Welcome to Pulumi Registry, your window into the cloud. Read the announcement.

AWS Classic

v4.25.0 published on Friday, Oct 15, 2021 by Pulumi

PublishingDestination

Provides a resource to manage a GuardDuty PublishingDestination. Requires an existing GuardDuty Detector.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var currentCallerIdentity = Output.Create(Aws.GetCallerIdentity.InvokeAsync());
        var currentRegion = Output.Create(Aws.GetRegion.InvokeAsync());
        var gdBucket = new Aws.S3.Bucket("gdBucket", new Aws.S3.BucketArgs
        {
            Acl = "private",
            ForceDestroy = true,
        });
        var bucketPol = Output.Tuple(gdBucket.Arn, gdBucket.Arn).Apply(values =>
        {
            var gdBucketArn = values.Item1;
            var gdBucketArn1 = values.Item2;
            return Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                Statements = 
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                    {
                        Sid = "Allow PutObject",
                        Actions = 
                        {
                            "s3:PutObject",
                        },
                        Resources = 
                        {
                            $"{gdBucketArn}/*",
                        },
                        Principals = 
                        {
                            new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
                            {
                                Type = "Service",
                                Identifiers = 
                                {
                                    "guardduty.amazonaws.com",
                                },
                            },
                        },
                    },
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                    {
                        Sid = "Allow GetBucketLocation",
                        Actions = 
                        {
                            "s3:GetBucketLocation",
                        },
                        Resources = 
                        {
                            gdBucketArn1,
                        },
                        Principals = 
                        {
                            new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
                            {
                                Type = "Service",
                                Identifiers = 
                                {
                                    "guardduty.amazonaws.com",
                                },
                            },
                        },
                    },
                },
            });
        });
        var kmsPol = Output.Tuple(currentRegion, currentCallerIdentity, currentRegion, currentCallerIdentity, currentCallerIdentity).Apply(values =>
        {
            var currentRegion = values.Item1;
            var currentCallerIdentity = values.Item2;
            var currentRegion1 = values.Item3;
            var currentCallerIdentity1 = values.Item4;
            var currentCallerIdentity2 = values.Item5;
            return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                Statements = 
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                    {
                        Sid = "Allow GuardDuty to encrypt findings",
                        Actions = 
                        {
                            "kms:GenerateDataKey",
                        },
                        Resources = 
                        {
                            $"arn:aws:kms:{currentRegion.Name}:{currentCallerIdentity.AccountId}:key/*",
                        },
                        Principals = 
                        {
                            new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
                            {
                                Type = "Service",
                                Identifiers = 
                                {
                                    "guardduty.amazonaws.com",
                                },
                            },
                        },
                    },
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                    {
                        Sid = "Allow all users to modify/delete key (test only)",
                        Actions = 
                        {
                            "kms:*",
                        },
                        Resources = 
                        {
                            $"arn:aws:kms:{currentRegion1.Name}:{currentCallerIdentity1.AccountId}:key/*",
                        },
                        Principals = 
                        {
                            new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
                            {
                                Type = "AWS",
                                Identifiers = 
                                {
                                    $"arn:aws:iam::{currentCallerIdentity2.AccountId}:root",
                                },
                            },
                        },
                    },
                },
            }));
        });
        var testGd = new Aws.GuardDuty.Detector("testGd", new Aws.GuardDuty.DetectorArgs
        {
            Enable = true,
        });
        var gdBucketPolicy = new Aws.S3.BucketPolicy("gdBucketPolicy", new Aws.S3.BucketPolicyArgs
        {
            Bucket = gdBucket.Id,
            Policy = bucketPol.Apply(bucketPol => bucketPol.Json),
        });
        var gdKey = new Aws.Kms.Key("gdKey", new Aws.Kms.KeyArgs
        {
            Description = "Temporary key for AccTest of TF",
            DeletionWindowInDays = 7,
            Policy = kmsPol.Apply(kmsPol => kmsPol.Json),
        });
        var test = new Aws.GuardDuty.PublishingDestination("test", new Aws.GuardDuty.PublishingDestinationArgs
        {
            DetectorId = testGd.Id,
            DestinationArn = gdBucket.Arn,
            KmsKeyArn = gdKey.Arn,
        }, new CustomResourceOptions
        {
            DependsOn = 
            {
                gdBucketPolicy,
            },
        });
    }

