add guardduty for every region

Author: anmolnagpal

main.tf

@@ -335,24 +335,27 @@ module "config" {
 
 #Module      :  GUARD DUTY
 module "guardduty" {
-  source                  = "./modules/guardduty"
-  name                    = "guardduty"
-  application             = var.application
-  environment             = var.environment
-  managedby               = var.managedby
-  label_order             = var.label_order
-  enabled                 = var.enabled && var.guardduty_enable
-  bucket_name             = var.guardduty_s3_bucket_name
-  ipset_format            = "TXT"
-  ipset_iplist            = var.ipset_iplist
-  threatintelset_activate = var.threatintelset_activate
-  threatintelset_format   = "TXT"
-  threatintelset_iplist   = var.threatintelset_iplist
-  target_bucket           = var.target_bucket
-  target_prefix           = var.target_prefix
-  sse_algorithm           = var.sse_algorithm
-  tracing_mode            = var.tracing_mode
-  attach_tracing_policy   = var.attach_tracing_policy
+  source                         = "./modules/guardduty"
+  name                           = "guardduty"
+  application                    = var.application
+  environment                    = var.environment
+  managedby                      = var.managedby
+  label_order                    = var.label_order
+  enabled                        = var.enabled && var.guardduty_enable
+  only_guardduty_enable          = var.only_guardduty_enable
+  ipset_location                 = var.ipset_location
+  threatintelset_iplist_location = var.threatintelset_iplist_location
+  bucket_name                    = var.guardduty_s3_bucket_name
+  ipset_format                   = "TXT"
+  ipset_iplist                   = var.ipset_iplist
+  threatintelset_activate        = var.threatintelset_activate
+  threatintelset_format          = "TXT"
+  threatintelset_iplist          = var.threatintelset_iplist
+  target_bucket                  = var.target_bucket
+  target_prefix                  = var.target_prefix
+  sse_algorithm                  = var.sse_algorithm
+  tracing_mode                   = var.tracing_mode
+  attach_tracing_policy          = var.attach_tracing_policy
 
   is_guardduty_member = var.is_guardduty_member
   member_list         = var.member_list

modules/guardduty/main.tf

@@ -16,7 +16,7 @@ module "labels" {
 }
 
 resource "aws_s3_bucket" "bucket" {
-  count         = var.enabled ? 1 : 0
+  count         = var.enabled && var.only_guardduty_enable ? 1 : 0
   bucket        = var.bucket_name
   acl           = "private"
   force_destroy = true
@@ -46,7 +46,7 @@ resource "aws_guardduty_invite_accepter" "member_accepter" {
 }
 
 resource "aws_s3_bucket_object" "ipset" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.only_guardduty_enable ? 1 : 0
   acl   = "private"
   content = templatefile("${path.module}/templates/ipset.txt.tpl",
   { ipset_iplist = var.ipset_iplist })
@@ -61,12 +61,12 @@ resource "aws_guardduty_ipset" "ipset" {
   activate    = var.ipset_activate
   detector_id = join("", aws_guardduty_detector.detector.*.id)
   format      = var.ipset_format
-  location    = "https://s3.amazonaws.com/${join("", aws_s3_bucket_object.ipset.*.bucket)}/${join("", aws_s3_bucket_object.ipset.*.key)}"
+  location    = var.ipset_location == "" ? "https://s3.amazonaws.com/${join("", aws_s3_bucket_object.ipset.*.bucket)}/${join("", aws_s3_bucket_object.ipset.*.key)}" : var.ipset_location
   name        = format("%s-ipset", module.labels.id)
 }
 
 resource "aws_s3_bucket_object" "threatintelset" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.only_guardduty_enable ? 1 : 0
   acl   = "private"
   content = templatefile("${path.module}/templates/threatintelset.txt.tpl",
   { threatintelset_iplist = var.threatintelset_iplist })
@@ -81,7 +81,7 @@ resource "aws_guardduty_threatintelset" "threatintelset" {
   activate    = var.threatintelset_activate
   detector_id = join("", aws_guardduty_detector.detector.*.id)
   format      = var.threatintelset_format
-  location    = "https://s3.amazonaws.com/${join("", aws_s3_bucket_object.threatintelset.*.bucket)}/${join("", aws_s3_bucket_object.threatintelset.*.key)}"
+  location    = var.threatintelset_iplist_location == "" ? "https://s3.amazonaws.com/${join("", aws_s3_bucket_object.threatintelset.*.bucket)}/${join("", aws_s3_bucket_object.threatintelset.*.key)}" : var.threatintelset_iplist_location
   name        = format("%s-threat", module.labels.id)
 }
 
