Merge pull request #226 from IevIe/gd-terraform-fix

Fix for GuardDuty terraform module installation failure
aws-samples · Jul 17, 2024 · 9e9e14e · 9e9e14e
2 parents 9b0e243 + 99ca314
commit 9e9e14e
Show file tree

Hide file tree

Showing 9 changed files with 94 additions and 8 deletions.
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py
@@ -314,3 +314,30 @@ def lambda_handler(event: Dict[str, Any], context: Context) -> None:
     except Exception:
         LOGGER.exception(UNEXPECTED)
         raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None
+
+
+def terraform_handler(event: Dict[str, Any], context: Context) -> None:
+    """Lambda Handler.
+
+    Args:
+        event: event data
+        context: runtime information
+
+    Raises:
+        ValueError: Unexpected error executing Lambda function
+    """
+    LOGGER.info("....Lambda Handler Started....")
+    event_info = {"Event": event}
+    LOGGER.info(event_info)
+    try:
+        if "Records" not in event and "RequestType" not in event and ("source" not in event and event["source"] != "aws.controltower"):
+            raise ValueError(
+                f"The event did not include Records or RequestType. Review CloudWatch logs '{context.log_group_name}' for details."
+            ) from None
+        elif "Records" in event and event["Records"][0]["EventSource"] == "aws:sns":
+            process_sns_records(event["Records"])
+        elif "RequestType" in event:
+            process_cloudformation_event(event, context)
+    except Exception:
+        LOGGER.exception(UNEXPECTED)
+        raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None
diff --git a/aws_sra_examples/terraform/common/main.tf b/aws_sra_examples/terraform/common/main.tf
@@ -132,7 +132,9 @@ resource "local_file" "config_file_creation" {
     enable_kubernetes_audit_logs         = true
     enable_malware_protection            = true
     enable_rds_login_events              = true
-    enable_eks_runtime_monitoring        = true
+    enable_runtime_monitoring            = true
+    enable_ecs_fargate_agent_management  = true
+    enable_ec2_agent_management          = true
     enable_eks_addon_management          = true
     enable_lambda_network_logs           = true
     guardduty_control_tower_regions_only = true

diff --git a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/invoke.tf b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/invoke.tf
@@ -26,7 +26,9 @@ resource "aws_lambda_invocation" "lambda_invoke" {
       "ENABLE_EKS_AUDIT_LOGS" : "${var.enable_kubernetes_audit_logs}",
       "AUTO_ENABLE_MALWARE_PROTECTION" : "${var.enable_malware_protection}",
       "ENABLE_RDS_LOGIN_EVENTS" : "${var.enable_rds_login_events}",
-      "ENABLE_EKS_RUNTIME_MONITORING" : "${var.enable_eks_runtime_monitoring}",
+      "ENABLE_RUNTIME_MONITORING" : "${var.enable_runtime_monitoring}",
+      "ENABLE_ECS_FARGATE_AGENT_MANAGEMENT": "${var.enable_ecs_fargate_agent_management}",
+      "ENABLE_EC2_AGENT_MANAGEMENT": "${var.enable_ec2_agent_management}",
       "ENABLE_EKS_ADDON_MANAGEMENT" : "${var.enable_eks_addon_management}",
       "ENABLE_LAMBDA_NETWORK_LOGS" : "${var.enable_lambda_network_logs}",
     }

diff --git a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf
@@ -58,6 +58,16 @@ data "aws_iam_policy_document" "sra_guardduty_org_policy_cloudformation" {
   }
 }
 
+data "aws_iam_policy_document" "sra_guardduty_org_policy_acct" {
+  #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
+  statement {
+    sid       = "AcctListRegions"
+    effect    = "Allow"
+    actions   = ["account:ListRegions"]
+    resources = ["*"]
+  }
+}
+
 data "aws_iam_policy_document" "sra_guardduty_org_policy_ssm_access" {
   statement {
     sid    = "SSMAccess"
@@ -233,6 +243,11 @@ resource "aws_iam_policy" "sra_guardduty_org_policy_cloudformation" {
   policy = data.aws_iam_policy_document.sra_guardduty_org_policy_cloudformation.json
 }
 
+resource "aws_iam_policy" "sra_guardduty_org_policy_acct" {
+  name   = "sra-guardduty-org-policy-acct"
+  policy = data.aws_iam_policy_document.sra_guardduty_org_policy_acct.json
+}
+
 resource "aws_iam_policy" "sra_guardduty_org_policy_ssm_access" {
   name   = "ssm-access"
   policy = data.aws_iam_policy_document.sra_guardduty_org_policy_ssm_access.json
@@ -283,6 +298,12 @@ resource "aws_iam_policy_attachment" "sra_guardduty_org_policy_attachment_cloudf
   policy_arn = aws_iam_policy.sra_guardduty_org_policy_cloudformation.arn
 }
 
