Readme updated

README.md

@@ -5,15 +5,27 @@
 
 <!--- BEGIN_TF_DOCS --->
 
-# AWS CloudTrail Terraform Module
+# AWS CloudTrail Notification Terraform Module
 
-Terraform module to provision an CloudTrail notification.
+Terraform module to provision an CloudTrail with a custom notification.
+
+## Introduction
+- When you get an alarm, you want enough information to decide whether it needs immediate attention or not. You also want to customize the notification message to operational needs. The **CloudWatch Logs Customize Alarms** is a Lambda function that helps in reading the logs from CloudWatch Logs during an alarm and send a customized email through SNS.
+
+## Flow of Events
+
+![Flow of events](./assets/cloudtrail_notification.jpeg)
 
 ## Prerequisites
 
+- [CloudWatch log group](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) Logs has a Log group with a metric filter.
+* [CloudWatch Alarm](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html)  is created to trigger when that metric exceeds a threshold.
+- [SNS](https://docs.aws.amazon.com/sns/latest/dg/sns-create-topic.html) subscription topic responsible to send the custom notification.
 
+## Triggers
+* The Lambda function is triggered on a SNS event.
+* You need to provide the SNS topic.
 
-## Features
 
 
 
@@ -23,41 +35,64 @@ This example:.
 
 ```terraform
 locals {
- 
- 
+  log_group_name    = "LogGroupName"
+  sns_topic_arn     = "arn:aws:sns:us-east-2:444455556666:MyTopic"
+  cloud_watch_log_group_arn     = "arn:aws:logs:us-east-2:444455556666:MyLog"
 }
 
+module "cloudtrail_custom_alarms" {
+  enabled ? 1 : 0
+  cloudtrail_log_group_name     = local.log_group_name
+  aws_sns_topic_arn             = local.sns_topic_arn
+  lambda_timeout                = 5
+  cloudwatch_log_cloudtrail_arn = local.cloud_watch_log_group_arn
+}
 
 ```
 
-## Examples
-
-
 ## Requirements
 
 | Name | Version |
 |------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | = 3.74.1 |
+
 
 
 ## Resources
 
 | Name | Type |
 |------|------|
-resource |
-resource |
-opendistro_roles_mapping) | resource |
-|  | resource |
-|  | data source |
-|  | data source |
-|  | data source |
-|  | data source |
+| [aws_lambda_function.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_permission.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_cloudwatch_log_group.alarm_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_role.iam_for_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy.lambda_cw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role_policy_attachment.lambda_cw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_cloudwatch_event_rule.alarm_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_target.lambda_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_iam_policy_document.lambda_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [archive_file.lambda_zip](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/archive_file) | data source |
 
-## Inputs
 
+## Inputs
 
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| lambda_name | The name for the lambda resource for the custom message.  | `string` | `lambda_alarm_notification` | no |
+| cloudtrail_log_group_name | The name of the cloudtrail logGroup that will get information from to create custom message. | `string` | n/a | yes |
+| aws_sns_topic_arn | The ARN of SNS Topic where the notification will be sent | `string` | n/a | yes |
+| lambda_timeout | Set lambda Timeout. | `number` | 3 | no |
+| cloudwatch_log_cloudtrail_arn | Cloudwatch Loggroup ARN | `string` | n/a | yes |
+| tags | A map of tags to add to all resources. | `map(string)` | `{}` | no |
 
 ## Outputs
 
+| Name | Description |
+|------|-------------|
+| lambda_arn | The Lambda ARN. |
+
 
 <!-- END_TF_DOCS -->
 

_outputs.tf

@@ -1,4 +1,4 @@
-# output "alarm_sns_topic" {
-#   description = "The SNS topic to which CloudWatch Alarms will be sent."
-#   value       = aws_sns_topic.alarms
-# }
+output "lambda_arn" {
+  description = "The ARN from lambda custom message"
+  value       = aws_lambda_function.lambda.arn
+}

_variables.tf

@@ -3,7 +3,7 @@ variable "enabled" {
   default     = true
 }
 
-variable "lambda_alarm_name" {
+variable "lambda_name" {
   description = "The name of the lambda which will be notified with a custom message when any alarm is performed."
   default     = "lambda_alarm_notification"
 }
@@ -16,6 +16,15 @@ variable "aws_sns_topic_arn" {
   description = "The ARN of SNS Topic where the notification will be sent"
 }
 
