Terraform-provider-aws: Add GuardDuty Support

Created on 30 Nov 2017 · 27 Comments · Source: hashicorp/terraform-provider-aws

AWS has announced support for managing a new intelligent threat detection service called GuardDuty: https://aws.amazon.com/about-aws/whats-new/2017/11/announcing-amazon-guardduty-intelligent-threat-detection/

Prerequisite: aws-sdk-go v1.12.36 (#2474)

Terraform Version

terraform 0.10+
terraform-provider-aws 1.5.0

Affected Resource(s)

These are new resources.

  • aws_guardduty_detector
  • aws_guardduty_invite
  • aws_guardduty_invite_accepter (similar to aws_vpc_peering_connection_accepter)
  • aws_guardduty_ipset
  • aws_guardduty_member
  • aws_guardduty_threatintelset

Expected Behavior

Create, update, delete, and import GuardDuty resources. e.g.

# Enable GuardDuty

resource "aws_guardduty_detector" "master" {
  enable = true
}

# Manage IPSets/ThreatIntelSets

resource "aws_s3_bucket" "bucket" {
  acl = "private"
}

resource "aws_s3_bucket_object" "MyIPSet" {
  acl     = "public-read"
  content = "10.0.0.0/8\n"
  bucket  = "${aws_s3_bucket.bucket.id}"
  key     = "MyIPSet"
}

resource "aws_s3_bucket_object" "MyThreatIntelSet" {
  acl     = "public-read"
  content = "192.168.1.1/32\n"
  bucket  = "${aws_s3_bucket.bucket.id}"
  key     = "MyThreatIntelSet"
}

resource "aws_guardduty_ipset" "MyIPSet" {
  activate    = true
  detector_id = "${aws_guardduty_detector.master.id}"
  format      = "TXT"
  location    = "https://s3.amazonaws.com/${aws_s3_bucket_object.MyIPSet.bucket}/${aws_s3_bucket_object.MyIPSet.key}"
  name        = "MyIPSet"
}

resource "aws_guardduty_threatintelset" "MyThreatIntelSet" {
  activate    = true
  detector_id = "${aws_guardduty_detector.master.id}"
  format      = "TXT"
  location    = "https://s3.amazonaws.com/${aws_s3_bucket_object.MyThreatIntelSet.bucket}/${aws_s3_bucket_object.MyThreatIntelSet.key}"
  name        = "MyThreatIntelSet"
}

# Monitor GuardDuty in another account

resource "aws_guardduty_detector" "member" {
  provider = "aws.member_account"

  enable = true
}

resource "aws_guardduty_member" "member" {
  account_id  = "${aws_guardduty_detector.member.account_id}"
  detector_id = "${aws_guardduty_detector.master.id}"
  email       = "[email protected]"
}

resource "aws_guardduty_invite" "master_to_member" {
  account_id  = "${aws_guardduty_member.member.account_id}"
  detector_id = "${aws_guardduty_member.member.detector_id}"
  message     = "optional"
}

resource "aws_guardduty_invite_accepter" "member_from_master" {
  provider = "aws.member_account"

  detector_id = "${aws_guardduty_detector.member.id}"
  invite_id   = "${aws_guardduty_invite.master_to_member.id}"
  master_id   = "${aws_guardduty_detector.master.account_id}"
}

References

https://docs.aws.amazon.com/guardduty/latest/ug/
http://docs.aws.amazon.com/sdk-for-go/api/service/guardduty/
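The IPSet and ThreatIntelSet resources proposed above point GuardDuty at a TXT list in S3 (one address or CIDR per line). As an added example, not code from the issue or the provider, here is a small pre-upload validator for such a list that rejects malformed entries, collapses duplicates, and builds the path-style S3 `location` URL the proposed configuration uses; it assumes IPv4 entries only, and the sample list is constructed.

```python
"""Validate a GuardDuty IPSet/ThreatIntelSet list in TXT format before it is
uploaded to S3 and referenced by aws_guardduty_ipset / aws_guardduty_threatintelset.
Assumption: entries are IPv4 addresses or CIDR blocks, one per line."""
import ipaddress
from typing import List, Tuple


def parse_txt_ipset(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Return (accepted networks sorted, rejected lines).

    Blank lines and '#' comments are skipped, duplicates collapse, a bare
    address becomes a /32, and a CIDR with host bits set (e.g. 10.0.0.1/8)
    is rejected rather than silently widened to the whole block."""
    accepted: List[ipaddress.IPv4Network] = []
    rejected: List[str] = []
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        if net not in seen:
            seen.add(net)
            accepted.append(net)
    return sorted(accepted), rejected


def render_txt(networks: List[ipaddress.IPv4Network]) -> str:
    """Serialize the cleaned list back into the TXT format GuardDuty reads."""
    return "".join(f"{net}\n" for net in networks)


def s3_location(bucket: str, key: str) -> str:
    """Path-style object URL, matching the location argument in the issue."""
    return f"https://s3.amazonaws.com/{bucket}/{key}"


# Constructed sample: the trusted range from the issue, a duplicate, a bare
# host, a CIDR with host bits set, and a line that is not an address at all.
SAMPLE_IPSET = "10.0.0.0/8\n10.0.0.0/8\n192.168.1.1\n10.0.0.1/8\nnot-an-ip\n\n"

if __name__ == "__main__":
    ok, bad = parse_txt_ipset(SAMPLE_IPSET)
    print(render_txt(ok), "rejected:", bad, s3_location("my-bucket", "MyIPSet"))
```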


PR submitted for first resource, aws_guardduty_detector: #2524

Support for enabling GuardDuty for an AWS account (via new aws_guardduty_detector resource) will be available in 1.7.0. I'll be implementing aws_guardduty_member next.

PR submitted for managing member resources (invites/acceptance will be handled separately), aws_guardduty_member: #2911

The aws_guardduty_detector and aws_guardduty_member resources have been released in terraform-provider-aws version 1.7.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@bflad Could I take over aws_guardduty_ipset and aws_guardduty_threatintelset?

@atsushi-ishibashi go for it 👍

+1

@bflad
Anyone working on aws_guardduty_invite and aws_guardduty_invite_accepter ?

No one from HashiCorp is working on or planning to work on those two resources at this time. I'm not aware of any community members either. The invite resource should be pretty straightforward and probably can get merged in fairly quickly. The accepter resource will require some acceptance test magic to handle cross-account and should definitely be pull requested separately.

Thanks for the response
May I give a shot on aws_guardduty_invite resource first?

Go for it! 👍

@ken5scal Did you manage to make any progress?

@josjaf Hey, sorry for the late response, but I just started. Let me try this week.

Thanks to @ken5scal, the aws_guardduty_member resource will now support inviting the member account on creation (#4357), which will release with v1.20.0 of the AWS provider later this week. Turns out it made more sense to bake the invite handling into the existing resource instead of creating a new one. I just submitted #4604 to allow member invite/disassociation to occur on update of the aws_guardduty_member resource. 😄

Invite/disassociate on aws_guardduty_member resource update is now supported and will release with v1.20.0 of the AWS provider later this week.

I took a stab at the invite accepter resource and have an initial implementation working, except within the provider acceptance testing framework, as we need to work with a second set of credentials. I'll probably post the work in progress pull request in a bit.

Here's the work in progress pull request for the final new resource (naming to be determined): #4610

Is there any plan to add GuardDuty data sources?

@nusnewob not at the moment -- I'd suggest creating new feature request issue(s) for what you're looking for 👍

@bflad any plans of merging into main release?

The aws_guardduty_invite_accepter resource will be merged this week (or next) and this particular GitHub issue will be closed out. Additional feature requests should have new GitHub issues created.

Sorry for being ambiguous with the timing, we are trying to determine when we will release Terraform 0.12 support for the provider, which will be separate from other functionality.

awesome and thanks @bflad
I will be happy to test and provide any feedback around it.

The aws_guardduty_invite_accepter resource has been merged and will release with version 2.2.0 of the Terraform AWS Provider, likely later today.

For any future bug reports or feature requests with GuardDuty, please create new GitHub issues following the issue templates. Thanks.

Super!! Thank you very much @bflad
I will give it a try as soon as there is a release and let you know how it goes.

The aws_guardduty_invite_accepter resource has been released in version 2.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@bflad I think the docs might need updating as well - they currently reference this issue in regards to member acceptance not being available yet.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