+resource "aws_iam_policy_attachment" "sra_guardduty_org_policy_attachment_acct" {
+  name       = "sra-guardduty-org-policy-attachment-acct"
+  roles      = [aws_iam_role.guardduty_lambda_role.name]
+  policy_arn = aws_iam_policy.sra_guardduty_org_policy_acct.arn
+}
+
 resource "aws_iam_policy_attachment" "sra_guardduty_org_policy_attachment_ssm_access" {
   name       = "sra-guardduty-org-policy-attachment-ssm-access"
   roles      = [aws_iam_role.guardduty_lambda_role.name]
@@ -465,4 +486,4 @@ resource "aws_sns_topic_subscription" "guardduty_dlq_alarm_subscription" {
   topic_arn = aws_sns_topic.guardduty_dlq_alarm_topic[0].arn
   protocol  = "email"
   endpoint  = var.sra_alarm_email
-}
+}
diff --git a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/variables.tf b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/variables.tf
@@ -125,11 +125,21 @@ variable "enable_rds_login_events" {
   type        = string
 }
 
-variable "enable_eks_runtime_monitoring" {
+variable "enable_runtime_monitoring" {
   description = "Auto enable EKS Runtime Monitoring"
   type        = string
 }
 
+variable "enable_ecs_fargate_agent_management" {
+  description = "Auto enable ECS Fargate Agent Management"
+  type        = string
+}
+
+variable "enable_ec2_agent_management" {
+  description = "Auto EC2 Agent Management"
+  type        = string
+}
+
 variable "enable_eks_addon_management" {
   description = "Auto enable EKS Add-on Management"
   type        = string

diff --git a/aws_sra_examples/terraform/solutions/guard_duty/main.tf b/aws_sra_examples/terraform/solutions/guard_duty/main.tf
@@ -77,7 +77,9 @@ module "guardduty_configuration" {
   enable_kubernetes_audit_logs         = var.enable_kubernetes_audit_logs
   enable_malware_protection            = var.enable_malware_protection
   enable_rds_login_events              = var.enable_rds_login_events
-  enable_eks_runtime_monitoring        = var.enable_eks_runtime_monitoring
+  enable_runtime_monitoring            = var.enable_runtime_monitoring
+  enable_ecs_fargate_agent_management  = var.enable_ecs_fargate_agent_management
+  enable_ec2_agent_management          = var.enable_ec2_agent_management
   enable_eks_addon_management          = var.enable_eks_addon_management
   enable_lambda_network_logs           = var.enable_lambda_network_logs
   finding_publishing_frequency         = var.finding_publishing_frequency

diff --git a/aws_sra_examples/terraform/solutions/guard_duty/variables.tf b/aws_sra_examples/terraform/solutions/guard_duty/variables.tf
@@ -57,11 +57,21 @@ variable "enable_rds_login_events" {
   type        = string
 }
 
-variable "enable_eks_runtime_monitoring" {
+variable "enable_runtime_monitoring" {
   description = "Auto enable EKS Runtime Monitoring"
   type        = string
 }
 
+variable "enable_ecs_fargate_agent_management" {
+  description = "Auto enable ECS Fargate Agent Management"
+  type        = string
+}
+
+variable "enable_ec2_agent_management" {
+  description = "Auto EC2 Agent Management"
+  type        = string
+}
+
 variable "enable_eks_addon_management" {
   description = "Auto enable EKS Add-on Management"
   type        = string

diff --git a/aws_sra_examples/terraform/solutions/main.tf b/aws_sra_examples/terraform/solutions/main.tf
@@ -42,7 +42,9 @@ module "guard_duty" {
   enable_kubernetes_audit_logs         = var.enable_kubernetes_audit_logs
   enable_malware_protection            = var.enable_malware_protection
   enable_rds_login_events              = var.enable_rds_login_events
-  enable_eks_runtime_monitoring        = var.enable_eks_runtime_monitoring
+  enable_runtime_monitoring            = var.enable_runtime_monitoring
+  enable_ecs_fargate_agent_management  = var.enable_ecs_fargate_agent_management
+  enable_ec2_agent_management          = var.enable_ec2_agent_management
   enable_eks_addon_management          = var.enable_eks_addon_management
   enable_lambda_network_logs           = var.enable_lambda_network_logs
   finding_publishing_frequency         = var.finding_publishing_frequency

diff --git a/aws_sra_examples/terraform/solutions/variables.tf b/aws_sra_examples/terraform/solutions/variables.tf
@@ -152,11 +152,21 @@ variable "enable_rds_login_events" {
   type        = string
 }
 
-variable "enable_eks_runtime_monitoring" {
+variable "enable_runtime_monitoring" {
   description = "Auto enable EKS Runtime Monitoring"
   type        = string
 }
 
+variable "enable_ecs_fargate_agent_management" {
+  description = "Auto enable ECS Fargate Agent Management"
+  type        = string
+}
+
+variable "enable_ec2_agent_management" {
+  description = "Auto EC2 Agent Management"
+  type        = string
+}
+
 variable "enable_eks_addon_management" {
   description = "Auto enable EKS Add-on Management"
   type        = string