From 73f8f06e661eb668cad91d15118b1c460c2257de Mon Sep 17 00:00:00 2001 From: Jan Sebastian Siwy Date: Mon, 22 Jan 2024 20:27:27 +0100 Subject: [PATCH 1/9] Initial version --- .github/workflows/validate.yml | 33 ++++ .gitignore | 2 + CHANGELOG.md | 5 + LICENSE | 7 + _test/.github/dependabot.yml | 10 ++ _test/main.tf | 23 +++ main.tf | 304 +++++++++++++++++++++++++++++++++ variables.tf | 50 ++++++ versions.tf | 10 ++ 9 files changed, 444 insertions(+) create mode 100644 .github/workflows/validate.yml create mode 100644 .gitignore create mode 100644 CHANGELOG.md create mode 100644 LICENSE create mode 100644 _test/.github/dependabot.yml create mode 100644 _test/main.tf create mode 100644 main.tf create mode 100644 variables.tf create mode 100644 versions.tf diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml new file mode 100644 index 0000000..4e12181 --- /dev/null +++ b/.github/workflows/validate.yml @@ -0,0 +1,33 @@ +name: Validate + +on: pull_request + +jobs: + validate_terraform_versions: + runs-on: ubuntu-22.04 + + strategy: + matrix: + terraform_version: + - "1.2.2" + + defaults: + run: + working-directory: _test + + steps: + - uses: actions/checkout@v4 + - uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ matrix.terraform_version }} + - run: terraform init + - run: terraform validate + + validate: # this is a workaround, see https://github.community/t/status-check-for-a-matrix-jobs/127354/6 + if: ${{ always() }} + needs: [validate_terraform_versions] + runs-on: ubuntu-22.04 + steps: + - name: Check build status of all needed jobs + if: ${{ needs.validate_terraform_versions.result != 'success' }} + run: exit 1 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..576c848 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +/_test/.terraform +/_test/.terraform.lock.hcl diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..32add6f --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,5 @@ +# CHANGELOG.md + +## v1.0.0 + +- [Initial version](https://github.com/babbel/terraform-aws-sns-to-rollbar/pull/1) diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..306de58 --- /dev/null +++ b/LICENSE @@ -0,0 +1,7 @@ +Copyright 2021 Babbel GmbH + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/_test/.github/dependabot.yml b/_test/.github/dependabot.yml new file mode 100644 index 0000000..df44be6 --- /dev/null +++ b/_test/.github/dependabot.yml @@ -0,0 +1,10 @@ +version: 2 + +updates: +- package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + day: saturday + time: "01:00" + timezone: Europe/Berlin diff --git a/_test/main.tf b/_test/main.tf new file mode 100644 index 0000000..9e77e66 --- /dev/null +++ b/_test/main.tf @@ -0,0 +1,23 @@ +provider "aws" { + region = "local" +} + +module "athena" { + source = "./.." + + name = "example" + + environment = "test" + level = "debug" + + json_key = "message" + + rollbar_project_access_token = { + access_token = "some-token" + } + + tags = { + app = "some-service" + env = "production" + } +} diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..e01d430 --- /dev/null +++ b/main.tf @@ -0,0 +1,304 @@ +# SNS topic (forwards messages to SQS queue) + +resource "aws_sns_topic" "this" { + name = var.name + tags = var.tags +} + +resource "aws_sns_topic_subscription" "sqs-queue" { + topic_arn = aws_sns_topic.this.arn + protocol = "sqs" + endpoint = aws_sqs_queue.this.arn +} + +# SQS queue + +resource "aws_sqs_queue" "this" { + name = var.name + tags = var.tags +} + +data "aws_iam_policy_document" "sqs-queue-consume" { + statement { + actions = [ + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:ReceiveMessage", + ] + + resources = [aws_sqs_queue.this.arn] + } +} + +resource "aws_sqs_queue_policy" "this" { + queue_url = aws_sqs_queue.this.url + policy = data.aws_iam_policy_document.sqs-queue.json +} + +data "aws_iam_policy_document" "sqs-queue" { + statement { + principals { + type = "Service" + identifiers = ["sns.amazonaws.com"] + } + + actions = ["sqs:SendMessage"] + resources = [aws_sqs_queue.this.arn] + + condition { + variable = "aws:SourceArn" + test = "ArnEquals" + values = [aws_sns_topic.this.arn] + } + } +} + +# EventBridge Pipe (pipes messages from SQS queue to Step Function) + +resource "aws_pipes_pipe" "this" { + name = var.name + role_arn = aws_iam_role.pipes-pipe.arn + + source = aws_sqs_queue.this.arn + + target = aws_sfn_state_machine.this.arn + + target_parameters { + input_template = < } + EOF + + step_function_state_machine_parameters { + invocation_type = "FIRE_AND_FORGET" + } + } + + tags = var.tags + + depends_on = [ + aws_iam_role_policy.pipes-pipe-sqs-queue-consume, + aws_iam_role_policy.pipes-pipe-sfn-state-machine-start-execution, + ] +} + +resource "aws_iam_role" "pipes-pipe" { + name = "pipes-${var.name}" + assume_role_policy = data.aws_iam_policy_document.pipes-assume-role.json + tags = var.tags +} + +data "aws_iam_policy_document" "pipes-assume-role" { + statement { + principals { + type = "Service" + identifiers = ["pipes.amazonaws.com"] + } + + actions = ["sts:AssumeRole"] + } +} +resource "aws_iam_role_policy" "pipes-pipe-sqs-queue-consume" { + role = aws_iam_role.pipes-pipe.name + name = "sqs-queue-consume" + policy = data.aws_iam_policy_document.sqs-queue-consume.json +} + +resource "aws_iam_role_policy" "pipes-pipe-sfn-state-machine-start-execution" { + role = aws_iam_role.pipes-pipe.name + name = "sfn-state-machine-start-execution" + policy = data.aws_iam_policy_document.sfn-state-machine-start-execution.json +} + +# Step Function (invokes Rollbar API) + +resource "aws_sfn_state_machine" "this" { + name = var.name + role_arn = aws_iam_role.sfn-state-machine.arn + + definition = jsonencode({ + StartAt = "PostItems" + + States = { + PostItems = { + Type = "Map" + + ItemProcessor = { + StartAt = "IsJSON" + + States = { + IsJSON = { + Type = "Choice" + + Choices = [ + { + Variable = "$.message" + StringMatches = "{*}" + Next = "ParseJSON" + }, + ] + + Default = "DontParseJSON" + } + + ParseJSON = { + Type = "Pass" + + Parameters = { + "message.$" = "States.StringToJson($.message)" + } + + Next = "FindBody" + } + + FindBody = { + Type = "Pass" + + Parameters = { + "body.$" = "$.message['${var.json_key}']" + } + ResultPath = "$.overrides" + + Next = "MergeBody" + } + + MergeBody = { + Type = "Pass" + + Parameters = { + "message.$" = "States.JsonMerge($.message, $.overrides, false)" + } + + Next = "PostItem" + } + + DontParseJSON = { + Type = "Pass" + + Parameters = { + "message" = { + "body.$" = "$.message" + } + } + + Next = "PostItem" + } + + PostItem = { + Type = "Task" + + Resource = "arn:aws:states:::http:invoke" + + Parameters = { + Method = "POST" + ApiEndpoint = "https://api.rollbar.com/api/1/item/" + Headers = { + "Accept" = "application/json" + "Content-Type" = "application/json" + } + Authentication = { + ConnectionArn = aws_cloudwatch_event_connection.this.arn + } + RequestBody = { + data = { + environment = var.environment + level = var.level + body = { + "message.