首页 发现 帮助
注册 登录
AFS
/
xdr-terraform-modules
2
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: 370353c645
分支列表 标签列表
xdr-terraform-m...
/
base
/
account_standards_c2
/
account_alerts.tf

account_alerts.tf 4.4 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143 
  1. # An SNS queue for email alerts
    2. 

  2. # tfsec:ignore:aws-sns-enable-topic-encryption
    3. 

  3. resource "aws_sns_topic" "account-alerts" {
    4. 

  4.   name = "account-alerts"
    5. 

  5.   tags = merge(local.standard_tags, var.tags)
    6. 

  6. }
    7. 

  7. 

  8. resource "aws_sns_topic_policy" "account-alerts" {
    9. 

  9.   arn    = aws_sns_topic.account-alerts.arn
    10. 

  10.   policy = data.aws_iam_policy_document.account-alerts.json
    11. 

  11. }
    12. 

  12. 

  13. data "aws_iam_policy_document" "account-alerts" {
    14. 

  14.   statement {
    15. 

  15.     sid       = "AllowAllAccountsToPublish"
    16. 

  16.     actions   = ["SNS:Publish"]
    17. 

  17.     effect    = "Allow"
    18. 

  18.     resources = [aws_sns_topic.account-alerts.arn]
    19. 

  19.     principals {
    20. 

  20.       type        = "AWS"
    21. 

  21.       identifiers = [for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
    22. 

  22.     }
    23. 

  23.   }
    24. 

  24.   statement {
    25. 

  25.     sid       = "AllowCloudWatchToPublic"
    26. 

  26.     actions   = ["SNS:Publish"]
    27. 

  27.     effect    = "Allow"
    28. 

  28.     resources = [aws_sns_topic.account-alerts.arn]
    29. 

  29.     principals {
    30. 

  30.       type        = "Service"
    31. 

  31.       identifiers = ["cloudwatch.amazonaws.com"]
    32. 

  32.     }
    33. 

  33.   }
    34. 

  34. }
    35. 

  35. 

  36. # Unfortunately, terraform does not support email destinations, so we can't manage subscriptions here.
    37. 

  37. 

  38. # SQS to get alerts into Splunk
    39. 

  39. resource "aws_sqs_queue" "account-alerts" {
    40. 

  40.   name                              = "account-alerts"
    41. 

  41.   visibility_timeout_seconds        = 300    # wait 5 minutes before allowing a different splunk instance to process the same message
    42. 

  42.   message_retention_seconds         = 604800 # Keep a message in the queue for 7 days
    43. 

  43.   receive_wait_time_seconds         = 0      # how long to wait for a message before returning
    44. 

  44.   redrive_policy                    = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.account-alerts-dlq.arn}\",\"maxReceiveCount\":4}"
    45. 

  45.   tags                              = merge(local.standard_tags, var.tags)
    46. 

  46.   kms_master_key_id                 = aws_kms_key.account-alerts-key.id
    47. 

  47.   kms_data_key_reuse_period_seconds = 3600
    48. 

  48. }
    49. 

  49. 

  50. data "aws_iam_policy_document" "account-alerts-sns-topic-can-publish" {
    51. 

  51.   statement {
    52. 

  52.     effect = "Allow"
    53. 

  53. 

  54.     principals {
    55. 

  55.       identifiers = ["*"]
    56. 

  56.       type        = "AWS"
    57. 

  57.     }
    58. 

  58. 

  59.     actions = ["SQS:SendMessage"]
    60. 

  60. 

  61.     resources = [aws_sqs_queue.account-alerts.arn]
    62. 

  62. 

  63.     condition {
    64. 

  64.       test     = "ArnEquals"
    65. 

  65.       values   = [aws_sns_topic.account-alerts.arn]
    66. 

  66.       variable = "aws:SourceArn"
    67. 

  67.     }
    68. 

  68.   }
    69. 

  69. }
    70. 

  70. 

  71. // Dead Letter queue, use same parameters as main queue
    72. 

  72. resource "aws_sqs_queue" "account-alerts-dlq" {
    73. 

  73.   name                              = "account-alerts-dlq"
    74. 

  74.   message_retention_seconds         = 300
    75. 

  75.   receive_wait_time_seconds         = 0
    76. 

  76.   tags                              = merge(local.standard_tags, var.tags)
    77. 

  77.   kms_master_key_id                 = aws_kms_key.account-alerts-key.id
    78. 

  78.   kms_data_key_reuse_period_seconds = 3600
    79. 

  79. }
    80. 

  80. 

  81. resource "aws_sqs_queue_policy" "account-alerts-can-publish" {
    82. 

  82.   policy    = data.aws_iam_policy_document.account-alerts-sns-topic-can-publish.json
    83. 

  83.   queue_url = aws_sqs_queue.account-alerts.id
    84. 

  84. }
    85. 

  85. 

  86. resource "aws_sns_topic_subscription" "account-alerts-to-queue" {
    87. 

  87.   topic_arn = aws_sns_topic.account-alerts.arn
    88. 

  88.   protocol  = "sqs"
    89. 

  89.   endpoint  = aws_sqs_queue.account-alerts.arn
    90. 

  90. }
    91. 

  91. 

  92. resource "aws_kms_key" "account-alerts-key" {
    93. 

  93.   description         = "Encryption of SNS and SQS queue for account alerts notifications"
    94. 

  94.   policy              = data.aws_iam_policy_document.account-alerts-kms-policy.json
    95. 

  95.   enable_key_rotation = true
    96. 

  96. }
    97. 

  97. 

  98. data "aws_iam_policy_document" "account-alerts-kms-policy" {
    99. 

  99.   statement {
    100. 

  100.     sid    = "AllowServices"
    101. 

  101.     effect = "Allow"
    102. 

  102.     principals {
    103. 

  103.       identifiers = ["cloudwatch.amazonaws.com", "sns.amazonaws.com", "sqs.amazonaws.com"]
    104. 

  104.       type        = "Service"
    105. 

  105.     }
    106. 

  106.     actions = [
    107. 

  107.       "kms:GenerateDataKey",
    108. 

  108.       "kms:Decrypt"
    109. 

  109.     ]
    110. 

  110.     resources = ["*"]
    111. 

  111.   }
    112. 

  112.   statement {
    113. 

  113.     sid    = "AllowOtherAccounts"
    114. 

  114.     effect = "Allow"
    115. 

  115.     principals {
    116. 

  116.       type        = "AWS"
    117. 

  117.       identifiers = [for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
    118. 

  118.     }
    119. 

  119.     actions = [
    120. 

  120.       "kms:GenerateDataKey",
    121. 

  121.       "kms:Encrypt"
    122. 

  122.     ]
    123. 

  123.     resources = ["*"]
    124. 

  124.   }
    125. 

  125.   # allow account to modify/manage key
    126. 

  126.   statement {
    127. 

  127.     sid    = "AllowThisAccount"
    128. 

  128.     effect = "Allow"
    129. 

  129.     principals {
    130. 

  130.       identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
    131. 

  131.       type        = "AWS"
    132. 

  132.     }
    133. 

  133.     actions = [
    134. 

  134.       "kms:*"
    135. 

  135.     ]
    136. 

  136.     resources = ["*"]
    137. 

  137.   }
    138. 

  138. }
    139. 

  139. 

  140. resource "aws_kms_alias" "account-alerts-key-alias" {
    141. 

  141.   name          = "alias/account-alerts-key"
    142. 

  142.   target_key_id = aws_kms_key.account-alerts-key.key_id
    143. 

  143. }
    144.