feat: add support for guardduty detector features

main.tf

@@ -3,6 +3,18 @@ locals {
   tags = {
     Repository = "https://github.com/aws-ia/terraform-aws-guardduty"
   }
+
+  configuration_features = {
+    "RDS_LOGIN_EVENTS" = { enabled = var.enable_rds_login_events }
+    "EKS_RUNTIME_MONITORING" = { enabled = var.enable_eks_runtime_monitoring
+      additional_configuration = {
+    "EKS_ADDON_MANAGEMENT" = { enabled = var.enable_eks_addon_management } } }
+    "RUNTIME_MONITORING" = { enabled = var.enable_runtime_monitoring
+      additional_configuration = {
+        "EKS_ADDON_MANAGEMENT" = { enabled = var.enable_eks_addon_management }
+        "EC2_AGENT_MANAGEMENT" = { enabled = var.enable_ec2_agent_management }
+    "ECS_FARGATE_AGENT_MANAGEMENT" = { enabled = var.enable_ecs_fargate_agent_management } } }
+  }
 }
 
 ##################################################
@@ -43,6 +55,24 @@ resource "aws_guardduty_detector" "primary" {
   }
 }
 
+##################################################
+# GuardDuty Features Configuration
+##################################################
+resource "aws_guardduty_detector_feature" "this" {
+  for_each    = { for k, v in local.configuration_features : k => v if v.enabled }
+  detector_id = aws_guardduty_detector.primary.id
+  name        = each.key
+  status      = each.value.enabled ? "ENABLED" : "DISABLED"
+
+  dynamic "additional_configuration" {
+    for_each = { for k, v in each.value.additional_configuration : k => v if v.enabled }
+    content {
+      name   = each.key
+      status = each.value.enabled ? "ENABLED" : "DISABLED"
+    }
+  }
+}
+
 ##################################################
 # GuardDuty Filter
 ##################################################

modules/organizations_admin/main.tf

@@ -1,6 +1,21 @@
 ##################################################
 # GuardDuty Organizations Delegated Admin
 ##################################################
+
+locals {
+  organization_configuration_features = {
+    "RDS_LOGIN_EVENTS" = { auto_enable = var.auto_enable_rds_login_events }
+    "EKS_RUNTIME_MONITORING" = { auto_enable = var.auto_enable_eks_runtime_monitoring
+      additional_configuration = {
+    "EKS_ADDON_MANAGEMENT" = { auto_enable = var.auto_enable_eks_addon_management } } }
+    "RUNTIME_MONITORING" = { auto_enable = var.auto_enable_runtime_monitoring
+      additional_configuration = {
+        "EKS_ADDON_MANAGEMENT" = { auto_enable = var.auto_enable_eks_addon_management }
+        "EC2_AGENT_MANAGEMENT" = { auto_enable = var.auto_enable_ec2_agent_management }
+    "ECS_FARGATE_AGENT_MANAGEMENT" = { auto_enable = var.auto_enable_ecs_fargate_agent_management } } }
+  }
+}
+
 resource "aws_guardduty_organization_admin_account" "this" {
   count            = var.admin_account_id == null ? 0 : 1
   admin_account_id = var.admin_account_id
@@ -31,3 +46,21 @@ resource "aws_guardduty_organization_configuration" "this" {
     }
   }
 }
+
+##################################################
+# GuardDuty Organizations Features Configuration
+##################################################
+resource "aws_guardduty_organization_configuration_feature" "this" {
+  for_each    = { for k, v in local.organization_configuration_features : k => v if v.auto_enable != null }
+  detector_id = var.guardduty_detector_id
+  name        = each.key
+  auto_enable = each.value.auto_enable
+
+  dynamic "additional_configuration" {
+    for_each = { for k, v in each.value.additional_configuration : k => v if v.auto_enable != null }
+    content {
+      name        = additional_configuration.key
+      auto_enable = additional_configuration.value.auto_enable
+    }
+  }
+}

modules/organizations_admin/variables.tf

@@ -24,6 +24,76 @@ variable "enable_malware_protection" {
   default     = true
 }
 
