xpk/terraform.aws-baseline-infra
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
9371ec8e5b
terraform.aws-baseline-infra/modules/ManagementGovernance/acm-cert-expiry-notice/README.md

83 lines
3.4 KiB
Markdown
Raw Normal View History

NEW: acm-cert-expiry-notice module
2024-02-21 08:39:35 +08:00
ACM sends daily expiration events for all active certificates (public, private and imported) starting 45 days prior to expiration [1].
DOC: updated readme and variables
2024-02-21 08:42:56 +08:00
This module sets up event rule and sns notification. Deliver email notifications for expiring certificates, useful for imported certificates.
NEW: acm-cert-expiry-notice module
2024-02-21 08:39:35 +08:00
[1] https://docs.aws.amazon.com/acm/latest/userguide/supported-events.html
## Notes
* DaysToExpiry cannot be greater than 45
```bash
aws acm put-account-configuration --idempotency-token abcd123456 --expiry-events DaysBeforeExpiry=46 --region=ap-east-1
An error occurred (ValidationException) when calling the PutAccountConfiguration operation: Days before expiry cannot be over 45.
```
## Sample Event bridge event
```json
{
"version": "0",
"id": "id",
"detail-type": "ACM Certificate Approaching Expiration",
"source": "aws.acm",
"account": "account",
"time": "2020-09-30T06:51:08Z",
"region": "region",
"resources": [
"arn:aws:acm:region:account:certificate/certificate_ID"
],
"detail": {
"DaysToExpiry": 31,
"CommonName": "example.com"
}
}
```
## Requirements
| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 5.0 |
## Providers
| Name | Version |
|------|---------|
| aws | >= 5.0 |
| random | n/a |
## Modules
| Name | Source | Version |
|------|--------|---------|
| awscli | ../../util/terraform-aws-cli | n/a |
## Resources
| Name | Type |
|------|------|
| [aws_cloudwatch_event_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
| [aws_cloudwatch_event_target.sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_sns_topic.ssl-cert-expiry-notice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
| [aws_sns_topic_subscription.ssl-cert-expiry-notice-sub](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
| [random_id.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.sns_topic_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
UPD: updated variable comment for sns-kms-key-arn
2024-02-21 14:06:01 +08:00
| Name | Description | Type | Default | Required |
|------|----------------------------------------------------------------------------------|------|---------|:--------:|
| days-before-expiry | ACM DaysBeforeExpiry account configuration | `number` | `45` | no |
| email-addresses | Set of email addresses to receive SNS notifications | `set(string)` | n/a | yes |
| res-prefix | Resource name prefix | `string` | `"aws"` | no |
| sns-kms-key-arn | ARN of KMS key used for SNS encryption. This key must allow events.amazonaws.com | `string` | `null` | no |
NEW: acm-cert-expiry-notice module
2024-02-21 08:39:35 +08:00
## Outputs
No outputs.
---
## Authorship
UPD: added custom kms key support. the default alias/aws/sns key does not work.
2024-02-21 13:52:03 +08:00
This module was developed by UPDATE_THIS.
Reference in New Issue Copy Permalink