Merge pull request #101 from cahnk/Add-malware-protection-attributes

Adding malware and kubernetes support
plus3it · Aug 4, 2022 · 0508f57 · 0508f57
2 parents dba5d42 + c4821e9
commit 0508f57
Show file tree

Hide file tree

Showing 17 changed files with 147 additions and 13 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 3.0.1
+current_version = 3.1.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 3.1.0
+
+**Released**: 2022.08.03
+
+**Commit Delta**: [Change from 3.0.1 release](https://github.com/plus3it/terraform-aws-tardigrade-guardduty/compare/3.0.1...3.1.0)
+
+**Summary**:
+
+*   Adds GuardDuty detector and organization configuration malware and kubernetes protection attributes introduced in aws provider version 4.24
+
 ### 3.0.1
 
 **Released**: 2022.05.27

diff --git a/README.md b/README.md
@@ -21,13 +21,14 @@ You can find example implementations of this module in the tests folder (create_
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.24.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.24.0 |
 
 ## Resources
 
@@ -39,6 +40,8 @@ You can find example implementations of this module in the tests folder (create_
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_enable"></a> [enable](#input\_enable) | (Optional) Enable GuardDuty monitoring and feedback reporting. Setting to false is equivalent to 'suspending'GuardDuty. Defaults to true. | `bool` | `true` | no |
+| <a name="input_enable_kubernetes_protection"></a> [enable\_kubernetes\_protection](#input\_enable\_kubernetes\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no |
+| <a name="input_enable_malware_protection"></a> [enable\_malware\_protection](#input\_enable\_malware\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no |
 | <a name="input_enable_s3_protection"></a> [enable\_s3\_protection](#input\_enable\_s3\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no |
 | <a name="input_filters"></a> [filters](#input\_filters) | GuardDuty filter configuration list | <pre>list(object({<br>    name        = string                   # (Required) The name of your filter.  SPACES ARE NOT ALOWED<br>    description = string                   # (Optional) Description of the filter.<br>    rank        = number                   # (Required) Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.<br>    action      = string                   # (Required) Specifies the action that is to be applied to the findings that match the filter. Can be one of ARCHIVE or NOOP.<br>    tags        = map(string)              # (Optional) - The tags that you want to add to the Filter resource. A tag consists of a key and a value.<br>    criterion = list(object({              # (Represents the criteria to be used in the filter for querying findings. Contains one or more criterion blocks<br>      field                 = string       # (Required) The name of the field to be evaluated. The full list of field names can be found in AWS documentation.<br>      equals                = list(string) # (Optional) List of string values to be evaluated.<br>      not_equals            = list(string) # (Optional) List of string values to be evaluated.<br>      greater_than          = string       # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.<br>      greater_than_or_equal = string       # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.<br>      less_than             = string       # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.<br>      less_than_or_equal    = string       # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_finding_publishing_frequency"></a> [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | (Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified, otherwise defaults to SIX\_HOURS. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN\_MINUTES, ONE\_HOUR, SIX\_HOURS. | `string` | `"SIX_HOURS"` | no |
@@ -50,7 +53,7 @@ You can find example implementations of this module in the tests folder (create_
 
 | Name | Description |
 |------|-------------|
-| <a name="output_detector"></a> [detector](#output\_detector) | GuardDuty filter |
+| <a name="output_detector"></a> [detector](#output\_detector) | GuardDuty detector |
 | <a name="output_filter"></a> [filter](#output\_filter) | GuardDuty filter |
 | <a name="output_ipset"></a> [ipset](#output\_ipset) | GuardDuty ipset |
 | <a name="output_publishing_destination"></a> [publishing\_destination](#output\_publishing\_destination) | GuardDuty publishing destination |

diff --git a/main.tf b/main.tf
@@ -18,6 +18,18 @@ resource "aws_guardduty_detector" "this" {
     s3_logs {
       enable = var.enable_s3_protection
     }
+    kubernetes {
+      audit_logs {
+        enable = var.enable_kubernetes_protection
+      }
+    }
+    malware_protection {
+      scan_ec2_instance_with_findings {
+        ebs_volumes {
+          enable = var.enable_malware_protection
+        }
+      }
+    }
   }
 }
 

diff --git a/modules/member/README.md b/modules/member/README.md
@@ -14,14 +14,14 @@ Note: the implementation `tests/create_guardduty_member` will require you to pro
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.24.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
-| <a name="provider_aws.administrator"></a> [aws.administrator](#provider\_aws.administrator) | >= 3.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.24.0 |
+| <a name="provider_aws.administrator"></a> [aws.administrator](#provider\_aws.administrator) | >= 4.24.0 |
 
