# GuardDuty detector for the account this module is applied in. The
# organization-level resources below are attached to this detector's id, so
# the account is presumably the organization's delegated GuardDuty
# administrator (the delegation itself is not managed in this file -- confirm
# against the caller).
resource "aws_guardduty_detector" "default" {
  enable = true
  # How often updates to existing findings are exported; the value is left to
  # the caller.
  finding_publishing_frequency = var.finding_publishing_frequency

  # NOTE(review): the inline `datasources` block is the older, provider-deprecated
  # way to switch data sources on; `aws_guardduty_detector_feature` resources are
  # the replacement. The same three variables also drive the member-account
  # enablement below, so one flag governs both the administrator detector and
  # the organization policy.
  datasources {
    s3_logs {
      enable = var.scan_s3_data_events
    }
    kubernetes {
      audit_logs {
        enable = var.scan_eks_audit_logs
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = var.enable_ebs_malware_protection
        }
      }
    }
  }

  tags = var.tags
}
# Organization-wide GuardDuty policy, applied through the detector above (which
# therefore has to belong to the delegated administrator account).
resource "aws_guardduty_organization_configuration" "default" {
  # "NEW", "ALL" or "NONE": which member accounts get GuardDuty turned on
  # automatically. The per-feature resources below reuse the same value.
  auto_enable_organization_members = var.auto_enable_organization_members
  detector_id                      = aws_guardduty_detector.default.id

  # NOTE(review): this `datasources` block is the deprecated way to auto-enable
  # data sources for members, and the `aws_guardduty_organization_configuration_feature`
  # resources further down configure the same S3 / EKS audit log / EBS malware
  # features through the feature-based API. Two resources managing one setting
  # can show drift between them on plan -- confirm one path is sufficient before
  # dropping the other.
  datasources {
    s3_logs {
      # boolean here, whereas the feature resource takes "NEW"/"ALL"/"NONE"
      auto_enable = var.scan_s3_data_events
    }
    kubernetes {
      audit_logs {
        enable = var.scan_eks_audit_logs
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          auto_enable = var.enable_ebs_malware_protection
        }
      }
    }
  }
}
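# Auto-enables EKS Runtime Monitoring for member accounts. Created only when the
# caller asks for it; unlike the other features there is no matching data source
# on the detector above, so the administrator account's own runtime monitoring
# is not managed here.
#
# NOTE(review): AWS has folded EKS runtime monitoring into the broader
# RUNTIME_MONITORING feature; check that the provider version in use still
# accepts this feature name before relying on it for new deployments.
resource "aws_guardduty_organization_configuration_feature" "eks_runtime_monitoring" {
  count = var.enable_eks_runtime_monitoring ? 1 : 0

  detector_id = aws_guardduty_detector.default.id
  name        = "EKS_RUNTIME_MONITORING"
  # "NEW", "ALL" or "NONE" -- shared with the other feature resources so that all
  # member-account enablement follows a single setting.
  auto_enable = var.auto_enable_organization_members

  # The managed EKS add-on (the runtime agent) follows the same policy as the
  # parent feature. It was previously hard-coded to "NEW", which silently
  # diverged from the caller's choice whenever that was "ALL" (existing members
  # got the feature but not the agent) or "NONE".
  additional_configuration {
    name        = "EKS_ADDON_MANAGEMENT"
    auto_enable = var.auto_enable_organization_members
  }
}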
# Auto-enables EKS audit log monitoring for member accounts. Gated by the same
# variable that switches the data source on for the administrator detector
# above, so the two cannot be configured independently.
resource "aws_guardduty_organization_configuration_feature" "eks_audit_logs" {
  count = var.scan_eks_audit_logs ? 1 : 0

  detector_id = aws_guardduty_detector.default.id
  name        = "EKS_AUDIT_LOGS"
  # "NEW", "ALL" or "NONE", shared with the other feature resources.
  auto_enable = var.auto_enable_organization_members
}
# Auto-enables S3 data event monitoring for member accounts. Gated by the same
# variable that enables the S3 logs data source on the administrator detector.
resource "aws_guardduty_organization_configuration_feature" "s3_data_events" {
  count = var.scan_s3_data_events ? 1 : 0

  detector_id = aws_guardduty_detector.default.id
  name        = "S3_DATA_EVENTS"
  # "NEW", "ALL" or "NONE", shared with the other feature resources.
  auto_enable = var.auto_enable_organization_members
}
# Auto-enables EBS malware protection (scanning of EC2 volumes on findings) for
# member accounts. Gated by the same variable that enables the malware
# protection data source on the administrator detector.
resource "aws_guardduty_organization_configuration_feature" "ebs_malware_protection" {
  count = var.enable_ebs_malware_protection ? 1 : 0

  detector_id = aws_guardduty_detector.default.id
  name        = "EBS_MALWARE_PROTECTION"
  # "NEW", "ALL" or "NONE", shared with the other feature resources.
  auto_enable = var.auto_enable_organization_members
}
# Auto-enables RDS login event monitoring for member accounts. There is no
# corresponding data source on the detector above, so the administrator
# account's own RDS monitoring is not managed in this file.
resource "aws_guardduty_organization_configuration_feature" "rds_login_events" {
  count = var.scan_rds_login_events ? 1 : 0

  detector_id = aws_guardduty_detector.default.id
  name        = "RDS_LOGIN_EVENTS"
  # "NEW", "ALL" or "NONE", shared with the other feature resources.
  auto_enable = var.auto_enable_organization_members
}
# Auto-enables Lambda network activity monitoring for member accounts. As with
# RDS login events, there is no matching data source on the detector above, so
# the administrator account itself is not covered here.
resource "aws_guardduty_organization_configuration_feature" "lambda_network_logs" {
  count = var.scan_lambda_network_logs ? 1 : 0

  detector_id = aws_guardduty_detector.default.id
  name        = "LAMBDA_NETWORK_LOGS"
  # "NEW", "ALL" or "NONE", shared with the other feature resources.
  auto_enable = var.auto_enable_organization_members
}
# Optional export of findings to an S3 bucket, created only when the caller
# supplies a bucket ARN. Exported findings are encrypted with the given KMS key.
resource "aws_guardduty_publishing_destination" "default" {
  count = var.publish_destination_s3_arn != "" ? 1 : 0

  detector_id     = aws_guardduty_detector.default.id
  destination_arn = var.publish_destination_s3_arn
  # NOTE(review): kms_key_arn is a required argument of this resource, so
  # var.publish_destination_kms_key_arn must be non-empty whenever the S3 ARN is
  # set -- the count guard above does not check it. The bucket and key policies
  # that allow GuardDuty to write are assumed to be managed elsewhere; confirm
  # against the caller.
  kms_key_arn = var.publish_destination_kms_key_arn
}