From 3012fdbf7da4bc30ad0ba7e96fe24fddb4f06f45 Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 7 Feb 2024 12:06:03 -0500
Subject: [PATCH] add files
---
 s3-config-org/sns.s3.tf | 36 +++++++
 s3-config-org/sqs.s3.tf | 118 +++++++++++++++++++++
 s3-config-org/variables.s3-notification.tf | 17 +++
 3 files changed, 171 insertions(+)
 create mode 100644 s3-config-org/sns.s3.tf
 create mode 100644 s3-config-org/sqs.s3.tf
 create mode 100644 s3-config-org/variables.s3-notification.tf
diff --git a/s3-config-org/sns.s3.tf b/s3-config-org/sns.s3.tf
new file mode 100644
index 0000000..0ef5c49
--- /dev/null
+++ b/s3-config-org/sns.s3.tf
@@ -0,0 +1,36 @@
+resource "aws_sns_topic" "config_org_s3" {
+ count = var.enable_s3_sns ? 1 : 0
+ name = local.s3_notification_name
+ kms_master_key_id = data.aws_kms_key.incoming_key.id
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ { Name = local.s3_notification_name },
+ )
+}
+
+resource "aws_sns_topic_policy" "config_org_s3" {
+ count = var.enable_s3_sns ? 1 : 0
+ arn = var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : null
+ policy = data.aws_iam_policy_document.config_org_s3_topic.json
+}
+
+data "aws_iam_policy_document" "config_org_s3_topic" {
+ policy_id = format("%v_s3_topic", local.s3_notification_name)
+ statement {
+ sid = "CloudTrailSNSS3Policy"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["s3.amazonaws.com"]
+ }
+ actions = ["sns:Publish"]
+ resources = [var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : ""]
+ condition {
+ test = "StringEquals"
+ variable = "aws:SourceArn"
+ values = [aws_s3_bucket.config_org.arn]
+ }
+ }
+}
diff --git a/s3-config-org/sqs.s3.tf b/s3-config-org/sqs.s3.tf
new file mode 100644
index 0000000..2cb2d6c
--- /dev/null
+++ b/s3-config-org/sqs.s3.tf
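Review bot: The topic is encrypted with `data.aws_kms_key.incoming_key`, but the hunk only grants `sns:Publish`; S3 can deliver events to a KMS-encrypted topic only if that key's policy also lets `s3.amazonaws.com` use `kms:GenerateDataKey*` and `kms:Decrypt`, and a missing grant typically surfaces as notifications that are silently never delivered rather than as an apply-time error. The key policy is outside this patch, so it may already be covered — worth confirming, and the same grant is needed for `sns.amazonaws.com` on the KMS-encrypted queues in sqs.s3.tf. `data.aws_iam_policy_document.config_org_s3_topic` has no `count`, so with `enable_s3_sns = false` it still renders a statement whose Resource is `""`; that is harmless only because nothing consumes it, and `count = var.enable_s3_sns ? 1 : 0` on the data source (with `[0]` in the `policy` reference) would remove the dead document. The statement's `sid = "CloudTrailSNSS3Policy"` names CloudTrail while the guarded source is `aws_s3_bucket.config_org`; the two should agree so the policy reads as what it protects.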
@@ -0,0 +1,118 @@
+resource "aws_sqs_queue" "config_org_s3_deadletter" {
+ count = var.enable_s3_sqs ? 1 : 0
+ # delay=0 retention=4d max=256k visibility=1h
+ name = format("%v-deadletter", local.s3_notification_name)
+ delay_seconds = 0
+ max_message_size = 262144
+ message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 1 * 86400)
+ # message_retention_seconds = 345600
+ receive_wait_time_seconds = 15
+ visibility_timeout_seconds = 3600
+
+ kms_master_key_id = data.aws_kms_key.incoming_key.id
+ kms_data_key_reuse_period_seconds = 300
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ { Name = format("%v-deadletter", local.s3_notification_name) },
+ )
+}
+
+resource "aws_sqs_queue_policy" "config_org_s3_deadletter" {
+ count = var.enable_s3_sqs ? 1 : 0
+ queue_url = var.enable_s3_sqs ? aws_sqs_queue.config_org_s3_deadletter[0].id : null
+ policy = data.aws_iam_policy_document.config_org_s3_deadletter.json
+}
+
+data "aws_iam_policy_document" "config_org_s3_deadletter" {
+ # policy_id = "SQSDefaultPolicy"
+ statement {
+ sid = "AllowSNSSendMessage"
+ effect = "Allow"
+ actions = ["sqs:SendMessage"]
+ resources = [var.enable_s3_sqs ? aws_sqs_queue.config_org_s3_deadletter[0].arn : ""]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : ""]
+ }
+ }
+}
+
+resource "aws_sqs_queue" "config_org_s3" {
+ count = var.enable_s3_sqs ? 1 : 0
+ # delay=0 retention=7d max=256k visibity=2h
+ name = local.s3_notification_name
+ delay_seconds = 0
+ max_message_size = 262144
+ message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 7 * 86400)
+ # message_retention_seconds = 604800
+ receive_wait_time_seconds = 15
+ visibility_timeout_seconds = 7200
+
+ redrive_policy = jsonencode({
+ deadLetterTargetArn = var.enable_s3_sqs ? aws_sqs_queue.config_org_s3_deadletter[0].arn : null
+ maxReceiveCount = 100
+ })
+
+ kms_master_key_id = data.aws_kms_key.incoming_key.id
+ kms_data_key_reuse_period_seconds = 300
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ { Name = local.s3_notification_name },
+ )
+}
+
+resource "aws_sqs_queue_policy" "config_org_s3_sqs" {
+ count = var.enable_s3_sqs ? 1 : 0
+ queue_url = var.enable_s3_sqs ? aws_sqs_queue.config_org_s3[0].id : null
+ policy = data.aws_iam_policy_document.config_org_s3_sqs.json
+}
+
+data "aws_iam_policy_document" "config_org_s3_sqs" {
+ # policy_id = "SQSDefaultPolicy"
+ statement {
+ sid = "AllowSNSSendMessage"
+ effect = "Allow"
+ actions = ["sqs:SendMessage"]
+ resources = [var.enable_s3_sqs ? aws_sqs_queue.config_org_s3[0].arn : ""]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : ""]
+ }
+ }
+ statement {
+ sid = "AllowSQSS3SendMessage"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["s3.amazonaws.com"]
+ }
+ actions = ["sqs:SendMessage"]
+ resources = [var.enable_s3_sqs ? aws_sqs_queue.config_org_s3[0].arn : ""]
+ condition {
+ test = "StringEquals"
+ variable = "aws:SourceArn"
+ values = [var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : ""]
+ }
+ }
+}
+
+resource "aws_sns_topic_subscription" "config_org_s3_sqs" {
+ count = var.enable_s3_sqs && var.enable_s3_sns ? 1 : 0
+ protocol = "sqs"
+ topic_arn = var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : null
+ endpoint = var.enable_s3_sqs ? aws_sqs_queue.config_org_s3[0].arn : null
+}
diff --git a/s3-config-org/variables.s3-notification.tf b/s3-config-org/variables.s3-notification.tf
new file mode 100644
index 0000000..2e1ff6a
--- /dev/null
+++ b/s3-config-org/variables.s3-notification.tf
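Review bot: In `data.aws_iam_policy_document.config_org_s3_sqs`, the `AllowSQSS3SendMessage` statement lets `s3.amazonaws.com` send only when `aws:SourceArn` equals the SNS topic ARN, but S3 presents the bucket ARN in that key (which is exactly what the topic policy in sns.s3.tf checks), so the statement can never match; if direct S3-to-SQS delivery is intended it should read `values = [aws_s3_bucket.config_org.arn]`, and if everything flows through SNS it should be dropped. The two `AllowSNSSendMessage` statements use `principals { type = "AWS" identifiers = ["*"] }` where `type = "Service"` with `identifiers = ["sns.amazonaws.com"]` plus the existing `ArnEquals` condition is the tighter form, and with `enable_s3_sqs = true` and `enable_s3_sns = false` they currently render a `Principal: "*"` grant conditioned on an empty `aws:SourceArn`, which is confusing even if it matches nothing; the dead-letter copy also appears to grant nothing that is used, since redrive from the source queue does not go through SendMessage. The dead-letter retention falls back to `1 * 86400` while its own comment says `retention=4d` and the commented-out value is `345600`, and it is shorter than the main queue's `7 * 86400` fallback; a moved message keeps its original enqueue timestamp, so a dead-letter queue with shorter retention can expire messages on arrival, and AWS recommends the dead-letter retention exceed the source queue's. Both `lookup` calls read `local._defaults["sqs_deadletter"]`, which looks like a copy-paste for the main queue (`local._defaults` is outside this patch, so this is inferred). The `deadLetterTargetArn = var.enable_s3_sqs ? … : null` conditional is redundant inside a resource already gated by `count = var.enable_s3_sqs ? 1 : 0`.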
@@ -0,0 +1,17 @@
+variable "enable_s3_sns" {
+ description = "Flag to enable or disable the creation of SNS for the Cloudtrail S3 bucket"
+ type = bool
+ default = false
+}
+
+variable "enable_s3_sqs" {
+ description = "Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail S3 bucket"
+ type = bool
+ default = false
+}
+
+## variable "additional_s3_sqs_names" {
+## description = "List of additional SQS queues to create and subscribe to the S3 SNS topic (if enabled)"
+## type = list(string)
+## default = []
+## }
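Review bot: Both descriptions say the flags control notifications for the "Cloudtrail S3 bucket", while the resources in sns.s3.tf and sqs.s3.tf attach to `aws_s3_bucket.config_org`; if that bucket is the AWS Config delivery bucket the wording misleads callers, and if it genuinely holds CloudTrail logs the resource names are the odd ones out — either way the two should agree. The `##`-commented `additional_s3_sqs_names` block is dead code in a brand-new file; either implement it or replace it with a one-line `# TODO` naming the intended feature rather than a commented-out variable declaration.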