terraform.aws-baseline-infra/modules/ManagementGovernance/acm-cert-expiry-notice/README.md
2024-02-21 21:19:18 +08:00


ACM sends daily expiration events for all active certificates (public, private and imported), starting 45 days before expiration [1]. This module sets up an EventBridge event rule and an SNS topic with email subscriptions, so that each expiring certificate produces an email notification. This is most useful for imported certificates, since ACM cannot renew those.

## Notes

- The account-level `DaysBeforeExpiry` setting (module input `days-before-expiry`) cannot be greater than 45; the API rejects larger values:

  ```shell
  aws acm put-account-configuration --idempotency-token abcd123456 --expiry-events DaysBeforeExpiry=46 --region=ap-east-1
  ```

  ```
  An error occurred (ValidationException) when calling the PutAccountConfiguration operation: Days before expiry cannot be over 45.
  ```

- The KMS key used for the SNS topic must allow `events.amazonaws.com`. Check that the statement below is present in the KMS key policy. Otherwise the only symptom is a rising `FailedInvocations` count in the event rule's metrics graph, with no other debug info. The AWS managed key `alias/aws/sns` does not allow EventBridge (CloudWatch Events) to encrypt or decrypt with it [2].

  ```json
  {
    "Sid": "Allow publish from events",
    "Effect": "Allow",
    "Principal": {
      "Service": "events.amazonaws.com"
    },
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ],
    "Resource": "*"
  }
  ```
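Because a missing key-policy statement only shows up as failed invocations, it is worth checking the policy document itself before touching the event rule. The following is an added example, not part of this module: it reads a KMS key policy as JSON and reports which of the actions from the statement above `events.amazonaws.com` is not effectively granted. The two policies at the bottom are constructed samples, and the README's wildcard actions are expanded to the concrete KMS actions they cover.

```python
"""Check that a KMS key policy lets EventBridge use the key the SNS topic is
encrypted with.

Added example, not part of the module. It implements the README's advice to
verify the KMS key policy before blaming the event rule. The policies at the
bottom are constructed samples; the wildcard actions from the README statement
are expanded to the concrete KMS actions they cover.
"""
import json
from fnmatch import fnmatch

EVENTS_PRINCIPAL = "events.amazonaws.com"

# Concrete expansion of the README statement's action list
# (kms:ReEncrypt* and kms:GenerateDataKey* expanded to named actions).
REQUIRED_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
)


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_principals(statement):
    """Service principals a statement names; a bare "*" principal means everyone."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    return _as_list(principal.get("Service"))


def _covers_key(statement):
    """Key policies normally use Resource "*"; an explicit key ARN is accepted too."""
    resources = _as_list(statement.get("Resource"))
    return any(r == "*" or ":key/" in r for r in resources)


def _granted(action, action_patterns):
    """True if any (possibly wildcarded) pattern covers `action`.

    IAM action names are case-insensitive, so both sides are lower-cased."""
    return any(fnmatch(action.lower(), p.lower()) for p in action_patterns)


def missing_event_actions(policy_json):
    """Return the required actions events.amazonaws.com is NOT effectively granted.

    Mirrors IAM evaluation loosely: an Allow statement naming the EventBridge
    service principal (or "*") grants its actions, and an explicit Deny for the
    same principal removes them again. Conditions are ignored, which is
    optimistic: a conditional Allow can still fail at runtime. An empty result
    means the policy carries the statement the README asks for.
    """
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        principals = _service_principals(stmt)
        if EVENTS_PRINCIPAL not in principals and "*" not in principals:
            continue
        if not _covers_key(stmt):
            continue
        actions = _as_list(stmt.get("Action"))
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.update(a for a in REQUIRED_ACTIONS if _granted(a, actions))
    return sorted((set(REQUIRED_ACTIONS) - allowed) | denied)


# Constructed sample: the README statement next to the usual root-account statement.
POLICY_WITH_EVENTS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow publish from events", "Effect": "Allow",
         "Principal": {"Service": "events.amazonaws.com"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
})

# Constructed sample resembling a key only SNS itself may use: EventBridge gets
# nothing, so deliveries to the encrypted topic surface as FailedInvocations.
POLICY_SNS_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, policy in (("with events", POLICY_WITH_EVENTS), ("sns only", POLICY_SNS_ONLY)):
        missing = missing_event_actions(policy)
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Feed it the output of `aws kms get-key-policy --policy-name default` for the key passed as `sns-kms-key-arn`; a non-empty result points at the key policy rather than at the rule or the topic policy.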

[1] https://docs.aws.amazon.com/acm/latest/userguide/supported-events.html
[2] https://docs.gruntwork.io/discussions/knowledge-base/238/

## Sample EventBridge event

```json
{
  "version": "0",
  "id": "id",
  "detail-type": "ACM Certificate Approaching Expiration",
  "source": "aws.acm",
  "account": "account",
  "time": "2020-09-30T06:51:08Z",
  "region": "region",
  "resources": [
    "arn:aws:acm:region:account:certificate/certificate_ID"
  ],
  "detail": {
    "DaysToExpiry": 31,
    "CommonName": "example.com"
  }
}
```
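The event rule selects events like the sample above by pattern, and the SNS target turns each match into an email. The following is an added example, not the module's code: it implements EventBridge's matching semantics (every pattern key must be present and match; leaf patterns are lists of alternatives or numeric filters) and renders the message a subscriber would receive. `RULE_PATTERN` is an assumption about what `aws_cloudwatch_event_rule.this` matches, since the README does not show the pattern; `STRICT_PATTERN` goes a step further and shows how a numeric filter on `DaysToExpiry` would cut the daily 45-day notices down to the final month. The sample event is the README's own.

```python
"""Apply an EventBridge-style event pattern to ACM expiry events and render
the e-mail an SNS subscriber would get.

Added example, not the module's code. RULE_PATTERN is an assumption about what
aws_cloudwatch_event_rule.this matches (the README does not show the pattern);
STRICT_PATTERN shows how a numeric filter would narrow the rule further.
"""
import json
import operator

# Assumed basic rule: every ACM expiry event in the account and region.
RULE_PATTERN = {
    "source": ["aws.acm"],
    "detail-type": ["ACM Certificate Approaching Expiration"],
}

# Assumed stricter variant: EventBridge numeric matching, only 30 days or less
# left, which silences the first two weeks of the 45-day window.
STRICT_PATTERN = {
    **RULE_PATTERN,
    "detail": {"DaysToExpiry": [{"numeric": ["<=", 30]}]},
}

_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
        ">": operator.gt, ">=": operator.ge}


def _numeric_ok(value, spec):
    """spec is EventBridge's flat [op, bound, op, bound, ...]; every pair must hold."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_OPS[op](value, bound) for op, bound in zip(spec[0::2], spec[1::2]))


def _leaf_ok(value, alternatives):
    """A leaf pattern is a list: the value must equal one entry or pass a numeric filter."""
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            if _numeric_ok(value, alt["numeric"]):
                return True
        elif value == alt:
            return True
    return False


def matches(pattern, event):
    """Every key in the pattern must exist in the event and match; extra event keys are fine."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        if isinstance(sub, dict):
            if not isinstance(event[key], dict) or not matches(sub, event[key]):
                return False
        elif not _leaf_ok(event[key], sub):
            return False
    return True


def render_notification(event):
    """Subject and body for the e-mail (assumed format; SNS caps subjects at 100 chars)."""
    detail = event["detail"]
    subject = f"ACM certificate {detail['CommonName']} expires in {detail['DaysToExpiry']} days"[:100]
    body = "\n".join([
        f"Certificate: {event['resources'][0]}",
        f"Common name: {detail['CommonName']}",
        f"Days to expiry: {detail['DaysToExpiry']}",
        f"Event time: {event['time']} ({event['region']}, account {event['account']})",
    ])
    return subject, body


def process(event_json, pattern=RULE_PATTERN):
    """Return (subject, body) when the event matches the pattern, else None."""
    event = json.loads(event_json)
    if not matches(pattern, event):
        return None
    return render_notification(event)


# The README's sample event, as the rule would receive it.
SAMPLE_EVENT = json.dumps({
    "version": "0",
    "id": "id",
    "detail-type": "ACM Certificate Approaching Expiration",
    "source": "aws.acm",
    "account": "account",
    "time": "2020-09-30T06:51:08Z",
    "region": "region",
    "resources": ["arn:aws:acm:region:account:certificate/certificate_ID"],
    "detail": {"DaysToExpiry": 31, "CommonName": "example.com"},
})

if __name__ == "__main__":
    print(process(SAMPLE_EVENT))
    print(process(SAMPLE_EVENT, STRICT_PATTERN))
```

With the sample's `DaysToExpiry` of 31 the basic pattern matches and the strict one does not, which is the behaviour to expect when tuning the rule: a tighter pattern is applied by EventBridge before the target is invoked, so the SNS topic never sees the filtered-out days.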

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 5.0 |

## Providers

| Name | Version |
|------|---------|
| aws | >= 5.0 |
| random | n/a |

## Modules

| Name | Source | Version |
|------|--------|---------|
| awscli | ../../util/terraform-aws-cli | n/a |

## Resources

| Name | Type |
|------|------|
| aws_cloudwatch_event_rule.this | resource |
| aws_cloudwatch_event_target.sns | resource |
| aws_sns_topic.ssl-cert-expiry-notice | resource |
| aws_sns_topic_policy.default | resource |
| aws_sns_topic_subscription.ssl-cert-expiry-notice-sub | resource |
| random_id.this | resource |
| aws_caller_identity.this | data source |
| aws_iam_policy_document.sns_topic_policy | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| days-before-expiry | ACM `DaysBeforeExpiry` account configuration | number | 45 | no |
| email-addresses | Set of email addresses to receive SNS notifications | set(string) | n/a | yes |
| res-prefix | Resource name prefix | string | "aws" | no |
| sns-kms-key-arn | ARN of the KMS key used for SNS encryption. This key must allow `events.amazonaws.com` | string | null | no |

## Outputs

No outputs.

## Authorship

This module was developed by xpk.