# GuardDuty is a monitoring service that analyzes
# AWS CloudTrail management and Amazon S3 data events, VPC Flow Logs,
# and DNS logs
# https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
# Data Sources
# CloudTrail
# DNS Logs
# Kubernetes
# S3
# VPC Flow Logs
# aws guardduty enable-organization-admin-account --admin-account-id 11111111111
# aws guardduty enable-organization-admin-account --admin-account-id 11111111111 --region us-west-2
# aws guardduty create-members --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-details AccountId=123456789012,[email protected]
# aws organizations list-accounts
# aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable
# aws guardduty describe-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0
# aws guardduty create-detector
# aws guardduty create-filter
# aws guardduty create-ip-set
# aws guardduty create-members
# aws guardduty create-publishing-destination
# aws guardduty create-sample-findings
# aws guardduty create-threat-intel-set
# No module-local values are defined here.
locals {
}
# for each region
# detector_id=$(aws guardduty list-detectors --region ${aws_region} --query DetectorIds | jq -r .[0])
# terraform import -var-file=environments/${env}/env.tfvars module.guardduty-${aws_region}.aws_guardduty_detector.self[0] ${detector_id}
# Kubernetes
# aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 123456789012 --data-sources '{"Kubernetes":{"AuditLogs":{"Enable":true}}}'
# S3
# aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 123456789012 --data-sources '{"S3Logs":{"Enable":true}}'
# Regional - Organization Master
# This will create a detector, if one doesn't exist
# Run terraform for administrator account first
#resource "aws_guardduty_organization_admin_account" "self" {
# count = var.enable && var.account_type == "master" ? 1 : 0
# #count = var.enable && var.account_type == "master" && data.aws_region.current.name == var.org_primary_region ? 1 : 0
# #count = 0
# admin_account_id = var.security_administrator_account_id
#}
## Run in admin account
# Detector
# Findings -> CW & S3 (KMS symmetric)
# S3 Protection - enable
# Kubernetes Protection - enable (tf not supported yet)
# SNS
# Trusted IP lists:
# Appzen Trusted https://s3.amazonaws.com/appzen-trusted/trusted.txt
# aws guardduty get-detector --detector-id
# aws guardduty list-detectors
# Add detector only on delegated admin
# Regional GuardDuty detector. It exists only when the module is enabled and
# this account is the delegated administrator (the count guard), so `enable`
# is always true for an instance that is actually created.
resource "aws_guardduty_detector" "self" {
  count = var.enable && var.account_type == "administrator" ? 1 : 0

  enable                       = var.enable
  finding_publishing_frequency = var.finding_publishing_frequency
  tags                         = var.tags

  # Optional data sources switched on in addition to the base feeds:
  # S3 data events, EKS audit logs and EBS malware scanning of EC2
  # instances with findings.
  # NOTE(review): the nested `datasources` block is deprecated in newer
  # AWS provider releases in favour of aws_guardduty_detector_feature;
  # confirm against the provider version this module pins.
  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }
}
# Organization-wide GuardDuty configuration, set from the delegated
# administrator's detector. The same count guard as the detector is used,
# which is what keeps the `[0]` index below valid.
resource "aws_guardduty_organization_configuration" "self" {
  count = var.enable && var.account_type == "administrator" ? 1 : 0

  detector_id = aws_guardduty_detector.self[0].id
  auto_enable = var.enable
  # NOTE(review): `auto_enable` has been superseded by
  # auto_enable_organization_members in newer provider releases; verify
  # which attribute the pinned provider expects.