}
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/guardduty"
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/kms"
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		currentCallerIdentity, err := aws.GetCallerIdentity(ctx, nil, nil)
		if err != nil {
			return err
		}
		currentRegion, err := aws.GetRegion(ctx, nil, nil)
		if err != nil {
			return err
		}
		gdBucket, err := s3.NewBucket(ctx, "gdBucket", &s3.BucketArgs{
			Acl:          pulumi.String("private"),
			ForceDestroy: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		kmsPol, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				iam.GetPolicyDocumentStatement{
					Sid: "Allow GuardDuty to encrypt findings",
					Actions: []string{
						"kms:GenerateDataKey",
					},
					Resources: []string{
						fmt.Sprintf("%v%v%v%v%v", "arn:aws:kms:", currentRegion.Name, ":", currentCallerIdentity.AccountId, ":key/*"),
					},
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						iam.GetPolicyDocumentStatementPrincipal{
							Type: "Service",
							Identifiers: []string{
								"guardduty.amazonaws.com",
							},
						},
					},
				},
				iam.GetPolicyDocumentStatement{
					Sid: "Allow all users to modify/delete key (test only)",
					Actions: []string{
						"kms:*",
					},
					Resources: []string{
						fmt.Sprintf("%v%v%v%v%v", "arn:aws:kms:", currentRegion.Name, ":", currentCallerIdentity.AccountId, ":key/*"),
					},
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						iam.GetPolicyDocumentStatementPrincipal{
							Type: "AWS",
							Identifiers: []string{
								fmt.Sprintf("%v%v%v", "arn:aws:iam::", currentCallerIdentity.AccountId, ":root"),
							},
						},
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		testGd, err := guardduty.NewDetector(ctx, "testGd", &guardduty.DetectorArgs{
			Enable: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		gdBucketPolicy, err := s3.NewBucketPolicy(ctx, "gdBucketPolicy", &s3.BucketPolicyArgs{
			Bucket: gdBucket.ID(),
			Policy: bucketPol.ApplyT(func(bucketPol iam.GetPolicyDocumentResult) (string, error) {
				return bucketPol.Json, nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}
		gdKey, err := kms.NewKey(ctx, "gdKey", &kms.KeyArgs{
			Description:          pulumi.String("Temporary key for AccTest of TF"),
			DeletionWindowInDays: pulumi.Int(7),
			Policy:               pulumi.String(kmsPol.Json),
		})
		if err != nil {
			return err
		}
		_, err = guardduty.NewPublishingDestination(ctx, "test", &guardduty.PublishingDestinationArgs{
			DetectorId:     testGd.ID(),
			DestinationArn: gdBucket.Arn,
			KmsKeyArn:      gdKey.Arn,
		}, pulumi.DependsOn([]pulumi.Resource{
			gdBucketPolicy,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws

