adding guardduty module

guardduty/files/guardduty.yaml

@@ -0,0 +1,8 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Simple CFT for enabling Guard Duty
+Resources:
+  GuardDutyDetector:
+    Type: AWS::GuardDuty::Detector
+    Properties:
+      Enable: true
+      FindingPublishingFrequency: SIX_HOURS

guardduty/main.tf

@@ -0,0 +1,114 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+data "local_file" "guardduty_cft" {
+  filename = "${path.module}/files/guardduty.yaml"
+}
+
+# Stack Set Admin
+resource "aws_iam_role" "stack_set_admin_role" {
+  name               = "${var.prefix}-guardduty-ss-admin"
+  tags               = var.tags
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "cloudformation.amazonaws.com"
+      },
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "stack_set_admin_policy" {
+  name   = aws_iam_role.stack_set_admin_role.name
+  role   = aws_iam_role.stack_set_admin_role.name
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "sts:AssumeRole"
+      ],
+      "Effect": "Allow",
+      "Resource": "${aws_iam_role.stack_set_execution_role.arn}"
+    }
+  ]
+}
+EOF
+}
+
+# Stack Set Execution
+resource "aws_iam_role" "stack_set_execution_role" {
+  name               = "${var.prefix}-guardduty-ss-exec"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "AWS": "${aws_iam_role.stack_set_admin_role.arn}"
+      },
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "stack_set_execution_policy" {
+  name   = aws_iam_role.stack_set_execution_role.name
+  role   = aws_iam_role.stack_set_execution_role.name
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "guardduty:CreateDetector",
+        "guardduty:ListDetectors",
+        "guardduty:DeleteDetector",
+        "guardduty:GetDetector",
+        "cloudformation:CreateStack",
+        "cloudformation:DescribeStacks",
+        "cloudformation:DeleteStack",
+        "SNS:Publish",
+        "iam:CreateServiceLinkedRole"
+      ],
+      "Effect": "Allow",
+      "Resource": ["*"]
+    }
+  ]
+}
+EOF
+}
+
+
+# Stack Sets
+resource "aws_cloudformation_stack_set" "guardduty_stack_set" {
+  administration_role_arn = aws_iam_role.stack_set_admin_role.arn
+  name                    = "${var.prefix}-guardduty-stackset"
+  template_body           = data.local_file.guardduty_cft.content
+  execution_role_name     = aws_iam_role.stack_set_execution_role.name
+  tags                    = var.tags
+}
+
+# Stack Set Instances
+resource "aws_cloudformation_stack_set_instance" "guardduty_stack_set_instance" {
+  count          = length(var.regions)
+  account_id     = data.aws_caller_identity.current.account_id
+  region         = var.regions[count.index]
+  stack_set_name = aws_cloudformation_stack_set.guardduty_stack_set.id
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

guardduty/variables.tf

@@ -0,0 +1,32 @@
+variable "regions" {
+  description = "Which regions to deploy Guard Duty into"
+  type        = "list"
+  default = [
+    "ap-south-1",
+    "eu-west-3",
+    "eu-west-2",
+    "eu-west-1",
+    "ap-northeast-2",
+    "ap-northeast-1",
+    "sa-east-1",
+    "ca-central-1",
+    "ap-southeast-1",
+    "ap-southeast-2",
+    "eu-central-1",
+    "us-east-1",
+    "us-west-2",
+    "us-east-2",
+    "us-west-1"
+  ]
+}
+
+variable "tags" {
+  default     = {}
+  type        = "map"
+  description = "Optional tag mapping to apply to the infrastructure"
+}
+
+variable "prefix" {
+  default     = ""
+  description = "String to prefix to all resources"
+}