$" = "$.message" + } + } + } + } + + End = true + } + } + } + + End = true + } + } + }) + + tags = var.tags +} + +data "aws_iam_policy_document" "sfn-state-machine-start-execution" { + statement { + actions = ["states:StartExecution"] + resources = [aws_sfn_state_machine.this.arn] + } +} + +resource "aws_iam_role" "sfn-state-machine" { + name = "step-function-${var.name}" + assume_role_policy = data.aws_iam_policy_document.states.json + tags = var.tags +} + +data "aws_iam_policy_document" "states" { + statement { + principals { + type = "Service" + identifiers = ["states.amazonaws.com"] + } + + actions = ["sts:AssumeRole"] + } +} + +resource "aws_iam_role_policy" "sfn-state-machine-invoke-http-endpoint" { + role = aws_iam_role.sfn-state-machine.name + name = "invoke-http-endpoint" + policy = data.aws_iam_policy_document.invoke-http-endpoint.json +} + +# Rollbar + +resource "aws_cloudwatch_event_connection" "this" { + name = "${var.name}-rollbar" + description = "Posts items to Rollbar" + authorization_type = "API_KEY" + + auth_parameters { + api_key { + key = "X-Rollbar-Access-Token" + value = var.rollbar_project_access_token.access_token + } + } +} + +data "aws_iam_policy_document" "invoke-http-endpoint" { + statement { + actions = [ + "states:InvokeHTTPEndpoint", + ] + resources = ["*"] + + condition { + variable = "states:HTTPMethod" + test = "StringEquals" + values = ["POST"] + } + + condition { + variable = "states:HTTPEndpoint" + test = "StringEquals" + values = ["https://api.rollbar.com/api/1/item/"] + } + } + + statement { + actions = [ + "events:RetrieveConnectionCredentials", + ] + resources = [aws_cloudwatch_event_connection.this.arn] + } + + statement { + actions = [ + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret", + ] + resources = [aws_cloudwatch_event_connection.this.secret_arn] + } +} diff --git a/variables.tf b/variables.tf new file mode 100644 index 0000000..e42c596 --- /dev/null +++ b/variables.tf @@ -0,0 +1,50 @@ +variable "environment" { + type = string + + description = < Date: Mon, 22 Jan 2024 20:34:31 +0100 Subject: [PATCH 2/9] Create outputs.tf --- outputs.tf | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 outputs.tf diff --git a/outputs.tf b/outputs.tf new file mode 100644 index 0000000..5811821 --- /dev/null +++ b/outputs.tf @@ -0,0 +1,7 @@ +output "sns_topic" { + value = aws_sns_topic.sns_topic + + description = < Date: Mon, 22 Jan 2024 20:36:48 +0100 Subject: [PATCH 3/9] Update outputs.tf --- outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/outputs.tf b/outputs.tf index 5811821..e6f4239 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,5 +1,5 @@ output "sns_topic" { - value = aws_sns_topic.sns_topic + value = aws_sns_topic.this description = < Date: Mon, 22 Jan 2024 20:39:58 +0100 Subject: [PATCH 4/9] fix formatting --- _test/main.tf | 2 +- main.tf | 4 ++-- variables.tf | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/_test/main.tf b/_test/main.tf index 9e77e66..500f5bb 100644 --- a/_test/main.tf +++ b/_test/main.tf @@ -8,7 +8,7 @@ module "athena" { name = "example" environment = "test" - level = "debug" + level = "debug" json_key = "message" diff --git a/main.tf b/main.tf index e01d430..269ae0d 100644 --- a/main.tf +++ b/main.tf @@ -131,9 +131,9 @@ resource "aws_sfn_state_machine" "this" { Choices = [ { - Variable = "$.message" + Variable = "$.message" StringMatches = "{*}" - Next = "ParseJSON" + Next = "ParseJSON" }, ] diff --git a/variables.tf b/variables.tf index e42c596..a5020df 100644 --- a/variables.tf +++ b/variables.tf @@ -41,7 +41,7 @@ EOS } variable "tags" { - type = map(string) + type = map(string) default = {} description = < Date: Mon, 22 Jan 2024 20:40:09 +0100 Subject: [PATCH 5/9] Add usage example to `README` --- README.md | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 837ed0c..28d989c 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,28 @@ -# terraform-aws-sns-to-rollbar +# AWS SNS to Rollbar + Terraform module which allows posting SNS messages to Rollbar + +## Usage + +```tf +module "sns-to-rollbar" { + source = "babbel/sns-to-rollbar/aws" + version = "~> 1.0" + + name = "example" + + environment = "test" + level = "debug" + + json_key = "message" + + rollbar_project_access_token = { + access_token = "some-token" + } + + tags = { + app = "some-service" + env = "production" + } +} +``` From 1d3db1fd3320162233c9543ba5cc7533086b9130 Mon Sep 17 00:00:00 2001 From: Jan Sebastian Siwy Date: Mon, 22 Jan 2024 20:45:50 +0100 Subject: [PATCH 6/9] update exmaples --- README.md | 6 +++--- _test/main.tf | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 28d989c..76b8552 100644 --- a/README.md +++ b/README.md @@ -11,15 +11,15 @@ module "sns-to-rollbar" { name = "example" - environment = "test" - level = "debug" - json_key = "message" rollbar_project_access_token = { access_token = "some-token" } + environment = "test" + level = "debug" + tags = { app = "some-service" env = "production" diff --git a/_test/main.tf b/_test/main.tf index 500f5bb..51adbeb 100644 --- a/_test/main.tf +++ b/_test/main.tf @@ -7,15 +7,15 @@ module "athena" { name = "example" - environment = "test" - level = "debug" - json_key = "message" rollbar_project_access_token = { access_token = "some-token" } + environment = "test" + level = "debug" + tags = { app = "some-service" env = "production" From e526c279594776252ce68a8f4edac78fe743237d Mon Sep 17 00:00:00 2001 From: Jan Sebastian Siwy Date: Tue, 23 Jan 2024 09:24:14 +0100 Subject: [PATCH 7/9] fix tests and README --- README.md | 2 +- _test/main.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 76b8552..cd7c7a6 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ module "sns-to-rollbar" { tags = { app = "some-service" - env = "production" + env = "test" } } ``` diff --git a/_test/main.tf b/_test/main.tf index 51adbeb..ad22081 100644 --- a/_test/main.tf +++ b/_test/main.tf @@ -2,7 +2,7 @@ provider "aws" { region = "local" } -module "athena" { +module "sns-to-rollbar" { source = "./.." name = "example" @@ -18,6 +18,6 @@ module "athena" { tags = { app = "some-service" - env = "production" + env = "test" } } From 504f35e2a38240576905cf42be0dc37e5e28e0dc Mon Sep 17 00:00:00 2001 From: Jan Sebastian Siwy Date: Tue, 23 Jan 2024 19:23:31 +0100 Subject: [PATCH 8/9] update Terraform version --- .github/workflows/validate.yml | 2 +- versions.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 4e12181..076392f 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -9,7 +9,7 @@ jobs: strategy: matrix: terraform_version: - - "1.2.2" + - "1.6.6" defaults: run: diff --git a/versions.tf b/versions.tf index 8fbc73b..7a2ec41 100644 --- a/versions.tf +++ b/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2.2" + required_version = ">= 1.6.6" required_providers { aws = { From 041658a3d28b53f88d26689724883d48bb235462 Mon Sep 17 00:00:00 2001 From: Jan Sebastian Siwy Date: Tue, 23 Jan 2024 19:23:53 +0100 Subject: [PATCH 9/9] Update LICENSE Co-authored-by: Fionn Masuhr --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 306de58..f661a1d 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright 2021 Babbel GmbH +Copyright 2024 Babbel GmbH Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: