Skip to content

Commit 8e3bad0

Browse files
sfreydinsfreydin
committed
feat: guardduty_member ignore fields, alarm-baseline vars for patterns
1 parent 6b2d679 commit 8e3bad0

File tree

3 files changed

+115
-19
lines changed

3 files changed

+115
-19
lines changed

modules/alarm-baseline/main.tf

Lines changed: 15 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@ resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
4343
count = var.unauthorized_api_calls_enabled ? 1 : 0
4444

4545
name = "UnauthorizedAPICalls"
46-
pattern = "{(($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")) && (($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && ($.eventName!=\"HeadBucket\"))}"
46+
pattern = var.unauthorized_api_calls_pattern
4747
log_group_name = var.cloudtrail_log_group_name
4848

4949
metric_transformation {
@@ -76,10 +76,7 @@ resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
7676
count = var.no_mfa_console_signin_enabled ? 1 : 0
7777

7878
name = "NoMFAConsoleSignin"
79-
pattern = join(" ", [
80-
"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\")",
81-
var.mfa_console_signin_allow_sso ? "&& ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }" : "}",
82-
])
79+
pattern = var.no_mfa_console_signin_pattern
8380
log_group_name = var.cloudtrail_log_group_name
8481

8582
metric_transformation {
@@ -112,7 +109,7 @@ resource "aws_cloudwatch_log_metric_filter" "root_usage" {
112109
count = var.root_usage_enabled ? 1 : 0
113110

114111
name = "RootUsage"
115-
pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
112+
pattern = var.root_usage_pattern
116113
log_group_name = var.cloudtrail_log_group_name
117114

118115
metric_transformation {
@@ -145,7 +142,7 @@ resource "aws_cloudwatch_log_metric_filter" "iam_changes" {
145142
count = var.iam_changes_enabled ? 1 : 0
146143

147144
name = "IAMChanges"
148-
pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
145+
pattern = var.iam_changes_pattern
149146
log_group_name = var.cloudtrail_log_group_name
150147

151148
metric_transformation {
@@ -178,7 +175,7 @@ resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" {
178175
count = var.cloudtrail_cfg_changes_enabled ? 1 : 0
179176

180177
name = "CloudTrailCfgChanges"
181-
pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
178+
pattern = var.cloudtrail_cfg_changes_pattern
182179
log_group_name = var.cloudtrail_log_group_name
183180

184181
metric_transformation {
@@ -211,7 +208,7 @@ resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" {
211208
count = var.console_signin_failures_enabled ? 1 : 0
212209

213210
name = "ConsoleSigninFailures"
214-
pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
211+
pattern = var.console_signin_failures_pattern
215212
log_group_name = var.cloudtrail_log_group_name
216213

217214
metric_transformation {
@@ -244,7 +241,7 @@ resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" {
244241
count = var.disable_or_delete_cmk_enabled ? 1 : 0
245242

246243
name = "DisableOrDeleteCMK"
247-
pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
244+
pattern = var.disable_or_delete_cmk_pattern
248245
log_group_name = var.cloudtrail_log_group_name
249246

250247
metric_transformation {
@@ -277,7 +274,7 @@ resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" {
277274
count = var.s3_bucket_policy_changes_enabled ? 1 : 0
278275

279276
name = "S3BucketPolicyChanges"
280-
pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
277+
pattern = var.s3_bucket_policy_changes_pattern
281278
log_group_name = var.cloudtrail_log_group_name
282279

283280
metric_transformation {
@@ -310,7 +307,7 @@ resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" {
310307
count = var.aws_config_changes_enabled ? 1 : 0
311308

312309
name = "AWSConfigChanges"
313-
pattern = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
310+
pattern = var.aws_config_changes_pattern
314311
log_group_name = var.cloudtrail_log_group_name
315312

316313
metric_transformation {
@@ -343,7 +340,7 @@ resource "aws_cloudwatch_log_metric_filter" "security_group_changes" {
343340
count = var.security_group_changes_enabled ? 1 : 0
344341

345342
name = "SecurityGroupChanges"
346-
pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
343+
pattern = var.security_group_changes_pattern
347344
log_group_name = var.cloudtrail_log_group_name
348345

349346
metric_transformation {
@@ -376,7 +373,7 @@ resource "aws_cloudwatch_log_metric_filter" "nacl_changes" {
376373
count = var.nacl_changes_enabled ? 1 : 0
377374

378375
name = "NACLChanges"
379-
pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
376+
pattern = var.nacl_changes_pattern
380377
log_group_name = var.cloudtrail_log_group_name
381378

382379
metric_transformation {
@@ -409,7 +406,7 @@ resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" {
409406
count = var.network_gw_changes_enabled ? 1 : 0
410407

411408
name = "NetworkGWChanges"
412-
pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
409+
pattern = var.network_gw_changes_pattern
413410
log_group_name = var.cloudtrail_log_group_name
414411

