Closed be-aws-architect closed 1 year ago
This should probably also include not just the runtime, but also the runtime agent deployment:
As EKS Runtime Monitoring is an EKS add-on, I'm wondering if the deployment of the runtime agent would be done by using the existing aws_eks_addon resource? It looks like that's designed in a pretty generic way so maybe it won't need changes.
That said, it would be helpful to have a bit of documentation on how to configure the monitoring agent, as it seems like there are at least a few config options and it would be good to have an example. Perhaps the config would sit under the aws_guardduty_organization_configuration resource, or perhaps some might end up under aws_eks_addon; it would be good to understand where it would go and what it would look like.
The add-on needs to be enabled for the agent to gather events and send them to GuardDuty, but the GuardDuty feature needs to be enabled nevertheless.
Example CLI command:
# --account-ids belongs to update-member-detectors (update-detector takes no account list);
# the feature JSON is closed properly here.
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED", "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "DISABLED"}]}]'
No, that is something else. This is the org wide auto enablement of the deployment of that EKS addon and is a guardduty setting. You can of course manually deploy it, but that is not what we are talking about here.
You will be able to use the upcoming aws_guardduty_detector_feature resource (https://github.com/hashicorp/terraform-provider-aws/pull/31463):
resource "aws_guardduty_detector" "example" {
  enable = true
}

resource "aws_guardduty_detector_feature" "example" {
  detector_id = aws_guardduty_detector.example.id
  name        = "EKS_RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }
}
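The two settings above (the EKS_RUNTIME_MONITORING feature and its EKS_ADDON_MANAGEMENT additional configuration) are the same structure the CLI command and the Terraform resource set. As an added example that is not from the issue or the provider, this audit parses constructed JSON shaped like the `aws guardduty get-detector` response and flags detectors where runtime monitoring, or the agent auto-deployment, is not enabled; detector ids and their contents are constructed sample data.

```python
"""Audit GuardDuty detectors for EKS Runtime Monitoring state (added example)."""
import json
from typing import Dict, List

# Constructed samples shaped like the Features list of a get-detector response.
SAMPLE_DETECTORS = {
    # Feature on, but agent add-on management off: agent must be deployed by hand.
    "detector-a": json.dumps({"Status": "ENABLED", "Features": [
        {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
        {"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED",
         "AdditionalConfiguration": [
             {"Name": "EKS_ADDON_MANAGEMENT", "Status": "DISABLED"}]}]}),
    # Fully enabled, matching the Terraform example above.
    "detector-b": json.dumps({"Status": "ENABLED", "Features": [
        {"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED",
         "AdditionalConfiguration": [
             {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]}]}),
    # Feature never configured at all.
    "detector-c": json.dumps({"Status": "ENABLED", "Features": []}),
    # Add-on management on but the feature itself off: agent sends nothing.
    "detector-d": json.dumps({"Status": "ENABLED", "Features": [
        {"Name": "EKS_RUNTIME_MONITORING", "Status": "DISABLED",
         "AdditionalConfiguration": [
             {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]}]}),
}


def eks_runtime_monitoring_state(detector_json: str) -> Dict[str, bool]:
    """Return whether the feature and its add-on management are both ENABLED."""
    state = {"runtime_monitoring": False, "addon_management": False}
    for feature in json.loads(detector_json).get("Features", []):
        if feature.get("Name") != "EKS_RUNTIME_MONITORING":
            continue
        state["runtime_monitoring"] = feature.get("Status") == "ENABLED"
        for extra in feature.get("AdditionalConfiguration", []):
            if extra.get("Name") == "EKS_ADDON_MANAGEMENT":
                state["addon_management"] = extra.get("Status") == "ENABLED"
    return state


def noncompliant_detectors(detectors: Dict[str, str],
                           require_addon_management: bool = True) -> List[str]:
    """Ids whose feature is off, or (optionally) whose agent deployment is off."""
    bad = []
    for detector_id, body in detectors.items():
        state = eks_runtime_monitoring_state(body)
        if not state["runtime_monitoring"] or (
                require_addon_management and not state["addon_management"]):
            bad.append(detector_id)
    return sorted(bad)


if __name__ == "__main__":
    print(noncompliant_detectors(SAMPLE_DETECTORS))
```

Feeding real `get-detector` output through `eks_runtime_monitoring_state` gives a quick drift check against what the Terraform resource is expected to have applied.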
This functionality has been released in v5.20.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
Guard Duty now supports EKS Runtime monitoring, but it is not configurable in Terraform at the moment.
References
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-eks-runtime-monitoring.html
Would you like to implement a fix?
None