BadRequestException for log groups and GuardDuty about terraform-aws-secure-baseline HOT 7 CLOSED

@nozaq we figured out what went wrong with our implementation. we did not include the regions.tf file to our implementation. once that was in, it worked pretty darn good.

we love your work and we appreciate you for making this module. thank you!

from terraform-aws-secure-baseline.

@nazroll ah, that explains much🤓 feel free to open an issue anytime if you have any comments/feedbacks!

from terraform-aws-secure-baseline.

@nazroll Those errors mean that terraform-aws-secure-baseline module tried to create new resources (CloudWatch Log Group and GuardDuty Detector) but your account already had conflicting resources.

You can tell Terraform to refer existing resources instead of creating new ones by importing them into your state file.
The exact instruction to import specific resource type can be found in the terraform document.

• Importing aws_guardduty_detector
• Importing aws_cloudwatch_log_group

You need to specify GuardDuty Detector ID when importing it, which can be found at AWS Management Console > GuardDuty > Settings > About GuardDuty.

Hope it helps, please let me know if you have further questions :)

from terraform-aws-secure-baseline.

@nozaq thanks for your response!

We don't have any resources provisioned related to cloudwatch log groups and guardduty for this account, before we ran terraform apply.

This what boggled us. it's a completely new AWS account.

from terraform-aws-secure-baseline.

@nazroll Hmm, that's strange 🤔 I'll test with my empty account, let's see if we can reproduce the same errors.

from terraform-aws-secure-baseline.

@nazroll
I've run this example with my empty account, and it succeeded.

One thing I noticed was providers are missing in your configuration.
Did you pass providers like this?

from terraform-aws-secure-baseline.

@nozaq We did pass in the providers.

module "secure-baseline" {
  source  = "nozaq/secure-baseline/aws"
  version = "0.8.0"

  audit_log_bucket_name          = "${var.audit_s3_bucket_name}"
  aws_account_id                 = "${data.aws_caller_identity.current.account_id}"
  region                         = "${var.region}"
  support_iam_role_principal_arn = "${var.support_iam_role_principal_arn}"

  providers = {
    "aws"                = "aws"
    "aws.ap-northeast-1" = "aws.ap-northeast-1"
    "aws.ap-northeast-2" = "aws.ap-northeast-2"
    "aws.ap-south-1"     = "aws.ap-south-1"
    "aws.ap-southeast-1" = "aws.ap-southeast-1"
    "aws.ap-southeast-2" = "aws.ap-southeast-2"
    "aws.ap-southeast-2" = "aws.ap-southeast-2"
    "aws.ca-central-1"   = "aws.ca-central-1"
    "aws.eu-central-1"   = "aws.eu-central-1"
    "aws.eu-north-1"     = "aws.eu-north-1"
    "aws.eu-west-1"      = "aws.eu-west-1"
    "aws.eu-west-2"      = "aws.eu-west-2"
    "aws.eu-west-3"      = "aws.eu-west-3"
    "aws.sa-east-1"      = "aws.sa-east-1"
    "aws.us-east-1"      = "aws.us-east-1"
    "aws.us-east-2"      = "aws.us-east-2"
    "aws.us-west-1"      = "aws.us-west-1"
    "aws.us-west-2"      = "aws.us-west-2"
  }
}

This is the error message after we ran that plan.

Error: module “secure-baseline”: cannot pass non-existent provider “aws.us-east-1"

Terraform version: 0.11.13
Active AWS region: eu-west-1

from terraform-aws-secure-baseline.