current_caller_identity = aws.get_caller_identity()
current_region = aws.get_region()
gd_bucket = aws.s3.Bucket("gdBucket",
    acl="private",
    force_destroy=True)
bucket_pol = pulumi.Output.all(gd_bucket.arn, gd_bucket.arn).apply(lambda gdBucketArn, gdBucketArn1: aws.iam.get_policy_document(statements=[
    aws.iam.GetPolicyDocumentStatementArgs(
        sid="Allow PutObject",
        actions=["s3:PutObject"],
        resources=[f"{gd_bucket_arn}/*"],
        principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
            type="Service",
            identifiers=["guardduty.amazonaws.com"],
        )],
    ),
    aws.iam.GetPolicyDocumentStatementArgs(
        sid="Allow GetBucketLocation",
        actions=["s3:GetBucketLocation"],
        resources=[gd_bucket_arn1],
        principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
            type="Service",
            identifiers=["guardduty.amazonaws.com"],
        )],
    ),
]))
kms_pol = aws.iam.get_policy_document(statements=[
    aws.iam.GetPolicyDocumentStatementArgs(
        sid="Allow GuardDuty to encrypt findings",
        actions=["kms:GenerateDataKey"],
        resources=[f"arn:aws:kms:{current_region.name}:{current_caller_identity.account_id}:key/*"],
        principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
            type="Service",
            identifiers=["guardduty.amazonaws.com"],
        )],
    ),
    aws.iam.GetPolicyDocumentStatementArgs(
        sid="Allow all users to modify/delete key (test only)",
        actions=["kms:*"],
        resources=[f"arn:aws:kms:{current_region.name}:{current_caller_identity.account_id}:key/*"],
        principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
            type="AWS",
            identifiers=[f"arn:aws:iam::{current_caller_identity.account_id}:root"],
        )],
    ),
])
test_gd = aws.guardduty.Detector("testGd", enable=True)
gd_bucket_policy = aws.s3.BucketPolicy("gdBucketPolicy",
    bucket=gd_bucket.id,
    policy=bucket_pol.json)
gd_key = aws.kms.Key("gdKey",
    description="Temporary key for AccTest of TF",
    deletion_window_in_days=7,
    policy=kms_pol.json)
test = aws.guardduty.PublishingDestination("test",
    detector_id=test_gd.id,
    destination_arn=gd_bucket.arn,
    kms_key_arn=gd_key.arn,
    opts=pulumi.ResourceOptions(depends_on=[gd_bucket_policy]))
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const currentCallerIdentity = aws.getCallerIdentity({});
const currentRegion = aws.getRegion({});
const gdBucket = new aws.s3.Bucket("gdBucket", {
    acl: "private",
    forceDestroy: true,
});
const bucketPol = pulumi.all([gdBucket.arn, gdBucket.arn]).apply(([gdBucketArn, gdBucketArn1]) => aws.iam.getPolicyDocument({
    statements: [
        {
            sid: "Allow PutObject",
            actions: ["s3:PutObject"],
            resources: [`${gdBucketArn}/*`],
            principals: [{
                type: "Service",
                identifiers: ["guardduty.amazonaws.com"],
            }],
        },
        {
            sid: "Allow GetBucketLocation",
            actions: ["s3:GetBucketLocation"],
            resources: [gdBucketArn1],
            principals: [{
                type: "Service",
                identifiers: ["guardduty.amazonaws.com"],
            }],
        },
    ],
}));
const kmsPol = Promise.all([currentRegion, currentCallerIdentity, currentRegion, currentCallerIdentity, currentCallerIdentity]).then(([currentRegion, currentCallerIdentity, currentRegion1, currentCallerIdentity1, currentCallerIdentity2]) => aws.iam.getPolicyDocument({
    statements: [
        {
            sid: "Allow GuardDuty to encrypt findings",
            actions: ["kms:GenerateDataKey"],
            resources: [`arn:aws:kms:${currentRegion.name}:${currentCallerIdentity.accountId}:key/*`],
            principals: [{
                type: "Service",
                identifiers: ["guardduty.amazonaws.com"],
            }],
        },
        {
            sid: "Allow all users to modify/delete key (test only)",
            actions: ["kms:*"],
            resources: [`arn:aws:kms:${currentRegion1.name}:${currentCallerIdentity1.accountId}:key/*`],
            principals: [{
                type: "AWS",
                identifiers: [`arn:aws:iam::${currentCallerIdentity2.accountId}:root`],
            }],
        },
    ],
}));
const testGd = new aws.guardduty.Detector("testGd", {enable: true});
const gdBucketPolicy = new aws.s3.BucketPolicy("gdBucketPolicy", {
    bucket: gdBucket.id,
    policy: bucketPol.apply(bucketPol => bucketPol.json),
});
const gdKey = new aws.kms.Key("gdKey", {
    description: "Temporary key for AccTest of TF",
    deletionWindowInDays: 7,
    policy: kmsPol.then(kmsPol => kmsPol.json),
});
const test = new aws.guardduty.PublishingDestination("test", {
    detectorId: testGd.id,
    destinationArn: gdBucket.arn,
    kmsKeyArn: gdKey.arn,
}, {
    dependsOn: [gdBucketPolicy],
});

