AWS Notify Slack Terraform module

This module creates an SNS topic (or uses an existing one) and an AWS Lambda function that sends notifications to Slack using the incoming webhooks API.

Start by setting up an incoming webhook integration in your Slack workspace.

Doing serverless with Terraform? Check out the serverless.tf framework, which aims to simplify all operations when working with serverless in Terraform.

Supported Features

  • AWS Lambda runtime Python 3.11
  • Create new SNS topic or use existing one
  • Supports plaintext and encrypted versions of the Slack webhook URL
  • Most Slack message options are customizable
  • Custom Lambda function
  • Various event types are supported, even generic messages:
    • AWS CloudWatch Alarms
    • AWS CloudWatch LogMetrics Alarms
    • AWS GuardDuty Findings

Usage

module "notify_slack" {
  source  = "terraform-aws-modules/notify-slack/aws"
  version = "~> 5.0"

  sns_topic_name = "slack-topic"

  slack_webhook_url = "https://hooks.slack.com/services/AAA/BBB/CCC"
  slack_channel     = "aws-notification"
  slack_username    = "reporter"
}
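
A hardened variant of the usage block above, added here as an example and not taken from the module's repository: the webhook URL is supplied as KMS ciphertext together with kms_key_arn, so the plaintext URL stays out of configuration and state. The variable names are hypothetical, and the base64 ciphertext format is an assumption about what the module's Lambda function decrypts.

```hcl
# Added example, not the module's own code. Variable names are hypothetical.

# ARN of an existing KMS key. The module is given this ARN so the Lambda
# function can decrypt the webhook URL at run time.
variable "slack_webhook_kms_key_arn" {
  description = "ARN of the KMS key that encrypted the Slack webhook URL"
  type        = string
}

# Base64 ciphertext produced outside Terraform (assumed format), e.g.:
#   aws kms encrypt --key-id <key-arn> --plaintext fileb://webhook.txt \
#     --query CiphertextBlob --output text
# Marking it sensitive keeps the value out of plan and apply output.
variable "slack_webhook_url_ciphertext" {
  description = "KMS-encrypted Slack webhook URL (base64 ciphertext)"
  type        = string
  sensitive   = true
}

module "notify_slack" {
  source  = "terraform-aws-modules/notify-slack/aws"
  version = "~> 5.0"

  sns_topic_name = "slack-topic"

  # Weak form (as in the usage block above): a plaintext URL in the
  # configuration, which anyone with read access to the repository or
  # the state file can use to post to the channel.
  # slack_webhook_url = "https://hooks.slack.com/services/AAA/BBB/CCC"

  # Hardened form: ciphertext plus the key the Lambda function decrypts with.
  slack_webhook_url = var.slack_webhook_url_ciphertext
  kms_key_arn       = var.slack_webhook_kms_key_arn

  slack_channel  = "aws-notification"
  slack_username = "reporter"

  # Keep incoming event payloads out of CloudWatch Logs and bound retention.
  log_events                             = false
  cloudwatch_log_group_retention_in_days = 30
}
```

A webhook URL that has already been committed in plaintext should be rotated in Slack before switching to the encrypted form.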

Using with Terraform Cloud Agents

Terraform Cloud Agents are a paid feature, available as part of the Terraform Cloud for Business upgrade package.

This module requires Python 3.11. You can customize tfc-agent to include Python using this sample Dockerfile:

FROM hashicorp/tfc-agent:latest
RUN apt-get -y update && apt-get -y install python3.11 python3-pip
ENTRYPOINT ["/bin/tfc-agent"]

Use existing SNS topic or create new

If you want to subscribe the AWS Lambda function created by this module to an existing SNS topic, specify create_sns_topic = false as an argument and put the name of the existing SNS topic in sns_topic_name.

Examples

  • notify-slack-simple - Creates an SNS topic which sends messages to a Slack channel.
  • cloudwatch-alerts-to-slack - End-to-end example which shows how to send AWS CloudWatch alerts to a Slack channel and use KMS to encrypt the webhook URL.

Local Development and Testing

See the functions for further details.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 4.8 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.8 |

Modules

| Name | Source | Version |
|------|--------|---------|
| lambda | terraform-aws-modules/lambda/aws | 6.8.0 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.lambda | resource |
| aws_iam_role.sns_feedback_role | resource |
| aws_sns_topic.this | resource |
| aws_sns_topic_subscription.sns_notify_slack | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.lambda | data source |
| aws_iam_policy_document.sns_feedback | data source |
| aws_iam_policy_document.sns_feedback_allow_log_creation | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| architectures | Instruction set architecture for your Lambda function. Valid values are ["x86_64"] and ["arm64"]. | list(string) | null | no |
| cloudwatch_log_group_kms_key_id | The ARN of the KMS Key to use when encrypting log data for Lambda | string | null | no |
| cloudwatch_log_group_retention_in_days | Specifies the number of days you want to retain log events in the log group for Lambda. | number | 0 | no |
| cloudwatch_log_group_tags | Additional tags for the CloudWatch log group | map(string) | {} | no |
| create | Whether to create all resources | bool | true | no |
| create_sns_topic | Whether to create new SNS topic | bool | true | no |
| enable_sns_topic_delivery_status_logs | Whether to enable SNS topic delivery status logs | bool | false | no |
| hash_extra | The string to add into hashing function. Useful when building same source path for different functions. | string | "" | no |
| iam_policy_path | Path of policies that should be added to IAM role for Lambda Function | string | null | no |
| iam_role_boundary_policy_arn | The ARN of the policy that is used to set the permissions boundary for the role | string | null | no |
| iam_role_name_prefix | A unique role name beginning with the specified prefix | string | "lambda" | no |
| iam_role_path | Path of IAM role to use for Lambda Function | string | null | no |
| iam_role_tags | Additional tags for the IAM role | map(string) | {} | no |
| kms_key_arn | ARN of the KMS key used for decrypting Slack webhook URL | string | "" | no |
| lambda_attach_dead_letter_policy | Controls whether SNS/SQS dead letter notification policy should be added to IAM role for Lambda Function | bool | false | no |
| lambda_dead_letter_target_arn | The ARN of an SNS topic or SQS queue to notify when an invocation fails. | string | null | no |
| lambda_description | The description of the Lambda function | string | null | no |
| lambda_function_ephemeral_storage_size | Amount of ephemeral storage (/tmp) in MB your Lambda Function can use at runtime. Valid values are between 512 MB and 10,240 MB (10 GB). | number | 512 | no |
| lambda_function_name | The name of the Lambda function to create | string | "notify_slack" | no |
| lambda_function_s3_bucket | S3 bucket to store artifacts | string | null | no |
| lambda_function_store_on_s3 | Whether to store produced artifacts on S3 or locally. | bool | false | no |
| lambda_function_tags | Additional tags for the Lambda function | map(string) | {} | no |
| lambda_function_vpc_security_group_ids | List of security group ids when Lambda Function should run in the VPC. | list(string) | null | no |
| lambda_function_vpc_subnet_ids | List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets. | list(string) | null | no |
| lambda_role | IAM role attached to the Lambda Function. If this is set then a role will not be created for you. | string | "" | no |
| lambda_source_path | The source path of the custom Lambda function | string | null | no |
| log_events | Boolean flag to enable/disable logging of incoming events | bool | false | no |
| putin_khuylo | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | bool | true | no |
| recreate_missing_package | Whether to recreate missing Lambda package if it is missing locally or not | bool | true | no |
| reserved_concurrent_executions | The amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations | number | -1 | no |
| slack_channel | The name of the channel in Slack for notifications | string | n/a | yes |
| slack_emoji | A custom emoji that will appear on Slack messages | string | ":aws:" | no |
| slack_username | The username that will appear on Slack messages | string | n/a | yes |
| slack_webhook_url | The URL of Slack webhook | string | n/a | yes |
| sns_topic_feedback_role_description | Description of IAM role to use for SNS topic delivery status logging | string | null | no |
| sns_topic_feedback_role_force_detach_policies | Specifies to force detaching any policies the IAM role has before destroying it. | bool | true | no |
| sns_topic_feedback_role_name | Name of the IAM role to use for SNS topic delivery status logging | string | null | no |
| sns_topic_feedback_role_path | Path of IAM role to use for SNS topic delivery status logging | string | null | no |
| sns_topic_feedback_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by SNS topic delivery status logging | string | null | no |
| sns_topic_feedback_role_tags | A map of tags to assign to the SNS topic feedback IAM role | map(string) | {} | no |
| sns_topic_kms_key_id | ARN of the KMS key used for enabling SSE on the topic | string | "" | no |
| sns_topic_lambda_feedback_role_arn | IAM role for SNS topic delivery status logs. If this is set then a role will not be created for you. | string | "" | no |
| sns_topic_lambda_feedback_sample_rate | The percentage of successful deliveries to log | number | 100 | no |
| sns_topic_name | The name of the SNS topic to create | string | n/a | yes |
| sns_topic_tags | Additional tags for the SNS topic | map(string) | {} | no |
| subscription_filter_policy | (Optional) A valid filter policy that will be used in the subscription to filter messages seen by the target resource. | string | null | no |
| subscription_filter_policy_scope | (Optional) A valid filter policy scope MessageAttributes\|MessageBody | string | null | no |
| tags | A map of tags to add to all resources | map(string) | {} | no |
| trigger_on_package_timestamp | (Optional) Whether or not to ignore the file timestamp when deciding to create the archive | bool | false | no |

Outputs

| Name | Description |
|------|-------------|
| lambda_cloudwatch_log_group_arn | The Amazon Resource Name (ARN) specifying the log group |
| lambda_iam_role_arn | The ARN of the IAM role used by Lambda function |
| lambda_iam_role_name | The name of the IAM role used by Lambda function |
| notify_slack_lambda_function_arn | The ARN of the Lambda function |
| notify_slack_lambda_function_invoke_arn | The ARN to be used for invoking Lambda function from API Gateway |
| notify_slack_lambda_function_last_modified | The date Lambda function was last modified |
| notify_slack_lambda_function_name | The name of the Lambda function |
| notify_slack_lambda_function_version | Latest published version of your Lambda function |
| slack_topic_arn | The ARN of the SNS topic from which messages will be sent to Slack |
| sns_topic_feedback_role_arn | The Amazon Resource Name (ARN) of the IAM role used for SNS delivery status logging |
| this_slack_topic_arn | The ARN of the SNS topic from which messages will be sent to Slack (backward compatibility for version 4.x) |

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.