sysdiglabs · kmvachhani · Feb 20, 2025 · Feb 19, 2025 · Feb 19, 2025 · Feb 19, 2025
@@ -32,6 +32,7 @@ var validatePolicyType = validation.StringInSlice([]string{
 	"drift",
 	"aws_machine_learning",
 	"machine_learning",
+	"guardduty",
 }, false)
 
 func resourceSysdigSecurePolicy() *schema.Resource {

@@ -56,6 +56,7 @@ func TestAccPolicy(t *testing.T) {
 				resource.TestStep{Config: policiesForFalcoCloudAWSCloudtrail(rText())},
 				resource.TestStep{Config: policiesForOkta(rText())},
 				resource.TestStep{Config: policiesForGithub(rText())},
+				resource.TestStep{Config: policiesForGuardDuty(rText())},
 			)
 		}
 	}
@@ -254,3 +255,14 @@ resource "sysdig_secure_policy" "sample9" {
 }
 `, name, name)
 }
+
+func policiesForGuardDuty(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_policy" "sample10" {
+  name = "TERRAFORM TEST 4 %s"
+  description = "TERRAFORM TEST %s"
+  type = "guardduty"
+  actions {}
+}
+`, name, name)
+}
@@ -18,7 +18,7 @@ import (
 	"github.com/spf13/cast"
 )
 
-var validateFalcoRuleSource = validation.StringInSlice([]string{"syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github"}, false)
+var validateFalcoRuleSource = validation.StringInSlice([]string{"syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", "guardduty"}, false)
 
 func resourceSysdigSecureRuleFalco() *schema.Resource {
 	timeout := 5 * time.Minute

@@ -285,6 +285,24 @@ func TestRuleGithubAppends(t *testing.T) {
 	runTest(steps, t)
 }
 
+func TestRuleGuardDuty(t *testing.T) {
+	steps := []resource.TestStep{
+		{
+			Config: ruleGuardDuty(randomString()),
+		},
+	}
+	runTest(steps, t)
+}
+
+func TestRuleGuardDutyAppends(t *testing.T) {
+	steps := []resource.TestStep{
+		{
+			Config: ruleGuardDutyWithAppend(),
+		},
+	}
+	runTest(steps, t)
+}
+
 func randomString() string { return acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum) }
 
 func runTest(steps []resource.TestStep, t *testing.T) {
@@ -564,3 +582,32 @@ resource "sysdig_secure_rule_falco" "github_append" {
    }
 }`
 }
+
+func ruleGuardDuty(name string) string {
+	return fmt.Sprintf(`
+	resource "sysdig_secure_rule_falco" "guardduty" {
+	  name = "TERRAFORM TEST %[1]s - GuardDuty"
+	  description = "TERRAFORM TEST %[1]s"
+	  tags = ["guardduty"]
+
+	  condition = "guardduty.resourceType=\"Container\""
+	  output = "GuardDuty Event received (account ID=%%guardduty.accountId)"
+	  priority = "debug"
+	  source = "guardduty"
+	}`, name, name)
+}
+
+func ruleGuardDutyWithAppend() string {
+	return `
+	resource "sysdig_secure_rule_falco" "guardduty_append" {
+	  name = "GuardDuty High Severity Finding on Container"
+	  source = "guardduty"
+	  append = true
+	  exceptions {
+		name = "resource_type_tf"
+		fields = ["guardduty.resourceType"]
+		comps = ["="]
+		values = jsonencode([ ["Amazon S2"] ])
+	   }
+	}`
+}
@@ -26,7 +26,7 @@ data "sysdig_secure_custom_policy" "example" {
 * `name` - (Required) The name of the Secure custom policy.
 
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
-  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 ## Attributes Reference
 

@@ -26,7 +26,7 @@ data "sysdig_secure_managed_policy" "example" {
 * `name` - (Required) The name of the Secure managed policy.
 
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
-  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 ## Attributes Reference
 

@@ -26,7 +26,7 @@ data "sysdig_secure_managed_ruleset" "example" {
 * `name` - (Required) The name of the Secure managed ruleset.
 
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
-  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 ## Attributes Reference
 

@@ -60,7 +60,7 @@ resource "sysdig_secure_custom_policy" "write_apt_database" {
 * `enabled` - (Optional) Will secure process with this rule?. By default this is true.
 
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
-  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 * `runbook` - (Optional) Customer provided url that provides a runbook for a given policy. 
 - - -

@@ -51,7 +51,7 @@ resource "sysdig_secure_managed_policy" "sysdig_runtime_threat_detection" {
 * `name` - (Required) The name of the Secure managed policy. It must match the name of an existing managed policy.
 
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
-  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 * `enabled` - (Optional) Will secure process with this policy?. By default this is true.
 

@@ -59,7 +59,7 @@ resource "sysdig_secure_managed_ruleset" "sysdig_runtime_threat_detection_manage
 
 * `enabled` - (Optional) Will secure process with this rule?. By default this is true.
 
-* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 * `runbook` - (Optional) Customer provided url that provides a runbook for a given policy. 
 - - -
@@ -70,7 +70,7 @@ The `inherited_from` block is required and identifies the managed policy that th
 
 * `name` - (Required) The name of the Secure managed policy. It must match the name of an existing managed policy.
 
-* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 - - -
 

@@ -60,7 +60,7 @@ resource "sysdig_secure_policy" "write_apt_database" {
 * `enabled` - (Optional) Will secure process with this rule?. By default this is true.
 
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
-  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 * `runbook` - (Optional) Customer provided url that provides a runbook for a given policy. 
 - - -

@@ -23,7 +23,7 @@ resource "sysdig_secure_rule_falco" "example" {
   condition = "spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint"
   output    = "A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)"
   priority  = "notice"
-  source    = "syscall" // syscall, k8s_audit, aws_cloudtrail, gcp_auditlog, azure_platformlogs, awscloudtrail okta, github
+  source    = "syscall" // syscall, k8s_audit, aws_cloudtrail, gcp_auditlog, azure_platformlogs, awscloudtrail, okta, github, guardduty
 
 
   exceptions {
@@ -64,7 +64,7 @@ The following arguments are supported:
 * `condition` - (Required) A [Falco condition](https://falco.org/docs/rules/) is simply a Boolean predicate on Sysdig events expressed using the Sysdig [filter syntax](http://www.sysdig.org/wiki/sysdig-user-guide/#filtering) and macro terms. 
 * `output` - (Optional) Add additional information to each Falco notification's output. Required if append is false.
 * `priority` - (Optional) The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
-* `source` - (Optional) The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", or "github". Required if append is false.
+* `source` - (Optional) The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
 * `exceptions` - (Optional) The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
 * `append` - (Optional) This indicates that the rule being created appends the condition to an existing Sysdig-provided
   rule. By default this is false. Appending to user-created rules is not supported by the API.