Merge pull request #2 from rhythmictech/logging

cdaniluk · web-flow · commit 7239a24cf7ec · 2022-03-14T09:40:25.000-04:00
Logging
diff --git a/README.md b/README.md
@@ -46,8 +46,8 @@ A bit about this module
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 3.74 |
-| <a name="provider_datadog"></a> [datadog](#provider\_datadog) | ~>3.8 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.74.2 |
+| <a name="provider_datadog"></a> [datadog](#provider\_datadog) | 3.8.1 |
 
 ## Modules
 
@@ -60,8 +60,15 @@ A bit about this module
 | Name | Type |
 |------|------|
 | [aws_cloudformation_stack.datadog_forwarder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource |
+| [aws_cloudwatch_event_rule.guardduty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_target.guardduty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_iam_policy.datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.cspm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_lambda_permission.cloudtrail_trigger](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.guardduty_trigger](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_s3_bucket_notification.cloudtrail_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
 | [aws_secretsmanager_secret.datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret_version.datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [datadog_api_key.datadog](https://registry.terraform.io/providers/datadog/datadog/latest/docs/resources/api_key) | resource |
@@ -75,8 +82,10 @@ A bit about this module
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_cloudtrail_buckets"></a> [cloudtrail\_buckets](#input\_cloudtrail\_buckets) | Bucket(s) to collect CloudTrail logs from | `list(string)` | `[]` | no |
 | <a name="input_datadog_account_id"></a> [datadog\_account\_id](#input\_datadog\_account\_id) | DataDog AWS account ID (should not need changed) | `string` | `"464622532012"` | no |
 | <a name="input_datadog_site_name"></a> [datadog\_site\_name](#input\_datadog\_site\_name) | DataDog site (e.g., datadoghq.com) | `string` | `"datadoghq.com"` | no |
+| <a name="input_enable_guardduty_notifications"></a> [enable\_guardduty\_notifications](#input\_enable\_guardduty\_notifications) | Send GuardDuty notifications to Datadog (`install_log_forwarder` must be true) | `bool` | `true` | no |
 | <a name="input_install_log_forwarder"></a> [install\_log\_forwarder](#input\_install\_log\_forwarder) | controls whether log forwarder lambda should be installed | `bool` | `true` | no |
 | <a name="input_integration_excluded_regions"></a> [integration\_excluded\_regions](#input\_integration\_excluded\_regions) | Regions to exclude from DataDog monitoring | `list(string)` | `[]` | no |
 | <a name="input_integration_filter_tags"></a> [integration\_filter\_tags](#input\_integration\_filter\_tags) | Tags to filter EC2 instances on (see https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws) | `list(string)` | `[]` | no |
@@ -89,5 +98,8 @@ A bit about this module
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_iam_role_datadog"></a> [iam\_role\_datadog](#output\_iam\_role\_datadog) | IAM role assumed by Datadog resources |
+| <a name="output_lambda_arn_forwarder"></a> [lambda\_arn\_forwarder](#output\_lambda\_arn\_forwarder) | DataDog Lambda Forwarder ARN |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/cloudtrail.tf b/cloudtrail.tf
@@ -0,0 +1,20 @@
+resource "aws_lambda_permission" "cloudtrail_trigger" {
+  for_each = toset(var.cloudtrail_buckets)
+
+  action        = "lambda:InvokeFunction"
+  function_name = try(aws_cloudformation_stack.datadog_forwarder[0].outputs.DatadogForwarderArn, "")
+  principal     = "s3.amazonaws.com"
+  source_arn    = "arn:aws:s3:::${each.value}"
+  statement_id  = "CloudTrailTrigger"
+}
+
+resource "aws_s3_bucket_notification" "cloudtrail_notification" {
+  for_each = toset(var.cloudtrail_buckets)
+
+  bucket = each.value
+
+  lambda_function {
+    events              = ["s3:ObjectCreated:*"]
+    lambda_function_arn = try(aws_cloudformation_stack.datadog_forwarder[0].outputs.DatadogForwarderArn, "")
+  }
+}
diff --git a/guardduty.tf b/guardduty.tf
@@ -0,0 +1,35 @@
+resource "aws_cloudwatch_event_rule" "guardduty" {
+  count = var.enable_guardduty_notifications ? 1 : 0
+
+  name_prefix = substr("gd-finding-${var.name}", 0, 35)
+  description = "Match on GuardDuty alert (Datadog)"
+
+  event_pattern = <<EOT
+{
+  "detail-type": [
+    "GuardDuty Finding"
+  ],
+  "source": [
+    "aws.guardduty"
+  ]
+}
+EOT
+}
+
+resource "aws_cloudwatch_event_target" "guardduty" {
+  count = var.enable_guardduty_notifications ? 1 : 0
+
+  arn       = try(aws_cloudformation_stack.datadog_forwarder[0].outputs.DatadogForwarderArn, "")
+  rule      = aws_cloudwatch_event_rule.guardduty[0].name
+  target_id = "send-to-datadog"
+}
+
+resource "aws_lambda_permission" "guardduty_trigger" {
+  count = var.enable_guardduty_notifications ? 1 : 0
+
+  action        = "lambda:InvokeFunction"
+  function_name = try(aws_cloudformation_stack.datadog_forwarder[0].outputs.DatadogForwarderArn, "")
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.guardduty[0].arn
+  statement_id  = "GuardDutyTrigger"
+}
diff --git a/main.tf b/main.tf
@@ -11,10 +11,9 @@ module "tags" {
 }
 
