Support for GuardDuty Member Detector Features

[autero1]

Description

This PR adds support for configuring AWS GuardDuty Member Detector Features, e.g.

resource "aws_guardduty_detector" "example" {
  enable = true
}

resource "aws_guardduty_member_detector_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.example.id
  account_id  = "123456789012"
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }

  additional_configuration {
    name   = "ECS_FARGATE_AGENT_MANAGEMENT"
    status = "ENABLED"
  }
}

Gotchas

Deleting the resource
When deleted (as many other existing GuarDuty Org features, such as guardduty_organization_configuration_feature), just removes the resource from state without disabling the resource.

Eventual consistency
When you use aws_guardduty_organization_configuration and set auto_enable_organization_members = "ALL" and try to use the resource for configuring member features, you keep hitting this:

{"unprocessedAccounts":[{"result":"The request is rejected because the given account ID is not an associated member of account the current account.","accountId":"123456789012"}]}

This is likely due to eventual consistency with the member accounts. My original test strategy was exactly this, but I just gave up. This definitely has serious implications on the usability as you most likely would use these resources together. Ended up testing with a prepared env where you already have an existing member account.

Random order of additional configuration

I keep hitting an issue where the API returns the additional configuration in random order and you get a perpetual diff - causing test failures and general annoyance 😅 . This is why the tests have some checks disabled atm.

Relations

Closes #26168

References

https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html

Output from Acceptance Testing

❯ make testacc TESTS=TestAccGuardDuty_serial/MemberDetectorFeature PKG=guardduty
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/guardduty/... -v -count 1 -parallel 20 -run='TestAccGuardDuty_serial/MemberDetectorFeature'  -timeout 360m
=== RUN   TestAccGuardDuty_serial
=== PAUSE TestAccGuardDuty_serial
=== CONT  TestAccGuardDuty_serial
=== RUN   TestAccGuardDuty_serial/MemberDetectorFeature
=== RUN   TestAccGuardDuty_serial/MemberDetectorFeature/basic
=== RUN   TestAccGuardDuty_serial/MemberDetectorFeature/additional_configuration
=== RUN   TestAccGuardDuty_serial/MemberDetectorFeature/multiple
--- PASS: TestAccGuardDuty_serial (46.67s)
    --- PASS: TestAccGuardDuty_serial/MemberDetectorFeature (46.67s)
        --- PASS: TestAccGuardDuty_serial/MemberDetectorFeature/basic (18.96s)
        --- PASS: TestAccGuardDuty_serial/MemberDetectorFeature/additional_configuration (12.75s)
        --- PASS: TestAccGuardDuty_serial/MemberDetectorFeature/multiple (14.96s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/guardduty	52.627s

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

• Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
• Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

[github-actions]

Welcome @autero1 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTOR guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

[autero1]

Oh... looks like I should've read this first: #32917
Back to the drawing board 🤦

[github-actions]

Thank you for your contribution! 🚀

Please note that typically Go dependency changes are handled in this repository by dependabot or the maintainers. This is to prevent pull request merge conflicts and further delay reviews of contributions. Remove any changes to the go.mod or go.sum files and commit them into this pull request.

Additional details:

• Check open pull requests with the dependencies label to view other dependency updates.
• If this pull request includes an update the AWS Go SDK (or any other dependency) version, only updates submitted via dependabot will be merged. This pull request will need to remove these changes and will need to be rebased after the existing dependency update via dependabot has been merged for this pull request to be reviewed.
• If this pull request is for supporting a new AWS service:
  • Ensure the new AWS service changes are following the Contributing Guide section on new services, in particular that the dependency addition and initial provider support are in a separate pull request from other changes (e.g. new resources). Contributions not following this item will not be reviewed until the changes are split.
  • If this pull request is already a separate pull request from the above item, you can ignore this message.

[autero1]

Output from acc tests after refactor:

❯ make testacc TESTS=TestAccGuardDuty_serial/MemberDetectorFeature PKG=guardduty
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/guardduty/... -v -count 1 -parallel 20 -run='TestAccGuardDuty_serial/MemberDetectorFeature'  -timeout 360m
=== RUN   TestAccGuardDuty_serial
=== PAUSE TestAccGuardDuty_serial
=== CONT  TestAccGuardDuty_serial
=== RUN   TestAccGuardDuty_serial/MemberDetectorFeature
=== RUN   TestAccGuardDuty_serial/MemberDetectorFeature/basic
=== RUN   TestAccGuardDuty_serial/MemberDetectorFeature/additional_configuration
=== RUN   TestAccGuardDuty_serial/MemberDetectorFeature/multiple
--- PASS: TestAccGuardDuty_serial (40.05s)
    --- PASS: TestAccGuardDuty_serial/MemberDetectorFeature (40.05s)
        --- PASS: TestAccGuardDuty_serial/MemberDetectorFeature/basic (14.59s)
        --- PASS: TestAccGuardDuty_serial/MemberDetectorFeature/additional_configuration (12.15s)
        --- PASS: TestAccGuardDuty_serial/MemberDetectorFeature/multiple (13.32s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/guardduty	46.064s

[allyman17]

Seeing some traction on this issue would be greatly appreciated, I have some accounts where we'd prefer guard duty not to inspect the s3 logs, while for others this is needed and to be able to control it via terrafrom would be great

[autero1]

Seeing some traction on this issue would be greatly appreciated, I have some accounts where we'd prefer guard duty not to inspect the s3 logs, while for others this is needed and to be able to control it via terrafrom would be great

Happy to finish this up. Don't really know if something is expected of me or is it just queued for approval.

[aplunk-nydig]

@ewbankkit would you have time to review this change?

[ewbankkit]

LGTM 🚀.

% AWS_GUARDDUTY_MEMBER_ACCOUNT_ID=123456789012 make testacc TESTARGS='-run=TestAccGuardDuty_serial/^MemberDetectorFeature$$' PKG=guardduty
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.5 test ./internal/service/guardduty/... -v -count 1 -parallel 20  -run=TestAccGuardDuty_serial/^MemberDetectorFeature$ -timeout 360m -vet=off
2025/01/30 10:56:27 Initializing Terraform AWS Provider...
=== RUN   TestAccGuardDuty_serial
=== PAUSE TestAccGuardDuty_serial
=== CONT  TestAccGuardDuty_serial
=== RUN   TestAccGuardDuty_serial/MemberDetectorFeature
=== RUN   TestAccGuardDuty_serial/MemberDetectorFeature/basic
=== RUN   TestAccGuardDuty_serial/MemberDetectorFeature/additional_configuration
=== RUN   TestAccGuardDuty_serial/MemberDetectorFeature/multiple
--- PASS: TestAccGuardDuty_serial (46.66s)
    --- PASS: TestAccGuardDuty_serial/MemberDetectorFeature (46.66s)
        --- PASS: TestAccGuardDuty_serial/MemberDetectorFeature/basic (22.11s)
        --- PASS: TestAccGuardDuty_serial/MemberDetectorFeature/additional_configuration (11.61s)
        --- PASS: TestAccGuardDuty_serial/MemberDetectorFeature/multiple (12.94s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/guardduty	52.202s

[jar-b]

LGTM 🚀

[ewbankkit]

@autero1 Thanks for the contribution 🎉 👏.

[github-actions]

This functionality has been released in v5.85.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.