Publishing Destination Args
/**
 * Arguments for a GuardDuty PublishingDestination resource. Requires an existing GuardDuty Detector.
 *
 * @property destinationArn ARN of the bucket (optionally with a prefix) under which findings are exported;
 *   the prefix defaults to AWSLogs/[Account-ID]/GuardDuty/[Region]/ when not provided.
 * @property destinationType Destination type; "S3" is currently the only available value and the default.
 * @property detectorId ID of the GuardDuty detector whose findings are published.
 * @property kmsKeyArn ARN of the KMS key used for the exported findings — presumably the key GuardDuty
 *   encrypts with (the example grants it kms:GenerateDataKey); confirm against the provider docs.
 */
data class PublishingDestinationArgs(val destinationArn: Output<String>? = null, val destinationType: Output<String>? = null, val detectorId: Output<String>? = null, val kmsKeyArn: Output<String>? = null) : ConvertibleToJava<PublishingDestinationArgs>
Provides a resource to manage a GuardDuty PublishingDestination. Requires an existing GuardDuty Detector.
Example Usage
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.guardduty.Detector;
import com.pulumi.aws.guardduty.DetectorArgs;
import com.pulumi.aws.guardduty.PublishingDestination;
import com.pulumi.aws.guardduty.PublishingDestinationArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.aws.inputs.GetRegionArgs;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.s3.BucketAclV2;
import com.pulumi.aws.s3.BucketAclV2Args;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.core.Output;
import com.pulumi.resources.CustomResourceOptions;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
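public class App {
    /** Program entry point: hands the {@link #stack} definition to the Pulumi engine. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the example stack: an S3 bucket that receives exported findings, the bucket policy
     * and KMS key policy that let the GuardDuty service principal write and encrypt them, a
     * GuardDuty detector, and the publishing destination that ties them together.
     *
     * @param ctx the Pulumi program context supplied by {@link Pulumi#run}; not used directly
     */
    public static void stack(Context ctx) {
        final var currentCallerIdentity = AwsFunctions.getCallerIdentity();
        final var currentRegion = AwsFunctions.getRegion();
        // Account ID and region are Outputs that resolve later, so they are combined with
        // Output.all and formatted inside applyValue. Handing the Output objects to
        // String.format directly would embed their toString() instead of their values.
        final var accountId = currentCallerIdentity
            .applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId());
        final var regionName = currentRegion.applyValue(getRegionResult -> getRegionResult.name());
        final var kmsKeyArnPattern = Output.all(regionName, accountId)
            .applyValue(parts -> String.format("arn:aws:kms:%s:%s:key/*", parts.get(0), parts.get(1)));
        final var accountRootArn = accountId.applyValue(id -> String.format("arn:aws:iam::%s:root", id));

        var gdBucket = new BucketV2("gdBucket", BucketV2Args.builder()
            .forceDestroy(true)
            .build());

        // Bucket policy: the GuardDuty service principal may write findings objects and look up
        // the bucket's location. The builder takes a list of resource ARNs, so each single ARN
        // is wrapped in a one-element list.
        final var bucketPol = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                GetPolicyDocumentStatementArgs.builder()
                    .sid("Allow PutObject")
                    .actions("s3:PutObject")
                    .resources(gdBucket.arn().applyValue(arn -> List.of(String.format("%s/*", arn))))
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("guardduty.amazonaws.com")
                        .build())
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .sid("Allow GetBucketLocation")
                    .actions("s3:GetBucketLocation")
                    .resources(gdBucket.arn().applyValue(arn -> List.of(arn)))
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("guardduty.amazonaws.com")
                        .build())
                    .build())
            .build());

        // Key policy: GuardDuty may generate data keys to encrypt findings. The second statement
        // gives the account root kms:* so the test can modify and delete the key; as its sid says,
        // that grant exists for this test setup and is not a production key policy.
        final var kmsPol = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                GetPolicyDocumentStatementArgs.builder()
                    .sid("Allow GuardDuty to encrypt findings")
                    .actions("kms:GenerateDataKey")
                    .resources(kmsKeyArnPattern.applyValue(arn -> List.of(arn)))
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("guardduty.amazonaws.com")
                        .build())
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .sid("Allow all users to modify/delete key (test only)")
                    .actions("kms:*")
                    .resources(kmsKeyArnPattern.applyValue(arn -> List.of(arn)))
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("AWS")
                        .identifiers(accountRootArn.applyValue(arn -> List.of(arn)))
                        .build())
                    .build())
            .build());

        var testGd = new Detector("testGd", DetectorArgs.builder()
            .enable(true)
            .build());

        var gdBucketAcl = new BucketAclV2("gdBucketAcl", BucketAclV2Args.builder()
            .bucket(gdBucket.id())
            .acl("private")
            .build());

        // Only the rendered JSON of the policy document is needed; same form as the key policy below.
        var gdBucketPolicy = new BucketPolicy("gdBucketPolicy", BucketPolicyArgs.builder()
            .bucket(gdBucket.id())
            .policy(bucketPol.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

        var gdKey = new Key("gdKey", KeyArgs.builder()
            .description("Temporary key for AccTest of TF")
            .deletionWindowInDays(7)
            .policy(kmsPol.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

        // Explicit dependsOn: the destination references only the bucket ARN, which does not
        // imply the bucket policy, so the ordering is stated here — presumably because GuardDuty
        // expects the grants to be in place when the destination is registered.
        var test = new PublishingDestination("test", PublishingDestinationArgs.builder()
            .detectorId(testGd.id())
            .destinationArn(gdBucket.arn())
            .kmsKeyArn(gdKey.arn())
            .build(), CustomResourceOptions.builder()
                .dependsOn(gdBucketPolicy)
                .build());
    }
}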
Import
GuardDuty PublishingDestination can be imported using the master GuardDuty detector ID and the publishing destination ID, e.g.,
$ pulumi import aws:guardduty/publishingDestination:PublishingDestination test a4b86f26fa42e7e7cf0d1c333ea77777:a4b86f27a0e464e4a7e0516d242f1234
Properties
The bucket ARN and prefix under which the findings are exported. The bucket ARN is required; the prefix is optional and defaults to AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided.
Currently "S3" is the only available destination type; it is also the default value.
The ID of the GuardDuty detector.