  # Data sources auto-enabled for member accounts; kept in step with the
  # detector so every member gets the same coverage.
  datasources {
    s3_logs {
      auto_enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          auto_enable = true
        }
      }
    }
  }
}
## Adding members below fails with the error shown. It loops between destroy and create; after the create it throws the error below.
/*
Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.secure-base.module.guardduty-us-east-1[0].aws_guardduty_member.member["206178260240"], provider
│ "provider[\"registry.terraform.io/hashicorp/aws\"].us-east-1" produced an unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
*/
# Invite every entry of var.org_account_active_map (keyed by account id,
# each value carrying an Email) as a GuardDuty member of this region's
# detector, skipping the security administrator account itself.
# NOTE(review): the `tonumber(k)` comparison assumes account ids convert
# cleanly to numbers; an id with a leading zero would lose that digit.
# Confirm whether a string comparison against
# tostring(var.security_administrator_account_id) is the intended contract.
resource "aws_guardduty_member" "member" {
  for_each = var.enable && var.account_type == "administrator" ? {
    for k, v in var.org_account_active_map :
    tostring(k) => tostring(v.Email) if tonumber(k) != var.security_administrator_account_id
  } : {}

  detector_id = aws_guardduty_detector.self[0].id
  account_id  = tostring(each.key)
  email       = each.value

  # Send the invitation but suppress the e-mail to the member account.
  invite                     = true
  disable_email_notification = true
}
#resource "aws_guardduty_invite_accepter" "member" {
# depends_on = [aws_guardduty_member.member]
# provider = aws.member
#
# detector_id = aws_guardduty_detector.member.id
# master_account_id = aws_guardduty_detector.primary.account_id
#}
/*
# Security account to manage all members
# Regional - Administrator
## Think members need to exist before this can apply successfully
## Error: error reading GuardDuty Organization Configuration (): BadRequestException: The request is rejected because an invalid or out-of-range value is specified as an input parameter.
resource "aws_guardduty_organization_configuration" "self" {
count = var.enable && var.account_type == "administrator" ? 1 : 0
auto_enable = true
detector_id = aws_guardduty_detector.self[0].id
datasources {
s3_logs {
auto_enable = true
}
kubernetes {
audit_logs {
enable = true
}
}
malware_protection {
scan_ec2_instance_with_findings {
ebs_volumes {
auto_enable = true
}
}
}
}
depends_on = [aws_guardduty_member.member]
}
*/
#resource "aws_guardduty_detector" "member" {
# provider = aws.dev
# enable = true
#}
#dynamic "datasources" {
# for_each = var.datasources
# content {
# datasources.value["source"] {
# enable = datasources.value["enable"]
# }
# }
#}
#variable "datasources" {
# description = "Detector data sources"
# type = list(map(any))
# default = [
# {
# source = "s3_logs"
# enable = true
# }
# ]
#}
# Sent findings to S3
# Regional - All accounts
#resource "aws_guardduty_publishing_destination" "self" {
# count = var.enable ? 1 : 0
# detector_id = aws_guardduty_detector.self[0].id
# destination_arn = aws_s3_bucket.gd_bucket.arn
# kms_key_arn = aws_kms_key.gd_key.arn
#
# depends_on = [
# aws_s3_bucket_policy.gd_bucket_policy,
# ]
#}
# Trusted IP lists:
# Appzen Trusted https://s3.amazonaws.com/appzen-trusted/trusted.txt
# Regional - Administrator
#resource "aws_guardduty_ipset" "example" {
# count = var.enable && var.account_type == "administrator" ? 1 : 0
# activate = true
# detector_id = aws_guardduty_detector.self[0].id
# format = "TXT"
# location = "https://s3.amazonaws.com/${aws_s3_object.MyIPSet.bucket}/${aws_s3_object.MyIPSet.key}"
# name = "MyIPSet"
#}
/*
resource "aws_guardduty_member" "member" {
for_each = var.account_type == "administrator" ? { for record in local.org_account_active : record.Id => record } : {}
account_id = each.key
detector_id = aws_guardduty_detector.self.id
email = each.value.Email
}
*/
#resource "aws_guardduty_invite_accepter" "member" {
# depends_on = [aws_guardduty_member.member]
# #provider = aws.member
# detector_id = aws_guardduty_detector.member.id
# master_account_id = aws_guardduty_detector.primary.account_id
#}
#