Create a PublishingDestination Resource

new PublishingDestination(name: string, args: PublishingDestinationArgs, opts?: CustomResourceOptions);
@overload
def PublishingDestination(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          destination_arn: Optional[str] = None,
                          destination_type: Optional[str] = None,
                          detector_id: Optional[str] = None,
                          kms_key_arn: Optional[str] = None)
@overload
def PublishingDestination(resource_name: str,
                          args: PublishingDestinationArgs,
                          opts: Optional[ResourceOptions] = None)
func NewPublishingDestination(ctx *Context, name string, args PublishingDestinationArgs, opts ...ResourceOption) (*PublishingDestination, error)
public PublishingDestination(string name, PublishingDestinationArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args PublishingDestinationArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args PublishingDestinationArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args PublishingDestinationArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args PublishingDestinationArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

PublishingDestination Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The PublishingDestination resource accepts the following input properties:

DestinationArn string
The bucket arn and prefix under which the findings get exported. Bucket-ARN is required, the prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided
DetectorId string
The detector ID of the GuardDuty.
KmsKeyArn string
The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty enforces this to be encrypted.
DestinationType string
Currently there is only “S3” available as destination type which is also the default value
DestinationArn string
The bucket arn and prefix under which the findings get exported. Bucket-ARN is required, the prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided
DetectorId string
The detector ID of the GuardDuty.
KmsKeyArn string
The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty enforces this to be encrypted.
DestinationType string
Currently there is only “S3” available as destination type which is also the default value
destinationArn string
The bucket arn and prefix under which the findings get exported. Bucket-ARN is required, the prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided
detectorId string
The detector ID of the GuardDuty.
kmsKeyArn string
The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty enforces this to be encrypted.
destinationType string
Currently there is only “S3” available as destination type which is also the default value
destination_arn str
The bucket arn and prefix under which the findings get exported. Bucket-ARN is required, the prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided
detector_id str
The detector ID of the GuardDuty.
kms_key_arn str
The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty enforces this to be encrypted.
destination_type str
Currently there is only “S3” available as destination type which is also the default value

Outputs

All input properties are implicitly available as output properties. Additionally, the PublishingDestination resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing PublishingDestination Resource

Get an existing PublishingDestination resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: PublishingDestinationState, opts?: CustomResourceOptions): PublishingDestination
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        destination_arn: Optional[str] = None,
        destination_type: Optional[str] = None,
        detector_id: Optional[str] = None,
        kms_key_arn: Optional[str] = None) -> PublishingDestination
func GetPublishingDestination(ctx *Context, name string, id IDInput, state *PublishingDestinationState, opts ...ResourceOption) (*PublishingDestination, error)
public static PublishingDestination Get(string name, Input<string> id, PublishingDestinationState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

DestinationArn string
The bucket arn and prefix under which the findings get exported. Bucket-ARN is required, the prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided
DestinationType string
Currently there is only “S3” available as destination type which is also the default value
DetectorId string
The detector ID of the GuardDuty.
KmsKeyArn string
The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty enforces this to be encrypted.
DestinationArn string
The bucket arn and prefix under which the findings get exported. Bucket-ARN is required, the prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided
DestinationType string
Currently there is only “S3” available as destination type which is also the default value
DetectorId string
The detector ID of the GuardDuty.
KmsKeyArn string
The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty enforces this to be encrypted.
destinationArn string
The bucket arn and prefix under which the findings get exported. Bucket-ARN is required, the prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided
destinationType string
Currently there is only “S3” available as destination type which is also the default value
detectorId string
The detector ID of the GuardDuty.
kmsKeyArn string
The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty enforces this to be encrypted.
destination_arn str
The bucket arn and prefix under which the findings get exported. Bucket-ARN is required, the prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided
destination_type str
Currently there is only “S3” available as destination type which is also the default value
detector_id str
The detector ID of the GuardDuty.
kms_key_arn str
The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty enforces this to be encrypted.

Import

GuardDuty PublishingDestination can be imported using the the master GuardDuty detector ID and PublishingDestinationID, e.g.

 $ pulumi import aws:guardduty/publishingDestination:PublishingDestination test a4b86f26fa42e7e7cf0d1c333ea77777:a4b86f27a0e464e4a7e0516d242f1234

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.