initial commit
This commit is contained in:
@@ -0,0 +1,98 @@
|
||||
data "aws_caller_identity" "this" {}
|
||||
|
||||
resource "random_id" "this" {
|
||||
byte_length = 2
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_event_rule" "this" {
|
||||
name = "${var.res-prefix}-ssl-cert-expiry-${random_id.this.dec}"
|
||||
description = "Reminder of SSL expiring certificates"
|
||||
|
||||
event_pattern = jsonencode({
|
||||
"source" : ["aws.acm"],
|
||||
"detail-type" : ["ACM Certificate Approaching Expiration"]
|
||||
})
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_event_target" "sns" {
|
||||
rule = aws_cloudwatch_event_rule.this.name
|
||||
target_id = "ssl-cert-expiry-sns-${random_id.this.dec}"
|
||||
arn = aws_sns_topic.ssl-cert-expiry-notice.arn
|
||||
input_transformer {
|
||||
input_paths = {
|
||||
"cert" : "$.resources[0]",
|
||||
"days" : "$.detail.DaysToExpiry",
|
||||
"cn" : "$.detail.CommonName"
|
||||
}
|
||||
input_template = <<-EOT
|
||||
"The following ACM certificate will expire soon"
|
||||
|
||||
"ID: <cert>"
|
||||
"CommonName: <cn>"
|
||||
"Days to expiry: <days>"
|
||||
EOT
|
||||
}
|
||||
}
|
||||
|
||||
# Modify ACM DaysBeforeExpiry account setting if it should be set lower than the default 45 days
|
||||
module "awscli" {
|
||||
count = var.days-before-expiry < 45 ? 1 : 0
|
||||
source = "../../util/terraform-aws-cli"
|
||||
|
||||
role_session_name = "terraform-awscli"
|
||||
aws_cli_commands = ["acm", "put-account-configuration", "--idempotency-token", random_id.this.dec, "--expiry-events DaysBeforeExpiry=${var.days-before-expiry}"]
|
||||
}
|
||||
|
||||
# SNS topic and subscription
|
||||
resource "aws_sns_topic" "ssl-cert-expiry-notice" {
|
||||
name = "${var.res-prefix}-ssl-cert-expiry-notice-${random_id.this.dec}"
|
||||
kms_master_key_id = var.sns-kms-key-arn
|
||||
}
|
||||
|
||||
resource "aws_sns_topic_policy" "default" {
|
||||
arn = aws_sns_topic.ssl-cert-expiry-notice.arn
|
||||
policy = data.aws_iam_policy_document.sns_topic_policy.json
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "sns_topic_policy" {
|
||||
statement {
|
||||
sid = "AllowPublishingFromEvents"
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"sns:Publish",
|
||||
"SNS:Publish"
|
||||
]
|
||||
|
||||
principals {
|
||||
type = "Service"
|
||||
identifiers = ["events.amazonaws.com"]
|
||||
}
|
||||
|
||||
resources = [aws_sns_topic.ssl-cert-expiry-notice.arn]
|
||||
}
|
||||
statement {
|
||||
sid = "AllowPublishThroughSSLOnly"
|
||||
effect = "Deny"
|
||||
principals {
|
||||
identifiers = ["*"]
|
||||
type = "AWS"
|
||||
}
|
||||
actions = [
|
||||
"sns:Publish",
|
||||
"SNS:Publish"
|
||||
]
|
||||
condition {
|
||||
test = "Bool"
|
||||
values = ["false"]
|
||||
variable = "aws:SecureTransport"
|
||||
}
|
||||
resources = [aws_sns_topic.ssl-cert-expiry-notice.arn]
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_sns_topic_subscription" "ssl-cert-expiry-notice-sub" {
|
||||
for_each = var.email-addresses
|
||||
topic_arn = aws_sns_topic.ssl-cert-expiry-notice.arn
|
||||
protocol = "email"
|
||||
endpoint = each.value
|
||||
}
|
||||
Reference in New Issue
Block a user