feat(account): support guardduty regional delegated administration

posquit0 · posquit0 · commit ea47854c42e5 · 2025-09-24T12:06:56.000-07:00
diff --git a/modules/account/README.md b/modules/account/README.md
@@ -8,10 +8,10 @@ This module creates following resources.
 - `aws_cloudtrail_organization_delegated_admin_account` (optional)
 - `aws_fms_admin_account` (optional)
 - `aws_guardduty_organization_admin_account` (optional)
+- `aws_inspector2_delegated_admin_account` (optional)
+- `aws_macie2_organization_admin_account` (optional)
 - `aws_securityhub_organization_admin_account` (optional)
 - `aws_vpc_ipam_organization_admin_account` (optional)
-- `aws_macie2_organization_admin_account` (optional)
-- `aws_inspector2_delegated_admin_account` (optional)
 - `aws_account_primary_contact` (optional)
 - `aws_account_alternate_contact` (optional)
 - `aws_account_region` (optional)
diff --git a/modules/account/delegated-administrators.tf b/modules/account/delegated-administrators.tf
@@ -11,6 +11,7 @@ locals {
     "securityhub.amazonaws.com",
   ]
   regional_services = [
+    "guardduty.amazonaws.com",
     "inspector2.amazonaws.com",
     "macie.amazonaws.com",
   ]
@@ -75,12 +76,6 @@ resource "aws_fms_admin_account" "this" {
   account_id = aws_organizations_account.this.id
 }
 
-resource "aws_guardduty_organization_admin_account" "this" {
-  count = contains(local.delegated_service_names, "guardduty.amazonaws.com") ? 1 : 0
-
-  admin_account_id = aws_organizations_account.this.id
-}
-
 resource "aws_securityhub_organization_admin_account" "this" {
   count = contains(local.delegated_service_names, "securityhub.amazonaws.com") ? 1 : 0
 
@@ -93,6 +88,20 @@ resource "aws_vpc_ipam_organization_admin_account" "this" {
   delegated_admin_account_id = aws_organizations_account.this.id
 }
 
+resource "aws_guardduty_organization_admin_account" "this" {
+  for_each = toset(contains(local.delegated_service_names, "guardduty.amazonaws.com")
+    ? (length(local.delegated_services_map["guardduty.amazonaws.com"].regions) > 0
+      ? local.delegated_services_map["guardduty.amazonaws.com"].regions
+      : local.all_available_regions
+    )
+    : []
+  )
+
+  region = each.key
+
+  admin_account_id = aws_organizations_account.this.id
+}
+
 resource "aws_macie2_organization_admin_account" "this" {
   for_each = toset(contains(local.delegated_service_names, "macie.amazonaws.com")
     ? (length(local.delegated_services_map["macie.amazonaws.com"].regions) > 0