415412
metric_transformation {
@@ -442,7 +439,7 @@ resource "aws_cloudwatch_log_metric_filter" "route_table_changes" {
442439
count = var.route_table_changes_enabled ? 1 : 0
443440

444441
name = "RouteTableChanges"
445-
pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
442+
pattern = var.route_table_changes_pattern
446443
log_group_name = var.cloudtrail_log_group_name
447444

448445
metric_transformation {
@@ -475,7 +472,7 @@ resource "aws_cloudwatch_log_metric_filter" "vpc_changes" {
475472
count = var.vpc_changes_enabled ? 1 : 0
476473

477474
name = "VPCChanges"
478-
pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
475+
pattern = var.vpc_changes_pattern
479476
log_group_name = var.cloudtrail_log_group_name
480477

481478
metric_transformation {
@@ -508,7 +505,7 @@ resource "aws_cloudwatch_log_metric_filter" "organizations_changes" {
508505
count = var.organizations_changes_enabled ? 1 : 0
509506

510507
name = "OrganizationsChanges"
511-
pattern = "{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName= \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName =\"UpdateOrganizationalUnit\")) }"
508+
pattern = var.organizations_changes_pattern
512509
log_group_name = var.cloudtrail_log_group_name
513510

514511
metric_transformation {

modules/alarm-baseline/variables.tf

Lines changed: 94 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -120,7 +120,100 @@ variable "sns_topic_kms_master_key_id" {
120120
variable "tags" {
121121
description = "Specifies object tags key and value. This applies to all resources created by this module."
122122
type = map(string)
123-
default = {
123+
default = {
124124
"Terraform" = "true"
125125
}
126126
}
127+
128+
variable "unauthorized_api_calls_pattern" {
129+
description = "Pattern for unauthorized api calls"
130+
type = string
131+
default = "{(($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")) && (($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && ($.eventName!=\"HeadBucket\"))}"
132+
}
133+
134+
variable "no_mfa_console_signin_pattern" {
135+
description = "Pattern for No MFA console signin"
136+
type = string
137+
default = join(" ", [
138+
"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\")",
139+
var.mfa_console_signin_allow_sso ? "&& ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }" : "}",
140+
])
141+
}
142+
143+
variable "root_usage_pattern" {
144+
description = "Pattern for root usage"
145+
type = string
146+
default = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
147+
}
148+
149+
variable "iam_changes_pattern" {
150+
description = ""
151+
type = string
152+
default = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
153+
}
154+
155+
variable "cloudtrail_cfg_changes_pattern" {
156+
description = "Pattern for CloudTrail config changes"
157+
type = string
158+
default = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
159+
}
160+
161+
variable "console_signin_failures_pattern" {
162+
description = "Pattern for Console signin failures"
163+
type = string
164+
default = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
165+
}
166+
167+
variable "disable_or_delete_cmk_pattern" {
168+
description = "Pattern for Disable or Delete cmk"
169+
type = string
170+
default = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
171+
}
172+
173+
variable "s3_bucket_policy_changes_pattern" {
174+
description = "Pattern for S3 Bucket Policy changes"
175+
type = string
176+
default = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
177+
}
178+
179+
variable "aws_config_changes_pattern" {
180+
description = "Pattern for AWS Config changes"
181+
type = string
182+
default = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
183+
}
184+
185+
variable "security_group_changes_pattern" {
186+
description = "Pattern for Security Group changes"
187+
type = string
188+
default = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
189+
}
190+
191+
variable "nacl_changes_pattern" {
192+
description = "Pattern for NACL changes"
193+
type = string
194+
default = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
195+
}
196+
197+
variable "network_gw_changes_pattern" {
198+
description = "Pattern for Network GW changes"
199+
type = string
200+
default = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
201+
}
202+
203+
variable "route_table_changes_pattern" {
204+
description = "Pattern for Route Table changes"
205+
type = string
206+
default = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
207+
}
208+
209+
variable "vpc_changes_pattern" {
210+
description = "Pattern for VPC changes"
211+
type = string
212+
default = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
213+
}
214+
215+
variable "organizations_changes_pattern" {
216+
description = "Pattern for Organizations changes"
217+
type = string
218+
default = "{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName= \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName =\"UpdateOrganizationalUnit\")) }"
219+
}

modules/guardduty-baseline/main.tf

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,12 @@ resource "aws_guardduty_member" "members" {
2525
disable_email_notification = var.disable_email_notification
2626
email = var.member_accounts[count.index].email
2727
invitation_message = var.invitation_message
28+
# because of https://github.com/hashicorp/terraform-provider-aws/issues/13906#issuecomment-653613521
29+
lifecycle {
30+
ignore_changes = [
31+
email
32+
]
33+
}
2834
}
2935

3036
resource "aws_guardduty_invite_accepter" "master" {

0 commit comments

Comments
 (0)