Add regional delegated administrator for guardduty in region
posquit0 committed May 9, 2024
1 parent c5ee660 commit 019ed6f
Showing 4 changed files with 36 additions and 0 deletions.
4 changes: 4 additions & 0 deletions modules/region/README.md
@@ -7,6 +7,7 @@ This module creates following resources.
- `aws_ec2_image_block_public_access`
- `aws_ec2_instance_metadata_defaults` (optional)
- `aws_ec2_serial_console_access`
- `aws_guardduty_organization_admin_account` (optional)
- `aws_inspector2_delegated_admin_account` (optional)
- `aws_macie2_organization_admin_account` (optional)
- `aws_resourceexplorer2_index` (optional)
@@ -43,6 +44,7 @@ This module creates following resources.
| [aws_ec2_image_block_public_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_image_block_public_access) | resource |
| [aws_ec2_instance_metadata_defaults.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_instance_metadata_defaults) | resource |
| [aws_ec2_serial_console_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_serial_console_access) | resource |
| [aws_guardduty_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_admin_account) | resource |
| [aws_inspector2_delegated_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_delegated_admin_account) | resource |
| [aws_macie2_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_organization_admin_account) | resource |
| [aws_resourceexplorer2_index.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourceexplorer2_index) | resource |
@@ -56,6 +58,7 @@ This module creates following resources.
|------|-------------|------|---------|:--------:|
| <a name="input_ebs_default_encryption"></a> [ebs\_default\_encryption](#input\_ebs\_default\_encryption) | (Optional) The configuration of the EBS default encryption. `ebs_default_encryption` as defined below.<br> (Optional) `enabled` - Whether or not default EBS encryption is enabled.<br> (Optional) `kms_key` - The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. | <pre>object({<br> enabled = optional(bool, false)<br> kms_key = optional(string)<br> })</pre> | `{}` | no |
| <a name="input_ec2"></a> [ec2](#input\_ec2) | (Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.<br> (Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.<br> (Optional) `instance_metadata_defaults` - The configuration of the regional instance metadata default settings. `instance_metadata_defaults` as defined below.<br> (Optional) `http_enabled` - Whether to enable or disable the HTTP metadata endpoint on your instances. Defaults to `null` (No preference).<br> (Optional) `http_token_required` - Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Defaults to `false`. Defaults to `null` (No preference).<br> (Optional) `http_put_response_hop_limit` - A desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integer from `1` to `64`. Defaults to `null` (No preference).<br> (Optional) `instance_tags_enabled` - Whether to enable the access to instance tags from the instance metadata service. Defaults to `null` (No preference).<br> (Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`. | <pre>object({<br> ami_public_access_enabled = optional(bool, false)<br> instance_metadata_defaults = optional(object({<br> http_enabled = optional(bool)<br> http_token_required = optional(bool)<br> http_put_response_hop_limit = optional(number)<br> instance_tags_enabled = optional(bool)<br> }), {})<br> serial_console_enabled = optional(bool, false)<br> })</pre> | `{}` | no |
| <a name="input_guardduty"></a> [guardduty](#input\_guardduty) | (Optional) The configuration of GuardDuty in the current AWS region. `guardduty` as defined below.<br> (Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon GuardDuty administrator account for the organization. The delegated administrator will be assigned the two GuardDuty roles required to administer GuardDuty policy in your organization. Can be used in only management account of the organization. | <pre>object({<br> delegated_administrator = optional(string)<br> })</pre> | `{}` | no |
| <a name="input_inspector"></a> [inspector](#input\_inspector) | (Optional) The configuration of Inspector in the current AWS region. `inspector` as defined below.<br> (Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Inspector administrator account for the organization. The delegated administrator is granted all of the permissions required to administer Inspector for your organization. When you choose a delegated administrator, Inspector is activated for that account. Can be used in only management account of the organization. | <pre>object({<br> delegated_administrator = optional(string)<br> })</pre> | `{}` | no |
| <a name="input_macie"></a> [macie](#input\_macie) | (Optional) The configuration of Macie in the current AWS region. `macie` as defined below.<br> (Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. This can be configured only if Macie is enabled for the organization. The account must be a management account of the organization. | <pre>object({<br> delegated_administrator = optional(string)<br> })</pre> | `{}` | no |
| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
@@ -76,6 +79,7 @@ This module creates following resources.
| <a name="output_description"></a> [description](#output\_description) | The description of the current region in this format: `Location (Region name)` |
| <a name="output_ebs"></a> [ebs](#output\_ebs) | The region-level configurations of EBS service.<br> `default_encryption` - The configurations for EBS Default Encryption. |
| <a name="output_ec2"></a> [ec2](#output\_ec2) | The region-level configurations of EC2 service.<br> `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region.<br> `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. |
| <a name="output_guardduty"></a> [guardduty](#output\_guardduty) | The region-level configurations of GuardDuty service.<br> `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon GuardDuty administrator account for the organization. |
| <a name="output_id"></a> [id](#output\_id) | The ID of the current region. |
| <a name="output_inspector"></a> [inspector](#output\_inspector) | The region-level configurations of Inspector service.<br> `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Inspector administrator account for the organization. |
| <a name="output_macie"></a> [macie](#output\_macie) | The region-level configurations of Macie service.<br> `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. |
10 changes: 10 additions & 0 deletions modules/region/guardduty.tf
@@ -0,0 +1,10 @@
###################################################
# Delegated Administrator for GuardDuty
###################################################

resource "aws_guardduty_organization_admin_account" "this" {
count = var.guardduty.delegated_administrator != null ? 1 : 0

admin_account_id = var.guardduty.delegated_administrator
}
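Review bot: nothing in this resource enforces the precondition the variable description states, that `aws_guardduty_organization_admin_account` can only be applied from the organization's management account; run from any other account the apply fails with an AWS API error rather than a clear message. Consider a `lifecycle { precondition { ... } }` that compares `data.aws_caller_identity.this.account_id` with `data.aws_organizations_organization.this.master_account_id`, or at least a comment above the resource pointing at that requirement. Also worth a comment: this resource only designates the administrator; auto-enabling GuardDuty for member accounts (`aws_guardduty_organization_configuration`) has to be managed from the delegated administrator account and is outside this module.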

10 changes: 10 additions & 0 deletions modules/region/outputs.tf
@@ -44,6 +44,16 @@ output "ec2" {
}
}

output "guardduty" {
description = <<EOF
The region-level configurations of GuardDuty service.
`delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon GuardDuty administrator account for the organization.
EOF
value = {
delegated_administrator = one(aws_guardduty_organization_admin_account.this[*].admin_account_id)
}
}

output "inspector" {
description = <<EOF
The region-level configurations of Inspector service.
12 changes: 12 additions & 0 deletions modules/region/variables.tf
@@ -37,6 +37,18 @@ variable "ec2" {
nullable = false
}

variable "guardduty" {
description = <<EOF
(Optional) The configuration of GuardDuty in the current AWS region. `guardduty` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon GuardDuty administrator account for the organization. The delegated administrator will be assigned the two GuardDuty roles required to administer GuardDuty policy in your organization. Can be used in only management account of the organization.
EOF
type = object({
delegated_administrator = optional(string)
})
default = {}
nullable = false
}

variable "inspector" {
description = <<EOF
(Optional) The configuration of Inspector in the current AWS region. `inspector` as defined below.
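Review bot: the `delegated_administrator` description reads `Can be used in only management account of the organization.`; suggest `Can only be used in the management account of the organization.` (the README input table appears to be generated from this text, so fixing it here fixes both places). The type also accepts any string, so a malformed value is only rejected by the GuardDuty API at apply time; a `validation` block such as `condition = var.guardduty.delegated_administrator == null || can(regex("^[0-9]{12}$", var.guardduty.delegated_administrator))` with a matching `error_message` would reject a non-12-digit account ID at plan time, and the same check would suit the `inspector` and `macie` variables that share this shape.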

0 comments on commit 019ed6f