/* # guardduty
* Adapted from https://github.com/aws-samples/amazon-guardduty-for-aws-organizations-with-terraform
*/
# GuardDuty detector for the delegated administrator account.
# It is created in the region selected by the `aws.guardduty_region` provider
# alias; the organization configuration and the publishing destination below
# both reference this detector's id.
resource "aws_guardduty_detector" "this" {
  provider = aws.guardduty_region

  # `var.organization_id` is not otherwise read by this resource; it sits in
  # depends_on purely as an ordering hint so the detector is not created until
  # the caller has produced an organization id (i.e. the organization exists).
  depends_on = [var.organization_id]

  enable                       = true
  finding_publishing_frequency = var.publishing_frequency

  # S3 Protection (monitoring of S3 data events) is opt-in and is switched on
  # here. No other optional data source (e.g. Kubernetes audit logs, malware
  # protection) is enabled by this block.
  datasources {
    s3_logs {
      enable = true
    }
  }

  tags = merge(var.tags, local.common_tags)
}
# Delegates GuardDuty administration for the organization to the account that
# owns the detector above. This is applied with the `aws.management_region`
# provider alias, i.e. it is expected to run under the organization
# management account's credentials rather than the delegated admin's.
resource "aws_guardduty_organization_admin_account" "this" {
  provider         = aws.management_region
  admin_account_id = var.delegated_admin_account_id

  # The detector has to exist in the delegated admin account before delegation.
  depends_on = [aws_guardduty_detector.this]
}
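# Organization-wide GuardDuty settings, applied from the delegated admin account.
# The provider alias must be `aws.guardduty_region` — the same alias the
# detector uses. The previous spelling `aws.guarduty_region` named a provider
# configuration that is not declared elsewhere in this module, so the resource
# could not be planned against the intended account/region.
resource "aws_guardduty_organization_configuration" "this" {
  provider   = aws.guardduty_region
  depends_on = [aws_guardduty_organization_admin_account.this]

  detector_id = aws_guardduty_detector.this.id

  # Automatically enable GuardDuty in accounts that join the organization.
  # NOTE(review): auto-enable is understood to apply to *new* member accounts;
  # accounts already present in the organization are expected to need explicit
  # enrolment (e.g. via aws_guardduty_member) — confirm against the AWS and
  # provider docs for the versions in use before relying on this for coverage.
  auto_enable = true

  # Likewise auto-enable S3 Protection for those member accounts.
  datasources {
    s3_logs {
      auto_enable = true
    }
  }
}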
# Exports findings from the delegated admin account's detector to an S3 bucket.
# Once member accounts are enrolled under the organization configuration above,
# their findings are expected to surface through this detector as well.
resource "aws_guardduty_publishing_destination" "pub_dest" {
  provider    = aws.guardduty_region
  detector_id = aws_guardduty_detector.this.id

  # Destination bucket and the KMS key used to encrypt exported findings. Both
  # are supplied by the caller — this module creates neither — so the bucket
  # policy and key policy must already allow the GuardDuty service principal
  # the access it needs (e.g. s3:PutObject, kms:GenerateDataKey), otherwise
  # creating this destination fails.
  # NOTE(review): verify those policies are managed alongside this module.
  destination_arn = var.publishing_bucket_arn
  kms_key_arn     = var.kms_key_arn

  depends_on = [aws_guardduty_organization_admin_account.this]
}