setup for enable_sns

terraform-modules · Nov 16, 2021 · 433ae6e · 433ae6e
1 parent 9381371
commit 433ae6e
Show file tree

Hide file tree

Showing 3 changed files with 160 additions and 0 deletions.
diff --git a/cloudtrail/README.md b/cloudtrail/README.md
@@ -62,11 +62,21 @@ No modules.
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_sns_topic.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
+| [aws_sns_topic_policy.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
+| [aws_sns_topic_subscription.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sqs_queue.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue_policy.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| [aws_sqs_queue_policy.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudwatch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

diff --git a/cloudtrail/sns.tf b/cloudtrail/sns.tf
@@ -0,0 +1,54 @@
+resource "aws_sns_topic" "cloudtrail" {
+  count = var.enable_sns ? 1 : 0
+  name  = local.name
+
+  tags = merge(
+    local.base_tags,
+    local.tags
+  )
+}
+
+resource "aws_sns_topic_policy" "cloudtrail" {
+  count  = var.enable_sns ? 1 : 0
+  arn    = aws_sns_topic.cloudtrail.arn
+  policy = data.aws_iam_policy_document.cloudtrail_topic.json
+}
+
+data "aws_iam_policy_document" "cloudtrail_topic" {
+  policy_id = format("%v_topic", local.name)
+  statement {
+    sid    = "CloudtrailSNSPermissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    actions = [
+      "sns:Subscribe",
+      "sns:SetTopicAttributes",
+      "sns:RemovePermission",
+      "sns:Receive",
+      "sns:Publish",
+      "sns:ListSubscriptionsByTopic",
+      "sns:GetTopicAttributes",
+      "sns:DeleteTopic",
+      "sns:AddPermission",
+    ]
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceOwner"
+      values   = [loal.account_id]
+    }
+    resources = [var.enable_sns ? aws_sns_topic.cloudtrail[0].arn : null]
+  }
+  statement {
+    sid    = "CloudTrailSNSPolicy"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    actions   = ["sns:Publish"]
+    resources = [var.enable_sns ? aws_sns_topic.cloudtrail[0].arn : null]
+  }
+}
diff --git a/cloudtrail/sqs.tf b/cloudtrail/sqs.tf
@@ -0,0 +1,96 @@
+resource "aws_sqs_queue" "cloudtrail_deadletter" {
+  # delay=0 retention=4d max=256k visibility=1h
+  name                       = format("%v-deadletter", local.name)
+  delay_seconds              = 0
+  max_message_size           = 262144
+  message_retention_seconds  = 345600
+  receive_wait_time_seconds  = 15
+  visibility_timeout_seconds = 3600
+
+  kms_master_key_id                 = data.aws_kms_key.incoming_key.id
+  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    map("Name", format("%v-deadletter", local.name)),
+  )
+}
+
+resource "aws_sqs_queue_policy" "cloudtrail_deadletter" {
+  queue_url = aws_sqs_queue.cloudtrail_deadletter.id
+  policy    = data.aws_iam_policy_document.cloudtrail_deadletter.json
+}
+
+data "aws_iam_policy_document" "cloudtrail_deadletter" {
+  policy_id = "SQSDefaultPolicy"
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["SQS:SendMessage"]
+    resources = [aws_sqs_queue.cloudtrail_deadletter.arn]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_sns_topic.cloudtrail.arn]
+    }
+  }
+}
+
+resource "aws_sqs_queue" "cloudtrail" {
+  # delay=0 retention=7d max=256k visibity=2h
+  name                       = local.name
+  delay_seconds              = 0
+  max_message_size           = 262144
+  message_retention_seconds  = 604800
+  receive_wait_time_seconds  = 15
+  visibility_timeout_seconds = 7200
+
+  redrive_policy = jsonencode({
+    deadLetterTargetArn = aws_sqs_queue.cloudtrail_deadletter.arn
+    maxReceiveCount     = 100
+  })
+
+  kms_master_key_id                 = data.aws_kms_key.incoming_key.id
+  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    map("Name", local.name),
+  )
+}
+
+resource "aws_sqs_queue_policy" "cloudtrail_sqs" {
+  queue_url = aws_sqs_queue.cloudtrail.id
+  policy    = data.aws_iam_policy_document.cloudtrail_sqs.json
+}
+
+data "aws_iam_policy_document" "cloudtrail_sqs" {
+  policy_id = "SQSDefaultPolicy"
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["SQS:SendMessage"]
+    resources = [aws_sqs_queue.cloudtrail.arn]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_sns_topic.cloudtrail.arn]
+    }
+  }
+}
+
+resource "aws_sns_topic_subscription" "cloudtrail_sqs" {
+  protocol  = "sqs"
+  topic_arn = aws_sns_topic.cloudtrail.arn
+  endpoint  = aws_sqs_queue.cloudtrail.arn
+}