Allowing bringing your own SNS topic instead of letting module create…

… and removing open policy
DNXLabs · Apr 19, 2021 · 5eea463 · 5eea463
1 parent 4eb4a0a
commit 5eea463
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 80 deletions.
diff --git a/_outputs.tf b/_outputs.tf
@@ -1,3 +1,3 @@
 output "aws_sns_topic_arn" {
-  value = aws_sns_topic.default.arn
+  value = try(aws_sns_topic.default[0].arn, "")
 }
diff --git a/_variables.tf b/_variables.tf
@@ -7,12 +7,18 @@ variable "slack_endpoint" {
   description = "endpoint to Slack notifications chanel"
 }
 
-variable "topic_name" {
-  description = "Topic name"
+variable "sns_topic_name" {
+  description = "Topic name (optional - creates SNS topic)"
+  default     = ""
+}
+
+variable "sns_topic_arn" {
+  description = "SNS Topic to use instead of creating one (optional)"
+  default     = ""
 }
 
 variable "account_ids" {
   type        = list(string)
   default     = []
-  description = "List of accounts to allow publishing to SNS"
+  description = "List of accounts to allow publishing to SNS (optional - only when SNS topic is created)"
 }
diff --git a/lambda-slack.tf b/lambda-slack.tf
@@ -49,20 +49,25 @@ resource "aws_iam_policy" "default" {
 EOF
 }
 
-
 resource "aws_iam_role_policy_attachment" "lambda_logs" {
   count = var.slack_endpoint == "" ? 0 : 1
 
   role       = aws_iam_role.default[0].name
   policy_arn = aws_iam_policy.default[0].arn
 }
 
+resource "random_string" "lambda_suffix" {
+  length  = 8
+  special = false
+  lower   = true
+  number  = false
+}
 
 resource "aws_lambda_function" "default" {
   count = var.slack_endpoint == "" ? 0 : 1
 
   filename      = "${path.module}/slack.zip"
-  function_name = "slack-notification-healthcheck-${var.topic_name}"
+  function_name = "slack-cloudwatch-notification-${random_string.lambda_suffix.result}"
   role          = aws_iam_role.default[0].arn
   handler       = "index.handler"
 
@@ -84,15 +89,15 @@ resource "aws_lambda_permission" "with_sns" {
   action        = "lambda:InvokeFunction"
   function_name = aws_lambda_function.default[0].function_name
   principal     = "sns.amazonaws.com"
-  source_arn    = aws_sns_topic.default.arn
+  source_arn    = var.sns_topic_arn != "" ? var.sns_topic_arn : aws_sns_topic.default[0].arn
 }
 
 resource "aws_sns_topic_subscription" "lambda_subscription" {
   count = var.slack_endpoint == "" ? 0 : 1
 
   #topic_arn = data.aws_sns_topic.health_topic_client.arn
   #endpoint  = data.aws_lambda_function.slack-lambda-function.arn
-  topic_arn  = aws_sns_topic.default.arn
+  topic_arn  = var.sns_topic_arn != "" ? var.sns_topic_arn : aws_sns_topic.default[0].arn
   protocol   = "lambda"
   endpoint   = aws_lambda_function.default[0].arn
   depends_on = [aws_lambda_function.default]

diff --git a/sns-topic.tf b/sns-topic.tf
@@ -1,107 +1,46 @@
 resource "aws_sns_topic" "default" {
-  name = var.topic_name
+  count = var.sns_topic_name != "" ? 1 : 0
+  name  = var.sns_topic_name
 
   # provisioner "local-exec" {
   #   command = "aws sns subscribe --topic-arn ${self.arn} --region ${data.aws_region.current.name} --protocol email --notification-endpoint ${var.sns_subscribe_list}"
   # }
 }
 
 resource "aws_sns_topic_policy" "default" {
-  arn    = aws_sns_topic.default.arn
-  policy = length(var.account_ids) != 0 ? data.aws_iam_policy_document.sns[0].json : data.aws_iam_policy_document.sns_all[0].json
-}
-
-data "aws_iam_policy_document" "sns_all" {
-  count = length(var.account_ids) != 0 ? 0 : 1
-
-  policy_id = "allow-publish-clients"
-
-  statement {
-    actions = [
-      "SNS:Publish"
-    ]
-
-    effect = "Allow"
-
-    principals {
-      type        = "AWS"
-      identifiers = ["*"]
-    }
-
-    resources = [
-      aws_sns_topic.default.arn,
-    ]
-
-    sid = "allow-publish-clients-stmt"
-  }
-
-  statement {
-    actions = [
-      "SNS:Publish"
-    ]
-
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["events.amazonaws.com"]
-    }
-
-    resources = [
-      aws_sns_topic.default.arn,
-    ]
-
-    sid = "allow-publish-event-bridge"
-  }
+  count  = var.sns_topic_name != "" && length(var.account_ids) != 0 ? 1 : 0
+  arn    = aws_sns_topic.default[0].arn
+  policy = data.aws_iam_policy_document.sns[0].json
 }
 
 data "aws_iam_policy_document" "sns" {
-  count = length(var.account_ids) != 0 ? 1 : 0
-
+  count     = var.sns_topic_name != "" && length(var.account_ids) != 0 ? 1 : 0
   policy_id = "allow-publish-clients"
 
   statement {
-    actions = [
-      "SNS:Publish"
-    ]
-
+    actions = ["SNS:Publish"]
     condition {
       test     = "StringEquals"
       variable = "AWS:SourceOwner"
-
-      values = var.account_ids
+      values   = var.account_ids
     }
-
     effect = "Allow"
-
     principals {
       type        = "AWS"
       identifiers = ["*"]
     }
-
-    resources = [
-      aws_sns_topic.default.arn,
-    ]
-
+    resources = [aws_sns_topic.default[0].arn]
     sid = "allow-publish-clients-stmt"
   }
 
   statement {
-    actions = [
-      "SNS:Publish"
-    ]
-
+    actions = ["SNS:Publish"]
     effect = "Allow"
-
     principals {
       type        = "Service"
       identifiers = ["events.amazonaws.com"]
     }
-
-    resources = [
-      aws_sns_topic.default.arn,
-    ]
-
+    resources = [aws_sns_topic.default[0].arn]
     sid = "allow-publish-event-bridge"
   }
 }