 ## Resources
 
@@ -36,6 +36,10 @@ Note: the implementation `tests/create_guardduty_member` will require you to pro
 |------|-------------|------|---------|:--------:|
 | <a name="input_member"></a> [member](#input\_member) | GuardDuty member | <pre>object({<br>    email                      = string # (Required) Email address for member account.<br>    invitation_message         = string # (Optional) Message for invitation.<br>    disable_email_notification = bool   # (Optional) Boolean whether an email notification is sent to the accounts. Defaults to false.<br>  })</pre> | n/a | yes |
 | <a name="input_enable"></a> [enable](#input\_enable) | (Optional) Enable monitoring and feedback reporting. Setting to false is equivalent to 'suspending' GuardDuty. Defaults to true. | `bool` | `true` | no |
+| <a name="input_enable_kubernetes_protection"></a> [enable\_kubernetes\_protection](#input\_enable\_kubernetes\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no |
+| <a name="input_enable_malware_protection"></a> [enable\_malware\_protection](#input\_enable\_malware\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no |
+| <a name="input_enable_s3_protection"></a> [enable\_s3\_protection](#input\_enable\_s3\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no |
+| <a name="input_finding_publishing_frequency"></a> [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | (Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified, otherwise defaults to SIX\_HOURS. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN\_MINUTES, ONE\_HOUR, SIX\_HOURS. | `string` | `"SIX_HOURS"` | no |
 
 ## Outputs
 

diff --git a/modules/member/main.tf b/modules/member/main.tf
@@ -8,6 +8,24 @@
 # Create GuardDuty detector for the member account
 resource "aws_guardduty_detector" "this" {
   enable = var.enable
+
+  datasources {
+    s3_logs {
+      enable = var.enable_s3_protection
+    }
+    kubernetes {
+      audit_logs {
+        enable = var.enable_kubernetes_protection
+      }
+    }
+    malware_protection {
+      scan_ec2_instance_with_findings {
+        ebs_volumes {
+          enable = var.enable_malware_protection
+        }
+      }
+    }
+  }
 }
 
 # Create GuardDuty member in the administrator account

diff --git a/modules/member/variables.tf b/modules/member/variables.tf
@@ -4,6 +4,34 @@ variable "enable" {
   default     = true
 }
 
+variable "enable_s3_protection" {
+  description = "(Required) If true, enables S3 Protection. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+variable "enable_kubernetes_protection" {
+  description = "(Required) If true, enables S3 Protection. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+variable "enable_malware_protection" {
+  description = "(Required) If true, enables S3 Protection. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+variable "finding_publishing_frequency" {
+  description = "(Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS."
+  type        = string
+  default     = "SIX_HOURS"
+  validation {
+    condition     = var.finding_publishing_frequency != null ? contains(["FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"], var.finding_publishing_frequency) : true
+    error_message = "The aws_guardduty_detector finding_publishing_frequency value is not valid. Valid values: FIFTEEN_MINUTES, ONE_HOUR, or SIX_HOURS."
+  }
+}
+
 variable "member" {
   description = "GuardDuty member"
   type = object({

diff --git a/modules/member/versions.tf b/modules/member/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source                = "hashicorp/aws"
-      version               = ">= 3.0"
+      version               = ">= 4.24.0"
       configuration_aliases = [aws.administrator]
     }
   }

diff --git a/modules/org-admin-account/README.md b/modules/org-admin-account/README.md
@@ -33,7 +33,10 @@ Prerequisites:  The AWS org must already exist
 |------|-------------|------|---------|:--------:|
 | <a name="input_delegated_administrator_account_detecter_id"></a> [delegated\_administrator\_account\_detecter\_id](#input\_delegated\_administrator\_account\_detecter\_id) | (Required) GuardDuty detector ID of the AWS account identifier to designate as a delegated administrator for GuardDuty. | `string` | n/a | yes |
 | <a name="input_delegated_administrator_account_id"></a> [delegated\_administrator\_account\_id](#input\_delegated\_administrator\_account\_id) | (Required) AWS account identifier to designate as a delegated administrator for GuardDuty. | `string` | n/a | yes |
+| <a name="input_auto_enable_malware_protection"></a> [auto\_enable\_malware\_protection](#input\_auto\_enable\_malware\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no |
+| <a name="input_auto_enable_s3_protection"></a> [auto\_enable\_s3\_protection](#input\_auto\_enable\_s3\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no |
 | <a name="input_enable"></a> [enable](#input\_enable) | (Optional) Enable monitoring and feedback reporting. Setting to false is equivalent to 'suspending'GuardDuty. Defaults to true. | `bool` | `true` | no |
+| <a name="input_enable_kubernetes_protection"></a> [enable\_kubernetes\_protection](#input\_enable\_kubernetes\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no |
 
