EventBridge API Destinationsを使ってGuardDuty検知をBacklogに自動起票してみた
### Provider
# Every resource in this file is created in the Tokyo region.
provider "aws" {
  region = "ap-northeast-1"
}
### Locals
# Name prefix shared by the role, connection, destination and rule below.
locals {
  prefix = "test"
}
### Variables
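# Backlog "add issue" endpoint that the API destination POSTs to.
# EventBridge API destinations only accept https:// endpoints.
# NOTE(review): if the Backlog apiKey travels as a query parameter inside this
# URL, keep the value out of committed tfvars and mark the variable sensitive
# (Terraform >= 0.14) - confirm how the destination authenticates to Backlog.
variable "backlog_issues_url" {
  type        = string
  description = "Backlog issues API endpoint (https://...) invoked by the EventBridge API destination."
}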
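# Backlog project that receives the issues; sent as the "projectId" field of the
# request body. A numeric literal is accepted and converted to a string.
variable "backlog_project_id" {
  type        = string
  description = "Backlog project ID used as projectId in the created issue."
}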
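# Backlog issue type assigned to every created issue ("issueTypeId" in the body).
variable "backlog_issue_type_id" {
  type        = string
  description = "Backlog issue type ID used as issueTypeId in the created issue."
}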
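# Backlog priority assigned to every created issue ("priorityId" in the body).
# The finding's own severity is only written into the description, not mapped here.
variable "backlog_priority_id" {
  type        = string
  description = "Backlog priority ID used as priorityId in the created issue."
}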
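### Resources (IAM role)
# Role EventBridge assumes when it delivers a matched event to the Backlog API
# destination; referenced as role_arn on the GuardDuty rule target.
# Policies are built with jsonencode() so the JSON cannot be malformed by hand.
# NOTE(review): recent AWS provider releases deprecate inline_policy in favour of
# aws_iam_role_policy - check the pinned provider version before upgrading.
resource "aws_iam_role" "backlog" {
  name = "${local.prefix}-backlog-events-role"

  # Trust policy: only the EventBridge service principal may assume the role.
  # NOTE(review): there is no aws:SourceAccount / aws:SourceArn condition, so the
  # trust is not scoped to this account's rules (confused-deputy guidance for
  # service principals). Consider adding one via data.aws_caller_identity and the
  # rule ARN - confirm the keys EventBridge sets for API destination targets.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action    = "sts:AssumeRole"
        Principal = { Service = "events.amazonaws.com" }
        Effect    = "Allow"
      }
    ]
  })

  inline_policy {
    name = "aws-actions"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          # Invocation is scoped to this file's destination only, not "*".
          Effect   = "Allow"
          Action   = ["events:InvokeApiDestination"]
          Resource = aws_cloudwatch_event_api_destination.backlog.arn
        },
        {
          # Secrets under the events!connection/ prefix hold the connection's
          # API key; the prefix keeps this grant away from other secrets.
          # NOTE(review): these look like the broader permissions used when
          # managing connections; the target role itself may only need the
          # InvokeApiDestination statement above. Trim after confirming.
          Effect = "Allow"
          Action = [
            "secretsmanager:CreateSecret",
            "secretsmanager:UpdateSecret",
            "secretsmanager:DescribeSecret",
            "secretsmanager:DeleteSecret",
            "secretsmanager:GetSecretValue",
            "secretsmanager:PutSecretValue",
          ]
          Resource = "arn:aws:secretsmanager:*:*:secret:events!connection/*"
        }
      ]
    })
  }
}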
### Resources(EventBridge)
# Connection
# Credentials EventBridge attaches to each request it sends to the API destination.
# With API_KEY authorization the key/value pair is sent as an HTTP header, and the
# value is kept by EventBridge in a Secrets Manager secret (the events!connection/
# secrets the IAM role above is allowed to touch).
# NOTE(review): "dummy-key" / "dummy-value" are placeholders. Never commit a real
# Backlog API key here - feed it from a sensitive variable or a secret store.
# The real apiKey presumably reaches Backlog another way (e.g. inside
# backlog_issues_url) - confirm, since that URL is then itself a secret.
resource "aws_cloudwatch_event_connection" "backlog" {
  name               = "${local.prefix}-backlog"
  authorization_type = "API_KEY"

  auth_parameters {
    api_key {
      key   = "dummy-key"
      value = "dummy-value"
    }
  }
}
# API Destination
# HTTPS endpoint the transformed finding is POSTed to, authenticated with the
# connection above. Invocations are capped at 2 per second.
resource "aws_cloudwatch_event_api_destination" "backlog" {
  name                             = "${local.prefix}-backlog-issues"
  invocation_endpoint              = var.backlog_issues_url
  http_method                      = "POST"
  invocation_rate_limit_per_second = 2
  connection_arn                   = aws_cloudwatch_event_connection.backlog.arn
}
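# EventBridge rule
# Matches GuardDuty findings as Security Hub imports them (source aws.securityhub,
# detail-type "Security Hub Findings - Imported"), not GuardDuty's native events,
# so Security Hub and its GuardDuty integration must be enabled for this to fire.
# Only ACTIVE findings with workflow status NEW and severity LOW..CRITICAL match;
# INFORMATIONAL findings and already-triaged or archived findings are ignored.
# NOTE(review): Security Hub can re-emit a still-NEW finding when it is updated,
# which would open another issue - confirm whether duplicates are acceptable.
# The pattern is built with jsonencode() so it cannot be malformed by hand.
resource "aws_cloudwatch_event_rule" "guardduty" {
  name           = "${local.prefix}-security-events-guardduty"
  event_bus_name = "default"

  event_pattern = jsonencode({
    "detail-type" = ["Security Hub Findings - Imported"]
    source        = ["aws.securityhub"]
    detail = {
      findings = {
        ProductName = ["GuardDuty"]
        RecordState = ["ACTIVE"]
        Workflow    = { Status = ["NEW"] }
        Severity    = { Label = ["LOW", "MEDIUM", "HIGH", "CRITICAL"] }
      }
    }
  })
}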
# Target: deliver matched findings to the Backlog API destination using the role
# above, after reshaping the event into Backlog's "add issue" request body.
resource "aws_cloudwatch_event_target" "guardduty" {
  event_bus_name = "default"
  rule           = aws_cloudwatch_event_rule.guardduty.name
  target_id      = "backlog"
  arn            = aws_cloudwatch_event_api_destination.backlog.arn
  role_arn       = aws_iam_role.backlog.arn

  input_transformer {
    # Only the first finding of the event ($.detail.findings[0]) is read; if an
    # event ever carries several findings the rest are dropped - confirm.
    input_paths = {
      Description  = "$.detail.findings[0].Description"
      Id           = "$.detail.findings[0].Id"
      Title        = "$.detail.findings[0].Title"
      Severity     = "$.detail.findings[0].Severity.Label"
      SourceUrl    = "$.detail.findings[0].SourceUrl"
      FindingType  = "$.detail.findings[0].Types[0]"
      AwsAccountId = "$.detail.findings[0].AwsAccountId"
    }

    # <Placeholder> tokens are substituted by EventBridge; ${var...} by Terraform.
    # Id is extracted above but not used in the body.
    # NOTE(review): values are inserted verbatim inside quoted JSON strings, so a
    # Title or Description containing a double quote or newline may yield an
    # invalid body that Backlog rejects - confirm and consider a dead-letter queue.
    input_template = <<-EOF
    {
    "projectId": "${var.backlog_project_id}",
    "summary": "<FindingType> found at AWS account <AwsAccountId>",
    "description": "<Title><br /><br />Description:<br /><Description><br /><br />Severity:<br /><Severity><br /><br />Links:<br />[GuardDuty](<SourceUrl>)",
    "issueTypeId": "${var.backlog_issue_type_id}",
    "priorityId": "${var.backlog_priority_id}"
    }
    EOF
  }
}