expected Behavior

• The aws_guardduty_invite_accepter resource should successfully accept a GuardDuty invite from a master account when using the latest version of the AWS provider for Terraform.
• The resource creation should complete without errors, establishing the member account's connection to the master GuardDuty account.

Actual Behavior

• The aws_guardduty_invite_accepter resource is failing to accept the GuardDuty invite.
• Terraform is encountering a BadRequestException with the following error message:
  "The request is rejected because an invalid or out-of-range value is specified as an input parameter."
• The resource creation fails, preventing the member account from joining the master GuardDuty account.

Relevant Error/Panic Output Snippet

The request is rejected because an invalid or out-of-range value is specified as an input parameter.

Terraform Configuration Files

data "aws_caller_identity" "current" {}

data "aws_region" "current" {}

data "aws_guardduty_detector" "master" {}

resource "aws_guardduty_detector" "member" {
  provider = aws.member
  enable   = true
}

resource "aws_guardduty_member" "member" {
  account_id = aws_guardduty_detector.member.account_id
  detector_id = data.aws_guardduty_detector.master.id
  email = var.account_email
  invite = true
  disable_email_notification = true
}

resource "aws_guardduty_invite_accepter" "member" {
  provider = aws.member
  depends_on = [aws_guardduty_member.member, aws_guardduty_detector.member]
  detector_id = aws_guardduty_detector.member.id
  master_account_id = data.aws_caller_identity.current.account_id
}

Steps to Reproduce

• Use the latest version (v5.62.0) of the AWS provider for Terraform.
• Run terraform init to initialize the working directory.
• Execute terraform apply to create the resources.
• Observe the BadRequestException error during the apply process.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Hey @connor-tyndall 👋 Thank you for taking the time to raise this! So that we have the information we need to look into this, can you supply a sample Terraform configuration that can be used to reproduce this and, if possible, debug logging (redacted as needed)?

[BartlomiejKrawczykEviden]

I can confirm the same thing started happening for us as well. With no changes to the code we can see the invitation is being sent, but the client can't accept it with the same error as above:

# module.audit-account-setup.module.enable_guardduty[0].aws_guardduty_member.members[6] will be created
  + resource "aws_guardduty_member" "members" {
      + account_id          = "571******"
      + detector_id         = "030e0fa1385f4af29b02a198f69d8de0"
      + email               = "test-account-d506v@dev.****..com"
      + id                  = (known after apply)
      + invitation_message  = "You have to accept the invitation to enable GuardDuty monitoring."
      + invite              = true
      + relationship_status = (known after apply)
}

And the error:

│ Error: accepting GuardDuty Invitation (): operation error GuardDuty: AcceptInvitation, https response error StatusCode: 400, RequestID: 5fb2b96f-8be9-41ef-ac3b-1ff62b2573aa, BadRequestException: The request is rejected because an invalid or out-of-range value is specified as an input parameter.
│ 
│   with module.mgmt-service-setup-customer.module.accept_gd_invitation[0].aws_guardduty_invite_accepter.member_accepter[0],
│   on .terraform/modules/mgmt-service-setup-customer.accept_gd_invitation/main.tf line 51, in resource "aws_guardduty_invite_accepter" "member_accepter":
│   51: resource "aws_guardduty_invite_accepter" "member_accepter" {
│ 

No code changes happened to this area in recent weeks and we notice this behavior now.

[ewbankkit]

Maybe relates #38400?

[ewbankkit]

I can reproduce with our acceptance tests:

% AWS_GUARDDUTY_MEMBER_ACCOUNT_ID=... AWS_GUARDDUTY_MEMBER_EMAIL=... make testacc TESTARGS='-run=TestAccGuardDuty_serial/InviteAccepter' PKG=guardduty
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.0 test ./internal/service/guardduty/... -v -count 1 -parallel 20  -run=TestAccGuardDuty_serial/InviteAccepter -timeout 360m
=== RUN   TestAccGuardDuty_serial
=== PAUSE TestAccGuardDuty_serial
=== CONT  TestAccGuardDuty_serial
=== RUN   TestAccGuardDuty_serial/InviteAccepter
=== RUN   TestAccGuardDuty_serial/InviteAccepter/basic
    invite_accepter_test.go:29: Step 1/2 error: Error running apply: exit status 1
        
        Error: accepting GuardDuty Invitation (): operation error GuardDuty: AcceptInvitation, https response error StatusCode: 400, RequestID: 6cf0bab9-d10a-4c58-bb42-040346540c7e, BadRequestException: The request is rejected because an invalid or out-of-range value is specified as an input parameter.
        
          with aws_guardduty_invite_accepter.test,
          on terraform_plugin_test.tf line 37, in resource "aws_guardduty_invite_accepter" "test":
          37: resource "aws_guardduty_invite_accepter" "test" {
        
--- FAIL: TestAccGuardDuty_serial (71.01s)
    --- FAIL: TestAccGuardDuty_serial/InviteAccepter (71.01s)
        --- FAIL: TestAccGuardDuty_serial/InviteAccepter/basic (71.01s)
FAIL
FAIL	github.com/hashicorp/terraform-provider-aws/internal/service/guardduty	75.719s
FAIL
make: *** [testacc] Error 1

[github-actions]

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions]

This functionality has been released in v5.65.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[BartlomiejKrawczykEviden]

I confirm this now works on aws provider v 5.65.0. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.