From 7697599ce9f232006d14dd53f2e27fd2617022e1 Mon Sep 17 00:00:00 2001 From: Allan Denot Date: Mon, 3 May 2021 11:59:00 +1000 Subject: [PATCH] Adding email subscription --- _data.tf | 3 ++- _variables.tf | 13 ++++++++++++- email.tf | 6 ++++++ kms.tf | 30 ++++++++++++++++++++++++++++++ sns-topic.tf | 6 +++--- 5 files changed, 53 insertions(+), 5 deletions(-) create mode 100644 email.tf create mode 100644 kms.tf diff --git a/_data.tf b/_data.tf index e26d851..79b6b02 100644 --- a/_data.tf +++ b/_data.tf @@ -19,4 +19,5 @@ #} # -data "aws_region" "current" {} \ No newline at end of file +data "aws_region" "current" {} +data "aws_caller_identity" "current" {} \ No newline at end of file diff --git a/_variables.tf b/_variables.tf index 99f6f12..3bef68f 100644 --- a/_variables.tf +++ b/_variables.tf @@ -4,7 +4,12 @@ variable "slack_endpoint" { default = "" - description = "endpoint to Slack notifications chanel" + description = "endpoint to Slack notifications channel (optional)" +} + +variable "email" { + default = "" + description = "Email address to subscribe notification to (optional)" } variable "sns_topic_name" { @@ -22,3 +27,9 @@ variable "account_ids" { default = [] description = "List of accounts to allow publishing to SNS (optional - only when SNS topic is created)" } + +variable "sns_kms_encryption" { + type = bool + default = false + description = "Enabled KMS CMK encryption at rest for SNS Topic" +} \ No newline at end of file diff --git a/email.tf b/email.tf new file mode 100644 index 0000000..505cddb --- /dev/null +++ b/email.tf @@ -0,0 +1,6 @@ +resource "aws_sns_topic_subscription" "alarm_email" { + count = var.email != "" ? 1 : 0 + topic_arn = aws_sns_topic.default[0].arn + protocol = "email" + endpoint = var.email +} \ No newline at end of file diff --git a/kms.tf b/kms.tf new file mode 100644 index 0000000..105515e --- /dev/null +++ b/kms.tf @@ -0,0 +1,30 @@ +data "aws_iam_policy_document" "kms_policy_sns" { + count = var.sns_kms_encryption ? 1 : 0 + statement { + sid = "Enable IAM User Permissions" + effect = "Allow" + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + actions = ["kms:*"] + resources = ["*"] + } + statement { + actions = [ "kms:Decrypt","kms:GenerateDataKey*"] + principals { + type = "Service" + identifiers = ["cloudwatch.amazonaws.com","lambda.amazonaws.com"] + } + resources = ["*"] + sid = "allow-services-kms" + } +} + +resource "aws_kms_key" "sns" { + count = var.sns_kms_encryption ? 1 : 0 + deletion_window_in_days = 7 + description = "SNS CMK Encryption Key" + enable_key_rotation = true + policy = data.aws_iam_policy_document.kms_policy_sns[0].json +} \ No newline at end of file diff --git a/sns-topic.tf b/sns-topic.tf index a2f0810..b6bd460 100644 --- a/sns-topic.tf +++ b/sns-topic.tf @@ -1,7 +1,7 @@ resource "aws_sns_topic" "default" { - count = var.sns_topic_name != "" ? 1 : 0 - name = var.sns_topic_name - + count = var.sns_topic_name != "" ? 1 : 0 + name = var.sns_topic_name + kms_master_key_id = var.sns_kms_encryption ? aws_kms_key.sns[0].id : null # default key does not allow cloudwatch alarms to publish # provisioner "local-exec" { # command = "aws sns subscribe --topic-arn ${self.arn} --region ${data.aws_region.current.name} --protocol email --notification-endpoint ${var.sns_subscribe_list}" # }