From 3284a5703e5b6109374c01aafe6252a461ee56b3 Mon Sep 17 00:00:00 2001 From: cahnk <99229283*cahnk@users.noreply.github.com> Date: Wed, 3 Aug 2022 09:53:43 -0600 Subject: [PATCH 1/4] Adding malware support --- .bumpversion.cfg | 2 +- CHANGELOG.md | 10 +++++++ README.md | 8 ++++-- main.tf | 12 ++++++++ modules/member/README.md | 10 +++++-- modules/member/main.tf | 21 +++++++++++++- modules/member/variables.tf | 28 +++++++++++++++++++ modules/member/versions.tf | 2 +- modules/org-admin-account/README.md | 3 ++ modules/org-admin-account/main.tf | 14 +++++++++- modules/org-admin-account/variables.tf | 18 ++++++++++++ outputs.tf | 2 +- providers.tf | 2 +- .../main.tf | 6 +++- tests/create_guardduty_member/main.tf | 7 ++++- .../main.tf | 3 ++ variables.tf | 12 ++++++++ 17 files changed, 146 insertions(+), 14 deletions(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index beafd7c..1366608 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 3.0.1 +current_version = 3.1.0 commit = True message = Bumps version to {new_version} tag = False diff --git a/CHANGELOG.md b/CHANGELOG.md index 2db0699..8b2fe34 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +### 3.1.0 + +**Released**: 2022.08.03 + +**Commit Delta**: [Change from 3.0.1 release](https://github.com/plus3it/terraform-aws-tardigrade-guardduty/compare/3.0.1...3.1.0) + +**Summary**: + +* Adds GuardDuty detector and organization configuration malware protection attributes introduced in aws provider version 4.24 + ### 3.0.1 **Released**: 2022.05.27 diff --git a/README.md b/README.md index e5c7ccc..0f9dc2c 100644 --- a/README.md +++ b/README.md 
@@ -21,13 +21,13 @@ You can find example implementations of this module in the tests folder (create_ | Name | Version | |------|---------| -| [aws](#requirement\_aws) | >= 3.0 | +| [aws](#requirement\_aws) | >= 4.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.0 | +| [aws](#provider\_aws) | >= 4.0 | ## Resources @@ -39,6 +39,8 @@ You can find example implementations of this module in the tests folder (create_ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [enable](#input\_enable) | (Optional) Enable GuardDuty monitoring and feedback reporting. Setting to false is equivalent to 'suspending'GuardDuty. Defaults to true. | `bool` | `true` | no | +| [enable\_kubernetes\_protection](#input\_enable\_kubernetes\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no | +| [enable\_malware\_protection](#input\_enable\_malware\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no | | [enable\_s3\_protection](#input\_enable\_s3\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no | | [filters](#input\_filters) | GuardDuty filter configuration list |
list(object({| `[]` | no | | [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | (Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified, otherwise defaults to SIX\_HOURS. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN\_MINUTES, ONE\_HOUR, SIX\_HOURS. | `string` | `"SIX_HOURS"` | no | @@ -50,7 +52,7 @@ You can find example implementations of this module in the tests folder (create_ | Name | Description | |------|-------------| -| [detector](#output\_detector) | GuardDuty filter | +| [detector](#output\_detector) | GuardDuty detector | | [filter](#output\_filter) | GuardDuty filter | | [ipset](#output\_ipset) | GuardDuty ipset | | [publishing\_destination](#output\_publishing\_destination) | GuardDuty publishing destination | diff --git a/main.tf b/main.tf index 0d2e9e0..ac9ffce 100644 --- a/main.tf +++ b/main.tf @@ -18,6 +18,18 @@ resource "aws_guardduty_detector" "this" { s3_logs { enable = var.enable_s3_protection } + kubernetes { + audit_logs { + enable = var.enable_kubernetes_protection + } + } + malware_protection { + scan_ec2_instance_with_findings { + ebs_volumes { + enable = var.enable_malware_protection + } + } + } } } diff --git a/modules/member/README.md b/modules/member/README.md index b33336f..7367893 100644 --- a/modules/member/README.md +++ b/modules/member/README.md 
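Review bot: The kubernetes audit_logs and malware_protection blocks added to aws_guardduty_detector.this are fed by inputs that default to true (see the variables.tf hunk later in this patch), so a caller that previously set only `enable` will have Kubernetes audit-log collection and EBS malware scanning switched on at the next apply, while the CHANGELOG entry describes the release as merely adding attributes. The 3.1.0 summary should state the change in effective defaults, e.g. `* New inputs enable_kubernetes_protection and enable_malware_protection default to true, so existing deployments enable both data sources on upgrade unless they are set to false`. The resource block continues outside this hunk.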
@@ -14,14 +14,14 @@ Note: the implementation `tests/create_guardduty_member` will require you to pro | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.15 | -| [aws](#requirement\_aws) | >= 3.0 | +| [aws](#requirement\_aws) | >= 4.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.0 | -| [aws.administrator](#provider\_aws.administrator) | >= 3.0 | +| [aws](#provider\_aws) | >= 4.0 | +| [aws.administrator](#provider\_aws.administrator) | >= 4.0 | ## Resources @@ -36,6 +36,10 @@ Note: the implementation `tests/create_guardduty_member` will require you to pro |------|-------------|------|---------|:--------:| | [member](#input\_member) | GuardDuty member |
name = string # (Required) The name of your filter. SPACES ARE NOT ALOWED
description = string # (Optional) Description of the filter.
rank = number # (Required) Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
action = string # (Required) Specifies the action that is to be applied to the findings that match the filter. Can be one of ARCHIVE or NOOP.
tags = map(string) # (Optional) - The tags that you want to add to the Filter resource. A tag consists of a key and a value.
criterion = list(object({ # (Represents the criteria to be used in the filter for querying findings. Contains one or more criterion blocks
field = string # (Required) The name of the field to be evaluated. The full list of field names can be found in AWS documentation.
equals = list(string) # (Optional) List of string values to be evaluated.
not_equals = list(string) # (Optional) List of string values to be evaluated.
greater_than = string # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
greater_than_or_equal = string # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
less_than = string # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
less_than_or_equal = string # (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
}))
}))
object({| n/a | yes | | [enable](#input\_enable) | (Optional) Enable monitoring and feedback reporting. Setting to false is equivalent to 'suspending' GuardDuty. Defaults to true. | `bool` | `true` | no | +| [enable\_kubernetes\_protection](#input\_enable\_kubernetes\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no | +| [enable\_malware\_protection](#input\_enable\_malware\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no | +| [enable\_s3\_protection](#input\_enable\_s3\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no | +| [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | (Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified, otherwise defaults to SIX\_HOURS. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN\_MINUTES, ONE\_HOUR, SIX\_HOURS. | `string` | `"SIX_HOURS"` | no | ## Outputs diff --git a/modules/member/main.tf b/modules/member/main.tf index 65e0b51..13069d3 100644 --- a/modules/member/main.tf +++ b/modules/member/main.tf @@ -7,7 +7,26 @@ # Create GuardDuty detector for the member account resource "aws_guardduty_detector" "this" { - enable = var.enable + enable = var.enable + finding_publishing_frequency = var.finding_publishing_frequency + + datasources { + s3_logs { + enable = var.enable_s3_protection + } + kubernetes { + audit_logs { + enable = var.enable_kubernetes_protection + } + } + malware_protection { + scan_ec2_instance_with_findings { + ebs_volumes { + enable = var.enable_malware_protection + } + } + } + } } # Create GuardDuty member in the administrator account 
diff --git a/modules/member/variables.tf b/modules/member/variables.tf index 6f7f2fe..13d55e1 100644 --- a/modules/member/variables.tf +++ b/modules/member/variables.tf @@ -4,6 +4,34 @@ variable "enable" { default = true } +variable "enable_s3_protection" { + description = "(Required) If true, enables S3 Protection. Defaults to true." + type = bool + default = true +} + +variable "enable_kubernetes_protection" { + description = "(Required) If true, enables S3 Protection. Defaults to true." + type = bool + default = true +} + +variable "enable_malware_protection" { + description = "(Required) If true, enables S3 Protection. Defaults to true." + type = bool + default = true +} + +variable "finding_publishing_frequency" { + description = "(Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS." + type = string + default = "SIX_HOURS" + validation { + condition = var.finding_publishing_frequency != null ? contains(["FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"], var.finding_publishing_frequency) : true + error_message = "The aws_guardduty_detector finding_publishing_frequency value is not valid. Valid values: FIFTEEN_MINUTES, ONE_HOUR, or SIX_HOURS." + } +} + variable "member" { description = "GuardDuty member" type = object({ diff --git a/modules/member/versions.tf b/modules/member/versions.tf index 590163d..29460ab 100644 --- a/modules/member/versions.tf +++ b/modules/member/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.0" + version = ">= 4.0" configuration_aliases = [aws.administrator] } } 
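Review bot: The descriptions of `enable_kubernetes_protection` and `enable_malware_protection` are copied from `enable_s3_protection` and still read "If true, enables S3 Protection", and all three are labelled "(Required)" although each carries `default = true`; the same copied text appears in the root variables.tf hunk and in the modules/org-admin-account/variables.tf hunk, and the README tables, which look generated from these descriptions, repeat it everywhere. Suggest `description = "(Optional) If true, enables Kubernetes audit log monitoring. Defaults to true."` and `description = "(Optional) If true, enables malware scanning of EBS volumes on EC2 instances with findings. Defaults to true."`, and dropping "(Required)" from the `enable_s3_protection` description as well.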
diff --git a/modules/org-admin-account/README.md b/modules/org-admin-account/README.md index b617a2a..f9183ff 100644 --- a/modules/org-admin-account/README.md +++ b/modules/org-admin-account/README.md @@ -33,7 +33,10 @@ Prerequisites: The AWS org must already exist |------|-------------|------|---------|:--------:| | [delegated\_administrator\_account\_detecter\_id](#input\_delegated\_administrator\_account\_detecter\_id) | (Required) GuardDuty detector ID of the AWS account identifier to designate as a delegated administrator for GuardDuty. | `string` | n/a | yes | | [delegated\_administrator\_account\_id](#input\_delegated\_administrator\_account\_id) | (Required) AWS account identifier to designate as a delegated administrator for GuardDuty. | `string` | n/a | yes | +| [auto\_enable\_malware\_protection](#input\_auto\_enable\_malware\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no | +| [auto\_enable\_s3\_protection](#input\_auto\_enable\_s3\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no | | [enable](#input\_enable) | (Optional) Enable monitoring and feedback reporting. Setting to false is equivalent to 'suspending'GuardDuty. Defaults to true. | `bool` | `true` | no | +| [enable\_kubernetes\_protection](#input\_enable\_kubernetes\_protection) | (Required) If true, enables S3 Protection. Defaults to true. | `bool` | `true` | no | ## Outputs diff --git a/modules/org-admin-account/main.tf b/modules/org-admin-account/main.tf index 04f8227..f095cf7 100644 --- a/modules/org-admin-account/main.tf +++ b/modules/org-admin-account/main.tf 
@@ -19,7 +19,19 @@ resource "aws_guardduty_organization_configuration" "this" { datasources { s3_logs { - auto_enable = true + auto_enable = var.auto_enable_s3_protection + } + kubernetes { + audit_logs { + enable = var.enable_kubernetes_protection + } + } + malware_protection { + scan_ec2_instance_with_findings { + ebs_volumes { + auto_enable = var.auto_enable_malware_protection + } + } } } } diff --git a/modules/org-admin-account/variables.tf b/modules/org-admin-account/variables.tf index 1107bda..364d3f3 100644 --- a/modules/org-admin-account/variables.tf +++ b/modules/org-admin-account/variables.tf @@ -4,6 +4,24 @@ variable "enable" { default = true } +variable "auto_enable_s3_protection" { + description = "(Required) If true, enables S3 Protection. Defaults to true." + type = bool + default = true +} + +variable "enable_kubernetes_protection" { + description = "(Required) If true, enables S3 Protection. Defaults to true." + type = bool + default = true +} + +variable "auto_enable_malware_protection" { + description = "(Required) If true, enables S3 Protection. Defaults to true." + type = bool + default = true +} + variable "delegated_administrator_account_id" { description = "(Required) AWS account identifier to designate as a delegated administrator for GuardDuty." type = string diff --git a/outputs.tf b/outputs.tf index ab88590..267530c 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,5 +1,5 @@ output "detector" { - description = "GuardDuty filter" + description = "GuardDuty detector" value = aws_guardduty_detector.this } output "filter" { diff --git a/providers.tf b/providers.tf index bdc9873..9bcc73a 100644 --- a/providers.tf +++ b/providers.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.0" + version = ">= 4.0" } } } diff --git a/tests/create_all_guardduty_standard_resources/main.tf b/tests/create_all_guardduty_standard_resources/main.tf index ca4b926..5a0c590 100644 
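Review bot: In aws_guardduty_organization_configuration.this the new kubernetes setting is driven by `var.enable_kubernetes_protection` while its S3 and malware siblings are `var.auto_enable_s3_protection` and `var.auto_enable_malware_protection`; since all three live in the organization configuration rather than a detector, they presumably govern the organization-wide setting, and the kubernetes input's name and description do not say so. As the input is new in this PR, naming it `auto_enable_kubernetes_protection` with a description such as `"(Optional) Auto-enable Kubernetes audit log monitoring in the GuardDuty organization configuration. Defaults to true."` would keep the three consistent, while the provider attribute `enable` stays as written. The variables.tf hunk for this module, its README table and the tests/create_guardduty_org_admin_account input would need the matching rename.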
--- a/tests/create_all_guardduty_standard_resources/main.tf +++ b/tests/create_all_guardduty_standard_resources/main.tf @@ -7,7 +7,11 @@ module "guardduty_standard_resources" { source = "../../" - enable = true + enable = true + enable_s3_protection = true + enable_kubernetes_protection = true + enable_malware_protection = true + finding_publishing_frequency = "SIX_HOURS" filters = [ { diff --git a/tests/create_guardduty_member/main.tf b/tests/create_guardduty_member/main.tf index 450d49e..ffbe62a 100644 --- a/tests/create_guardduty_member/main.tf +++ b/tests/create_guardduty_member/main.tf @@ -24,7 +24,11 @@ resource "aws_guardduty_detector" "administrator" { module "guardduty_member" { source = "../../modules/member" - enable = true + enable = true + enable_s3_protection = true + enable_kubernetes_protection = true + enable_malware_protection = true + finding_publishing_frequency = "SIX_HOURS" providers = { aws = aws @@ -45,4 +49,5 @@ module "guardduty_member" { variable "member_email" { description = "Email address associated with the member account. Required input for the Guardduty member invitation." type = string + default = "john.doe@dummy.com" } diff --git a/tests/create_guardduty_org_admin_account/main.tf b/tests/create_guardduty_org_admin_account/main.tf index 4c7f832..2b90021 100644 --- a/tests/create_guardduty_org_admin_account/main.tf +++ b/tests/create_guardduty_org_admin_account/main.tf @@ -39,6 +39,9 @@ module "guardduty_org_admin_account" { enable = true delegated_administrator_account_id = data.aws_caller_identity.administrator.account_id delegated_administrator_account_detecter_id = aws_guardduty_detector.guardduty_administrator.id + auto_enable_s3_protection = true + enable_kubernetes_protection = true + auto_enable_malware_protection = true depends_on = [aws_organizations_organization.this] } diff --git a/variables.tf b/variables.tf index 0f02925..34426ef 100644 --- a/variables.tf +++ b/variables.tf 
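Review bot: The `default = "john.doe@dummy.com"` added to `member_email` in tests/create_guardduty_member/main.tf directs a GuardDuty member invitation (sent unless `disable_email_notification` is set) to a domain that does not appear to belong to the project, and the variable's description still calls it a required input. If a default is wanted for unattended test runs, use an address under a reserved documentation domain, e.g. `default = "john.doe@example.com"`, and update the description to `"Email address associated with the member account. Used for the GuardDuty member invitation; defaults to a placeholder address for test runs."`.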
@@ -10,6 +10,18 @@ variable "enable_s3_protection" { default = true } +variable "enable_kubernetes_protection" { + description = "(Required) If true, enables S3 Protection. Defaults to true." + type = bool + default = true +} + +variable "enable_malware_protection" { + description = "(Required) If true, enables S3 Protection. Defaults to true." + type = bool + default = true +} + variable "finding_publishing_frequency" { description = "(Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS." type = string From a33b8517d21d4a2d95b5394156ad2b78a173c153 Mon Sep 17 00:00:00 2001 From: cahnk <99229283*cahnk@users.noreply.github.com> Date: Wed, 3 Aug 2022 10:23:28 -0600 Subject: [PATCH 2/4] Addressing comments --- CHANGELOG.md | 2 +- modules/member/main.tf | 3 +-- modules/member/versions.tf | 2 +- versions.tf | 10 ++++++++++ 4 files changed, 13 insertions(+), 4 deletions(-) create mode 100644 versions.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b2fe34..63bb22a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p **Summary**: -* Adds GuardDuty detector and organization configuration malware protection attributes introduced in aws provider version 4.24 +* Adds GuardDuty detector and organization configuration malware and kubernetes protection attributes introduced in aws provider version 4.24 ### 3.0.1 diff --git a/modules/member/main.tf b/modules/member/main.tf index 13069d3..243be54 100644 --- a/modules/member/main.tf +++ b/modules/member/main.tf 
@@ -7,8 +7,7 @@ # Create GuardDuty detector for the member account resource "aws_guardduty_detector" "this" { - enable = var.enable - finding_publishing_frequency = var.finding_publishing_frequency + enable = var.enable datasources { s3_logs { diff --git a/modules/member/versions.tf b/modules/member/versions.tf index 29460ab..87ca1b9 100644 --- a/modules/member/versions.tf +++ b/modules/member/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 4.24.0" configuration_aliases = [aws.administrator] } } diff --git a/versions.tf b/versions.tf new file mode 100644 index 0000000..d65a4ec --- /dev/null +++ b/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 0.15" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.24.0" + } + } +} From c390962397c8d8e483e0d0211b95be3d2d8a67a0 Mon Sep 17 00:00:00 2001 From: cahnk <99229283*cahnk@users.noreply.github.com> Date: Wed, 3 Aug 2022 10:34:28 -0600 Subject: [PATCH 3/4] Fix linting error --- README.md | 4 +++- modules/member/README.md | 6 +++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0f9dc2c..f1d7671 100644 --- a/README.md +++ b/README.md @@ -21,13 +21,15 @@ You can find example implementations of this module in the tests folder (create_ | Name | Version | |------|---------| +| [terraform](#requirement\_terraform) | >= 0.15 | | [aws](#requirement\_aws) | >= 4.0 | +| [aws](#requirement\_aws) | >= 4.24.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0 | +| [aws](#provider\_aws) | >= 4.0 >= 4.24.0 | ## Resources diff --git a/modules/member/README.md b/modules/member/README.md index 7367893..b5eb0a3 100644 --- a/modules/member/README.md +++ b/modules/member/README.md 
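Review bot: Removing `finding_publishing_frequency` from the member detector leaves `variable "finding_publishing_frequency"` with its validation block in modules/member/variables.tf, the corresponding row in modules/member/README.md and the `finding_publishing_frequency = "SIX_HOURS"` argument in tests/create_guardduty_member/main.tf from patch 1 in place, so the member module now accepts and documents an input that has no effect. Either drop the variable, README row and test argument together, or keep the attribute on the resource and state in the description that the value is ignored for member accounts (the description already says it is determined by the primary account). The resource block, including the datasources that follow `s3_logs {`, continues outside this hunk.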
@@ -14,14 +14,14 @@ Note: the implementation `tests/create_guardduty_member` will require you to pro | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.15 | -| [aws](#requirement\_aws) | >= 4.0 | +| [aws](#requirement\_aws) | >= 4.24.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0 | -| [aws.administrator](#provider\_aws.administrator) | >= 4.0 | +| [aws](#provider\_aws) | >= 4.24.0 | +| [aws.administrator](#provider\_aws.administrator) | >= 4.24.0 | ## Resources From c4821e90ad8d8dc3385b4b0d025838a1f9748b03 Mon Sep 17 00:00:00 2001 From: cahnk <99229283*cahnk@users.noreply.github.com> Date: Wed, 3 Aug 2022 12:06:54 -0600 Subject: [PATCH 4/4] Removed providers.tf and updated README.md --- README.md | 3 +-- providers.tf | 8 -------- 2 files changed, 1 insertion(+), 10 deletions(-) delete mode 100644 providers.tf diff --git a/README.md b/README.md index f1d7671..88d0556 100644 --- a/README.md +++ b/README.md @@ -22,14 +22,13 @@ You can find example implementations of this module in the tests folder (create_ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.15 | -| [aws](#requirement\_aws) | >= 4.0 | | [aws](#requirement\_aws) | >= 4.24.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0 >= 4.24.0 | +| [aws](#provider\_aws) | >= 4.24.0 | ## Resources diff --git a/providers.tf b/providers.tf deleted file mode 100644 index 9bcc73a..0000000 --- a/providers.tf +++ /dev/null @@ -1,8 +0,0 @@ -terraform { - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.0" - } - } -}
email = string # (Required) Email address for member account.
invitation_message = string # (Optional) Message for invitation.
disable_email_notification = bool # (Optional) Boolean whether an email notification is sent to the accounts. Defaults to false.
})