add files

s3-config-org/sns.s3.tf

@@ -0,0 +1,36 @@
+resource "aws_sns_topic" "config_org_s3" {
+  count             = var.enable_s3_sns ? 1 : 0
+  name              = local.s3_notification_name
+  kms_master_key_id = data.aws_kms_key.incoming_key.id
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    { Name = local.s3_notification_name },
+  )
+}
+
+resource "aws_sns_topic_policy" "config_org_s3" {
+  count  = var.enable_s3_sns ? 1 : 0
+  arn    = var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : null
+  policy = data.aws_iam_policy_document.config_org_s3_topic.json
+}
+
+data "aws_iam_policy_document" "config_org_s3_topic" {
+  policy_id = format("%v_s3_topic", local.s3_notification_name)
+  statement {
+    sid    = "CloudTrailSNSS3Policy"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["s3.amazonaws.com"]
+    }
+    actions   = ["sns:Publish"]
+    resources = [var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : ""]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_s3_bucket.config_org.arn]
+    }
+  }
+}

s3-config-org/sqs.s3.tf

@@ -0,0 +1,118 @@
+resource "aws_sqs_queue" "config_org_s3_deadletter" {
+  count = var.enable_s3_sqs ? 1 : 0
+  # delay=0 retention=4d max=256k visibility=1h
+  name                      = format("%v-deadletter", local.s3_notification_name)
+  delay_seconds             = 0
+  max_message_size          = 262144
+  message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 1 * 86400)
+  #  message_retention_seconds  = 345600
+  receive_wait_time_seconds  = 15
+  visibility_timeout_seconds = 3600
+
+  kms_master_key_id                 = data.aws_kms_key.incoming_key.id
+  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    { Name = format("%v-deadletter", local.s3_notification_name) },
+  )
+}
+
+resource "aws_sqs_queue_policy" "config_org_s3_deadletter" {
+  count     = var.enable_s3_sqs ? 1 : 0
+  queue_url = var.enable_s3_sqs ? aws_sqs_queue.config_org_s3_deadletter[0].id : null
+  policy    = data.aws_iam_policy_document.config_org_s3_deadletter.json
+}
+
+data "aws_iam_policy_document" "config_org_s3_deadletter" {
+  #  policy_id = "SQSDefaultPolicy"
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["sqs:SendMessage"]
+    resources = [var.enable_s3_sqs ? aws_sqs_queue.config_org_s3_deadletter[0].arn : ""]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : ""]
+    }
+  }
+}
+
+resource "aws_sqs_queue" "config_org_s3" {
+  count = var.enable_s3_sqs ? 1 : 0
+  # delay=0 retention=7d max=256k visibity=2h
+  name                      = local.s3_notification_name
+  delay_seconds             = 0
+  max_message_size          = 262144
+  message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 7 * 86400)
+  #  message_retention_seconds  = 604800
+  receive_wait_time_seconds  = 15
+  visibility_timeout_seconds = 7200
+
+  redrive_policy = jsonencode({
+    deadLetterTargetArn = var.enable_s3_sqs ? aws_sqs_queue.config_org_s3_deadletter[0].arn : null
+    maxReceiveCount     = 100
+  })
+
+  kms_master_key_id                 = data.aws_kms_key.incoming_key.id
+  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    { Name = local.s3_notification_name },
+  )
+}
+
+resource "aws_sqs_queue_policy" "config_org_s3_sqs" {
+  count     = var.enable_s3_sqs ? 1 : 0
+  queue_url = var.enable_s3_sqs ? aws_sqs_queue.config_org_s3[0].id : null
+  policy    = data.aws_iam_policy_document.config_org_s3_sqs.json
+}
+
+data "aws_iam_policy_document" "config_org_s3_sqs" {
+  #  policy_id = "SQSDefaultPolicy"
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["sqs:SendMessage"]
+    resources = [var.enable_s3_sqs ? aws_sqs_queue.config_org_s3[0].arn : ""]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : ""]
+    }
+  }
+  statement {
+    sid    = "AllowSQSS3SendMessage"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["s3.amazonaws.com"]
+    }
+    actions   = ["sqs:SendMessage"]
+    resources = [var.enable_s3_sqs ? aws_sqs_queue.config_org_s3[0].arn : ""]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values   = [var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : ""]
+    }
+  }
+}
+
+resource "aws_sns_topic_subscription" "config_org_s3_sqs" {
+  count     = var.enable_s3_sqs && var.enable_s3_sns ? 1 : 0
+  protocol  = "sqs"
+  topic_arn = var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : null
+  endpoint  = var.enable_s3_sqs ? aws_sqs_queue.config_org_s3[0].arn : null
+}

s3-config-org/variables.s3-notification.tf

@@ -0,0 +1,17 @@
+variable "enable_s3_sns" {
+  description = "Flag to enable or disable the creation of SNS for the Cloudtrail S3 bucket"
+  type        = bool
+  default     = false
+}
+
+variable "enable_s3_sqs" {
+  description = "Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail S3 bucket"
+  type        = bool
+  default     = false
+}
+
+## variable "additional_s3_sqs_names" {
+##   description = "List of additional SQS queues to create and subscribe to the S3 SNS topic (if enabled)"
+##   type        = list(string)
+##   default     = []
+## }