From b8cd6a562cdff1a805486694b06481de43f3fe00 Mon Sep 17 00:00:00 2001
From: marta
Date: Fri, 28 Jun 2024 18:29:00 +0200
Subject: [PATCH 1/2] feat: add support for guardduty detector features
---
 main.tf | 18 ++++++++++++++++++
 modules/organizations_admin/main.tf | 19 +++++++++++++++++++
 modules/organizations_admin/variables.tf | 11 +++++++++++
 variables.tf | 13 +++++++++++++
 4 files changed, 61 insertions(+)
diff --git a/main.tf b/main.tf
index 650b6e5..d0f486e 100644
--- a/main.tf
+++ b/main.tf
@@ -43,6 +43,24 @@ resource "aws_guardduty_detector" "primary" {
 }
 }
+##################################################
+# GuardDuty Features Configuration
+##################################################
+resource "aws_guardduty_detector_feature" "this" {
+ for_each = var.configuration_features
+ detector_id = aws_guardduty_detector.primary.id
+ name = each.name
+ status = each.status ? "ENABLED" : "DISABLED"
+
+ dynamic "additional_configuration" {
+ for_each = each.additional_configuration
+ content {
+ name = additional_configuration.name
+ status = each.status ? "ENABLED" : "DISABLED"
+ }
+ }
+}
+
 ##################################################
 # GuardDuty Filter
 ##################################################
diff --git a/modules/organizations_admin/main.tf b/modules/organizations_admin/main.tf
index 4f712da..7a47c1e 100644
--- a/modules/organizations_admin/main.tf
+++ b/modules/organizations_admin/main.tf
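Review bot: `status = each.status ? ...` and `for_each = each.additional_configuration` in the new `aws_guardduty_detector_feature` resource read attributes that Terraform's `each` object does not have — only `each.key` and `each.value` exist — and `status` is not a field of the `configuration_features` object declared in variables.tf in this patch (the field is `enable`), so the block fails at plan time. The same pattern appears in the modules/organizations_admin/main.tf hunk of this patch (`each.auto_enable`, `each.additional_configuration`, `additional_configuration.auto_enable`) and survives into PATCH 2/2, which renames to `each.key`/`each.enabled` but still omits `.value` in both main.tf files. Route every read through the value: `status = each.value.enable ? "ENABLED" : "DISABLED"`, `for_each = each.value.additional_configuration`, and inside the dynamic block `additional_configuration.value.name` (or `.value.auto_enable` in the organizations module). Since this resource is what actually turns the extra GuardDuty protections on, a plan-time error here is the good outcome; the fix should be verified with a `terraform plan` on a non-empty `configuration_features` map before merge.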
@@ -31,3 +31,22 @@ resource "aws_guardduty_organization_configuration" "this" {
 }
 }
 }
+
+##################################################
+# GuardDuty Organizations Features Configuration
+##################################################
+resource "aws_guardduty_organization_configuration_feature" "this" {
+ for_each = var.organization_configuration_features
+ detector_id = var.guardduty_detector_id
+ name = each.name
+ auto_enable = each.auto_enable
+
+ dynamic "additional_configuration" {
+ for_each = each.additional_configuration
+ content {
+ name = additional_configuration.name
+ auto_enable = additional_configuration.auto_enable
+ }
+ }
+}
+
diff --git a/modules/organizations_admin/variables.tf b/modules/organizations_admin/variables.tf
index 619af02..9577937 100644
--- a/modules/organizations_admin/variables.tf
+++ b/modules/organizations_admin/variables.tf
@@ -41,3 +41,14 @@ variable "auto_enable_organization_members" {
 type = string
 default = "NEW"
 }
+
+variable "organization_configuration_features" {
+ type = map(object({
+ name = string
+ auto_enable = string # NEW | ALL | NONE
+ additional_configuration = list(object({
+ name = string # EKS_ADDON_MANAGEMENT | ECS_FARGATE_AGENT_MANAGEMENT | EC2_AGENT_MANAGEMENT
+ auto_enable = string
+ }))
+ }))
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 915b115..1cca687 100644
--- a/variables.tf
+++ b/variables.tf
@@ -43,6 +43,19 @@ variable "finding_publishing_frequency" {
 default = "FIFTEEN_MINUTES"
 }
+variable "configuration_features" {
+ description = "Enable new GuardDuty protections only available as features"
+ type = map(object({
+ name = string # S3_DATA_EVENTS | EKS_AUDIT_LOGS | EBS_MALWARE_PROTECTION | RDS_LOGIN_EVENTS | EKS_RUNTIME_MONITORING | LAMBDA_NETWORK_LOGS | RUNTIME_MONITORING
+ enable = bool
+ additional_configuration = list(object({ # EKS_ADDON_MANAGEMENT | ECS_FARGATE_AGENT_MANAGEMENT | EC2_AGENT_MANAGEMENT
+ name = string
+ enable = bool
+ }))
+ }))
+ default = {}
+}
+
 ##################################################
 # GuardDuty Filter
From 160fbfca1ebbb267811006536e053d609f679f69 Mon Sep 17 00:00:00 2001
From: marta
Date: Mon, 1 Jul 2024 10:53:07 +0200
Subject: [PATCH 2/2] feat: change variables shape, add validations
---
 main.tf | 8 ++++----
 modules/organizations_admin/main.tf | 4 ++--
 modules/organizations_admin/variables.tf | 26 +++++++++++++++++++-----
 variables.tf | 16 +++++++++------
 4 files changed, 37 insertions(+), 17 deletions(-)
diff --git a/main.tf b/main.tf
index d0f486e..cde84bd 100644
--- a/main.tf
+++ b/main.tf
@@ -49,14 +49,14 @@ resource "aws_guardduty_detector" "primary" {
 resource "aws_guardduty_detector_feature" "this" {
 for_each = var.configuration_features
 detector_id = aws_guardduty_detector.primary.id
- name = each.name
- status = each.status ? "ENABLED" : "DISABLED"
+ name = each.key
+ status = each.enabled ? "ENABLED" : "DISABLED"
 dynamic "additional_configuration" {
 for_each = each.additional_configuration
 content {
- name = additional_configuration.name
- status = each.status ? "ENABLED" : "DISABLED"
+ name = additional_configuration.key
+ status = each.enabled ? "ENABLED" : "DISABLED"
 }
 }
 }
diff --git a/modules/organizations_admin/main.tf b/modules/organizations_admin/main.tf
index 7a47c1e..2634eed 100644
--- a/modules/organizations_admin/main.tf
+++ b/modules/organizations_admin/main.tf
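Review bot: In the PATCH 2/2 main.tf hunk, the new `status = each.enabled ? "ENABLED" : "DISABLED"` inside the `additional_configuration` dynamic block derives each sub-feature's state from the parent feature's flag, so the per-entry boolean the caller supplies through `additional_configuration = map(bool)` is never read — an agent-management option set to `false` is still sent as ENABLED whenever the parent is, and the deployed GuardDuty coverage silently diverges from what the variable declares. Use the iterator's own value: `status = additional_configuration.value ? "ENABLED" : "DISABLED"`. The parent-level `each.enabled` and `each.additional_configuration` on the same resource also need to go through `each.value`, since `each` exposes only `key` and `value`; without that the block does not plan at all, which is what hides the coverage mismatch today. A short comment above the dynamic block, `# sub-feature status comes from the map(bool) value, independent of the parent flag`, would make the intended contract explicit.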
@@ -38,13 +38,13 @@ resource "aws_guardduty_organization_configuration" "this" {
 resource "aws_guardduty_organization_configuration_feature" "this" {
 for_each = var.organization_configuration_features
 detector_id = var.guardduty_detector_id
- name = each.name
+ name = each.key
 auto_enable = each.auto_enable
 dynamic "additional_configuration" {
 for_each = each.additional_configuration
 content {
- name = additional_configuration.name
+ name = additional_configuration.key
 auto_enable = additional_configuration.auto_enable
 }
 }
diff --git a/modules/organizations_admin/variables.tf b/modules/organizations_admin/variables.tf
index 9577937..1bd477b 100644
--- a/modules/organizations_admin/variables.tf
+++ b/modules/organizations_admin/variables.tf
@@ -43,12 +43,28 @@ variable "auto_enable_organization_members" {
 }
 variable "organization_configuration_features" {
+ description = "Enable new organization GuardDuty protections only available as features"
 type = map(object({
- name = string
- auto_enable = string # NEW | ALL | NONE
- additional_configuration = list(object({
- name = string # EKS_ADDON_MANAGEMENT | ECS_FARGATE_AGENT_MANAGEMENT | EC2_AGENT_MANAGEMENT
+ auto_enable = string
+ additional_configuration = map(object({
 auto_enable = string
 }))
 }))
-}
\ No newline at end of file
+ validation {
+ condition = alltrue([for k in var.organization_configuration_features : contains(["S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "EKS_RUNTIME_MONITORING", "LAMBDA_NETWORK_LOGS", "RUNTIME_MONITORING"], k)])
+ error_message = "The organization_configuration_features key must be one of: S3_DATA_EVENTS, EKS_AUDIT_LOGS, EBS_MALWARE_PROTECTION, RDS_LOGIN_EVENTS, EKS_RUNTIME_MONITORING, LAMBDA_NETWORK_LOGS, RUNTIME_MONITORING."
+ }
+ validation {
+ condition = alltrue([for k, v in var.organization_configuration_features : contains(["ALL", "NONE", "NEW"], v.auto_enable)])
+ error_message = "The auto_enable value must be one of: ALL, NONE, NEW."
+ }
+ validation {
+ condition = alltrue([for k, v in var.organization_configuration_features : [for a in v.additional_configuration : contains(["EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT"], a)]])
+ error_message = "The additional_configuration key must be one of: EKS_ADDON_MANAGEMENT, ECS_FARGATE_AGENT_MANAGEMENT, EC2_AGENT_MANAGEMENT."
+ }
+ validation {
+ condition = alltrue([for k, v in var.organization_configuration_features : [for ak, av in v.additional_configuration : contains(["ALL", "NONE", "NEW"], av.auto_enable)]])
+ error_message = "The auto_enable value must be one of: ALL, NONE, NEW."
+ }
+ default = {}
+}
diff --git a/variables.tf b/variables.tf
index 1cca687..ac842a5 100644
--- a/variables.tf
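Review bot: The first and third `validation` blocks added here check the wrong thing: a single-symbol `for k in var.organization_configuration_features` over a map yields the values (the feature objects), not the keys, so `contains([...], k)` compares an object against the allow-list and rejects every input, and `for a in v.additional_configuration` has the same problem one level down. The third and fourth conditions additionally produce a list of lists, which `alltrue` does not accept — the nested comprehension needs `flatten(...)`. These validations are the only thing holding the feature names to the known GuardDuty protection set, so as written they would block every apply rather than only the malformed ones; the variables.tf hunk of this same commit repeats both mistakes in its two validations. Proposed conditions below; error messages are unchanged.
```hcl
  validation {
    condition     = alltrue([for k, v in var.organization_configuration_features : contains(["S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "EKS_RUNTIME_MONITORING", "LAMBDA_NETWORK_LOGS", "RUNTIME_MONITORING"], k)])
    # … unchanged: error_message …
  }
  # … unchanged: auto_enable validation …
  validation {
    condition     = alltrue(flatten([for k, v in var.organization_configuration_features : [for ak, av in v.additional_configuration : contains(["EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT"], ak)]]))
    # … unchanged: error_message …
  }
  validation {
    condition     = alltrue(flatten([for k, v in var.organization_configuration_features : [for ak, av in v.additional_configuration : contains(["ALL", "NONE", "NEW"], av.auto_enable)]]))
    # … unchanged: error_message …
  }
```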
+++ b/variables.tf
@@ -46,13 +46,17 @@ variable "finding_publishing_frequency" {
 variable "configuration_features" {
 description = "Enable new GuardDuty protections only available as features"
 type = map(object({
- name = string # S3_DATA_EVENTS | EKS_AUDIT_LOGS | EBS_MALWARE_PROTECTION | RDS_LOGIN_EVENTS | EKS_RUNTIME_MONITORING | LAMBDA_NETWORK_LOGS | RUNTIME_MONITORING
- enable = bool
- additional_configuration = list(object({ # EKS_ADDON_MANAGEMENT | ECS_FARGATE_AGENT_MANAGEMENT | EC2_AGENT_MANAGEMENT
- name = string
- enable = bool
- }))
+ enabled = bool
+ additional_configuration = map(bool)
 }))
+ validation {
+ condition = alltrue([for k in var.configuration_features : contains(["S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "EKS_RUNTIME_MONITORING", "LAMBDA_NETWORK_LOGS", "RUNTIME_MONITORING"], k)])
+ error_message = "The configuration_features key must be one of: S3_DATA_EVENTS, EKS_AUDIT_LOGS, EBS_MALWARE_PROTECTION, RDS_LOGIN_EVENTS, EKS_RUNTIME_MONITORING, LAMBDA_NETWORK_LOGS, RUNTIME_MONITORING."
+ }
+ validation {
+ condition = alltrue([for k, v in var.configuration_features : [for a in v.additional_configuration : contains(["EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT"], a)]])
+ error_message = "The additional_configuration key must be one of: EKS_ADDON_MANAGEMENT, ECS_FARGATE_AGENT_MANAGEMENT, EC2_AGENT_MANAGEMENT."
+ }
 default = {}
 }