From 5eea463b8958553d5530f7273c496a784ccbff96 Mon Sep 17 00:00:00 2001
From: Allan Denot
Date: Mon, 19 Apr 2021 15:08:45 +1000
Subject: [PATCH] Allowing bringing your own SNS topic instead of letting module create and removing open policy
---
 _outputs.tf | 2 +-
 _variables.tf | 12 +++++--
 lambda-slack.tf | 13 +++++---
 sns-topic.tf | 83 +++++++------------------------------------
 4 files changed, 30 insertions(+), 80 deletions(-)
diff --git a/_outputs.tf b/_outputs.tf
index 5afdea9..ecf5a0b 100644
--- a/_outputs.tf
+++ b/_outputs.tf
@@ -1,3 +1,3 @@
 output "aws_sns_topic_arn" {
- value = aws_sns_topic.default.arn
+ value = try(aws_sns_topic.default[0].arn, "")
 }
diff --git a/_variables.tf b/_variables.tf
index fe341eb..99f6f12 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -7,12 +7,18 @@ variable "slack_endpoint" {
 description = "endpoint to Slack notifications chanel"
 }
-variable "topic_name" {
- description = "Topic name"
+variable "sns_topic_name" {
+ description = "Topic name (optional - creates SNS topic)"
+ default = ""
+}
+
+variable "sns_topic_arn" {
+ description = "SNS Topic to use instead of creating one (optional)"
+ default = ""
 }
 variable "account_ids" {
 type = list(string)
 default = []
- description = "List of accounts to allow publishing to SNS"
+ description = "List of accounts to allow publishing to SNS (optional - only when SNS topic is created)"
 }
diff --git a/lambda-slack.tf b/lambda-slack.tf
index 595a81d..706f443 100644
--- a/lambda-slack.tf
+++ b/lambda-slack.tf
@@ -49,7 +49,6 @@ resource "aws_iam_policy" "default" {
 EOF
 }
-
 resource "aws_iam_role_policy_attachment" "lambda_logs" {
 count = var.slack_endpoint == "" ? 0 : 1
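Review bot: The `aws_sns_topic_arn` output still reports only the module-created topic, so when a caller supplies `sns_topic_arn` the output is `""` even though a topic is in use, and `try()` also turns the both-variables-empty misconfiguration into a silent empty string rather than an error. Returning the topic the module actually subscribes to keeps downstream wiring (alarms, EventBridge targets) on one ARN: `value = var.sns_topic_arn != "" ? var.sns_topic_arn : try(aws_sns_topic.default[0].arn, "")`. A `description` on the output would also help, e.g. `description = "ARN of the SNS topic the Slack Lambda is subscribed to (supplied via sns_topic_arn, or created by the module)"`.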
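Review bot: `sns_topic_arn` is accepted as a free-form string with no validation, and nothing in the variable descriptions says that exactly one of `sns_topic_name` / `sns_topic_arn` must be set — with both empty the other files index `aws_sns_topic.default[0]` and fail with a generic invalid-index error, with both set a topic is created but never used. A `validation` block that requires the value to be empty or a full SNS topic ARN catches typos and pasted queue/Lambda ARNs at plan time (requires Terraform ≥ 0.13; confirm against the version the module pins). The `account_ids` description should also make clear that it only restricts a module-created topic, since a topic passed via `sns_topic_arn` keeps whatever access policy its owner set: `description = "List of accounts to allow publishing to SNS (only applied to a topic created by this module; a topic passed via sns_topic_arn keeps its own policy)"`.
```hcl
variable "sns_topic_arn" {
  description = "SNS Topic to use instead of creating one (optional). Exactly one of sns_topic_name or sns_topic_arn must be set."
  default     = ""

  validation {
    condition     = var.sns_topic_arn == "" || can(regex("^arn:aws[a-z-]*:sns:[a-z0-9-]+:[0-9]{12}:[A-Za-z0-9_.-]+$", var.sns_topic_arn))
    error_message = "sns_topic_arn must be empty or a full SNS topic ARN (arn:<partition>:sns:<region>:<account-id>:<topic-name>)."
  }
}
```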
@@ -57,12 +56,18 @@ resource "aws_iam_role_policy_attachment" "lambda_logs" {
 policy_arn = aws_iam_policy.default[0].arn
 }
+resource "random_string" "lambda_suffix" {
+ length = 8
+ special = false
+ lower = true
+ number = false
+}
 resource "aws_lambda_function" "default" {
 count = var.slack_endpoint == "" ? 0 : 1
 filename = "${path.module}/slack.zip"
- function_name = "slack-notification-healthcheck-${var.topic_name}"
+ function_name = "slack-cloudwatch-notification-${random_string.lambda_suffix.result}"
 role = aws_iam_role.default[0].arn
 handler = "index.handler"
@@ -84,7 +89,7 @@ resource "aws_lambda_permission" "with_sns" {
 action = "lambda:InvokeFunction"
 function_name = aws_lambda_function.default[0].function_name
 principal = "sns.amazonaws.com"
- source_arn = aws_sns_topic.default.arn
+ source_arn = var.sns_topic_arn != "" ? var.sns_topic_arn : aws_sns_topic.default[0].arn
 }
 resource "aws_sns_topic_subscription" "lambda_subscription" {
@@ -92,7 +97,7 @@ resource "aws_sns_topic_subscription" "lambda_subscription" {
 #topic_arn = data.aws_sns_topic.health_topic_client.arn
 #endpoint = data.aws_lambda_function.slack-lambda-function.arn
- topic_arn = aws_sns_topic.default.arn
+ topic_arn = var.sns_topic_arn != "" ? var.sns_topic_arn : aws_sns_topic.default[0].arn
 protocol = "lambda"
 endpoint = aws_lambda_function.default[0].arn
 depends_on = [aws_lambda_function.default]
diff --git a/sns-topic.tf b/sns-topic.tf
index 7d8d6af..a2f0810 100644
--- a/sns-topic.tf
+++ b/sns-topic.tf
@@ -1,5 +1,6 @@
 resource "aws_sns_topic" "default" {
- name = var.topic_name
+ count = var.sns_topic_name != "" ? 1 : 0
+ name = var.sns_topic_name
 # provisioner "local-exec" {
 # command = "aws sns subscribe --topic-arn ${self.arn} --region ${data.aws_region.current.name} --protocol email --notification-endpoint ${var.sns_subscribe_list}"
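Review bot: `random_string.lambda_suffix` has no `count`, so it is created and kept in state even when `slack_endpoint` is empty and the Lambda it names does not exist; guard it the same way as the function, `count = var.slack_endpoint == "" ? 0 : 1`, and reference it as `random_string.lambda_suffix[0].result`. The suffix also makes the function name differ between module instances and change if the random_string is ever recreated, which matters for anything configured by function name outside the module (log-group retention, alarms); a comment on the resource such as `# Random suffix keeps the function name unique per module instance; the name is not stable if this resource is recreated` would record that trade-off. Newer releases of the random provider rename `number` to `numeric`, so this attribute may need updating when the provider is bumped (not verified against the version pinned here). The `aws_lambda_function` block continues past the end of this hunk.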
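Review bot: The topic selection `var.sns_topic_arn != "" ? var.sns_topic_arn : aws_sns_topic.default[0].arn` is now spelled out both here in `aws_lambda_permission.with_sns` and in `aws_sns_topic_subscription.lambda_subscription`; if the two ever diverge the permission's `source_arn` no longer matches the topic that invokes the function and SNS delivery fails with an access-denied error that is awkward to trace. Hoist it once, `locals { sns_topic_arn = var.sns_topic_arn != "" ? var.sns_topic_arn : aws_sns_topic.default[0].arn }`, and use `source_arn = local.sns_topic_arn` (and `topic_arn = local.sns_topic_arn`) in both places. When neither variable is set the `[0]` index fails at plan time with a generic invalid-index message instead of one naming the two variables; a validation or precondition requiring exactly one of them would make that failure explicit. The `aws_lambda_permission` block starts before this hunk.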
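Review bot: `count = var.sns_topic_name != "" ? 1 : 0` on `aws_sns_topic.default` creates a topic whenever a name is given, even if `sns_topic_arn` is also set — in that case the Lambda permission and subscription in lambda-slack.tf point at the external topic and the created one is left unused (and, with `account_ids` empty, without any policy). Letting the supplied ARN win, `count = var.sns_topic_arn == "" && var.sns_topic_name != "" ? 1 : 0`, keeps the resource in step with the selection logic used elsewhere; alternatively reject the combination with a validation. A short comment above the resource stating the rule, e.g. `# Created only when the caller does not bring their own topic via sns_topic_arn`, would make the contract visible. The `aws_sns_topic` block continues past the end of this hunk.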
@@ -7,101 +8,39 @@ resource "aws_sns_topic" "default" {
 }
 resource "aws_sns_topic_policy" "default" {
- arn = aws_sns_topic.default.arn
- policy = length(var.account_ids) != 0 ? data.aws_iam_policy_document.sns[0].json : data.aws_iam_policy_document.sns_all[0].json
-}
-
-data "aws_iam_policy_document" "sns_all" {
- count = length(var.account_ids) != 0 ? 0 : 1
-
- policy_id = "allow-publish-clients"
-
- statement {
- actions = [
- "SNS:Publish"
- ]
-
- effect = "Allow"
-
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
-
- resources = [
- aws_sns_topic.default.arn,
- ]
-
- sid = "allow-publish-clients-stmt"
- }
-
- statement {
- actions = [
- "SNS:Publish"
- ]
-
- effect = "Allow"
-
- principals {
- type = "Service"
- identifiers = ["events.amazonaws.com"]
- }
-
- resources = [
- aws_sns_topic.default.arn,
- ]
-
- sid = "allow-publish-event-bridge"
- }
+ count = var.sns_topic_name != "" && length(var.account_ids) != 0 ? 1 : 0
+ arn = aws_sns_topic.default[0].arn
+ policy = data.aws_iam_policy_document.sns[0].json
 }
 data "aws_iam_policy_document" "sns" {
- count = length(var.account_ids) != 0 ? 1 : 0
-
+ count = var.sns_topic_name != "" && length(var.account_ids) != 0 ? 1 : 0
 policy_id = "allow-publish-clients"
 statement {
- actions = [
- "SNS:Publish"
- ]
-
+ actions = ["SNS:Publish"]
 condition {
 test = "StringEquals"
 variable = "AWS:SourceOwner"
-
- values = var.account_ids
+ values = var.account_ids
 }
- effect = "Allow"
-
 principals {
 type = "AWS"
 identifiers = ["*"]
 }
-
- resources = [
- aws_sns_topic.default.arn,
- ]
-
+ resources = [aws_sns_topic.default[0].arn]
 sid = "allow-publish-clients-stmt"
 }
 statement {
- actions = [
- "SNS:Publish"
- ]
-
+ actions = ["SNS:Publish"]
 effect = "Allow"
-
 principals {
 type = "Service"
 identifiers = ["events.amazonaws.com"]
 }
-
- resources = [
- aws_sns_topic.default.arn,
- ]
-
+ resources = [aws_sns_topic.default[0].arn]
 sid = "allow-publish-event-bridge"
 }
 }
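Review bot: Dropping the `sns_all` document removes not only the unconditional `Principal: *` publish grant but also the `events.amazonaws.com` statement for the `account_ids`-empty case — `aws_sns_topic_policy.default` now has `count = 0` whenever `account_ids` is empty, so a topic created with `sns_topic_name` alone gets no resource policy at all and EventBridge rules can no longer publish to it, a behaviour change the commit message does not mention. The policy should exist whenever the module creates the topic, with the cross-account statement emitted only when `account_ids` is non-empty (sketch below, using `dynamic "statement"` keyed on `length(var.account_ids)`). The retained `events.amazonaws.com` statement still carries no `aws:SourceAccount` or `aws:SourceArn` condition; whether a rule in another account could reach this topic through it depends on EventBridge's cross-account target rules, so consider scoping it with `aws:SourceAccount` if that is a concern. Minor: the first statement lost its explicit `effect = "Allow"` while the second kept it — the data source defaults to Allow, so this is only an inconsistency, but restoring the line keeps the two statements parallel.
```hcl
resource "aws_sns_topic_policy" "default" {
  count  = var.sns_topic_name != "" ? 1 : 0
  arn    = aws_sns_topic.default[0].arn
  policy = data.aws_iam_policy_document.sns[0].json
}

data "aws_iam_policy_document" "sns" {
  count     = var.sns_topic_name != "" ? 1 : 0
  policy_id = "allow-publish-clients"

  # Cross-account publishers: emitted only when account_ids is non-empty,
  # so an empty list never falls back to an unconditional "*" grant.
  dynamic "statement" {
    for_each = length(var.account_ids) != 0 ? [1] : []
    content {
      sid     = "allow-publish-clients-stmt"
      effect  = "Allow"
      actions = ["SNS:Publish"]
      principals {
        type        = "AWS"
        identifiers = ["*"]
      }
      condition {
        test     = "StringEquals"
        variable = "AWS:SourceOwner"
        values   = var.account_ids
      }
      resources = [aws_sns_topic.default[0].arn]
    }
  }

  # … unchanged: allow-publish-event-bridge statement …
}
```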