diff --git a/examples/basic/versions.tf b/examples/basic/versions.tf
index ceefbc2..99a66d5 100644
--- a/examples/basic/versions.tf
+++ b/examples/basic/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source = "hashicorp/aws"
-      version = ">= 4.40.0"
+      version = ">= 5.54.0"
     }
     datadog = {
       source = "datadog/datadog"
@@ -13,5 +13,5 @@ terraform {
       version = ">= 0.4.2"
     }
   }
-  required_version = ">= 1.3"
+  required_version = ">= 1.6"
 }
diff --git a/guardduty.tf b/guardduty.tf
index f66b1ee..b5a42be 100644
--- a/guardduty.tf
+++ b/guardduty.tf
@@ -6,6 +6,14 @@ resource "aws_guardduty_organization_admin_account" "audit" {
 }
 
 // AWS GuardDuty - Audit account configuration
+resource "aws_guardduty_detector" "audit" {
+  provider = aws.audit
+
+  enable = var.aws_guardduty.enabled
+  finding_publishing_frequency = var.aws_guardduty.finding_publishing_frequency
+  tags = var.tags
+}
+
 resource "aws_guardduty_organization_configuration" "default" {
   count = var.aws_guardduty.enabled == true ? 1 : 0
   provider = aws.audit
@@ -16,14 +24,6 @@ resource "aws_guardduty_organization_configuration" "default" {
   depends_on = [aws_guardduty_organization_admin_account.audit]
 }
 
-resource "aws_guardduty_detector" "audit" {
-  provider = aws.audit
-
-  enable = var.aws_guardduty.enabled
-  finding_publishing_frequency = var.aws_guardduty.finding_publishing_frequency
-  tags = var.tags
-}
-
 resource "aws_guardduty_organization_configuration_feature" "ebs_malware_protection" {
   provider = aws.audit
 
@@ -40,20 +40,6 @@ resource "aws_guardduty_organization_configuration_feature" "eks_audit_logs" {
   auto_enable = var.aws_guardduty.eks_audit_logs_status == true ? "ALL" : "NONE"
 }
 
-resource "aws_guardduty_organization_configuration_feature" "eks_runtime_monitoring" {
-  provider = aws.audit
-
-  detector_id = aws_guardduty_detector.audit.id
-  name = "EKS_RUNTIME_MONITORING"
-  auto_enable = var.aws_guardduty.eks_runtime_monitoring_status == true ? "ALL" : "NONE"
-
-
-  additional_configuration {
-    name = "EKS_ADDON_MANAGEMENT"
-    auto_enable = var.aws_guardduty.eks_addon_management_status == true ? "ALL" : "NONE"
-  }
-}
-
 resource "aws_guardduty_organization_configuration_feature" "lambda_network_logs" {
   provider = aws.audit
 
@@ -77,3 +63,27 @@ resource "aws_guardduty_organization_configuration_feature" "s3_data_events" {
   name = "S3_DATA_EVENTS"
   auto_enable = var.aws_guardduty.s3_data_events_status == true ? "ALL" : "NONE"
 }
+
+resource "aws_guardduty_organization_configuration_feature" "runtime_monitoring" {
+  provider = aws.audit
+
+  detector_id = aws_guardduty_detector.audit.id
+  name = "RUNTIME_MONITORING"
+  auto_enable = var.aws_guardduty.runtime_monitoring_status.enabled == true ? "ALL" : "NONE"
+
+
+  dynamic "additional_configuration" {
+    for_each = {
+      for name, status in {
+        "EKS_ADDON_MANAGEMENT" = var.aws_guardduty.runtime_monitoring_status.eks_addon_management_status
+        "ECS_FARGATE_AGENT_MANAGEMENT" = var.aws_guardduty.runtime_monitoring_status.ecs_fargate_agent_management_status
+        "EC2_AGENT_MANAGEMENT" = var.aws_guardduty.runtime_monitoring_status.ec2_agent_management_status
+      } : name => status if status == true
+    }
+
+    content {
+      name = additional_configuration.key
+      auto_enable = "ALL"
+    }
+  }
+}
diff --git a/ses_accounts_mail_alias.tf b/ses_accounts_mail_alias.tf
index 0cc76fc..526ca3f 100644
--- a/ses_accounts_mail_alias.tf
+++ b/ses_accounts_mail_alias.tf
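Review bot: The new `runtime_monitoring` resource dereferences `var.aws_guardduty.runtime_monitoring_status.enabled` and the three `...management_status` attributes, but the variables.tf hunk declares that attribute as `optional(object({...}))` with no default for the object itself, so any caller that sets `aws_guardduty` without a `runtime_monitoring_status` key gets `null` there and the plan fails with an attribute-on-null error. The nested `optional(bool, true)` defaults only apply when the parent object is present, and the variable's top-level `default` only applies when `aws_guardduty` is omitted entirely, so neither protects this path. Declare it as `runtime_monitoring_status = optional(object({ ... }), {})` in the variables.tf hunk so an omitted object is filled from the nested defaults, which also keeps runtime monitoring auto-enabled for member accounts by default rather than erroring out. The same defect applies to the variables.tf hunk further down; the fix belongs there.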
@@ -16,8 +16,7 @@ module "ses-root-accounts-mail-forward" {
   #checkov:skip=CKV_AWS_19: False positive: https://github.com/bridgecrewio/checkov/issues/3847. The S3 bucket created by this module is encrypted with KMS.
   #checkov:skip=CKV_AWS_145: False positive: https://github.com/bridgecrewio/checkov/issues/3847. The S3 bucket created by this module is encrypted with KMS.
   #checkov:skip=CKV_AWS_272: This module does not support lambda code signing at the moment
-  count = var.ses_root_accounts_mail_forward != null ? 1 : 0
-  providers = { aws = aws, aws.lambda = aws }
+  count = var.ses_root_accounts_mail_forward != null ? 1 : 0
   source = "schubergphilis/mcaf-ses-forwarder/aws"
   version = "~> 0.3.0"
 
diff --git a/variables.tf b/variables.tf
index b244d11..3868df4 100644
--- a/variables.tf
+++ b/variables.tf
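Review bot: Dropping `providers = { aws = aws, aws.lambda = aws }` while leaving `version = "~> 0.3.0"` untouched ties the correctness of this block to which 0.3.x release of `schubergphilis/mcaf-ses-forwarder/aws` gets selected: a release that still lists `aws.lambda` in its `configuration_aliases` will fail with a missing provider configuration for that alias, and a release that dropped it is only guaranteed if the constraint excludes the older ones. I cannot see the module from here, so this needs confirming against the module's own `versions.tf`; if the alias was removed in a specific patch release, raise the constraint to that release (for example `version = "~> 0.3.<first release without aws.lambda>"`, with the exact number taken from the module's changelog). The module block continues outside the hunk.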
@@ -99,23 +99,31 @@ variable "aws_guardduty" {
     enabled = optional(bool, true)
     finding_publishing_frequency = optional(string, "FIFTEEN_MINUTES")
     ebs_malware_protection_status = optional(bool, true)
-    eks_addon_management_status = optional(bool, true)
     eks_audit_logs_status = optional(bool, true)
-    eks_runtime_monitoring_status = optional(bool, true)
     lambda_network_logs_status = optional(bool, true)
     rds_login_events_status = optional(bool, true)
     s3_data_events_status = optional(bool, true)
+    runtime_monitoring_status = optional(object({
+      enabled = optional(bool, true)
+      eks_addon_management_status = optional(bool, true)
+      ecs_fargate_agent_management_status = optional(bool, true)
+      ec2_agent_management_status = optional(bool, true)
+    }))
   })
   default = {
     enabled = true
     finding_publishing_frequency = "FIFTEEN_MINUTES"
     ebs_malware_protection_status = true
-    eks_addon_management_status = true
     eks_audit_logs_status = true
-    eks_runtime_monitoring_status = true
     lambda_network_logs_status = true
     rds_login_events_status = true
     s3_data_events_status = true
+    runtime_monitoring_status = {
+      enabled = true
+      eks_addon_management_status = true
+      ecs_fargate_agent_management_status = true
+      ec2_agent_management_status = true
+    }
   }
   description = "AWS GuardDuty settings"
 }
diff --git a/versions.tf b/versions.tf
index 0cb2558..ff18295 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source = "hashicorp/aws"
-      version = ">= 5.26.0"
+      version = ">= 5.54.0"
       configuration_aliases = [aws.audit, aws.logging]
     }
     datadog = {
@@ -14,5 +14,5 @@ terraform {
       version = ">= 0.4.2"
     }
   }
-  required_version = ">= 1.3"
+  required_version = ">= 1.6"
 }
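Review bot: Removing `eks_addon_management_status` and `eks_runtime_monitoring_status` from the object type is a breaking interface change for every caller of this module, and nothing in the hunk documents it: a caller that still passes either attribute will, as far as I can tell from Terraform's object conversion rules, have its `aws_guardduty` value rejected as containing an unexpected attribute rather than silently ignored. The `description` stays at `"AWS GuardDuty settings"`, so the replacement is invisible in `terraform-docs` output; spell it out, e.g. `description = "AWS GuardDuty settings. runtime_monitoring_status replaces the former eks_runtime_monitoring_status and eks_addon_management_status flags and also covers ECS Fargate and EC2 agent management."`. The version bump of the aws provider to `>= 5.54.0` in the versions.tf hunk suggests the rename follows a provider-side change, which is worth stating in the changelog entry for this release so operators know the old keys must be migrated.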