+variable "lambda_timeout" {
+  description = "Set lambda Timeout"
+  default = 3
+}
+
+variable "cloudwatch_log_cloudtrail_arn" {
+  description = "Cloudwatch Loggroup ARN"
+}
+
 variable "tags" {
   description = "Specifies object tags key and value. This applies to all resources created by this module."
   default = {

iam.tf

@@ -13,34 +13,28 @@ data "aws_iam_policy_document" "lambda_assume_role" {
 resource "aws_iam_role" "iam_for_lambda" {
   name               = "iam_for_lambda"
   assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
+  tags = var.tags
 }
 
 resource "aws_iam_policy" "lambda_cw" {
   name        = "lambda_cw"
   path        = "/"
   description = "IAM policy for logging from a lambda"
-
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
       {
-        Action = [
+        Action : [
           "cloudwatch:GetMetricData",
           "cloudwatch:ListMetrics",
-          "cloudwatch:DescribeAlarms"
-        ]
-        Effect   = "Allow"
-        Resource = ["arn:aws:lambda:*:*:*", "arn:aws:logs:*:*:*","arn:aws:cloudwatch:*:*:*"]
-      },
-      {
-        Action : [
+          "cloudwatch:DescribeAlarms",
           "logs:CreateLogGroup",
           "logs:CreateLogStream",
           "logs:PutLogEvents",
           "logs:DescribeMetricFilters",
           "logs:FilterLogEvents"
         ],
-        Resource : "arn:aws:logs:*:*:*",
+        Resource : [aws_lambda_function.lambda.arn,"arn:aws:logs:*:*:*","arn:aws:cloudwatch:*:*:*"]
         Effect : "Allow"
       },
       {
@@ -64,6 +58,7 @@ resource "aws_iam_policy" "lambda_cw" {
 resource "aws_iam_role_policy_attachment" "lambda_cw" {
   role       = aws_iam_role.iam_for_lambda.name
   policy_arn = aws_iam_policy.lambda_cw.arn
+  tags = var.tags
 }
 
 

lambda/index.js

@@ -81,10 +81,9 @@ function getMetricsFilter(metricName, metricNamespace, fn) {
 function getFilterLogEvents(logGroupName, filterPattern, time, fn) {
     var startTime = new Date(time);
     var endTime = new Date(time);
-    startTime.setSeconds(startTime.getSeconds() - 180);
+    startTime.setSeconds(startTime.getSeconds() - process.env.OFFSET);
     console.error(startTime)
     console.error(endTime)
-    // var offset = process.env.OFFSET;
     var parameters = {
         'logGroupName': logGroupName,
         'filterPattern': filterPattern,

main.tf

@@ -1,21 +1,17 @@
 resource "aws_lambda_function" "lambda" {
   filename      = data.archive_file.lambda_zip.output_path
-  function_name = var.lambda_alarm_name
+  function_name = var.lambda_name
   role          = aws_iam_role.iam_for_lambda.arn
   handler       = "index.handler"
-  timeout = 5
-  # The filebase64sha256() function is available in Terraform 0.11.12 and later
-  # For Terraform 0.11.11 and earlier, use the base64sha256() function and the file() function:
-  # source_code_hash = "${base64sha256(file("lambda_function_payload.zip"))}"
+  timeout       = var.lambda_timeout
   source_code_hash = filebase64sha256(data.archive_file.lambda_zip.output_path)
-
   runtime = "nodejs12.x"
-
+  tags = var.tags
   environment {
     variables = {
       LOG_GROUP = var.cloudtrail_log_group_name,
       TOPIC_ARN=var.aws_sns_topic_arn,
-      OFFSET=400000
+      OFFSET=180
     }
   }
 }
@@ -26,16 +22,17 @@ resource "aws_lambda_permission" "default" {
   function_name = aws_lambda_function.lambda.function_name
   principal     = "events.amazonaws.com"
   source_arn    = aws_cloudwatch_event_rule.alarm_notification.arn
+  tags = var.tags
 }
 
 data "archive_file" "lambda_zip" {
   type = "zip"
-
   source_dir  = "${path.module}/lambda"
   output_path = "${path.module}/lambda.zip"
 }
 
 resource "aws_cloudwatch_log_group" "alarm_lambda" {
-  name = "/aws/lambda/${var.lambda_alarm_name}"
+  name = "/aws/lambda/${var.lambda_name}"
   retention_in_days = 14
+  tags = var.tags
 }