 ## Outputs
 

diff --git a/modules/org-admin-account/main.tf b/modules/org-admin-account/main.tf
@@ -19,7 +19,19 @@ resource "aws_guardduty_organization_configuration" "this" {
 
   datasources {
     s3_logs {
-      auto_enable = true
+      auto_enable = var.auto_enable_s3_protection
+    }
+    kubernetes {
+      audit_logs {
+        enable = var.enable_kubernetes_protection
+      }
+    }
+    malware_protection {
+      scan_ec2_instance_with_findings {
+        ebs_volumes {
+          auto_enable = var.auto_enable_malware_protection
+        }
+      }
     }
   }
 }
diff --git a/modules/org-admin-account/variables.tf b/modules/org-admin-account/variables.tf
@@ -4,6 +4,24 @@ variable "enable" {
   default     = true
 }
 
+variable "auto_enable_s3_protection" {
+  description = "(Required) If true, enables S3 Protection. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+variable "enable_kubernetes_protection" {
+  description = "(Required) If true, enables S3 Protection. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+variable "auto_enable_malware_protection" {
+  description = "(Required) If true, enables S3 Protection. Defaults to true."
+  type        = bool
+  default     = true
+}
+
 variable "delegated_administrator_account_id" {
   description = "(Required) AWS account identifier to designate as a delegated administrator for GuardDuty."
   type        = string

diff --git a/outputs.tf b/outputs.tf
@@ -1,5 +1,5 @@
 output "detector" {
-  description = "GuardDuty filter"
+  description = "GuardDuty detector"
   value       = aws_guardduty_detector.this
 }
 output "filter" {

diff --git a/tests/create_all_guardduty_standard_resources/main.tf b/tests/create_all_guardduty_standard_resources/main.tf
@@ -7,7 +7,11 @@
 module "guardduty_standard_resources" {
   source = "../../"
 
-  enable = true
+  enable                       = true
+  enable_s3_protection         = true
+  enable_kubernetes_protection = true
+  enable_malware_protection    = true
+  finding_publishing_frequency = "SIX_HOURS"
 
   filters = [
     {

diff --git a/tests/create_guardduty_member/main.tf b/tests/create_guardduty_member/main.tf
@@ -24,7 +24,11 @@ resource "aws_guardduty_detector" "administrator" {
 module "guardduty_member" {
   source = "../../modules/member"
 
-  enable = true
+  enable                       = true
+  enable_s3_protection         = true
+  enable_kubernetes_protection = true
+  enable_malware_protection    = true
+  finding_publishing_frequency = "SIX_HOURS"
 
   providers = {
     aws               = aws
@@ -45,4 +49,5 @@ module "guardduty_member" {
 variable "member_email" {
   description = "Email address associated with the member account. Required input for the Guardduty member invitation."
   type        = string
+  default     = "[email protected]"
 }
diff --git a/tests/create_guardduty_org_admin_account/main.tf b/tests/create_guardduty_org_admin_account/main.tf
@@ -39,6 +39,9 @@ module "guardduty_org_admin_account" {
   enable                                      = true
   delegated_administrator_account_id          = data.aws_caller_identity.administrator.account_id
   delegated_administrator_account_detecter_id = aws_guardduty_detector.guardduty_administrator.id
+  auto_enable_s3_protection                   = true
+  enable_kubernetes_protection                = true
+  auto_enable_malware_protection              = true
 
   depends_on = [aws_organizations_organization.this]
 }
diff --git a/variables.tf b/variables.tf
@@ -10,6 +10,18 @@ variable "enable_s3_protection" {
   default     = true
 }
 
+variable "enable_kubernetes_protection" {
+  description = "(Required) If true, enables S3 Protection. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+variable "enable_malware_protection" {
+  description = "(Required) If true, enables S3 Protection. Defaults to true."
+  type        = bool
+  default     = true
+}
+
 variable "finding_publishing_frequency" {
   description = "(Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS."
   type        = string

diff --git a/providers.tf → versions.tf b/providers.tf → versions.tf
@@ -1,8 +1,10 @@
 terraform {
+  required_version = ">= 0.15"
+
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.0"
+      version = ">= 4.24.0"
     }
   }
 }