This module creates a Lambda function that is notified when new GuardDuty log files are created in the S3 bucket and sends alerts to Slack.
Version 1 worked through CloudWatch rule events, with a corresponding Lambda configured in each region, which meant 17 duplicate resources across all the regions. Version 2 is notified of the logs from the central S3 bucket, so only one Lambda is needed and no work is required to add regions. To upgrade, a bucket name is required.
```hcl
module "notify_slack" {
  source                  = "git::https://github.com/UKHomeOffice/acp-tf-guardduty-notify-slack?ref=v2.1.1"
  slack_webhook_url       = var.slack_webhook
  slack_channel           = "GuardDuty-ALerts"
  slack_username          = "testing"
  lambda_variable_kms_key = "arn:aws:kms:eu-west-2:XXXX:key/XXX"
  bucket_name             = "guardduty-bucket"
  bucket_kms_key          = "arn:aws:kms:eu-west-2:XXXX:key/XXX"
  alert_emails            = ["[email protected]"]
  lambda_function_name    = "guardduty_notify_slack"
}
```
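The processing path described above (S3 notification, exported findings file, Slack message), as an added Python example that is not the module's own Lambda code. It assumes the export object is gzipped JSON lines and that sample findings carry `service.additionalInfo.sample`; the function names and all sample data are constructed for illustration.

```python
import gzip
import json
from urllib.parse import unquote_plus

# Constructed sample data: two findings in the assumed gzipped JSON-lines
# export layout; the first is marked as a generated sample finding.
SAMPLE_FINDINGS = [
    {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2, "region": "eu-west-2",
     "accountId": "111111111111", "title": "Constructed sample finding",
     "service": {"additionalInfo": {"sample": True}}},
    {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5, "region": "eu-west-1",
     "accountId": "111111111111", "title": "Constructed real finding",
     "service": {"additionalInfo": {}}},
]
SAMPLE_OBJECT = gzip.compress("\n".join(json.dumps(f) for f in SAMPLE_FINDINGS).encode())
SAMPLE_EVENT = {"Records": [{"s3": {"bucket": {"name": "guardduty-bucket"},
    "object": {"key": "AWSLogs/111111111111/GuardDuty/eu-west-2/constructed%3Akey.jsonl.gz"}}}]}


def object_refs(event):
    """Yield (bucket, key) per record; S3 URL-encodes keys in notifications."""
    for record in event.get("Records", []):
        s3 = record["s3"]
        yield s3["bucket"]["name"], unquote_plus(s3["object"]["key"])


def parse_findings(blob, ignore_sample_events=False):
    """Decompress one export object; optionally drop sample findings."""
    findings = []
    for line in gzip.decompress(blob).decode("utf-8").splitlines():
        if not line.strip():
            continue
        finding = json.loads(line)
        # Assumption: samples are flagged at service.additionalInfo.sample.
        info = (finding.get("service") or {}).get("additionalInfo") or {}
        if ignore_sample_events and info.get("sample") is True:
            continue
        findings.append(finding)
    return findings


def slack_payload(finding, channel, username, emoji=":aws:"):
    """Build the incoming-webhook JSON body; the caller POSTs it to the webhook URL."""
    text = "*{type}* (severity {severity}) in {region}, account {accountId}: {title}".format(**finding)
    return {"channel": channel, "username": username, "icon_emoji": emoji, "text": text}
```

In a deployed function the object bytes would come from an S3 read using the bucket and key that `object_refs` returns, with decrypt permission on the bucket's KMS key.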
Name | Version |
---|---|
terraform | >= 1.0 |
archive | ~> 2.2 |
aws | ~> 3.70 |

Name | Version |
---|---|
archive | 2.2.0 |
aws | 3.72.0 |

No modules.

Name | Type |
---|---|
aws_cloudwatch_log_group.lambda_function | resource |
aws_cloudwatch_metric_alarm.errorRate | resource |
aws_iam_role.lambda | resource |
aws_iam_role_policy.lambda | resource |
aws_lambda_function.notify_slack | resource |
aws_lambda_permission.allow_bucket | resource |
aws_s3_bucket_notification.bucket_notification | resource |
aws_sns_topic.alert | resource |
aws_sns_topic_subscription.alert-email | resource |
archive_file.notify_slack | data source |
aws_iam_policy_document.assume_role | data source |
aws_iam_policy_document.lambda | data source |
aws_s3_bucket.guardduty | data source |

Name | Description | Type | Default | Required |
---|---|---|---|---|
alert_emails | Emails to alert on if there is an error in the lambda | list | [] | no |
bucket_kms_key | KMS key ARN used to decrypt the GuardDuty S3 events | any | n/a | yes |
bucket_name | Bucket name of GuardDuty event logs | any | n/a | yes |
ignore_sample_events | Flag to toggle whether to ignore sample events | string | "false" | no |
lambda_function_name | The name of the Lambda function to create | string | "guardduty_notify_slack" | no |
lambda_variable_kms_key | ARN of the KMS key used for decryption of Lambda variables | any | n/a | yes |
slack_channel | The name of the channel in Slack for notifications | any | n/a | yes |
slack_emoji | A custom emoji that will appear on Slack messages | string | ":aws:" | no |
slack_username | The username that will appear on Slack messages | any | n/a | yes |
slack_webhook_url | The URL of the Slack webhook | any | n/a | yes |

No outputs.