migrate resources from v1 (alarms, SNS topic)

DNXLabs · May 6, 2022 · 094a0bc · 094a0bc
1 parent 3fc919f
commit 094a0bc
Show file tree

Hide file tree

Showing 10 changed files with 717 additions and 11 deletions.
diff --git a/_data.tf b/_data.tf
@@ -0,0 +1,3 @@
+data "aws_cloudwatch_log_group" "cloudtrail" {
+  name = var.cloudtrail_log_group_name
+}
diff --git a/_outputs.tf b/_outputs.tf
@@ -2,3 +2,8 @@ output "lambda_arn" {
   description = "The ARN from lambda custom message"
   value       = aws_lambda_function.lambda.arn
 }
+
+output "alarm_sns_topic" {
+  description = "The SNS topic to which CloudWatch Alarms will be sent."
+  value       = aws_sns_topic.alarms
+}
diff --git a/_variables.tf b/_variables.tf
@@ -12,17 +12,23 @@ variable "cloudtrail_log_group_name" {
   description = "The name of the loggroup that will get information from"
 }
 
-variable "aws_sns_topic_arn" {
-  description = "The ARN of SNS Topic where the notification will be sent"
-}
-
 variable "lambda_timeout" {
   description = "Set lambda Timeout"
   default = 3
 }
 
-variable "cloudwatch_log_cloudtrail_arn" {
-  description = "Cloudwatch Loggroup ARN"
+variable "sns_topic_name" {
+  description = "The name of the SNS Topic which will be notified when any alarm is performed."
+  default     = "CISAlarmV2"
+} 
+
+variable "alarm_account_ids" {
+  default = []
+}
+
+variable "alarm_mode" {
+  default     = "light"
+  description = "Version of alarms to use. 'light' or 'full' available"
 }
 
 variable "tags" {
@@ -31,3 +37,4 @@ variable "tags" {
     "Terraform" = true
   }
 }
+
diff --git a/alarms.tf b/alarms.tf
@@ -0,0 +1,100 @@
+# --------------------------------------------------------------------------------------------------
+# The SNS topic to which CloudWatch alarms send events.
+# --------------------------------------------------------------------------------------------------
+data "aws_caller_identity" "current" {}
+
+resource "aws_sns_topic" "alarms" {
+  count             = var.enabled ? 1 : 0
+  name              = var.sns_topic_name
+  kms_master_key_id = aws_kms_key.sns[0].id # default key does not allow cloudwatch alarms to publish
+  tags              = var.tags
+}
+
+data "aws_iam_policy_document" "kms_policy_sns" {
+  count = var.enabled ? 1 : 0
+  statement {
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+  statement {
+    actions = ["kms:Decrypt", "kms:GenerateDataKey*"]
+    principals {
+      type        = "Service"
+      identifiers = ["cloudwatch.amazonaws.com"]
+    }
+    resources = ["*"]
+    sid       = "allow-cloudwatch-kms"
+  }
+}
+
+resource "aws_kms_key" "sns" {
+  count                   = var.enabled ? 1 : 0
+  deletion_window_in_days = 7
+  description             = "SNS CMK Encryption Key"
+  enable_key_rotation     = true
+  policy                  = data.aws_iam_policy_document.kms_policy_sns[0].json
+}
+
+resource "aws_sns_topic_policy" "alarms" {
+  count  = var.enabled ? 1 : 0
+  arn    = aws_sns_topic.alarms[0].arn
+  policy = data.aws_iam_policy_document.alarms_policy[0].json
+}
+
+data "aws_iam_policy_document" "alarms_policy" {
+  count     = var.enabled ? 1 : 0
+  policy_id = "allow-org-accounts"
+
+  statement {
+    actions = [
+      "SNS:GetTopicAttributes",
+      "SNS:SetTopicAttributes",
+      "SNS:AddPermission",
+      "SNS:RemovePermission",
+      "SNS:DeleteTopic",
+      "SNS:Subscribe",
+      "SNS:ListSubscriptionsByTopic",
+      "SNS:Publish",
+      "SNS:Receive"
+    ]
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceOwner"
+      values   = var.alarm_account_ids
+    }
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    resources = [
+      aws_sns_topic.alarms[0].arn,
+    ]
+    sid = "allow-org-accounts"
+  }
+}
+
+resource "random_string" "cloudtrail_alarm_suffix" {
+  count   = var.enabled ? 1 : 0
+  length  = 8
+  special = false
+  lower   = true
+  upper   = false
+  number  = false
+}
+
+resource "aws_cloudformation_stack" "cloudtrail_alarm" {
+  count         = var.enabled ? 1 : 0
+  name          = "cloudtrail-alarm-${random_string.cloudtrail_alarm_suffix[0].result}"
+  template_body = var.alarm_mode == "full" ? file("${path.module}/cloudtrail-alarms-full.cf.json") : file("${path.module}/cloudtrail-alarms-light.cf.yml")
+
+  parameters = {
+    CloudTrailLogGroupName = data.aws_cloudwatch_log_group.cloudtrail.name
+    AlarmNotificationTopic = aws_sns_topic.alarms[0].id
+  }
+}