forked from cloudposse/terraform-aws-guardduty
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.tf
96 lines (83 loc) · 3.47 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#-----------------------------------------------------------------------------------------------------------------------
# Subscribe the Acccount to GuardDuty
#-----------------------------------------------------------------------------------------------------------------------
resource "aws_guardduty_detector" "guardduty" {
enable = module.this.enabled
finding_publishing_frequency = var.finding_publishing_frequency
datasources {
s3_logs {
enable = var.s3_protection_enabled
}
}
}
#-----------------------------------------------------------------------------------------------------------------------
# Optionally configure Event Bridge Rules and SNS subscriptions
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-integration-types.html
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/resource-based-policies-cwe.html#sns-permissions
#-----------------------------------------------------------------------------------------------------------------------
module "sns_topic" {
source = "cloudposse/sns-topic/aws"
version = "0.20.1"
count = local.create_sns_topic ? 1 : 0
subscribers = var.subscribers
sqs_dlq_enabled = false
attributes = concat(module.this.attributes, ["guardduty"])
context = module.this.context
}
module "findings_label" {
source = "cloudposse/label/null"
version = "0.25.0"
attributes = concat(module.this.attributes, ["guardduty", "findings"])
context = module.this.context
}
resource "aws_sns_topic_policy" "sns_topic_publish_policy" {
count = module.this.enabled && local.create_sns_topic ? 1 : 0
arn = local.findings_notification_arn
policy = data.aws_iam_policy_document.sns_topic_policy[0].json
}
data "aws_iam_policy_document" "sns_topic_policy" {
count = module.this.enabled && local.create_sns_topic ? 1 : 0
policy_id = "GuardDutyPublishToSNS"
statement {
sid = ""
actions = [
"sns:Publish"
]
principals {
type = "Service"
identifiers = ["cloudwatch.amazonaws.com"]
}
resources = [module.sns_topic[0].sns_topic.arn]
effect = "Allow"
}
}
resource "aws_cloudwatch_event_rule" "findings" {
count = local.enable_cloudwatch == true ? 1 : 0
name = module.findings_label.id
description = "GuardDuty Findings"
tags = module.this.tags
event_pattern = jsonencode(
{
"source" : [
"aws.guardduty"
],
"detail-type" : [
var.cloudwatch_event_rule_pattern_detail_type
]
}
)
}
resource "aws_cloudwatch_event_target" "imported_findings" {
count = local.enable_notifications == true ? 1 : 0
rule = aws_cloudwatch_event_rule.findings[0].name
arn = local.findings_notification_arn
}
#-----------------------------------------------------------------------------------------------------------------------
# Locals and Data References
#-----------------------------------------------------------------------------------------------------------------------
locals {
enable_cloudwatch = module.this.enabled && (var.enable_cloudwatch || local.enable_notifications)
enable_notifications = module.this.enabled && (var.create_sns_topic || var.findings_notification_arn != null)
create_sns_topic = module.this.enabled && var.create_sns_topic
findings_notification_arn = local.enable_notifications ? (var.findings_notification_arn != null ? var.findings_notification_arn : module.sns_topic[0].sns_topic.arn) : null
}