Skip to content

Commit

Permalink
breaking: update GuardDuty to support runtime monitoring
Browse files Browse the repository at this point in the history
  • Loading branch information
marwinbaumannsbp committed Sep 24, 2024
1 parent b6ace9e commit 4f5003c
Show file tree
Hide file tree
Showing 4 changed files with 48 additions and 30 deletions.
4 changes: 2 additions & 2 deletions examples/basic/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.40.0"
version = ">= 5.54.0"
}
datadog = {
source = "datadog/datadog"
Expand All @@ -13,5 +13,5 @@ terraform {
version = ">= 0.4.2"
}
}
required_version = ">= 1.3"
required_version = ">= 1.6"
}
54 changes: 32 additions & 22 deletions guardduty.tf
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,14 @@ resource "aws_guardduty_organization_admin_account" "audit" {
}

// AWS GuardDuty - Audit account configuration
resource "aws_guardduty_detector" "audit" {
provider = aws.audit

enable = var.aws_guardduty.enabled
finding_publishing_frequency = var.aws_guardduty.finding_publishing_frequency
tags = var.tags
}

resource "aws_guardduty_organization_configuration" "default" {
count = var.aws_guardduty.enabled == true ? 1 : 0
provider = aws.audit
Expand All @@ -16,14 +24,6 @@ resource "aws_guardduty_organization_configuration" "default" {
depends_on = [aws_guardduty_organization_admin_account.audit]
}

resource "aws_guardduty_detector" "audit" {
provider = aws.audit

enable = var.aws_guardduty.enabled
finding_publishing_frequency = var.aws_guardduty.finding_publishing_frequency
tags = var.tags
}

resource "aws_guardduty_organization_configuration_feature" "ebs_malware_protection" {
provider = aws.audit

Expand All @@ -40,20 +40,6 @@ resource "aws_guardduty_organization_configuration_feature" "eks_audit_logs" {
auto_enable = var.aws_guardduty.eks_audit_logs_status == true ? "ALL" : "NONE"
}

resource "aws_guardduty_organization_configuration_feature" "eks_runtime_monitoring" {
provider = aws.audit

detector_id = aws_guardduty_detector.audit.id
name = "EKS_RUNTIME_MONITORING"
auto_enable = var.aws_guardduty.eks_runtime_monitoring_status == true ? "ALL" : "NONE"


additional_configuration {
name = "EKS_ADDON_MANAGEMENT"
auto_enable = var.aws_guardduty.eks_addon_management_status == true ? "ALL" : "NONE"
}
}

resource "aws_guardduty_organization_configuration_feature" "lambda_network_logs" {
provider = aws.audit

Expand All @@ -77,3 +63,27 @@ resource "aws_guardduty_organization_configuration_feature" "s3_data_events" {
name = "S3_DATA_EVENTS"
auto_enable = var.aws_guardduty.s3_data_events_status == true ? "ALL" : "NONE"
}

resource "aws_guardduty_organization_configuration_feature" "runtime_monitoring" {
provider = aws.audit

detector_id = aws_guardduty_detector.audit.id
name = "RUNTIME_MONITORING"
auto_enable = var.aws_guardduty.runtime_monitoring_status.enabled == true ? "ALL" : "NONE"


dynamic "additional_configuration" {
for_each = {
for name, status in {
"EKS_ADDON_MANAGEMENT" = var.aws_guardduty.runtime_monitoring_status.eks_addon_management_status
"ECS_FARGATE_AGENT_MANAGEMENT" = var.aws_guardduty.runtime_monitoring_status.ecs_fargate_agent_management_status
"EC2_AGENT_MANAGEMENT" = var.aws_guardduty.runtime_monitoring_status.ec2_agent_management_status
} : name => status if status == true
}

content {
name = additional_configuration.key
auto_enable = "ALL"
}
}
}
16 changes: 12 additions & 4 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -99,23 +99,31 @@ variable "aws_guardduty" {
enabled = optional(bool, true)
finding_publishing_frequency = optional(string, "FIFTEEN_MINUTES")
ebs_malware_protection_status = optional(bool, true)
eks_addon_management_status = optional(bool, true)
eks_audit_logs_status = optional(bool, true)
eks_runtime_monitoring_status = optional(bool, true)
lambda_network_logs_status = optional(bool, true)
rds_login_events_status = optional(bool, true)
s3_data_events_status = optional(bool, true)
runtime_monitoring_status = optional(object({
enabled = optional(bool, true)
eks_addon_management_status = optional(bool, true)
ecs_fargate_agent_management_status = optional(bool, true)
ec2_agent_management_status = optional(bool, true)
}, {}))
})
default = {
enabled = true
finding_publishing_frequency = "FIFTEEN_MINUTES"
ebs_malware_protection_status = true
eks_addon_management_status = true
eks_audit_logs_status = true
eks_runtime_monitoring_status = true
lambda_network_logs_status = true
rds_login_events_status = true
s3_data_events_status = true
runtime_monitoring_status = {
enabled = true
eks_addon_management_status = true
ecs_fargate_agent_management_status = true
ec2_agent_management_status = true
}
}
description = "AWS GuardDuty settings"
}
Expand Down
4 changes: 2 additions & 2 deletions versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.26.0"
version = ">= 5.54.0"
configuration_aliases = [aws.audit, aws.logging]
}
datadog = {
Expand All @@ -14,5 +14,5 @@ terraform {
version = ">= 0.4.2"
}
}
required_version = ">= 1.3"
required_version = ">= 1.6"
}

0 comments on commit 4f5003c

Please sign in to comment.