Allow passing existing sns topic var #46

Closed
Changes from 3 commits
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -186,6 +186,7 @@ module "rds_alarms" {
|------|-------------|------|---------|:--------:|
| <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
| <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
| <a name="input_aws_sns_topic_arn"></a> [aws\_sns\_topic\_arn](#input\_aws\_sns\_topic\_arn) | ARN of an already existing SNS topic. | `string` | `""` | no |
| <a name="input_burst_balance_threshold"></a> [burst\_balance\_threshold](#input\_burst\_balance\_threshold) | The minimum percent of General Purpose SSD (gp2) burst-bucket I/O credits available. | `number` | `20` | no |
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <a name="input_cpu_credit_balance_threshold"></a> [cpu\_credit\_balance\_threshold](#input\_cpu\_credit\_balance\_threshold) | The minimum number of CPU credits (t2 instances only) available. | `number` | `20` | no |
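Review bot: the new `aws_sns_topic_arn` row should say what supplying a value changes, because the main.tf hunks make that non-obvious: when the variable is non-empty the module skips not only `aws_sns_topic.default` but also `aws_sns_topic_policy.default` and the `sns_topic_policy` policy document, so the caller's topic must already carry whatever that document grants (sid `AllowManageSNS`), and encryption at rest on that topic is likewise the caller's concern. Suggest something like `ARN of an existing SNS topic to use instead of creating one. The module does not manage the access policy or encryption settings of a supplied topic.`, and keep the identical row in docs/terraform.md in sync.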
28 changes: 14 additions & 14 deletions alarms.tf
Expand Up @@ -41,8 +41,8 @@ resource "aws_cloudwatch_metric_alarm" "burst_balance_too_low" {
statistic = "Average"
threshold = local.thresholds["BurstBalanceThreshold"]
alarm_description = "Average database storage burst balance over last 10 minutes too low, expect a significant performance drop soon"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
Expand All @@ -59,8 +59,8 @@ resource "aws_cloudwatch_metric_alarm" "cpu_utilization_too_high" {
statistic = "Average"
threshold = local.thresholds["CPUUtilizationThreshold"]
alarm_description = "Average database CPU utilization over last 10 minutes too high"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
Expand All @@ -77,8 +77,8 @@ resource "aws_cloudwatch_metric_alarm" "cpu_credit_balance_too_low" {
statistic = "Average"
threshold = local.thresholds["CPUCreditBalanceThreshold"]
alarm_description = "Average database CPU credit balance over last 10 minutes too low, expect a significant performance drop soon"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
Expand All @@ -95,8 +95,8 @@ resource "aws_cloudwatch_metric_alarm" "disk_queue_depth_too_high" {
statistic = "Average"
threshold = local.thresholds["DiskQueueDepthThreshold"]
alarm_description = "Average database disk queue depth over last 10 minutes too high, performance may suffer"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
Expand All @@ -113,8 +113,8 @@ resource "aws_cloudwatch_metric_alarm" "freeable_memory_too_low" {
statistic = "Average"
threshold = local.thresholds["FreeableMemoryThreshold"]
alarm_description = "Average database freeable memory over last 10 minutes too low, performance may suffer"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
Expand All @@ -131,8 +131,8 @@ resource "aws_cloudwatch_metric_alarm" "free_storage_space_too_low" {
statistic = "Average"
threshold = local.thresholds["FreeStorageSpaceThreshold"]
alarm_description = "Average database free storage space over last 10 minutes too low"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
Expand All @@ -149,8 +149,8 @@ resource "aws_cloudwatch_metric_alarm" "swap_usage_too_high" {
statistic = "Average"
threshold = local.thresholds["SwapUsageThreshold"]
alarm_description = "Average database swap usage over last 10 minutes too high, performance may suffer"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
1 change: 1 addition & 0 deletions docs/terraform.md
Expand Up @@ -44,6 +44,7 @@
|------|-------------|------|---------|:--------:|
| <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
| <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
| <a name="input_aws_sns_topic_arn"></a> [aws\_sns\_topic\_arn](#input\_aws\_sns\_topic\_arn) | ARN of an already existing SNS topic. | `string` | `""` | no |
| <a name="input_burst_balance_threshold"></a> [burst\_balance\_threshold](#input\_burst\_balance\_threshold) | The minimum percent of General Purpose SSD (gp2) burst-bucket I/O credits available. | `number` | `20` | no |
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <a name="input_cpu_credit_balance_threshold"></a> [cpu\_credit\_balance\_threshold](#input\_cpu\_credit\_balance\_threshold) | The minimum number of CPU credits (t2 instances only) available. | `number` | `20` | no |
15 changes: 10 additions & 5 deletions main.tf
Expand Up @@ -11,8 +11,13 @@ module "topic_label" {
context = module.this.context
}

locals {
create_sns_topic = var.aws_sns_topic_arn == ""
aws_sns_topic_arn = local.create_sns_topic ? aws_sns_topic.default.*.arn : [var.aws_sns_topic_arn]
}

resource "aws_sns_topic" "default" {
MEDIUM   Ensure AWS SNS topic has SSE enabled
    Resource: aws_sns_topic.default | ID: BC_AWS_GENERAL_15

How to Fix

resource "aws_sns_topic" "example" {
  ...
  name              = "user-updates-topic"
+ kms_master_key_id = "alias/aws/sns"
}

Description

Amazon SNS is a publishers and subscribers messaging service. When you publish messages to encrypted topics, customer master keys (CMK), powered by AWS KMS, can be used to encrypt your messages.

If you operate in a regulated market, such as HIPAA for healthcare, PCI DSS for finance, or FedRAMP for government, you need to ensure sensitive data messages passed in this service are encrypted at rest.

Benchmarks

  • PCI-DSS V3.2 3
  • FEDRAMP (MODERATE) SC-28

@bridgecrew bridgecrew bot Jul 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MEDIUM   Ensure AWS SNS topic has SSE enabled
    Resource: module.rds_alarms.aws_sns_topic.default | ID: BC_AWS_GENERAL_15

How to Fix

resource "aws_sns_topic" "example" {
  ...
  name              = "user-updates-topic"
+ kms_master_key_id = "alias/aws/sns"
}

Description

Amazon SNS is a publishers and subscribers messaging service. When you publish messages to encrypted topics, customer master keys (CMK), powered by AWS KMS, can be used to encrypt your messages.

If you operate in a regulated market, such as HIPAA for healthcare, PCI DSS for finance, or FedRAMP for government, you need to ensure sensitive data messages passed in this service are encrypted at rest.

Benchmarks

  • PCI-DSS V3.2 3
  • FEDRAMP (MODERATE) SC-28

🎉   Fixed by commit 9580fac - Add test for existing SNS topic

count = module.this.enabled ? 1 : 0
count = module.this.enabled && local.create_sns_topic ? 1 : 0
name = module.topic_label.id
}
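Review bot: `create_sns_topic = var.aws_sns_topic_arn == ""` treats the empty string as the only "create a topic" signal, so a caller who passes `null` (common when wiring optional inputs through a wrapper module) gets `create_sns_topic = false` and `local.aws_sns_topic_arn = [null]`, which then flows into every `alarm_actions`, `ok_actions`, the subscription's `sns_topic` and the output as a value that is not a usable ARN. Suggest `create_sns_topic = coalesce(var.aws_sns_topic_arn, "") == ""`, or alternatively `nullable = false` on the variable so `null` falls back to the default. Also note that the bridgecrew finding above is still open for the topic this module creates: nothing in this hunk sets `kms_master_key_id` on `aws_sns_topic.default`.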

Expand All @@ -28,7 +33,7 @@ module "subscription_label" {
resource "aws_db_event_subscription" "default" {
count = module.this.enabled ? 1 : 0
name = module.subscription_label.id
sns_topic = join("", aws_sns_topic.default.*.arn)
sns_topic = join("", local.aws_sns_topic_arn)

source_type = "db-instance"
source_ids = [var.db_instance_id]
Expand All @@ -43,18 +48,18 @@ resource "aws_db_event_subscription" "default" {
]

depends_on = [
aws_sns_topic_policy.default
local.aws_sns_topic_arn
]
}

resource "aws_sns_topic_policy" "default" {
count = module.this.enabled ? 1 : 0
count = module.this.enabled && local.create_sns_topic ? 1 : 0
arn = join("", aws_sns_topic.default.*.arn)
policy = join("", data.aws_iam_policy_document.sns_topic_policy.*.json)
}

data "aws_iam_policy_document" "sns_topic_policy" {
count = module.this.enabled ? 1 : 0
count = module.this.enabled && local.create_sns_topic ? 1 : 0

statement {
sid = "AllowManageSNS"
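Review bot: the `depends_on` change at the top of this hunk drops an ordering guarantee rather than preserving it. `depends_on = [aws_sns_topic_policy.default]` ensured the subscription was created only after the topic policy (sid `AllowManageSNS`) was attached; `local.aws_sns_topic_arn` references only `aws_sns_topic.default` and the variable, so even where Terraform accepts a local here it carries just those dependencies, and on a fresh apply the subscription can now be created before `aws_sns_topic_policy.default`. A count-0 resource is still a valid `depends_on` target, so the original `depends_on = [aws_sns_topic_policy.default]` is correct in both the created and the pre-existing-topic case and the line did not need to change. Gating `aws_sns_topic_policy.default` and the `sns_topic_policy` data source on `local.create_sns_topic` is the right call; it should just be stated in the README that the module never touches the policy of a supplied topic.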
2 changes: 1 addition & 1 deletion outputs.tf
@@ -1,4 +1,4 @@
output "sns_topic_arn" {
description = "The ARN of the SNS topic"
value = join("", aws_sns_topic.default.*.arn)
value = join("", local.aws_sns_topic_arn)
}
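Review bot: the `description` now under-describes the value: with an external topic this output echoes `var.aws_sns_topic_arn` back rather than the ARN of a topic the module created, which matters to callers using it to detect whether a topic was created. Suggest `The ARN of the SNS topic used for alarms (created by this module, or the one supplied via aws_sns_topic_arn)`.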
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -50,3 +50,9 @@ variable "swap_usage_threshold" {

# 256 Megabyte in Byte
}

variable "aws_sns_topic_arn" {
description = "ARN of an already existing SNS topic."
type = string
default = ""
}
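Review bot: this variable is missing input validation, so a typo in the ARN only surfaces as a provider error from the alarm or subscription resources at apply time. Suggest a `validation` block such as `condition = var.aws_sns_topic_arn == "" || can(regex("^arn:aws[a-z-]*:sns:", var.aws_sns_topic_arn))` with `error_message = "aws_sns_topic_arn must be empty or an SNS topic ARN."` (the `aws[a-z-]*` part keeps the `aws-cn` and `aws-us-gov` partitions valid), plus `nullable = false` so an explicit `null` falls back to the `""` default instead of leaking into the locals in main.tf. The description should also mention that an empty value means "create a topic".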