Allow passing of a new variable aws_sns_topic_arn and not create an SNS topic #36

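--- a/README.md
+++ b/README.md
@@ -182,6 +182,7 @@ module "rds_alarms" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
+| <a name="input_aws_sns_topic_arn"></a> [aws\_sns\_topic\_arn](#input\_aws\_sns\_topic\_arn) | ARN of an already existing SNS topic. | `string` | `""` | no |
 | <a name="input_burst_balance_threshold"></a> [burst\_balance\_threshold](#input\_burst\_balance\_threshold) | The minimum percent of General Purpose SSD (gp2) burst-bucket I/O credits available. | `string` | `20` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {}<br>}</pre> | no |
 | <a name="input_cpu_credit_balance_threshold"></a> [cpu\_credit\_balance\_threshold](#input\_cpu\_credit\_balance\_threshold) | The minimum number of CPU credits (t2 instances only) available. | `string` | `20` | no |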
28 changes: 14 additions & 14 deletions alarms.tf
Expand Up @@ -20,8 +20,8 @@ resource "aws_cloudwatch_metric_alarm" "burst_balance_too_low" {
statistic = "Average"
threshold = local.thresholds["BurstBalanceThreshold"]
alarm_description = "Average database storage burst balance over last 10 minutes too low, expect a significant performance drop soon"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
Expand All @@ -38,8 +38,8 @@ resource "aws_cloudwatch_metric_alarm" "cpu_utilization_too_high" {
statistic = "Average"
threshold = local.thresholds["CPUUtilizationThreshold"]
alarm_description = "Average database CPU utilization over last 10 minutes too high"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
Expand All @@ -56,8 +56,8 @@ resource "aws_cloudwatch_metric_alarm" "cpu_credit_balance_too_low" {
statistic = "Average"
threshold = local.thresholds["CPUCreditBalanceThreshold"]
alarm_description = "Average database CPU credit balance over last 10 minutes too low, expect a significant performance drop soon"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
Expand All @@ -74,8 +74,8 @@ resource "aws_cloudwatch_metric_alarm" "disk_queue_depth_too_high" {
statistic = "Average"
threshold = local.thresholds["DiskQueueDepthThreshold"]
alarm_description = "Average database disk queue depth over last 10 minutes too high, performance may suffer"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
Expand All @@ -92,8 +92,8 @@ resource "aws_cloudwatch_metric_alarm" "freeable_memory_too_low" {
statistic = "Average"
threshold = local.thresholds["FreeableMemoryThreshold"]
alarm_description = "Average database freeable memory over last 10 minutes too low, performance may suffer"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
Expand All @@ -110,8 +110,8 @@ resource "aws_cloudwatch_metric_alarm" "free_storage_space_too_low" {
statistic = "Average"
threshold = local.thresholds["FreeStorageSpaceThreshold"]
alarm_description = "Average database free storage space over last 10 minutes too low"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
Expand All @@ -128,8 +128,8 @@ resource "aws_cloudwatch_metric_alarm" "swap_usage_too_high" {
statistic = "Average"
threshold = local.thresholds["SwapUsageThreshold"]
alarm_description = "Average database swap usage over last 10 minutes too high, performance may suffer"
alarm_actions = aws_sns_topic.default.*.arn
ok_actions = aws_sns_topic.default.*.arn
alarm_actions = local.aws_sns_topic_arn
ok_actions = local.aws_sns_topic_arn

dimensions = {
DBInstanceIdentifier = var.db_instance_id
15 changes: 10 additions & 5 deletions main.tf
Expand Up @@ -11,8 +11,13 @@ module "topic_label" {
context = module.this.context
}

locals {
create_sns_topic = var.aws_sns_topic_arn == ""
aws_sns_topic_arn = local.create_sns_topic ? aws_sns_topic.default.*.arn : [var.aws_sns_topic_arn]
}

resource "aws_sns_topic" "default" {

MEDIUM   Ensure all data stored in the SNS topic is encrypted
    Resource: aws_sns_topic.default | ID: BC_AWS_GENERAL_15

How to Fix

resource "aws_sns_topic" "user_updates" {
  name              = "user-updates-topic"
+ kms_master_key_id = "alias/aws/sns"
}

Description

Amazon SNS is a publish/subscribe messaging service. When you publish messages to encrypted topics, customer master keys (CMKs) managed by AWS KMS are used to encrypt your messages at rest.

If you operate in a regulated market, such as HIPAA for healthcare, PCI DSS for finance, or FedRAMP for government, you need to ensure sensitive data messages passed in this service are encrypted at rest.

Benchmarks

  • PCI-DSS V3.2 3
  • FEDRAMP (MODERATE) SC-28

count = module.this.enabled ? 1 : 0
count = module.this.enabled && local.create_sns_topic ? 1 : 0
name = module.topic_label.id
}

Expand All @@ -28,7 +33,7 @@ module "subscription_label" {
resource "aws_db_event_subscription" "default" {
count = module.this.enabled ? 1 : 0
name = module.subscription_label.id
sns_topic = join("", aws_sns_topic.default.*.arn)
sns_topic = join("", local.aws_sns_topic_arn)

source_type = "db-instance"
source_ids = [var.db_instance_id]
Expand All @@ -43,18 +48,18 @@ resource "aws_db_event_subscription" "default" {
]

depends_on = [
aws_sns_topic_policy.default
local.aws_sns_topic_arn
]
}

resource "aws_sns_topic_policy" "default" {
count = module.this.enabled ? 1 : 0
count = module.this.enabled && local.create_sns_topic ? 1 : 0
arn = join("", aws_sns_topic.default.*.arn)
policy = join("", data.aws_iam_policy_document.sns_topic_policy.*.json)
}

data "aws_iam_policy_document" "sns_topic_policy" {
count = module.this.enabled ? 1 : 0
count = module.this.enabled && local.create_sns_topic ? 1 : 0

statement {
sid = "AllowManageSNS"
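Review bot: `depends_on = [local.aws_sns_topic_arn]` in aws_db_event_subscription.default is not a valid dependency target — Terraform accepts only references to resources, data sources or modules in depends_on, so this fails at plan time, and it also removes the ordering that made the event subscription wait until the topic policy existed. The original `depends_on = [aws_sns_topic_policy.default]` still works when that resource's count is 0, so that line should be restored. Note also that with an external ARN the module now manages no topic policy at all (aws_sns_topic_policy.default and data.aws_iam_policy_document.sns_topic_policy are both gated on local.create_sns_topic), so RDS may be unable to publish events to the supplied topic unless the caller has already granted that in the topic's own access policy; a comment on the locals block such as `# An externally supplied topic must already allow RDS/CloudWatch to publish; this module attaches a policy only to the topic it creates.` would make that responsibility explicit. The policy document's statement body begins at the last line of this hunk and continues outside it.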
2 changes: 1 addition & 1 deletion outputs.tf
@@ -1,4 +1,4 @@
output "sns_topic_arn" {
description = "The ARN of the SNS topic"
value = join("", aws_sns_topic.default.*.arn)
value = join("", local.aws_sns_topic_arn)
}
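Review bot: The output description still reads `The ARN of the SNS topic`, but the value can now be either the topic this module created or the one the caller passed in via aws_sns_topic_arn, and consumers of the output may assume the former (for example to attach extra subscriptions or a policy to it). Updating it to `description = "The ARN of the SNS topic used for notifications (created by this module, or supplied via aws_sns_topic_arn)"` keeps the contract honest.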
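--- a/variables.tf
+++ b/variables.tf
@@ -50,3 +50,9 @@ variable "swap_usage_threshold" {
 
 # 256 Megabyte in Byte
 }
+
+variable "aws_sns_topic_arn" {
+description = "ARN of an already existing SNS topic."
+type = string
+default = ""
+}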
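Review bot: The new variable's description says nothing about what the caller must provide for the supplied topic, yet main.tf now skips aws_sns_topic_policy.default and its policy document whenever this variable is non-empty, so the external topic's access policy may need to allow RDS event notifications and CloudWatch alarms to publish to it before anything in this module works. A description such as `"ARN of an existing SNS topic to use instead of creating one. The module does not manage the access policy of a supplied topic; it must already allow RDS and CloudWatch to publish."` records that. The empty-string default doubles as the create/do-not-create sentinel (`var.aws_sns_topic_arn == ""` in main.tf), so a caller passing `null` gets a topic list of `[null]` rather than a created topic; if the module already requires Terraform 0.13 or later, a `validation` block asserting the value is either empty or starts with `arn:` would surface that and any malformed ARN at plan time instead of in seven alarm resources at apply time.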