Provides a resource to manage a GuardDuty PublishingDestination. Requires an existing GuardDuty Detector.
```terraform
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Bucket policy: lets the GuardDuty service write findings objects and look up
# the bucket's region. No aws:SourceAccount / aws:SourceArn condition is set,
# so the grant is not scoped to this account's detector.
data "aws_iam_policy_document" "bucket_pol" {
  statement {
    sid = "Allow PutObject"
    actions = [
      "s3:PutObject"
    ]
    resources = [
      "${aws_s3_bucket.gd_bucket.arn}/*"
    ]
    principals {
      type        = "Service"
      identifiers = ["guardduty.amazonaws.com"]
    }
  }

  statement {
    sid = "Allow GetBucketLocation"
    actions = [
      "s3:GetBucketLocation"
    ]
    resources = [
      aws_s3_bucket.gd_bucket.arn
    ]
    principals {
      type        = "Service"
      identifiers = ["guardduty.amazonaws.com"]
    }
  }
}

# Key policy: GuardDuty needs kms:GenerateDataKey to encrypt the findings it writes.
data "aws_iam_policy_document" "kms_pol" {
  statement {
    sid = "Allow GuardDuty to encrypt findings"
    actions = [
      "kms:GenerateDataKey"
    ]
    resources = [
      "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*"
    ]
    principals {
      type        = "Service"
      identifiers = ["guardduty.amazonaws.com"]
    }
  }

  # Key-administration statement for the account root; the sid marks it as
  # test-only. Without some administrative grant the key cannot be managed.
  statement {
    sid = "Allow all users to modify/delete key (test only)"
    actions = [
      "kms:*"
    ]
    resources = [
      "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*"
    ]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
}

resource "aws_guardduty_detector" "test_gd" {
  enable = true
}

resource "aws_s3_bucket" "gd_bucket" {
  bucket        = "example" # placeholder; bucket names are globally unique
  force_destroy = true      # lets terraform destroy remove exported findings too
}

resource "aws_s3_bucket_acl" "gd_bucket_acl" {
  bucket = aws_s3_bucket.gd_bucket.id
  acl    = "private"
}

resource "aws_s3_bucket_policy" "gd_bucket_policy" {
  bucket = aws_s3_bucket.gd_bucket.id
  policy = data.aws_iam_policy_document.bucket_pol.json
}

resource "aws_kms_key" "gd_key" {
  description             = "Temporary key for AccTest of TF"
  deletion_window_in_days = 7
  policy                  = data.aws_iam_policy_document.kms_pol.json
}

# The publishing destination itself. depends_on makes sure the bucket policy is
# in place before GuardDuty checks that it can write to the bucket.
resource "aws_guardduty_publishing_destination" "test" {
  detector_id     = aws_guardduty_detector.test_gd.id
  destination_arn = aws_s3_bucket.gd_bucket.arn
  kms_key_arn     = aws_kms_key.gd_key.arn

  depends_on = [
    aws_s3_bucket_policy.gd_bucket_policy,
  ]
}
```
This resource supports the following arguments:

- detector_id - (Required) The ID of the GuardDuty detector that publishes to this destination.
- destination_arn - (Required) The ARN of the S3 bucket, optionally followed by a prefix, under which findings are exported. The bucket ARN is required; if no prefix is given, findings are written under AWSLogs/[Account-ID]/GuardDuty/[Region]/.
- kms_key_arn - (Required) The ARN of the KMS key used to encrypt the exported findings. GuardDuty requires findings exported to S3 to be KMS-encrypted, so this cannot be omitted.
- destination_type - (Optional) The destination type. Currently only "S3" is available, and it is the default.

This resource exports the following attributes in addition to the arguments above:

- id - The detector ID and the publishing destination ID joined by a colon, in the format <DetectorID>:<PublishingDestinationID>.
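The bucket and key policies in the example above grant the GuardDuty service principal access without any source condition, which means GuardDuty acting for a detector in any account could satisfy them. The following configuration, an added example that is not part of the provider documentation, shows a hardened variant: both grants are pinned to this account's detector with aws:SourceArn, findings written with a different KMS key are refused, and destination_arn carries an explicit prefix. The bucket name "example-gd-findings" and the "findings" prefix are placeholder assumptions.

```hcl
# Added hardening example, not code from the provider docs; names are placeholders.
data "aws_caller_identity" "current" {}

resource "aws_guardduty_detector" "gd" {
  enable = true
}

resource "aws_s3_bucket" "findings" {
  bucket = "example-gd-findings" # placeholder; bucket names are globally unique
}

data "aws_iam_policy_document" "findings_bucket" {
  # Write access for the GuardDuty service, but only when it acts for this
  # account's detector: aws:SourceArn pins the account and the detector ID.
  statement {
    sid     = "AllowThisDetectorToWriteFindings"
    actions = ["s3:PutObject", "s3:GetBucketLocation"]
    resources = [
      aws_s3_bucket.findings.arn,
      "${aws_s3_bucket.findings.arn}/findings/*",
    ]
    principals {
      type        = "Service"
      identifiers = ["guardduty.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [aws_guardduty_detector.gd.arn]
    }
  }

  # Refuse any findings object that is not encrypted with our key.
  statement {
    sid       = "DenyFindingsNotEncryptedWithOurKey"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.findings.arn}/findings/*"]
    principals {
      type        = "Service"
      identifiers = ["guardduty.amazonaws.com"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption-aws-kms-key-id"
      values   = [aws_kms_key.findings.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "findings" {
  bucket = aws_s3_bucket.findings.id
  policy = data.aws_iam_policy_document.findings_bucket.json
}

data "aws_iam_policy_document" "findings_key" {
  # Same scoping on the key: only this detector may generate data keys with it.
  statement {
    sid       = "AllowThisDetectorToGenerateDataKey"
    actions   = ["kms:GenerateDataKey"]
    resources = ["*"] # inside a key policy, "*" means this key only
    principals {
      type        = "Service"
      identifiers = ["guardduty.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [aws_guardduty_detector.gd.arn]
    }
  }

  # Account root keeps administrative control so the key stays manageable.
  statement {
    sid       = "KeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
}

resource "aws_kms_key" "findings" {
  description             = "GuardDuty findings export key"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.findings_key.json
}

# destination_arn is the bucket ARN plus the prefix the bucket policy allows.
resource "aws_guardduty_publishing_destination" "findings" {
  detector_id     = aws_guardduty_detector.gd.id
  destination_arn = "${aws_s3_bucket.findings.arn}/findings"
  kms_key_arn     = aws_kms_key.findings.arn

  depends_on = [aws_s3_bucket_policy.findings]
}
```

The prefix in destination_arn and the resource ARN in the PutObject statement must agree: if the policy only allows writes under findings/ but destination_arn points at the bucket root, GuardDuty's write check fails and the destination is not created. The wrong-key deny is a belt-and-braces check; GuardDuty already writes with the key given in kms_key_arn, but the statement makes a later misconfiguration of that argument fail loudly instead of silently changing which key protects the findings.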
In Terraform v1.5.0 and later, use an import block to import GuardDuty PublishingDestination using the master GuardDuty detector ID and PublishingDestinationID. For example:

```terraform
import {
  to = aws_guardduty_publishing_destination.test
  id = "a4b86f26fa42e7e7cf0d1c333ea77777:a4b86f27a0e464e4a7e0516d242f1234"
}
```

Using terraform import, import GuardDuty PublishingDestination using the master GuardDuty detector ID and PublishingDestinationID. For example:

```console
% terraform import aws_guardduty_publishing_destination.test a4b86f26fa42e7e7cf0d1c333ea77777:a4b86f27a0e464e4a7e0516d242f1234
```