Skip to content

cahnk/terraform-aws-tardigrade-guardduty

BranchesTags
 
 

Repository files navigation

terraform-aws-tardigrade-guardduty

Terraform module to create a standard GuardDuty configuration in a single AWS account. These include a GuardDuty detector, filter, ipset, threatintelset, and publshing destination. GuardDuty configurations that require multiple AWS accounts are not included in this module, and the terraform code for those configurations has been implemented in seperate submodeles (see the modules section of this project).

  • Creates a GuardDuty detector for this account
  • Creates zero or more GuardDuty filters for this account if the filter var is not null.
  • Creates zero or more GuardDuty ipsets for this account if the ipset var is not null.
  • Creates zero or more GuardDuty threatintelsets for this account if the threatintelset var is not null.
  • Creates a GuardDuty publishing_destination for this account if the publishing_destination var is not null.

Prerequisites: This publishing_destination resource assumes the S3 bucket associated with the destination arn exists and the required policies have been created to allow GuardDuty to access the bucket. It also assumes the kms key associated with the kms key arn exists and has a policy that allows GuardDuty to to use it.

Testing

You can find example implementations of this module in the tests folder (create_all_guardduty_standard_resources).

Requirements

Name Version
aws >= 3.0

Providers

Name Version
aws >= 3.0

Resources

Name Type

Inputs

Name Description Type Default Required
enable (Optional) Enable GuardDuty monitoring and feedback reporting. Setting to false is equivalent to 'suspending'GuardDuty. Defaults to true. bool true no
enable_s3_protection (Required) If true, enables S3 Protection. Defaults to true. bool true no
filters GuardDuty filter configuration list 
list(object({
    name        = string                   # (Required) The name of your filter.  SPACES ARE NOT ALOWED
    description = string                   # (Optional) Description of the filter.
    rank        = number                   # (Required) Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
    action      = string                   # (Required) Specifies the action that is to be applied to the findings that match the filter. Can be one of ARCHIVE or NOOP.
    tags        = map(string)              # (Optional) - The tags that you want to add to the Filter resource. A tag consists of a key and a value.
    criterion = list(object({              # (Represents the criteria to be used in the filter for querying findings. Contains one or more criterion blocks
      field                 = string       # (Required) The name of the field to be evaluated. The full list of field names can be found in AWS documentation.
      equals                = list(string) # (Optional) List of string values to be evaluated.
      not_equals            = list(string) # (Optional) List of string values to be evaluated.
      greater_than          = string       # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
      greater_than_or_equal = string       # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
      less_than             = string       # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
      less_than_or_equal    = string       # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
    }))
  }))
 [] no
finding_publishing_frequency (Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. string "SIX_HOURS" no
ipsets GuardDuty ipset list 
list(object({
    activate = bool        # (Required) Specifies whether GuardDuty is to start using the uploaded IPSet.
    format   = string      # (Required) The format of the file that contains the IPSet. Valid values: TXT
 STIX OTX_CSV
publishing_destination GuardDuty publishing destination 
object({
    destination_arn  = string # (Required) The bucket arn and prefix under which the findings get exported. Bucket-ARN is required, the prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided
    kms_key_arn      = string # (Required) The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty enforces this to be encrypted.
    destination_type = string # (Optional) Currently there is only "S3" available as destination type which is also the default value
  })
 null no
threatintelsets GuardDuty threatintelset list 
list(object({
    activate = bool        # (Required) Specifies whether GuardDuty is to start using the uploaded threatintelset.
    format   = string      # (Required) The format of the file that contains the threatintelset. Valid values: TXT
 STIX OTX_CSV

Outputs

Name Description
detector GuardDuty filter
filter GuardDuty filter
ipset GuardDuty ipset
publishing_destination GuardDuty publishing destination
threatintelset GuardDuty threatintelset

About

Terraform module to setup GuardDuty

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

7 tags

Packages

No packages published

Languages

  • HCL 94.7%
  • Go 4.6%
  • Other 0.7%