In this specific case, it looks like changing the member email address causes a new member resource. So to prevent this, you need to ensure that the value in your code exactly matches what's in AWS.

You could also see if the invite property is at fault, but that's less likely. The docs don't imply that: the property is correctly mutable.

This is for the organization master account...I wonder if this has something to do with from the master account, you enabled GD and then delegate to another account to be the GD master account...and now the GD master account is trying to add the org master as a GD member??

I create an array of accounts and then map() over them,

// loop over the accounts to add the GD member
accounts.map(
	account =>
		new aws.guardduty.Member(account.name, {
			detectorId: primaryDetectorId,
			accountId: account.accountId,
			email: account.email,
			invite: false
		})
);

I have like 15 accounts in the array and it's only an issue for this one.

I would check the email address for exact-sameness.

hmm...here's a difference...not sure how S3 protection got enabled there as I have not set that. and I don't see an option to set that in Member.

Here's the CLI to do it, it looks like it can be done in Pulumi too: https://docs.aws.amazon.com/guardduty/latest/ug/s3_detection.html

Yea, the console text and the api property name don't seem in any way related, but there you go. Pulumi property for that CLI config is here: https://www.pulumi.com/registry/packages/aws/api-docs/guardduty/detector/#detectordatasourcess3logs

@little-cartoon-10569 I tried some things and I don't think it was related to default values. I removed that account from the list of accounts to create a Member ran

pulumi up

and it "deleted" the account. I use quotes because Pulumi says it deleted yet, I still see that member in AWS console. Now whene I do

pulumi preview

(or

up

) I see no changes as expected. I think this must have something to do with when the master AWS org account creates the GD master account, it must add itself as a member at that point.

hmm...actually I just ran the code to add the accounts for another region and getting this issue of diffs on 4 other accounts. So I think it's just a bug at this point.

@little-cartoon-10569 Just to close the loop on this. I created a ticket with Pulumi support and they had me send a log file. On reviewing the file they said "..it looks like a bug in the upstream provider. I would use

ignoreChanges

...." So I changed the code to

// loop over the accounts to add the GD member
accounts.map(
	account =>
		new aws.guardduty.Member(account.name, {
			detectorId: primaryDetector.id,
			accountId: account.accountId,
			email: account.email,
			invite: false
		},{ignoreChanges: ["email","invite"]})
);

and I no longer get diffs.

and here is the github issue in terraform https://github.com/hashicorp/terraform-provider-aws/issues/8206