diff --git a/_variables.tf b/_variables.tf
index 78e4268..5b5f4cb 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -27,11 +27,14 @@ variable "alarm_notification_sns_topic" {
 default = ""
 }
-variable "emails" {
+variable "endpoints" {
 default = []
 type = list(string)
 }
-
+variable "alarm_protocol" {
+ default = "email"
+ type = string
+}
 variable "alarm_mode" {
 default = "light"
 type = string
diff --git a/event_bridge.tf b/event_bridge.tf
index 170da31..693421c 100644
--- a/event_bridge.tf
+++ b/event_bridge.tf
@@ -1,5 +1,5 @@
 resource "aws_cloudwatch_event_rule" "alarm_notification" {
- count = length(var.emails) > 0 ? 1 : 0
+ count = length(var.endpoints) > 0 ? 1 : 0
 name = "cloudtrail_alarm_custom_notifications"
 description = "Will be notified with a custom message when any alarm is performed"
@@ -23,8 +23,8 @@ resource "aws_cloudwatch_event_rule" "alarm_notification" {
 }
 resource "aws_cloudwatch_event_target" "lambda_target" {
- count = length(var.emails) > 0 ? 1 : 0
+ count = length(var.endpoints) > 0 ? 1 : 0
 rule = aws_cloudwatch_event_rule.alarm_notification[0].name
 target_id = "NotifyLambda"
- arn = aws_lambda_function.lambda[0].arn
+ arn = var.alarm_protocol == "email" ? aws_lambda_function.lambda[0].arn : aws_sns_topic.alarms[0].arn
 }
diff --git a/iam.tf b/iam.tf
index 16ef74b..f572747 100644
--- a/iam.tf
+++ b/iam.tf
@@ -1,5 +1,5 @@
 data "aws_iam_policy_document" "lambda_assume_role" {
- count = length(var.emails) > 0 ? 1 : 0
+ count = length(var.endpoints) > 0 ? 1 : 0
 statement {
 actions = ["sts:AssumeRole"]
 principals {
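Review bot: `alarm_protocol` is accepted as any free-form string even though the module branches on it (`var.alarm_protocol == "email"` in event_bridge.tf) and passes it straight through as `aws_sns_topic_subscription.protocol`; a typo or an unsupported value silently takes the SNS-target branch and then fails at apply time on the subscription. A `validation` block on the new variable, e.g. `validation { condition = contains(["email", /* other protocols this module supports */], var.alarm_protocol); error_message = "alarm_protocol must be one of the supported SNS protocols." }`, would surface that at plan time, and both `endpoints` and `alarm_protocol` should carry a `description` stating that the format of each endpoint (address, phone number, URL or ARN) is dictated by the protocol. Renaming `emails` to `endpoints` is also a breaking interface change for every existing caller of the module with no deprecation path; it should at least be called out in the release notes.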
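Review bot: When `alarm_protocol` is not `"email"`, `lambda_target` now points EventBridge at `aws_sns_topic.alarms[0]`, but nothing in this diff grants the `events.amazonaws.com` service principal `sns:Publish` on that topic — `aws_sns_topic_policy.alarms` is built from `alarms_policy` (`allow-org-accounts`), whose statements are outside the hunks shown, so unless it already covers EventBridge, deliveries will be dropped without any plan-time error. Because the topic is encrypted with `var.kms_key`, the key policy likewise has to allow EventBridge `kms:GenerateDataKey` and `kms:Decrypt` before it can publish. Separately, the lambda, its IAM role and policy, the invoke permission and the log group (the iam.tf and main.tf hunks) are still gated only on `length(var.endpoints) > 0`, so a non-email deployment provisions an unused function together with an assumable role; gating those `count` expressions on `var.alarm_protocol == "email"` as well would avoid leaving that privileged but dead resource set behind. `target_id = "NotifyLambda"` and the resource name `lambda_target` also become misleading on the SNS branch.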
@@ -10,14 +10,14 @@ data "aws_iam_policy_document" "lambda_assume_role" {
 }
 resource "aws_iam_role" "iam_for_lambda" {
- count = length(var.emails) > 0 ? 1 : 0
+ count = length(var.endpoints) > 0 ? 1 : 0
 name = "cloudtrail-cn-role-${data.aws_region.current.name}"
 assume_role_policy = data.aws_iam_policy_document.lambda_assume_role[0].json
 tags = var.tags
 }
 resource "aws_iam_policy" "lambda_cw" {
- count = length(var.emails) > 0 ? 1 : 0
+ count = length(var.endpoints) > 0 ? 1 : 0
 name = "cloudtrail-cn-policy-${data.aws_region.current.name}"
 path = "/"
 description = "IAM policy for logging from a lambda"
@@ -53,7 +53,7 @@ resource "aws_iam_policy" "lambda_cw" {
 }
 resource "aws_iam_role_policy_attachment" "lambda_cw" {
- count = length(var.emails) > 0 ? 1 : 0
+ count = length(var.endpoints) > 0 ? 1 : 0
 role = aws_iam_role.iam_for_lambda[0].name
 policy_arn = aws_iam_policy.lambda_cw[0].arn
 }
diff --git a/main.tf b/main.tf
index a824140..ef906b7 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,5 @@
 resource "aws_lambda_function" "lambda" {
- count = length(var.emails) > 0 ? 1 : 0
+ count = length(var.endpoints) > 0 ? 1 : 0
 filename = "${path.module}/lambda.zip"
 function_name = var.lambda_name
 role = aws_iam_role.iam_for_lambda[0].arn
@@ -21,7 +21,7 @@ resource "aws_lambda_function" "lambda" {
 }
 resource "aws_lambda_permission" "default" {
- count = length(var.emails) > 0 ? 1 : 0
+ count = length(var.endpoints) > 0 ? 1 : 0
 statement_id = "AllowExecutionFromEventBridge"
 action = "lambda:InvokeFunction"
 function_name = aws_lambda_function.lambda[0].function_name
@@ -30,8 +30,9 @@ resource "aws_lambda_permission" "default" {
 }
 resource "aws_cloudwatch_log_group" "alarm_lambda" {
- count = length(var.emails) > 0 ? 1 : 0
+ count = length(var.endpoints) > 0 ? 1 : 0
 name = "/aws/lambda/${var.lambda_name}"
 retention_in_days = 365
+ kms_key_id = var.kms_key
 tags = var.tags
 }
diff --git a/sns.tf b/sns.tf
index 0ddad30..cf81d6f 100644
--- a/sns.tf
+++ b/sns.tf
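Review bot: `kms_key_id = var.kms_key` on `aws_cloudwatch_log_group.alarm_lambda` reuses the key already attached to `aws_sns_topic.alarms`, and the comment on that topic records that the key policy had to be adjusted before CloudWatch alarms could publish; CloudWatch Logs has the same requirement, so the key policy must also allow the `logs.<REGION>.amazonaws.com` service principal (`kms:Encrypt*`, `kms:Decrypt*`, `kms:ReEncrypt*`, `kms:GenerateDataKey*`, `kms:Describe*`) or the association fails and the lambda's log writes are rejected. That requirement belongs in the `description` of the `kms_key` variable, e.g. `# key policy must grant both sns.amazonaws.com and the regional CloudWatch Logs principal`. The variable's default is not visible in this diff; if it may be left empty, `kms_key_id = var.kms_key != "" ? var.kms_key : null` avoids passing an empty string to the provider.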
@@ -2,7 +2,7 @@
 # The SNS topic to which CloudWatch alarms send events.
 # --------------------------------------------------------------------------------------------------
 resource "aws_sns_topic" "alarms" {
- count = length(var.emails) > 0 ? 1 : 0
+ count = length(var.endpoints) > 0 ? 1 : 0
 name = var.sns_topic_name
 kms_master_key_id = var.kms_key #aws_kms_key.sns[0].id # default key does not allow cloudwatch alarms to publish
 tags = var.tags
@@ -10,13 +10,13 @@ resource "aws_sns_topic" "alarms" {
 resource "aws_sns_topic_policy" "alarms" {
- count = length(var.emails) > 0 ? 1 : 0
+ count = length(var.endpoints) > 0 ? 1 : 0
 arn = aws_sns_topic.alarms[0].arn
 policy = data.aws_iam_policy_document.alarms_policy[0].json
 }
 data "aws_iam_policy_document" "alarms_policy" {
- count = length(var.emails) > 0 ? 1 : 0
+ count = length(var.endpoints) > 0 ? 1 : 0
 policy_id = "allow-org-accounts"
 statement {
@@ -46,8 +46,8 @@ data "aws_iam_policy_document" "alarms_policy" {
 }
 resource "aws_sns_topic_subscription" "cloudtrail_custom_alarm_email" {
- for_each = toset(var.emails)
+ for_each = toset(var.endpoints)
 topic_arn = aws_sns_topic.alarms[0].arn
- protocol = "email"
+ protocol = var.alarm_protocol
 endpoint = each.value
 }
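Review bot: `protocol = var.alarm_protocol` is applied uniformly to every subscription, but the attributes a subscription needs differ by protocol: `email`, `email-json` and `sms` endpoints stay in `PendingConfirmation` until confirmed out of band, `sqs` and `lambda` endpoints are ARNs whose queue or function also needs a resource policy allowing the topic to deliver, and `https` endpoints usually need `endpoint_auto_confirms`. None of that is handled or documented here, so switching the protocol away from email will in most cases produce subscriptions that apply cleanly but never deliver. The resource name `cloudtrail_custom_alarm_email` now misdescribes the non-email case as well; a comment above the resource stating which protocols the module has actually been exercised with, e.g. `# protocol comes from var.alarm_protocol; only "email" has been validated end-to-end`, would at least set expectations for the next maintainer.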