Головна сторінка Огляд Довідка
Реєстрація Увійти
AFS
/
xdr-terraform-modules
2
0
Відгалуження 0
Файли Проблеми 0 Запити на злиття 0 Wiki
Дерево: 066ddcdb15
Гілки Теги
xdr-terraform-m...
/
base
/
account_standards_c2
/
account_alerts.tf

account_alerts.tf 4.2 KB
Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142 
  1. # An SNS queue for email alerts
    2. 

  2. resource "aws_sns_topic" "account-alerts" {
    3. 

  3.   name              = "account-alerts"
    4. 

  4.   tags = merge(var.standard_tags, var.tags)
    5. 

  5. }
    6. 

  6. 

  7. resource "aws_sns_topic_policy" "account-alerts" {
    8. 

  8.   arn    = aws_sns_topic.account-alerts.arn
    9. 

  9.   policy = data.aws_iam_policy_document.account-alerts.json
    10. 

  10. }
    11. 

  11. 

  12. data "aws_iam_policy_document" "account-alerts" {
    13. 

  13.   statement {
    14. 

  14.     sid = "AllowAllAccountsToPublish"
    15. 

  15.     actions = [ "SNS:Publish" ]
    16. 

  16.     effect = "Allow"
    17. 

  17.     resources = [ aws_sns_topic.account-alerts.arn ]
    18. 

  18.     principals {
    19. 

  19.       type = "AWS"
    20. 

  20.       identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
    21. 

  21.     }
    22. 

  22.   }
    23. 

  23.   statement {
    24. 

  24.     sid = "AllowCloudWatchToPublic"
    25. 

  25.     actions = [ "SNS:Publish" ]
    26. 

  26.     effect = "Allow"
    27. 

  27.     resources = [ aws_sns_topic.account-alerts.arn ]
    28. 

  28.     principals {
    29. 

  29.       type = "Service"
    30. 

  30.       identifiers = [ "cloudwatch.amazonaws.com" ]
    31. 

  31.     }
    32. 

  32.   }
    33. 

  33. }
    34. 

  34. 

  35. # Unfortunately, terraform does not support email destinations, so we can't manage subscriptions here.
    36. 

  36. 

  37. # SQS to get alerts into Splunk
    38. 

  38. resource "aws_sqs_queue" "account-alerts" {
    39. 

  39.   name                       = "account-alerts"
    40. 

  40.   visibility_timeout_seconds = 300 # wait 5 minutes before allowing a different splunk instance to process the same message
    41. 

  41.   message_retention_seconds  = 604800 # Keep a message in the queue for 7 days
    42. 

  42.   receive_wait_time_seconds  = 0 # how long to wait for a message before returning
    43. 

  43.   redrive_policy             = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.account-alerts-dlq.arn}\",\"maxReceiveCount\":4}"
    44. 

  44.   tags                       = merge(var.standard_tags, var.tags)
    45. 

  45.   kms_master_key_id          = aws_kms_key.account-alerts-key.id
    46. 

  46.   kms_data_key_reuse_period_seconds = 3600
    47. 

  47. }
    48. 

  48. 

  49. data "aws_iam_policy_document" "account-alerts-sns-topic-can-publish" {
    50. 

  50.   statement {
    51. 

  51.     effect = "Allow"
    52. 

  52. 

  53.     principals {
    54. 

  54.       identifiers = [ "*" ]
    55. 

  55.       type = "AWS"
    56. 

  56.     }
    57. 

  57. 

  58.     actions = [ "SQS:SendMessage" ]
    59. 

  59. 

  60.     resources = [ aws_sqs_queue.account-alerts.arn ]
    61. 

  61. 

  62.     condition {
    63. 

  63.       test = "ArnEquals"
    64. 

  64.       values = [ aws_sns_topic.account-alerts.arn ]
    65. 

  65.       variable = "aws:SourceArn"
    66. 

  66.     }
    67. 

  67.   }
    68. 

  68. }
    69. 

  69. 

  70. // Dead Letter queue, use same parameters as main queue
    71. 

  71. resource "aws_sqs_queue" "account-alerts-dlq" {
    72. 

  72.   name                      = "account-alerts-dlq"
    73. 

  73.   message_retention_seconds = 300
    74. 

  74.   receive_wait_time_seconds = 0
    75. 

  75.   tags                      = merge(var.standard_tags, var.tags)
    76. 

  76.   kms_master_key_id         = aws_kms_key.account-alerts-key.id
    77. 

  77.   kms_data_key_reuse_period_seconds = 3600
    78. 

  78. }
    79. 

  79. 

  80. resource "aws_sqs_queue_policy" "account-alerts-can-publish" {
    81. 

  81.   policy    = data.aws_iam_policy_document.account-alerts-sns-topic-can-publish.json
    82. 

  82.   queue_url = aws_sqs_queue.account-alerts.id
    83. 

  83. }
    84. 

  84. 

  85. resource "aws_sns_topic_subscription" "account-alerts-to-queue" {
    86. 

  86.   topic_arn = aws_sns_topic.account-alerts.arn
    87. 

  87.   protocol  = "sqs"
    88. 

  88.   endpoint  = aws_sqs_queue.account-alerts.arn
    89. 

  89. }
    90. 

  90. 

  91. resource "aws_kms_key" "account-alerts-key" {
    92. 

  92.   description             = "Encryption of SNS and SQS queue for account alerts notifications"
    93. 

  93.   policy                  = data.aws_iam_policy_document.account-alerts-kms-policy.json
    94. 

  94.   enable_key_rotation     = true
    95. 

  95. }
    96. 

  96. 

  97. data "aws_iam_policy_document" "account-alerts-kms-policy" {
    98. 

  98.   statement {
    99. 

  99.     sid = "AllowServices"
    100. 

  100.     effect = "Allow"
    101. 

  101.     principals {
    102. 

  102.       identifiers = ["cloudwatch.amazonaws.com", "sns.amazonaws.com", "sqs.amazonaws.com"]
    103. 

  103.       type = "Service"
    104. 

  104.     }
    105. 

  105.     actions = [
    106. 

  106.       "kms:GenerateDataKey",
    107. 

  107.       "kms:Decrypt"
    108. 

  108.     ]
    109. 

  109.     resources = [ "*" ]
    110. 

  110.   }
    111. 

  111.   statement {
    112. 

  112.     sid = "AllowOtherAccounts"
    113. 

  113.     effect = "Allow"
    114. 

  114.     principals {
    115. 

  115.       type = "AWS"
    116. 

  116.       identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
    117. 

  117.     }
    118. 

  118.     actions = [
    119. 

  119.       "kms:GenerateDataKey",
    120. 

  120.       "kms:Encrypt"
    121. 

  121.     ]
    122. 

  122.     resources = [ "*" ]
    123. 

  123.   }
    124. 

  124.   # allow account to modify/manage key
    125. 

  125.   statement {
    126. 

  126.     sid = "AllowThisAccount"
    127. 

  127.     effect = "Allow"
    128. 

  128.     principals {
    129. 

  129.       identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
    130. 

  130.       type = "AWS"
    131. 

  131.     }
    132. 

  132.     actions = [
    133. 

  133.       "kms:*"
    134. 

  134.     ]
    135. 

  135.     resources = ["*"]
    136. 

  136.   }
    137. 

  137. }
    138. 

  138. 

  139. resource "aws_kms_alias" "account-alerts-key-alias" {
    140. 

  140.   name          = "alias/account-alerts-key"
    141. 

  141.   target_key_id = aws_kms_key.account-alerts-key.key_id
    142. 

  142. }
    143.