plus3it/terraform-aws-tardigrade-guardduty


terraform-aws-tardigrade-guardduty

Terraform module to create a standard GuardDuty configuration in a single AWS account: a GuardDuty detector, plus optional filters, IPSets, ThreatIntelSets, and a publishing destination. GuardDuty configurations that span multiple AWS accounts are not included in this module; the Terraform code for those configurations has been implemented in separate submodules (see the modules section of this project).

  • Creates a GuardDuty detector for this account
  • Creates one GuardDuty filter per entry of the filters list (none when the list is empty)
  • Creates one GuardDuty IPSet per entry of the ipsets list (none when the list is empty)
  • Creates one GuardDuty ThreatIntelSet per entry of the threatintelsets list (none when the list is empty)
  • Creates a GuardDuty publishing destination for this account when publishing_destination is not null

Prerequisites: the publishing_destination resource assumes that the S3 bucket named in destination_arn already exists and that a bucket policy allowing GuardDuty to write to it is in place. It also assumes that the KMS key named in kms_key_arn exists and has a key policy that allows GuardDuty to use it. GuardDuty verifies both when the destination is created, so the policies must be applied before this module creates the publishing destination.
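The bucket and key policies the prerequisites paragraph describes, as an added example (not the module's own code or part of its tests), wired into a module call. The bucket name, the key description, the module source, and the choice of restricting GuardDuty with aws:SourceAccount are assumptions:

```hcl
# Added example, not the module's own code. The bucket name, key description
# and module source are assumptions; adjust them to your environment.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "guardduty_findings" {
  bucket = "guardduty-findings-${data.aws_caller_identity.current.account_id}"
}

# KMS key used to encrypt exported findings. GuardDuty needs only
# kms:GenerateDataKey; the account root retains administrative control.
data "aws_iam_policy_document" "guardduty_key" {
  statement {
    sid       = "KeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    sid       = "AllowGuardDutyToEncryptFindings"
    actions   = ["kms:GenerateDataKey"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["guardduty.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_kms_key" "guardduty_findings" {
  description         = "GuardDuty findings export"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.guardduty_key.json
}

# Bucket policy: GuardDuty may locate the bucket and write objects, but only
# on behalf of this account; uploads that are not SSE-KMS encrypted are refused.
data "aws_iam_policy_document" "guardduty_findings_bucket" {
  statement {
    sid     = "AllowGuardDutyToWriteFindings"
    actions = ["s3:GetBucketLocation", "s3:PutObject"]
    resources = [
      aws_s3_bucket.guardduty_findings.arn,
      "${aws_s3_bucket.guardduty_findings.arn}/*",
    ]
    principals {
      type        = "Service"
      identifiers = ["guardduty.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
  statement {
    sid       = "DenyUnencryptedObjectUploads"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.guardduty_findings.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }
}

resource "aws_s3_bucket_policy" "guardduty_findings" {
  bucket = aws_s3_bucket.guardduty_findings.id
  policy = data.aws_iam_policy_document.guardduty_findings_bucket.json
}

module "guardduty" {
  source = "git::https://github.com/plus3it/terraform-aws-tardigrade-guardduty.git" # assumed

  publishing_destination = {
    destination_arn  = aws_s3_bucket.guardduty_findings.arn
    kms_key_arn      = aws_kms_key.guardduty_findings.arn
    destination_type = "S3"
  }

  # GuardDuty verifies bucket and key access when the destination is created,
  # so the bucket policy must already be applied.
  depends_on = [aws_s3_bucket_policy.guardduty_findings]
}
```

Pinning aws:SourceArn to the detector ARN would tighten both policies further, but the module creates the detector: referencing its detector output from the bucket policy while the module also depends on that policy forms a dependency cycle, so either keep the account-level condition shown here or create the detector in a separate apply.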

Testing

You can find example implementations of this module in the tests folder (create_all_guardduty_standard_resources).

Requirements

Name Version
terraform >= 0.15
aws >= 4.24.0

Providers

Name Version
aws >= 4.24.0

Resources

Name Type

Inputs

Name / Description / Type / Default / Required

enable
  (Optional) Enable GuardDuty monitoring and feedback reporting. Setting this to false is equivalent to suspending GuardDuty.
  Type: bool. Default: true. Required: no.

enable_kubernetes_protection
  (Optional) If true, enables Kubernetes Protection (EKS audit log monitoring).
  Type: bool. Default: true. Required: no.

enable_malware_protection
  (Optional) If true, enables Malware Protection (scanning of EBS volumes attached to EC2 instances with findings).
  Type: bool. Default: true. Required: no.

enable_s3_protection
  (Optional) If true, enables S3 Protection.
  Type: bool. Default: true. Required: no.

filters
  GuardDuty filter configuration list.
  Type:
    list(object({
      name        = string      # (Required) The name of your filter. SPACES ARE NOT ALLOWED.
      description = string      # (Optional) Description of the filter.
      rank        = number      # (Required) Position of the filter in the list of current filters; also the order in which the filter is applied to findings.
      action      = string      # (Required) Action applied to findings that match the filter. One of ARCHIVE or NOOP.
      tags        = map(string) # (Optional) Tags to add to the Filter resource. A tag consists of a key and a value.
      criterion = list(object({ # Criteria used to query findings; one or more criterion entries.
        field                 = string       # (Required) Name of the field to be evaluated. The full list of field names is in the AWS documentation.
        equals                = list(string) # (Optional) List of string values to be evaluated.
        not_equals            = list(string) # (Optional) List of string values to be evaluated.
        greater_than          = string       # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
        greater_than_or_equal = string       # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
        less_than             = string       # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
        less_than_or_equal    = string       # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
      }))
    }))
  Default: []. Required: no.

finding_publishing_frequency
  (Optional) Frequency of notifications sent for subsequent occurrences of a finding. If the detector belongs to a GuardDuty member account, the value is set by the GuardDuty primary account and cannot be modified; otherwise it defaults to SIX_HOURS. For standalone and GuardDuty primary accounts it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS.
  Type: string. Default: "SIX_HOURS". Required: no.

ipsets
  GuardDuty IPSet list.
  Type:
    list(object({
      activate = bool   # (Required) Whether GuardDuty is to start using the uploaded IPSet.
      format   = string # (Required) Format of the file that contains the IPSet. Valid values: TXT, STIX, OTX_CSV

publishing_destination
  GuardDuty publishing destination.
  Type:
    object({
      destination_arn  = string # (Required) The bucket ARN and prefix under which findings are exported. The bucket ARN is required; the prefix is optional and defaults to AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided.
      kms_key_arn      = string # (Required) ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty requires exported findings to be encrypted.
      destination_type = string # (Optional) Currently "S3" is the only available destination type, and it is the default.
    })
  Default: null. Required: no.

threatintelsets
  GuardDuty ThreatIntelSet list.
  Type:
    list(object({
      activate = bool   # (Required) Whether GuardDuty is to start using the uploaded ThreatIntelSet.
      format   = string # (Required) Format of the file that contains the ThreatIntelSet. Valid values: TXT, STIX, OTX_CSV
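A filters value built from the object type above, as an added example (not the module's own code or test fixture). It auto-archives one well-understood, noisy finding type produced by an authorized internal vulnerability scanner and leaves every other finding alone; the scanner's instance ID, the tags and the module source are assumptions:

```hcl
# Added example, not the module's own code. The scanner instance ID, tags and
# module source are assumptions.
module "guardduty" {
  source = "git::https://github.com/plus3it/terraform-aws-tardigrade-guardduty.git" # assumed

  filters = [
    {
      name        = "archive-internal-scanner-portscans" # spaces are not allowed
      description = "Auto-archive outbound port scans performed by the authorized internal scanner"
      rank        = 1
      action      = "ARCHIVE"
      tags        = { owner = "secops" }

      # Every criterion must match for the filter to act, so both the finding
      # type and the scanning instance are pinned. Recon:EC2/Portscan fires on
      # the instance doing the scanning, hence the instance ID rather than a
      # remote address. The object type declares every comparison attribute,
      # so the unused ones are passed explicitly as null.
      criterion = [
        {
          field                 = "type"
          equals                = ["Recon:EC2/Portscan"]
          not_equals            = null
          greater_than          = null
          greater_than_or_equal = null
          less_than             = null
          less_than_or_equal    = null
        },
        {
          field                 = "resource.instanceDetails.instanceId"
          equals                = ["i-0123456789abcdef0"] # assumed scanner instance
          not_equals            = null
          greater_than          = null
          greater_than_or_equal = null
          less_than             = null
          less_than_or_equal    = null
        },
      ]
    },
  ]
}
```

Keep ARCHIVE filters this narrow: a filter that matches on type alone would silently hide the same finding when it comes from a compromised instance. Using NOOP with the same criteria is a safe way to confirm the filter matches only what you expect before switching it to ARCHIVE.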

Outputs

Name Description
detector GuardDuty detector
filter GuardDuty filter
ipset GuardDuty ipset
publishing_destination GuardDuty publishing destination
threatintelset GuardDuty threatintelset