mirror of
https://github.com/empayre/fleet.git
synced 2024-11-07 09:18:59 +00:00
159 lines
3.8 KiB
Terraform
159 lines
3.8 KiB
Terraform
|
terraform {
|
||
|
required_providers {
|
||
|
aws = {
|
||
|
source = "hashicorp/aws"
|
||
|
version = "~> 4.10.0"
|
||
|
}
|
||
|
}
|
||
|
backend "s3" {
|
||
|
bucket = "fleet-terraform-state20220408141538466600000002"
|
||
|
key = "root/guardduty/findings/terraform.tfstate" # This should be set to account_alias/unique_key/terraform.tfstate
|
||
|
workspace_key_prefix = "root" # This should be set to the account alias
|
||
|
region = "us-east-2"
|
||
|
encrypt = true
|
||
|
kms_key_id = "9f98a443-ffd7-4dbe-a9c3-37df89b2e42a"
|
||
|
dynamodb_table = "tf-remote-state-lock"
|
||
|
role_arn = "arn:aws:iam::353365949058:role/terraform-root"
|
||
|
}
|
||
|
}
|
||
|
|
||
|
provider "aws" {
|
||
|
region = "us-east-2"
|
||
|
assume_role {
|
||
|
role_arn = "arn:aws:iam::353365949058:role/admin"
|
||
|
}
|
||
|
default_tags {
|
||
|
tags = {
|
||
|
environment = "guardduty-${terraform.workspace}"
|
||
|
terraform = "https://github.com/fleetdm/fleet/tree/main/infrastructure/guardduty/findings"
|
||
|
state = "s3://fleet-terraform-state20220408141538466600000002/root/guardduty/findings/terraform.tfstate"
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
data "aws_caller_identity" "current" {}
|
||
|
|
||
|
data "aws_region" "current" {}
|
||
|
|
||
|
data "aws_iam_policy_document" "bucket_pol" {
|
||
|
statement {
|
||
|
sid = "Allow PutObject"
|
||
|
actions = [
|
||
|
"s3:PutObject"
|
||
|
]
|
||
|
|
||
|
resources = [
|
||
|
"${aws_s3_bucket.gd_bucket.arn}/*"
|
||
|
]
|
||
|
|
||
|
principals {
|
||
|
type = "Service"
|
||
|
identifiers = ["guardduty.amazonaws.com"]
|
||
|
}
|
||
|
}
|
||
|
|
||
|
statement {
|
||
|
sid = "Allow GetBucketLocation"
|
||
|
actions = [
|
||
|
"s3:GetBucketLocation"
|
||
|
]
|
||
|
|
||
|
resources = [
|
||
|
aws_s3_bucket.gd_bucket.arn
|
||
|
]
|
||
|
|
||
|
principals {
|
||
|
type = "Service"
|
||
|
identifiers = ["guardduty.amazonaws.com"]
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
data "aws_iam_policy_document" "kms_pol" {
|
||
|
|
||
|
statement {
|
||
|
sid = "Allow GuardDuty to encrypt findings"
|
||
|
actions = [
|
||
|
"kms:GenerateDataKey"
|
||
|
]
|
||
|
|
||
|
resources = [
|
||
|
"arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*"
|
||
|
]
|
||
|
|
||
|
principals {
|
||
|
type = "Service"
|
||
|
identifiers = ["guardduty.amazonaws.com"]
|
||
|
}
|
||
|
}
|
||
|
|
||
|
statement {
|
||
|
sid = "Allow all users to modify/delete key (test only)"
|
||
|
actions = [
|
||
|
"kms:*"
|
||
|
]
|
||
|
|
||
|
resources = [
|
||
|
"arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*"
|
||
|
]
|
||
|
|
||
|
principals {
|
||
|
type = "AWS"
|
||
|
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
|
||
|
}
|
||
|
}
|
||
|
|
||
|
}
|
||
|
|
||
|
resource "aws_s3_bucket" "gd_bucket" {
|
||
|
bucket = "fleet-guardduty-findings"
|
||
|
force_destroy = true
|
||
|
}
|
||
|
|
||
|
resource "aws_s3_bucket_acl" "gd_bucket_acl" {
|
||
|
bucket = aws_s3_bucket.gd_bucket.id
|
||
|
acl = "private"
|
||
|
}
|
||
|
|
||
|
resource "aws_s3_bucket_policy" "gd_bucket_policy" {
|
||
|
bucket = aws_s3_bucket.gd_bucket.id
|
||
|
policy = data.aws_iam_policy_document.bucket_pol.json
|
||
|
}
|
||
|
|
||
|
resource "aws_kms_key" "gd_key" {
|
||
|
description = "Temporary key for AccTest of TF"
|
||
|
deletion_window_in_days = 7
|
||
|
policy = data.aws_iam_policy_document.kms_pol.json
|
||
|
}
|
||
|
|
||
|
output "kms_key" {
|
||
|
value = aws_kms_key.gd_key
|
||
|
}
|
||
|
|
||
|
resource "aws_s3_bucket_public_access_block" "access_good_1" {
|
||
|
bucket = aws_s3_bucket.gd_bucket.id
|
||
|
|
||
|
block_public_acls = true
|
||
|
block_public_policy = true
|
||
|
ignore_public_acls = true
|
||
|
restrict_public_buckets = true
|
||
|
}
|
||
|
|
||
|
resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
|
||
|
bucket = aws_s3_bucket.gd_bucket.bucket
|
||
|
|
||
|
rule {
|
||
|
apply_server_side_encryption_by_default {
|
||
|
kms_master_key_id = aws_kms_key.gd_key.arn
|
||
|
sse_algorithm = "aws:kms"
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
resource "aws_s3_bucket_versioning" "main" {
|
||
|
bucket = aws_s3_bucket.gd_bucket.id
|
||
|
versioning_configuration {
|
||
|
status = "Enabled"
|
||
|
}
|
||
|
}
|