adding guardduty module
parent
a5f5c43a72
commit
ebcb1498b0
@ -0,0 +1,8 @@
|
||||
AWSTemplateFormatVersion: "2010-09-09"
|
||||
Description: Simple CFT for enabling Guard Duty
|
||||
Resources:
|
||||
GuardDutyDetector:
|
||||
Type: AWS::GuardDuty::Detector
|
||||
Properties:
|
||||
Enable: true
|
||||
FindingPublishingFrequency: SIX_HOURS
|
@ -0,0 +1,114 @@
|
||||
data "aws_caller_identity" "current" {}
|
||||
|
||||
data "aws_region" "current" {}
|
||||
|
||||
data "local_file" "guardduty_cft" {
|
||||
filename = "${path.module}/files/guardduty.yaml"
|
||||
}
|
||||
|
||||
# Stack Set Admin
|
||||
resource "aws_iam_role" "stack_set_admin_role" {
|
||||
name = "${var.prefix}-guardduty-ss-admin"
|
||||
tags = var.tags
|
||||
assume_role_policy = <<EOF
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Action": "sts:AssumeRole",
|
||||
"Principal": {
|
||||
"Service": "cloudformation.amazonaws.com"
|
||||
},
|
||||
"Effect": "Allow"
|
||||
}
|
||||
]
|
||||
}
|
||||
EOF
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy" "stack_set_admin_policy" {
|
||||
name = aws_iam_role.stack_set_admin_role.name
|
||||
role = aws_iam_role.stack_set_admin_role.name
|
||||
policy = <<EOF
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Action": [
|
||||
"sts:AssumeRole"
|
||||
],
|
||||
"Effect": "Allow",
|
||||
"Resource": "${aws_iam_role.stack_set_execution_role.arn}"
|
||||
}
|
||||
]
|
||||
}
|
||||
EOF
|
||||
}
|
||||
|
||||
# Stack Set Execution
|
||||
resource "aws_iam_role" "stack_set_execution_role" {
|
||||
name = "${var.prefix}-guardduty-ss-exec"
|
||||
assume_role_policy = <<EOF
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Action": "sts:AssumeRole",
|
||||
"Principal": {
|
||||
"AWS": "${aws_iam_role.stack_set_admin_role.arn}"
|
||||
},
|
||||
"Effect": "Allow"
|
||||
}
|
||||
]
|
||||
}
|
||||
EOF
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy" "stack_set_execution_policy" {
|
||||
name = aws_iam_role.stack_set_execution_role.name
|
||||
role = aws_iam_role.stack_set_execution_role.name
|
||||
policy = <<EOF
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Action": [
|
||||
"guardduty:CreateDetector",
|
||||
"guardduty:ListDetectors",
|
||||
"guardduty:DeleteDetector",
|
||||
"guardduty:GetDetector",
|
||||
"cloudformation:CreateStack",
|
||||
"cloudformation:DescribeStacks",
|
||||
"cloudformation:DeleteStack",
|
||||
"SNS:Publish",
|
||||
"iam:CreateServiceLinkedRole"
|
||||
],
|
||||
"Effect": "Allow",
|
||||
"Resource": ["*"]
|
||||
}
|
||||
]
|
||||
}
|
||||
EOF
|
||||
}
|
||||
|
||||
|
||||
# Stack Sets
|
||||
resource "aws_cloudformation_stack_set" "guardduty_stack_set" {
|
||||
administration_role_arn = aws_iam_role.stack_set_admin_role.arn
|
||||
name = "${var.prefix}-guardduty-stackset"
|
||||
template_body = data.local_file.guardduty_cft.content
|
||||
execution_role_name = aws_iam_role.stack_set_execution_role.name
|
||||
tags = var.tags
|
||||
}
|
||||
|
||||
# Stack Set Instances
|
||||
resource "aws_cloudformation_stack_set_instance" "guardduty_stack_set_instance" {
|
||||
count = length(var.regions)
|
||||
account_id = data.aws_caller_identity.current.account_id
|
||||
region = var.regions[count.index]
|
||||
stack_set_name = aws_cloudformation_stack_set.guardduty_stack_set.id
|
||||
|
||||
lifecycle {
|
||||
create_before_destroy = true
|
||||
}
|
||||
}
|
@ -0,0 +1,32 @@
|
||||
variable "regions" {
|
||||
description = "Which regions to deploy Guard Duty into"
|
||||
type = "list"
|
||||
default = [
|
||||
"ap-south-1",
|
||||
"eu-west-3",
|
||||
"eu-west-2",
|
||||
"eu-west-1",
|
||||
"ap-northeast-2",
|
||||
"ap-northeast-1",
|
||||
"sa-east-1",
|
||||
"ca-central-1",
|
||||
"ap-southeast-1",
|
||||
"ap-southeast-2",
|
||||
"eu-central-1",
|
||||
"us-east-1",
|
||||
"us-west-2",
|
||||
"us-east-2",
|
||||
"us-west-1"
|
||||
]
|
||||
}
|
||||
|
||||
variable "tags" {
|
||||
default = {}
|
||||
type = "map"
|
||||
description = "Optional tag mapping to apply to the infrastructure"
|
||||
}
|
||||
|
||||
variable "prefix" {
|
||||
default = ""
|
||||
description = "String to prefix to all resources"
|
||||
}
|
Loading…
Reference in New Issue