@@ -98,7 +98,7 @@ resource "aws_guardduty_member" "member" {
 #Module      : CLOUD WATCH EVENT RULE
 #Description : Event rule for cloud watch events.
 resource "aws_cloudwatch_event_rule" "default" {
-  count       = var.enabled ? 1 : 0
+  count       = var.enabled && var.only_guardduty_enable ? 1 : 0
   name        = format("%s-er", module.labels.id)
   description = "Event rule for AWS Guarddduty."
   role_arn    = var.rule_iam_role_arn
@@ -120,7 +120,7 @@ resource "aws_cloudwatch_event_rule" "default" {
 #Module      : CLOUD WATCH EVENT TARGET
 #Description : Attaching event rule and lambda function to targets.
 resource "aws_cloudwatch_event_target" "default" {
-  count     = var.enabled ? 1 : 0
+  count     = var.enabled && var.only_guardduty_enable ? 1 : 0
   rule      = join("", aws_cloudwatch_event_rule.default.*.name)
   target_id = "Guardduty"
   arn       = module.slack-lambda.arn # ARN of the Lambda Function, write after including lambda function
@@ -136,7 +136,7 @@ module "slack-lambda" {
   environment = var.environment
   label_order = ["name"]
   managedby   = var.managedby
-  enabled     = var.enabled
+  enabled     = var.enabled && var.only_guardduty_enable
 
   filename = format("%s/slack", path.module)
   handler  = "index.handler"

modules/guardduty/variables.tf

@@ -36,6 +36,12 @@ variable "guardduty_enable" {
   description = "Enable monitoring and feedback reporting. Setting to false is equivalent to `suspending` GuardDuty. Defaults to true"
 }
 
+variable "only_guardduty_enable" {
+  type        = bool
+  default     = true
+  description = "Enable monitoring and feedback reporting. Setting to false is equivalent to `suspending` GuardDuty. Defaults to true"
+}
+
 variable "ipset_iplist" {
   type        = list(any)
   description = "IPSet list of trusted IP addresses"
@@ -48,6 +54,18 @@ variable "target_bucket" {
   description = "The name of the bucket that will receive the log objects."
 }
 
+variable "ipset_location" {
+  type        = string
+  default     = ""
+  description = "Location of ipset in s3."
+}
+
+variable "threatintelset_iplist_location" {
+  type        = string
+  default     = ""
+  description = "Location of threatintelset ipset in s3."
+}
+
 variable "target_prefix" {
   type        = string
   default     = ""

variables.tf

@@ -226,6 +226,12 @@ variable "guardduty_enable" {
   description = "Enable monitoring and feedback reporting. Setting to false is equivalent to `suspending` GuardDuty. Defaults to true"
 }
 
+variable "only_guardduty_enable" {
+  type        = bool
+  default     = true
+  description = "Enable monitoring and feedback reporting. Setting to false is equivalent to `suspending` GuardDuty. Defaults to true"
+}
+
 variable "guardduty_s3_bucket_name" {
   type        = string
   description = "The name of the S3 bucket which will store guardduty files."
@@ -1829,3 +1835,15 @@ variable "config_role_arn" {
   default     = ""
   description = "config role arn"
 }
+
+variable "ipset_location" {
+  type        = string
+  default     = ""
+  description = "Location of ipset in s3."
+}
+
+variable "threatintelset_iplist_location" {
+  type        = string
+  default     = ""
+  description = "Location of threatintelset ipset in s3."
+}