enable generic msg back to sns
renato-dnx committed Aug 20, 2024
1 parent 16ec64a commit 585ef51
Showing 5 changed files with 21 additions and 17 deletions.
7 changes: 5 additions & 2 deletions _variables.tf
Expand Up @@ -27,11 +27,14 @@ variable "alarm_notification_sns_topic" {
default = ""
}

variable "emails" {
variable "endpoints" {
default = []
type = list(string)
}

variable "alarm_protocol" {
default = "email"
type = string
}
variable "alarm_mode" {
default = "light"
type = string
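Review bot: The new `alarm_protocol` variable (the block that ends just before `alarm_mode`) accepts any string, yet event_bridge.tf branches on `var.alarm_protocol == "email"` and sns.tf passes the value straight into `aws_sns_topic_subscription.protocol`, so a typo such as `Email` or an unsupported value silently sends the EventBridge target to the SNS topic and only fails at apply time. A `validation` block pins the value to the SNS protocols the module actually wires up, and I would leave plaintext `http` out of the allow-list so alarm payloads are never pushed to an unencrypted endpoint. If `https` webhooks with tokens embedded in the URL are an expected use, `endpoints` could also be marked `sensitive = true` to keep them out of plan output — that depends on how callers use it. A one-line `description` on both new variables would help as well.

```hcl
variable "alarm_protocol" {
  # … unchanged: default and type …

  # Must be one of the SNS subscription protocols this module is prepared to
  # wire up; plaintext "http" is deliberately excluded.
  validation {
    condition     = contains(["email", "email-json", "sms", "sqs", "lambda", "https"], var.alarm_protocol)
    error_message = "alarm_protocol must be one of: email, email-json, sms, sqs, lambda, https."
  }
}
```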
6 changes: 3 additions & 3 deletions event_bridge.tf
@@ -1,5 +1,5 @@
resource "aws_cloudwatch_event_rule" "alarm_notification" {
count = length(var.emails) > 0 ? 1 : 0
count = length(var.endpoints) > 0 ? 1 : 0
name = "cloudtrail_alarm_custom_notifications"
description = "Will be notified with a custom message when any alarm is performed"

Expand All @@ -23,8 +23,8 @@ resource "aws_cloudwatch_event_rule" "alarm_notification" {
}

resource "aws_cloudwatch_event_target" "lambda_target" {
count = length(var.emails) > 0 ? 1 : 0
count = length(var.endpoints) > 0 ? 1 : 0
rule = aws_cloudwatch_event_rule.alarm_notification[0].name
target_id = "NotifyLambda"
arn = aws_lambda_function.lambda[0].arn
arn = var.alarm_protocol == "email" ? aws_lambda_function.lambda[0].arn : aws_sns_topic.alarms[0].arn
}
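Review bot: With `arn` on the last line of `lambda_target` now pointing at `aws_sns_topic.alarms[0]` for every non-email protocol, EventBridge publishes the raw event JSON to the topic — the target has no `input` or `input_transformer` — so SMS/SQS/HTTPS subscribers receive the bare event rather than the "custom message" the rule's `description` promises; either add an `input_transformer` or reword the description, and `target_id = "NotifyLambda"` deserves a protocol-neutral name now that it may point at SNS. Delivery from EventBridge to this topic also depends on the topic policy in sns.tf allowing `sns:Publish` from `events.amazonaws.com` and on the `var.kms_key` key policy granting that principal `kms:GenerateDataKey*`/`kms:Decrypt`; nothing in this commit adds either, so unless the collapsed `alarms_policy` statements already do, non-email invocations will fail quietly and only show up as FailedInvocations on the rule. If the Lambda is later gated on the protocol, reading the ARN with `one(aws_lambda_function.lambda[*].arn)` instead of `[0]` keeps the unselected branch from producing an index error.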
8 changes: 4 additions & 4 deletions iam.tf
@@ -1,5 +1,5 @@
data "aws_iam_policy_document" "lambda_assume_role" {
count = length(var.emails) > 0 ? 1 : 0
count = length(var.endpoints) > 0 ? 1 : 0
statement {
actions = ["sts:AssumeRole"]
principals {
Expand All @@ -10,14 +10,14 @@ data "aws_iam_policy_document" "lambda_assume_role" {
}

resource "aws_iam_role" "iam_for_lambda" {
count = length(var.emails) > 0 ? 1 : 0
count = length(var.endpoints) > 0 ? 1 : 0
name = "cloudtrail-cn-role-${data.aws_region.current.name}"
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role[0].json
tags = var.tags
}

resource "aws_iam_policy" "lambda_cw" {

Check failure on line 19 in iam.tf


GitHub Actions / scan

CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"

Check failure on line 19 in iam.tf


GitHub Actions / scan

CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
count = length(var.emails) > 0 ? 1 : 0
count = length(var.endpoints) > 0 ? 1 : 0
name = "cloudtrail-cn-policy-${data.aws_region.current.name}"
path = "/"
description = "IAM policy for logging from a lambda"
Expand Down Expand Up @@ -53,7 +53,7 @@ resource "aws_iam_policy" "lambda_cw" {
}

resource "aws_iam_role_policy_attachment" "lambda_cw" {
count = length(var.emails) > 0 ? 1 : 0
count = length(var.endpoints) > 0 ? 1 : 0
role = aws_iam_role.iam_for_lambda[0].name
policy_arn = aws_iam_policy.lambda_cw[0].arn
}
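Review bot: `lambda_cw` (the policy whose body is collapsed between this hunk and the one at line 53) is flagged by the CI scan for `Resource = "*"` on write actions (CKV_AWS_290, CKV_AWS_355); the finding predates this commit, but now that non-email protocols bypass the Lambda entirely this role and policy get provisioned in deployments where nothing ever assumes them, which is a good reason to tighten them while the file is being touched. If the statements are the usual `logs:CreateLogStream`/`logs:PutLogEvents` pair the `description` suggests, scope them to the group main.tf creates, `resources = ["${aws_cloudwatch_log_group.alarm_lambda[0].arn}:*"]`, and drop any `logs:CreateLogGroup` since the group is Terraform-managed — I cannot see the body here, so verify before changing it. The role, policy, attachment and the `lambda_assume_role` data source at the top of the file should also share whatever `count` expression the Lambda ends up with, e.g. `count = length(var.endpoints) > 0 && var.alarm_protocol == "email" ? 1 : 0`, so the `[0]` references between them keep resolving.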
7 changes: 4 additions & 3 deletions main.tf
@@ -1,5 +1,5 @@
resource "aws_lambda_function" "lambda" {

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_173: "Check encryption settings for Lambda environmental variable"

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
count = length(var.emails) > 0 ? 1 : 0
count = length(var.endpoints) > 0 ? 1 : 0
filename = "${path.module}/lambda.zip"
function_name = var.lambda_name
role = aws_iam_role.iam_for_lambda[0].arn
Expand All @@ -21,7 +21,7 @@ resource "aws_lambda_function" "lambda" {
}

resource "aws_lambda_permission" "default" {
count = length(var.emails) > 0 ? 1 : 0
count = length(var.endpoints) > 0 ? 1 : 0
statement_id = "AllowExecutionFromEventBridge"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.lambda[0].function_name
Expand All @@ -30,8 +30,9 @@ resource "aws_lambda_permission" "default" {
}

resource "aws_cloudwatch_log_group" "alarm_lambda" {

Check failure on line 32 in main.tf


GitHub Actions / scan

CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
count = length(var.emails) > 0 ? 1 : 0
count = length(var.endpoints) > 0 ? 1 : 0
name = "/aws/lambda/${var.lambda_name}"
retention_in_days = 365
kms_key_id = var.kms_key
tags = var.tags
}
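Review bot: `aws_lambda_function.lambda`, `aws_lambda_permission.default` and the log group are all still created whenever `endpoints` is non-empty, so a deployment with a non-email `alarm_protocol` ships a function that nothing invokes but that EventBridge is still permitted to call (`lambda:InvokeFunction`; the permission's principal and `source_arn` sit outside the visible lines) — an extra code path to patch and scan for no benefit, and the five Checkov findings on this resource (no DLQ, no concurrency limit, no code signing, …) now attach to dead code. Gate the three resources on the protocol with `count = length(var.endpoints) > 0 && var.alarm_protocol == "email" ? 1 : 0`, mirroring the `var.alarm_protocol == "email"` branch in event_bridge.tf, and give the IAM role chain in iam.tf that the function references via `[0]` the same expression. Once that is in place the EventBridge target should read the function ARN with `one(aws_lambda_function.lambda[*].arn)` rather than `[0]`. For the email path that stays on Lambda, a `dead_letter_config` would stop failed notification attempts from vanishing silently — in a CloudTrail alarm pipeline that is a detection gap, not just a scanner finding.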
10 changes: 5 additions & 5 deletions sns.tf
Expand Up @@ -2,21 +2,21 @@
# The SNS topic to which CloudWatch alarms send events.
# --------------------------------------------------------------------------------------------------
resource "aws_sns_topic" "alarms" {

Check failure on line 4 in sns.tf


GitHub Actions / scan

CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
count = length(var.emails) > 0 ? 1 : 0
count = length(var.endpoints) > 0 ? 1 : 0
name = var.sns_topic_name
kms_master_key_id = var.kms_key #aws_kms_key.sns[0].id # default key does not allow cloudwatch alarms to publish
tags = var.tags
}


resource "aws_sns_topic_policy" "alarms" {
count = length(var.emails) > 0 ? 1 : 0
count = length(var.endpoints) > 0 ? 1 : 0
arn = aws_sns_topic.alarms[0].arn
policy = data.aws_iam_policy_document.alarms_policy[0].json
}

data "aws_iam_policy_document" "alarms_policy" {
count = length(var.emails) > 0 ? 1 : 0
count = length(var.endpoints) > 0 ? 1 : 0
policy_id = "allow-org-accounts"

statement {
Expand Down Expand Up @@ -46,8 +46,8 @@ data "aws_iam_policy_document" "alarms_policy" {
}

resource "aws_sns_topic_subscription" "cloudtrail_custom_alarm_email" {
for_each = toset(var.emails)
for_each = toset(var.endpoints)
topic_arn = aws_sns_topic.alarms[0].arn
protocol = "email"
protocol = var.alarm_protocol
endpoint = each.value
}
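Review bot: Nothing in this section lets EventBridge publish to the topic, yet event_bridge.tf now targets `aws_sns_topic.alarms[0]` directly for every non-email protocol; `alarms_policy` (`allow-org-accounts`) is only renamed here and its statements are collapsed, so unless one of them already names `events.amazonaws.com` the new path needs a statement like the one below, constrained with `aws:SourceArn` to this module's rule so arbitrary EventBridge rules cannot publish into the topic. The `kms_master_key_id = var.kms_key` line carries the same requirement for the key policy (`kms:GenerateDataKey*` and `kms:Decrypt` for the EventBridge service principal), which lives outside this module — the comment on that line already records the equivalent problem for CloudWatch alarms, and this note should be extended to cover EventBridge. On `cloudtrail_custom_alarm_email`, `protocol = var.alarm_protocol` with an `http` value would push alarm details to a plaintext endpoint, and `sqs`/`lambda` endpoints need their own resource policy granting `sns.amazonaws.com`, so either reject `http` through variable validation or document the supported set; the `_email` suffix is also now a misnomer, though renaming the resource needs a `moved` block to avoid recreating confirmed subscriptions.

```hcl
data "aws_iam_policy_document" "alarms_policy" {
  # … unchanged: count, policy_id and existing statements …

  # Let the EventBridge rule in event_bridge.tf publish directly to the topic
  # when alarm_protocol is not "email". Only that rule's ARN is accepted, not
  # every caller carrying the events.amazonaws.com principal.
  statement {
    sid     = "AllowEventBridgePublish"
    effect  = "Allow"
    actions = ["sns:Publish"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    resources = [aws_sns_topic.alarms[0].arn]
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.alarm_notification[0].arn]
    }
  }
}
```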
