
aws_guardduty_organization_configuration_feature additional_configuration perpetual diff recreating resource #44822

@dpiddock

Description

Terraform and AWS Provider Version

Terraform v1.13.4
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v6.18.0

Affected Resource(s) or Data Source(s)

  • aws_guardduty_organization_configuration_feature

Expected Behavior

"No changes. Your infrastructure matches the configuration."

Actual Behavior

A diff is produced on every plan, wanting to replace the resource:

  # aws_guardduty_organization_configuration_feature.guardduty must be replaced
-/+ resource "aws_guardduty_organization_configuration_feature" "guardduty" {
      ~ id          = "<<redacted>>/RUNTIME_MONITORING" -> (known after apply)
        name        = "RUNTIME_MONITORING"
        # (3 unchanged attributes hidden)

      ~ additional_configuration {
          ~ name        = "ECS_FARGATE_AGENT_MANAGEMENT" -> "EC2_AGENT_MANAGEMENT" # forces replacement
            # (1 unchanged attribute hidden)
        }
      ~ additional_configuration {
          ~ name        = "EC2_AGENT_MANAGEMENT" -> "ECS_FARGATE_AGENT_MANAGEMENT" # forces replacement
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

Relevant Error/Panic Output

No response

Sample Terraform Configuration

resource "aws_guardduty_detector" "guardduty" {}

resource "aws_guardduty_organization_configuration" "guardduty" {
  # Gets a bit messy with Terraform
  auto_enable_organization_members = "NONE"

  detector_id = aws_guardduty_detector.guardduty.id
}

resource "aws_guardduty_organization_configuration_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.guardduty.id
  name        = "RUNTIME_MONITORING"
  auto_enable = "NONE"

  # toset() iterates strings in lexical order, so the blocks are emitted as
  # EC2_AGENT_MANAGEMENT, ECS_FARGATE_AGENT_MANAGEMENT, EKS_ADDON_MANAGEMENT
  dynamic "additional_configuration" {
    for_each = toset(["EC2_AGENT_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EKS_ADDON_MANAGEMENT"])
    iterator = ac
    content {
      name        = ac.key
      auto_enable = "NONE"
    }
  }

  depends_on = [aws_guardduty_organization_configuration.guardduty]
}

Steps to Reproduce

  1. Have an AWS organization
  2. Apply the plan
  3. Plan again to see a diff recreating the aws_guardduty_organization_configuration_feature resource

GenAI / LLM Assisted Development

n/a

Important Facts and References

Having the additional_configuration blocks in the "correct" order removes the diff:

resource "aws_guardduty_organization_configuration_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.guardduty.id
  name        = "RUNTIME_MONITORING"
  auto_enable = "NONE"

  additional_configuration {
    name        = "ECS_FARGATE_AGENT_MANAGEMENT"
    auto_enable = "NONE"
  }

  additional_configuration {
    name        = "EC2_AGENT_MANAGEMENT"
    auto_enable = "NONE"
  }

  additional_configuration {
    name        = "EKS_ADDON_MANAGEMENT"
    auto_enable = "NONE"
  }

  depends_on = [aws_guardduty_organization_configuration.guardduty]
}

A similar issue was fixed for aws_guardduty_detector_feature in #44627

Would you like to implement a fix?

No
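The report shows a replacement whose only difference is the order of the additional_configuration blocks, and the workaround is to write them in the order the state holds them. The following is an added example, not code from the issue or from the AWS provider: a small checker that reads the JSON from `terraform show -json tfplan` (its `resource_changes[].change.before/after/after_unknown` layout) and flags destroy-and-create changes whose `before` and `after` contain the same nested blocks in a different order, printing the state order so the blocks can be rewritten to match. The sample plan embedded below is constructed to mirror the diff in the report (the detector id is left as `<<redacted>>` as on the page); the second resource, named `EXAMPLE_FEATURE`, is a made-up genuine change included only to show that it is not flagged.

```python
"""Flag Terraform plan replacements caused only by nested-block order.

Added example, not part of the issue or the AWS provider. Input is the JSON
emitted by `terraform show -json tfplan`. For the resource in the report the
nested block list is `additional_configuration`, keyed by its `name`.
"""
import json
import sys


def _blocks_by_name(blocks):
    """Index a list of {name: ..., ...} blocks by name so order is ignored."""
    return {b["name"]: {k: v for k, v in b.items() if k != "name"} for b in blocks or []}


def is_reorder_only(change, block_key):
    """True if before/after differ only in the order of `block_key` blocks.

    Keys marked in after_unknown (e.g. `id` on a replacement) are skipped,
    because Terraform omits them from `after`.
    """
    before, after = change.get("before"), change.get("after")
    if not before or not after:
        return False
    unknown = change.get("after_unknown") or {}
    for key in set(before) | set(after):
        if key == block_key or unknown.get(key) is True:
            continue
        if before.get(key) != after.get(key):
            return False
    b_blocks = before.get(block_key) or []
    a_blocks = after.get(block_key) or []
    if len(b_blocks) != len(a_blocks) or b_blocks == a_blocks:
        return False
    return _blocks_by_name(b_blocks) == _blocks_by_name(a_blocks)


def api_block_order(change, block_key):
    """Block names in the order the refreshed state (i.e. the AWS API) holds them."""
    return [b["name"] for b in (change.get("before") or {}).get(block_key) or []]


def spurious_replacements(plan, block_key="additional_configuration"):
    """Map resource address -> state block order for each reorder-only replacement."""
    found = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" in actions and "create" in actions and is_reorder_only(change, block_key):
            found[rc["address"]] = api_block_order(change, block_key)
    return found


# Constructed sample plan mirroring the report: same three blocks, different
# order, `id` known only after apply. The second resource is a real change
# (a block's auto_enable differs) and must not be flagged.
_COMMON = {"detector_id": "<<redacted>>", "name": "RUNTIME_MONITORING", "auto_enable": "NONE"}
_NONE = "NONE"
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "aws_guardduty_organization_configuration_feature.guardduty",
            "type": "aws_guardduty_organization_configuration_feature",
            "change": {
                "actions": ["delete", "create"],
                "before": {**_COMMON, "id": "<<redacted>>/RUNTIME_MONITORING",
                           "additional_configuration": [
                               {"name": "ECS_FARGATE_AGENT_MANAGEMENT", "auto_enable": _NONE},
                               {"name": "EC2_AGENT_MANAGEMENT", "auto_enable": _NONE},
                               {"name": "EKS_ADDON_MANAGEMENT", "auto_enable": _NONE}]},
                "after": {**_COMMON,
                          "additional_configuration": [
                              {"name": "EC2_AGENT_MANAGEMENT", "auto_enable": _NONE},
                              {"name": "ECS_FARGATE_AGENT_MANAGEMENT", "auto_enable": _NONE},
                              {"name": "EKS_ADDON_MANAGEMENT", "auto_enable": _NONE}]},
                "after_unknown": {"id": True},
            },
        },
        {
            "address": "aws_guardduty_organization_configuration_feature.example",
            "type": "aws_guardduty_organization_configuration_feature",
            "change": {
                "actions": ["delete", "create"],
                "before": {"detector_id": "<<redacted>>", "name": "EXAMPLE_FEATURE",
                           "auto_enable": _NONE, "id": "<<redacted>>/EXAMPLE_FEATURE",
                           "additional_configuration": [{"name": "SUB_A", "auto_enable": _NONE}]},
                "after": {"detector_id": "<<redacted>>", "name": "EXAMPLE_FEATURE",
                          "auto_enable": _NONE,
                          "additional_configuration": [{"name": "SUB_A", "auto_enable": "ALL"}]},
                "after_unknown": {"id": True},
            },
        },
    ],
}


def main(argv):
    """Usage: python check_plan.py [plan.json]; exit 1 if any spurious replacement is found."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    hits = spurious_replacements(plan)
    for address, order in hits.items():
        print(f"{address}: replacement differs only in block order; state order is {order}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against a real plan with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json && python check_plan.py plan.json`; a non-zero exit lets a pipeline refuse to auto-apply a plan that would destroy and recreate the organization feature configuration for no configuration change, and the printed state order is the order to write the blocks in for the workaround the report describes.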

Labels: bug, service/guardduty