Merging with audit-member by including guardduty

DNXLabs · Jan 14, 2021 · aa03b79 · aa03b79
1 parent 9e541ed
commit aa03b79
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 3 deletions.
diff --git a/_providers.tf b/_providers.tf
@@ -0,0 +1,4 @@
+provider "aws" {}
+provider "aws" {
+  alias = "master"
+}
diff --git a/_variables.tf b/_variables.tf
@@ -10,9 +10,6 @@ variable "org_name" {
   description = "Name for this organization"
 }
 
-# --------------------------------------------------------------------------------------------------
-# Variables for alarm-baseline module.
-# --------------------------------------------------------------------------------------------------
 variable "enable_config_baseline" {
   description = "If true, will create aws config"
   default     = true
@@ -30,6 +27,25 @@ variable "config_include_global_resource_types" {
   default     = true
 }
 
+variable "account_email" {
+  type        = string
+  description = "AWS Account email to be used with Guardduty"
+}
+
+variable "master_account_id" {
+  description = "Master account ID"
+}
+
+variable "guardduty" {
+  default     = true
+  description = "Enable/Disables guardduty"
+}
+
+variable "guardduty_detector_id" {
+  default     = ""
+  description = "GuardDuty detector ID in the master account"
+}
+
 locals {
   config_s3_bucket_name = var.config_s3_bucket_name != "" ? var.config_s3_bucket_name : "${var.org_name}-audit-config-${data.aws_region.current.name}-${data.aws_caller_identity.current.account_id}"
 }
diff --git a/guardduty.tf b/guardduty.tf
@@ -0,0 +1,28 @@
+resource "aws_guardduty_detector" "member" {
+  count  = var.guardduty ? 1 : 0
+  enable = true
+}
+
+resource "aws_guardduty_member" "member" {
+  count    = var.guardduty ? 1 : 0
+  provider = aws.master
+
+  account_id                 = aws_guardduty_detector.member[0].account_id
+  detector_id                = var.guardduty_detector_id
+  email                      = var.account_email
+  invite                     = true
+  disable_email_notification = true
+
+  lifecycle {
+    ignore_changes = [email]
+  }
+}
+
+resource "aws_guardduty_invite_accepter" "member" {
+  count = var.guardduty ? 1 : 0
+
+  depends_on = [aws_guardduty_member.member]
+
+  detector_id       = aws_guardduty_detector.member[0].id
+  master_account_id = var.master_account_id
+}