SNS topic

Author: paulschwarzenberger

main.tf

@@ -190,6 +190,7 @@ module "create_rsa_root_ca_lambda" {
   domain                          = var.hosted_zone_domain
   runtime                         = var.runtime
   public_crl                      = var.public_crl
+  sns_topic_arn                   = module.sns.sns_topic_arn
 }
 
 module "create_rsa_issuing_ca_lambda" {
@@ -210,6 +211,7 @@ module "create_rsa_issuing_ca_lambda" {
   domain                          = var.hosted_zone_domain
   runtime                         = var.runtime
   public_crl                      = var.public_crl
+  sns_topic_arn                   = module.sns.sns_topic_arn
 }
 
 module "rsa_root_ca_crl_lambda" {
@@ -232,6 +234,7 @@ module "rsa_root_ca_crl_lambda" {
   domain                          = var.hosted_zone_domain
   runtime                         = var.runtime
   public_crl                      = var.public_crl
+  sns_topic_arn                   = module.sns.sns_topic_arn
 }
 
 module "rsa_issuing_ca_crl_lambda" {
@@ -254,6 +257,7 @@ module "rsa_issuing_ca_crl_lambda" {
   domain                          = var.hosted_zone_domain
   runtime                         = var.runtime
   public_crl                      = var.public_crl
+  sns_topic_arn                   = module.sns.sns_topic_arn
 }
 
 module "rsa_tls_cert_lambda" {
@@ -276,6 +280,7 @@ module "rsa_tls_cert_lambda" {
   public_crl                      = var.public_crl
   max_cert_lifetime               = var.max_cert_lifetime
   allowed_invocation_principals   = var.aws_principals
+  sns_topic_arn                   = module.sns.sns_topic_arn
 }
 
 module "cloudfront_certificate" {
@@ -369,3 +374,16 @@ module "db-reader-role" {
   policy             = "db_reader"
   assume_role_policy = "db_reader"
 }
+
+module "sns-ca-notifications" {
+  source = "./modules/terraform-aws-ca-sns"
+
+  project               = var.project
+  function              = "ca-notifications"
+  env                   = var.env
+  custom_sns_topic_name = var.custom_sns_topic_name
+  kms_key_arn           = coalesce(var.kms_arn_resource, module.kms_tls_keygen.kms_arn)
+  email_subscriptions   = var.sns_email_subscriptions
+  lambda_subscriptions  = var.sns_lambda_subscriptions
+  sqs_subscriptions     = var.sns_sqs_subscriptions
+}

modules/terraform-aws-ca-lambda/main.tf

@@ -61,6 +61,7 @@ resource "aws_lambda_function" "lambda" {
       ROOT_CA_INFO        = jsonencode(var.root_ca_info)
       ROOT_CRL_DAYS       = tostring(var.root_crl_days)
       ROOT_CRL_SECONDS    = tostring(var.root_crl_seconds)
+      SNS_TOPIC_ARN       = var.sns_topic_arn
     }
   }
 

modules/terraform-aws-ca-lambda/variables.tf

@@ -109,6 +109,10 @@ variable "runtime" {
   description = "Lambda language runtime"
 }
 
+variable "sns_topic_arn" {
+  description = "SNS Topic ARN for Lambda function to publish to"
+}
+
 variable "subscription_filter_destination" {
   description = "CloudWatch log subscription filter destination, last section of ARN"
   default     = ""

modules/terraform-aws-ca-sns/data.tf

@@ -0,0 +1,3 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}

modules/terraform-aws-ca-sns/locals.tf

@@ -0,0 +1,8 @@
+locals {
+  sns_topic_name = coalesce(var.custom_sns_topic_name, "${var.project}}-${var.function}-${var.env}")
+
+  tags = merge(var.tags, {
+    Terraform = "true"
+    Name      = local.sns_topic_name,
+  })
+}

