terraform-aws-guardduty

Creates an AWS GuardDuty Detector


Usage

Creates an AWS GuardDuty Detector, KMS Key for encrypting exports to S3, and CloudWatch rule to watch for findings.

```hcl
module "guardduty" {
  source = "dod-iac/guardduty/aws"

  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}
```

You can customize the finding publishing frequency.

```hcl
module "guardduty" {
  source = "dod-iac/guardduty/aws"

  enable                       = true
  finding_publishing_frequency = "SIX_HOURS"
  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}
```

You can export GuardDuty findings to an S3 bucket using the s3_bucket_name variable.

```hcl
module "guardduty" {
  source = "dod-iac/guardduty/aws"

  enable         = true
  s3_bucket_name = module.logs.aws_logs_bucket
  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}
```

Terraform Version

Terraform 0.12. Pin the module version to ~> 1.0.0. Submit pull requests to the master branch.

Terraform 0.11 is not supported.

License

This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| aws | ~> 3.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 3.0 |

Modules

No Modules.

Resources

| Name |
|------|
| aws_caller_identity |
| aws_cloudwatch_event_rule |
| aws_guardduty_detector |
| aws_guardduty_publishing_destination |
| aws_iam_policy_document |
| aws_kms_alias |
| aws_kms_key |
| aws_partition |
| aws_s3_bucket |
| aws_s3_bucket_object |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| enable | Enable monitoring and feedback reporting. Setting to false is equivalent to "suspending" GuardDuty. | `bool` | `true` | no |
| finding_publishing_frequency | Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty master account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty master accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and master accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. | `string` | `"FIFTEEN_MINUTES"` | no |
| kms_alias_name | The display name of the alias of the KMS key used to encrypt exports to S3. The name must start with the word "alias" followed by a forward slash (alias/). | `string` | `"alias/guardduty"` | no |
| kms_key_tags | Tags to apply to the AWS KMS Key used to encrypt exports to S3. | `map(string)` | `{}` | no |
| s3_bucket_name | The name of the S3 bucket that receives findings from GuardDuty. If blank, then GuardDuty does not export findings to S3. | `string` | `""` | no |
| s3_bucket_prefix | The prefix for where findings from GuardDuty are stored in the S3 bucket. Should start with "/" if defined. GuardDuty will build the full destination ARN using this format: `<s3_bucket_arn><s3_bucket_prefix>/AWSLogs/<account_id>/GuardDuty/`. | `string` | `"/guardduty"` | no |

Outputs

| Name | Description |
|------|-------------|
| aws_cloudwatch_event_rule_name | Name of the CloudWatch rule that watches for AWS GuardDuty findings. |
| aws_guardduty_detector_id | The ID of the GuardDuty detector. |
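As an added example (not the module's own code), here is a root module that ties the inputs and outputs above together: because the module takes an existing bucket by name, the bucket policy GuardDuty needs in order to write exports is declared alongside it, and the aws_cloudwatch_event_rule_name output is wired to an SNS topic so findings actually reach someone. The bucket name, the topic name, and the assumption that nothing else already grants GuardDuty access to the bucket are illustrative.

```hcl
# The module takes the export bucket by name, so the policy that lets GuardDuty
# write to it is declared here (assumption: no other policy grants this).
resource "aws_s3_bucket" "findings" {
  bucket = "example-guardduty-findings" # assumption: pick a globally unique name
}

resource "aws_s3_bucket_policy" "findings" {
  bucket = aws_s3_bucket.findings.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "guardduty.amazonaws.com" }
      Action    = ["s3:PutObject", "s3:GetBucketLocation"]
      Resource  = [aws_s3_bucket.findings.arn, "${aws_s3_bucket.findings.arn}/*"]
    }]
  })
}

module "guardduty" {
  source  = "dod-iac/guardduty/aws"
  version = "~> 1.0.0"
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  s3_bucket_name               = aws_s3_bucket.findings.id
  s3_bucket_prefix             = "/guardduty"
  tags                         = { Automation = "Terraform" }
  # The publishing destination is validated at create time, so the bucket
  # policy must exist first.
  depends_on = [aws_s3_bucket_policy.findings]
}

# Route findings matched by the module's rule to SNS. EventBridge needs an
# explicit grant to publish; without it deliveries fail with no Terraform error.
resource "aws_sns_topic" "alerts" {
  name = "guardduty-alerts" # assumption
}

resource "aws_sns_topic_policy" "alerts" {
  arn = aws_sns_topic.alerts.arn
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sns:Publish", Resource = aws_sns_topic.alerts.arn,
                   Principal = { Service = "events.amazonaws.com" } }]
  })
}

resource "aws_cloudwatch_event_target" "to_sns" {
  rule      = module.guardduty.aws_cloudwatch_event_rule_name
  target_id = "guardduty-to-sns"
  arn       = aws_sns_topic.alerts.arn
}
```

Module-level depends_on requires Terraform 0.13 or later, which matches the >= 0.13 requirement in the table above.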