aws_guardduty_detector import uses wrong region

[armsnyder]

Terraform and AWS Provider Version

Terraform v1.14.8
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v6.41.0

Affected Resource(s) or Data Source(s)

• aws_guardduty_detector

Expected Behavior

When importing a aws_guardduty_detector with a region attribute that differs from the provider config block's region, importing should succeed.

Actual Behavior

Import fails with error Error: Cannot import non-existent remote object. I can see from the debug logs that the provider is using the incorrect region when calling GetDetector.

Relevant Error/Panic Output

terraform import 'aws_guardduty_detector.eu_west_1' 'redacted'

aws_guardduty_detector.eu_west_1: Importing from ID "redacted"...
aws_guardduty_detector.eu_west_1: Import prepared!
  Prepared aws_guardduty_detector for import
aws_guardduty_detector.eu_west_1: Refreshing state... [id=redacted]
  | {
  |   "message" : "The request is rejected because the input detectorId is not owned by the current account.",
  |   "__type" : "InvalidInputException",
  |   "type" : "InvalidInputException"
  | }
╷
│ Error: Cannot import non-existent remote object
│
│ While attempting to import an existing object to "aws_guardduty_detector.eu_west_1", the provider detected that no object exists with the given id. Only pre-existing objects can be imported; check that the id is correct and that it is
│ associated with the provider's configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.
╵

Sample Terraform Configuration

Click to expand configuration

provider "aws" {
  region = "us-west-2"
}

resource "aws_guardduty_detector" "eu_west_1" {
  region = "eu-west-1"
  enable = true
}

Steps to Reproduce

With the above configuration, run terraform import aws_guardduty_detector.eu_west_1 <my-eu-west-1-detector-id>

Debug Logging

Click to expand log output

2026-05-04T13:48:30.308-0700 [DEBUG] provider.terraform-provider-aws_v6.41.0_x5: HTTP Request Sent: http.method=GET http.request.body="" http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.14.8 (+https://www.terraform.io) terraform-provider-aws/6.41.0 (+ht
tps://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.41.5 ua/2.1 os/macos lang/go#1.25.9 md/GOOS#darwin md/GOARCH#arm64 api/guardduty#1.75.0 m/r,t,u" tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashi
corp/aws tf_req_id=0b8ba7ad-8d65-79c0-ca4f-5e437be5dac0 tf_rpc=ReadResource @module=aws http.request.header.amz_sdk_invocation_id=b29433a8-00b2-4f4b-bd22-bc2fcbe23563 http.request.header.x_amz_security_token="*****" rpc.method=GuardDuty/GetDetector tf_aws
.signing_region="" http.request.header.amz_sdk_request="attempt=1; max=25" http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************JVDW/20260504/us-west-2/guardduty/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;h
ost;x-amz-date;x-amz-security-token, Signature=*****" tf_aws.sdk=aws-sdk-go-v2 tf_resource_type=aws_guardduty_detector @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.72/logging/tf_logger.go:45 aws.region=us-west-2 http.request.header.x_amz_da
te=20260504T204830Z http.url=https://guardduty.us-west-2.amazonaws.com/detector/redacted net.peer.name=guardduty.us-west-2.amazonaws.com rpc.system.name=aws-api timestamp=2026-05-04T13:48:30.308-0700
2026-05-04T13:48:30.523-0700 [DEBUG] provider.terraform-provider-aws_v6.41.0_x5: HTTP Response Received: tf_provider_addr=registry.terraform.io/hashicorp/aws http.response.header.content_type=application/json http.response.header.access_control_allow_head
ers="Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-Content-Sha256,X-Amz-User-Agent,*,Date,X-Amz-Target,x-amzn-platform-id,x-amzn-trace-id" http.response.header.access_control_expose_headers="x-amzn-ErrorType,x-amzn-requestid,x
-amzn-errormessage,x-amzn-trace-id,x-amz-apigw-id,Date" http.response.header.access_control_max_age=86400 rpc.system.name=aws-api tf_mux_provider="*schema.GRPCProviderServer" http.response.header.x_amzn_requestid=6da9de7a-b28d-4026-9a12-ea8c9f825ea7 @modu
le=aws tf_rpc=ReadResource @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.72/logging/tf_logger.go:45 http.response.header.date="Mon, 04 May 2026 20:48:30 GMT" tf_resource_type=aws_guardduty_detector tf_req_id=0b8ba7ad-8d65-79c0-ca4f-5e437be5d
ac0
  http.response.body=
  | {
  |   "message" : "The request is rejected because the input detectorId is not owned by the current account.",
  |   "__type" : "InvalidInputException",
  |   "type" : "InvalidInputException"
  | }
   http.response.header.x_amz_apigw_id=c23k0EZrvHcETTA= aws.region=us-west-2 tf_aws.sdk=aws-sdk-go-v2 http.duration=215 http.response.header.access_control_allow_origin="*" tf_aws.signing_region="" http.response.header.x_amzn_errortype=BadRequestException
 http.response.header.x_amzn_trace_id=Root=1-69f9061e-7ca298bd48d57b632a5cf060;Parent=181d3a1e92ad0b09;Sampled=0;Lineage=1:ba5c7a0e:0 http.response_content_length=183 http.status_code=400 rpc.method=GuardDuty/GetDetector timestamp=2026-05-04T13:48:30.523-
0700
2026-05-04T13:48:30.524-0700 [DEBUG] provider.terraform-provider-aws_v6.41.0_x5: request failed with unretryable error https response error StatusCode: 400, RequestID: 6da9de7a-b28d-4026-9a12-ea8c9f825ea7, BadRequestException: The request is rejected beca
use the input detectorId is not owned by the current account.: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.72/logging/tf_logger.go:45 @module=aws aws.region=us-west-2 rpc.method=GuardDuty/GetDetector rpc.system.name=aws-api tf_aws.sdk=aws-
sdk-go-v2 tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=0b8ba7ad-8d65-79c0-ca4f-5e437be5dac0 tf_resource_type=aws_guardduty_detector tf_rpc=ReadResource timestamp=2026-05-04T13:48:30.524-0700

GenAI / LLM Assisted Development

n/a

Important Facts and References

No response

Would you like to implement a fix?

No

[github-actions]

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.

[dosubot]

Hey @armsnyder 👋 Thank you for taking the time to raise this!

This is the same issue reported in #47505 — during import, the provider doesn't yet know about the resource-level region override, so it uses the provider's configured region (us-west-2 in your case) instead of eu-west-1.

The workaround is to append @<region> to the import ID. For your case:

terraform import 'aws_guardduty_detector.eu_west_1' '<detector-id>@eu-west-1'

If you're using an import block instead, you can also specify the provider argument to point to an alias configured for the correct region — but the @<region> suffix on the import ID is simpler.

This syntax is documented in the Enhanced Region Support guide.

Written by @dosu, edited by justinretzolk

To reply, just mention @dosu.

---

Docs are dead. Just use Dosu.