 locals {
-  account_id          = data.aws_caller_identity.current.account_id
-  managed_policy_arns = var.use_cspm_permissions ? ["arn:aws:iam::aws:policy/SecurityAudit"] : []
-  policy_file_path    = var.use_full_permissions ? "${path.module}/iam-fullperms.json" : "${path.module}/iam-partialperms.json"
-  tags                = module.tags.tags_no_name
+  account_id       = data.aws_caller_identity.current.account_id
+  policy_file_path = var.use_full_permissions ? "${path.module}/iam-fullperms.json" : "${path.module}/iam-partialperms.json"
+  tags             = module.tags.tags_no_name
 }
 
 resource "datadog_api_key" "datadog" {
@@ -30,7 +29,7 @@ resource "datadog_integration_aws" "datadog" {
 }
 
 resource "aws_secretsmanager_secret" "datadog" {
-  name        = "${var.name}-api-key"
+  name_prefix = "${var.name}-api-key"
   description = "Datadog API Key"
 }
 
@@ -58,10 +57,9 @@ data "aws_iam_policy_document" "assume" {
 
 resource "aws_iam_role" "datadog" {
   # this cannot be a prefix or it will create a cycle with the DD integration
-  name                = "DatadogIntegrationRole"
-  assume_role_policy  = data.aws_iam_policy_document.assume.json
-  managed_policy_arns = local.managed_policy_arns
-  tags                = local.tags
+  name               = "DatadogIntegrationRole"
+  assume_role_policy = data.aws_iam_policy_document.assume.json
+  tags               = local.tags
 }
 
 resource "aws_iam_policy" "datadog" {
@@ -71,6 +69,18 @@ resource "aws_iam_policy" "datadog" {
   tags        = local.tags
 }
 
+resource "aws_iam_role_policy_attachment" "cspm" { #tfsec:ignore:AVD-AWS-0057
+  count = var.use_cspm_permissions ? 1 : 0
+
+  role       = aws_iam_role.datadog.name
+  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
+}
+
+resource "aws_iam_role_policy_attachment" "datadog" {
+  role       = aws_iam_role.datadog.name
+  policy_arn = aws_iam_policy.datadog.arn
+}
+
 resource "aws_cloudformation_stack" "datadog_forwarder" {
   count = var.install_log_forwarder ? 1 : 0
 
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,9 @@
+output "iam_role_datadog" {
+  description = "IAM role assumed by Datadog resources"
+  value       = aws_iam_role.datadog.name
+}
+
+output "lambda_arn_forwarder" {
+  description = "DataDog Lambda Forwarder ARN"
+  value       = try(aws_cloudformation_stack.datadog_forwarder[0].outputs.DatadogForwarderArn, "")
+}
diff --git a/variables.tf b/variables.tf
@@ -10,6 +10,12 @@ variable "tags" {
   type        = map(string)
 }
 
+variable "cloudtrail_buckets" {
+  default     = []
+  description = "Bucket(s) to collect CloudTrail logs from"
+  type        = list(string)
+}
+
 variable "datadog_account_id" {
   default     = "464622532012"
   description = "DataDog AWS account ID (should not need changed)"
@@ -22,6 +28,12 @@ variable "datadog_site_name" {
   type        = string
 }
 
+variable "enable_guardduty_notifications" {
+  default     = true
+  description = "Send GuardDuty notifications to Datadog (`install_log_forwarder` must be true)"
+  type        = bool
+}
+
 variable "install_log_forwarder" {
   default     = true
   description = "controls whether log forwarder lambda should be installed"