modules/terraform-aws-ca-sns/main.tf

@@ -0,0 +1,36 @@
+resource "aws_sns_topic" "sns_topic" {
+  name   = local.sns_topic_name
+  policy = coalesce(var.sns_policy, templatefile("${path.module}/templates/${var.sns_policy_template}.json", { region = data.aws_region.current.id, account_id = data.aws_caller_identity.current.account_id, sns_topic_name = local.sns_topic_name }))
+
+  tags = merge(
+    var.tags,
+    tomap(
+      { "Name" = local.sns_topic_name }
+    )
+  )
+  kms_master_key_id = var.kms_key_arn
+}
+
+resource "aws_sns_topic_subscription" "email_subscriptions" {
+  for_each             = toset(var.email_subscriptions)
+  endpoint             = each.key
+  protocol             = "email"
+  topic_arn            = aws_sns_topic.sns_topic.arn
+  raw_message_delivery = false
+}
+
+resource "aws_sns_topic_subscription" "lambda_subscriptions" {
+  for_each             = var.lambda_subscriptions
+  endpoint             = each.value
+  protocol             = "lambda"
+  topic_arn            = aws_sns_topic.sns_topic.arn
+  raw_message_delivery = false
+}
+
+resource "aws_sns_topic_subscription" "sqs_subscriptions" {
+  for_each             = var.sqs_subscriptions
+  endpoint             = each.value
+  protocol             = "sqs"
+  topic_arn            = aws_sns_topic.sns_topic.arn
+  raw_message_delivery = true
+}

modules/terraform-aws-ca-sns/outputs.tf

@@ -0,0 +1,3 @@
+output "sns_topic_arn" {
+  value = aws_sns_topic.sns_topic.arn
+}

modules/terraform-aws-ca-sns/templates/default.json

@@ -0,0 +1,30 @@
+{
+  "Version": "2012-10-17",
+  "Id": "default_policy",
+  "Statement": [
+    {
+      "Sid": "default_statement",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": [
+        "sns:GetTopicAttributes",
+        "sns:SetTopicAttributes",
+        "sns:AddPermission",
+        "sns:RemovePermission",
+        "sns:DeleteTopic",
+        "sns:Subscribe",
+        "sns:ListSubscriptionsByTopic",
+        "sns:Publish",
+        "sns:Receive"
+      ],
+      "Resource": "arn:aws:sns:${region}:${account_id}:${sns_topic_name}",
+      "Condition": {
+        "StringEquals": {
+          "AWS:SourceOwner": "${account_id}"
+        }
+      }
+    }
+  ]
+}

modules/terraform-aws-ca-sns/templates/eventbridge.json

@@ -0,0 +1,39 @@
+{
+  "Version": "2012-10-17",
+  "Id": "allow_account_access_to_topic_policy",
+  "Statement": [
+    {
+      "Sid": "allow_account_access_to_topic",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": [
+        "sns:GetTopicAttributes",
+        "sns:SetTopicAttributes",
+        "sns:AddPermission",
+        "sns:RemovePermission",
+        "sns:DeleteTopic",
+        "sns:Subscribe",
+        "sns:ListSubscriptionsByTopic",
+        "sns:Publish",
+        "sns:Receive"
+      ],
+      "Resource": "arn:aws:sns:${region}:${account_id}:${sns_topic_name}",
+      "Condition": {
+        "StringEquals": {
+          "AWS:SourceOwner": "${account_id}"
+        }
+      }
+    },
+    {
+      "Sid": "allow_eventbridge_access_to_topic",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "events.amazonaws.com"
+      },
+      "Action": "sns:Publish",
+      "Resource": "arn:aws:sns:${region}:${account_id}:${sns_topic_name}"
+    }
+  ]
+}

modules/terraform-aws-ca-sns/variables.tf

@@ -0,0 +1,57 @@
+variable "project" {
+  description = "abbreviation for the project, forms the first part of the resource name"
+  default     = ""
+}
+
+variable "function" {
+  description = "forms the second part of the resource name"
+  default     = ""
+}
+
+variable "env" {
+  description = "suffix for environment, e.g. dev"
+  default     = ""
+}
+
+variable "custom_sns_topic_name" {
+  description = "Customised SNS topic name, leave empty to use standard naming convention"
+  default     = ""
+}
+
+variable "sns_policy" {
+  description = "A string containing the SNS policy, if used"
+  default     = ""
+}
+
+variable "sns_policy_template" {
+  description = "Name of SNS policy template file, if used"
+  default     = "default"
+}
+
+variable "kms_key_arn" {
+  description = "A KMS key arn to be used to encrypt the queue contents at rest"
+  default     = null
+}
+
+variable "email_subscriptions" {
+  type        = list(string)
+  description = "List of email addresses to subscribe to this topic"
+  default     = []
+}
+
+variable "lambda_subscriptions" {
+  type        = map(string)
+  description = "A map of lambda names to arns to subscribe to this topic"
+  default     = {}
+}
+
+variable "sqs_subscriptions" {
+  type        = map(string)
+  description = "A map of SQS names to arns to subscribe to this topic"
+  default     = {}
+}
+
+variable "tags" {
+  type    = map(string)
+  default = {}
+}