+variable "auto_enable_rds_login_events" {
+  description = "Auto-enable RDS login events monitoring for the member accounts within the organization."
+  type        = string
+  default     = null
+   validation {
+    condition     = var.auto_enable_rds_login_events == null || contains(["ALL", "NONE", "NEW"], coalesce(var.auto_enable_rds_login_events, 0))
+    error_message = "The auto_enable value must be one of: ALL, NONE, NEW."
+  }
+}
+
+variable "auto_enable_lambda_network_logs" {
+  description = "Auto-enable Lambda network logs monitoring for the member accounts within the organization."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.auto_enable_lambda_network_logs == null || contains(["ALL", "NONE", "NEW"], coalesce(var.auto_enable_lambda_network_logs, 0))
+    error_message = "The auto_enable value must be one of: ALL, NONE, NEW."
+  }
+}
+
+variable "auto_enable_eks_runtime_monitoring" {
+  description = "Auto-enable EKS Runtime Monitoring for the member accounts within the organization."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.auto_enable_eks_runtime_monitoring == null || contains(["ALL", "NONE", "NEW"], coalesce(var.auto_enable_eks_runtime_monitoring, 0))
+    error_message = "The auto_enable value must be one of: ALL, NONE, NEW."
+  }
+}
+
+variable "auto_enable_runtime_monitoring" {
+  description = "Auto-enable Runtime Monitoring for the member accounts within the organization."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.auto_enable_runtime_monitoring == null || contains(["ALL", "NONE", "NEW"], coalesce(var.auto_enable_runtime_monitoring, 0))
+    error_message = "The auto_enable value must be one of: ALL, NONE, NEW."
+  }
+}
+
+variable "auto_enable_eks_addon_management" {
+  description = "Auto-enable EKS Addon Management additional configuration of EKS Runtime Monitoring/Runtime Monitoring for the member accounts within the organization."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.auto_enable_eks_addon_management == null || contains(["ALL", "NONE", "NEW"], coalesce(var.auto_enable_eks_addon_management, 0))
+    error_message = "The auto_enable value must be one of: ALL, NONE, NEW."
+  }
+}
+
+variable "auto_enable_ecs_fargate_agent_management" {
+  description = "Auto-enable ECS Fargate Agent Management  additional configuration of Runtime Monitoring for the member accounts within the organization."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.auto_enable_ecs_fargate_agent_management == null || contains(["ALL", "NONE", "NEW"], coalesce(var.auto_enable_ecs_fargate_agent_management, 0))
+    error_message = "The auto_enable value must be one of: ALL, NONE, NEW."
+  }
+}
+
+variable "auto_enable_ec2_agent_management" {
+  description = "Auto-enable EC2 Agent Management additional configuration of Runtime Monitoring for the member accounts within the organization."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.auto_enable_ec2_agent_management == null || contains(["ALL", "NONE", "NEW"], coalesce(var.auto_enable_ec2_agent_management, 0))
+    error_message = "The auto_enable value must be one of: ALL, NONE, NEW."
+  }
+}
+
 variable "admin_account_id" {
   description = "AWS Organizations Admin Account Id. Defaults to `null`"
   type        = string

variables.tf

@@ -31,6 +31,48 @@ variable "enable_malware_protection" {
   default     = true
 }
 
+variable "enable_rds_login_events" {
+  description = "Configure and enable RDS Login Events Monitoring. Defaults to `false`."
+  type        = bool
+  default     = false
+}
+
+variable "enable_lambda_network_logs" {
+  description = "Configure and enable Lambda Newtork Logs Monitoring. Defaults to `false`."
+  type        = bool
+  default     = false
+}
+
+variable "enable_eks_runtime_monitoring" {
+  description = "Configure and enable EKS Runtime Montoring. Specifying both EKS Runtime Monitoring and Runtime Monitoring will cause an error. Defaults to `false`."
+  type        = bool
+  default     = false
+}
+
+variable "enable_runtime_monitoring" {
+  description = "Configure and enable Runtime Monitoring. Specifying both EKS Runtime Monitoring and Runtime Monitoring  will cause an error. Defaults to `false`."
+  type        = bool
+  default     = false
+}
+
+variable "enable_eks_addon_management" {
+  description = "Configure and enable EKS Addon Mangement  additional configuration of EKS Runtime Monitoring/Runtime Monitoring. Defaults to `false`."
+  type        = bool
+  default     = false
+}
+
+variable "enable_ecs_fargate_agent_management" {
+  description = "Configure and enable ECS Fargate Agent Management additional configuration of Runtime Monitoring. Defaults to `false`."
+  type        = bool
+  default     = false
+}
+
+variable "enable_ec2_agent_management" {
+  description = "Configure and enable EC2 Agent Management additional configuration of Runtime Monitoring. Defaults to `false`."
+  type        = bool
+  default     = false
+}
+
 variable "enable_snapshot_retention" {
   description = "Enable EBS Snaptshot retention for 30 days, if any Findings exists. Defaults to `false`."
   type        = bool