
Commit aa03b79

committed
Merging with audit-member by including guardduty
1 parent 9e541ed commit aa03b79


3 files changed

+51
-3
lines changed


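--- a/_providers.tf
+++ b/_providers.tf
@@ -0,0 +1,4 @@
+provider "aws" {}
+provider "aws" {
+alias = "master"
+}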
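Review bot: The aliased block `provider "aws" { alias = "master" }` carries no configuration at all, so the module only works when the caller supplies a configured provider for that alias through its `providers` map, and nothing on this page records that contract. The same alias is what `aws_guardduty_member.member` in guardduty.tf uses to write into the master account, so the credentials behind it need GuardDuty administration rights there. A comment above the block, `# aws.master is supplied by the caller (providers = { aws.master = ... }) and is used to manage GuardDuty members in the master account`, would make the requirement visible where the alias is declared.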

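--- a/_variables.tf
+++ b/_variables.tf
@@ -10,9 +10,6 @@ variable "org_name" {
 description = "Name for this organization"
 }
 
-# --------------------------------------------------------------------------------------------------
-# Variables for alarm-baseline module.
-# --------------------------------------------------------------------------------------------------
 variable "enable_config_baseline" {
 description = "If true, will create aws config"
 default = true
@@ -30,6 +27,25 @@ variable "config_include_global_resource_types" {
 default = true
 }
 
+variable "account_email" {
+type = string
+description = "AWS Account email to be used with Guardduty"
+}
+
+variable "master_account_id" {
+description = "Master account ID"
+}
+
+variable "guardduty" {
+default = true
+description = "Enable/Disables guardduty"
+}
+
+variable "guardduty_detector_id" {
+default = ""
+description = "GuardDuty detector ID in the master account"
+}
+
 locals {
 config_s3_bucket_name = var.config_s3_bucket_name != "" ? var.config_s3_bucket_name : "${var.org_name}-audit-config-${data.aws_region.current.name}-${data.aws_caller_identity.current.account_id}"
 }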
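Review bot: Of the four variables added in the second hunk only `account_email` declares a type, so `master_account_id` and `guardduty_detector_id` accept any value and `guardduty` has no `type = bool` even though it only ever feeds the `? :` count expressions in guardduty.tf. Adding `type = string` to `master_account_id` and `guardduty_detector_id` and `type = bool` to `guardduty` would reject malformed input at plan time instead of at apply time. Note also that `guardduty_detector_id` defaults to `""` while `guardduty` defaults to `true`, so a caller who accepts the defaults only learns from the AWS API that the master detector ID is required; saying in the description that the value is required when `guardduty` is true would make that explicit.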

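--- a/guardduty.tf
+++ b/guardduty.tf
@@ -0,0 +1,28 @@
+resource "aws_guardduty_detector" "member" {
+count = var.guardduty ? 1 : 0
+enable = true
+}
+
+resource "aws_guardduty_member" "member" {
+count = var.guardduty ? 1 : 0
+provider = aws.master
+
+account_id = aws_guardduty_detector.member[0].account_id
+detector_id = var.guardduty_detector_id
+email = var.account_email
+invite = true
+disable_email_notification = true
+
+lifecycle {
+ignore_changes = [email]
+}
+}
+
+resource "aws_guardduty_invite_accepter" "member" {
+count = var.guardduty ? 1 : 0
+
+depends_on = [aws_guardduty_member.member]
+
+detector_id = aws_guardduty_detector.member[0].id
+master_account_id = var.master_account_id
+}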
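Review bot: The three resources implement a three-step handshake (member-side detector, master-side invitation, member-side acceptance), but nothing in the file says so, and the `depends_on` on `aws_guardduty_invite_accepter.member` is the only hint that the order matters. A header comment describing the flow — the detector is created with the default provider in the member account, the member record is written through `aws.master` and sends the invite, and the accepter joins the member detector to `var.master_account_id` — would let a reader check the provider assignments without tracing the attribute references. The `lifecycle { ignore_changes = [email] }` block also deserves a one-line why-comment, since it means a later change to `var.account_email` will not be pushed to the existing membership.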
