99 lines
2.6 KiB
HCL
99 lines
2.6 KiB
HCL
data "aws_caller_identity" "this" {}
|
|
|
|
resource "random_id" "this" {
|
|
byte_length = 2
|
|
}
|
|
|
|
resource "aws_cloudwatch_event_rule" "this" {
|
|
name = "${var.res-prefix}-ssl-cert-expiry-${random_id.this.dec}"
|
|
description = "Reminder of SSL expiring certificates"
|
|
|
|
event_pattern = jsonencode({
|
|
"source" : ["aws.acm"],
|
|
"detail-type" : ["ACM Certificate Approaching Expiration"]
|
|
})
|
|
}
|
|
|
|
resource "aws_cloudwatch_event_target" "sns" {
|
|
rule = aws_cloudwatch_event_rule.this.name
|
|
target_id = "ssl-cert-expiry-sns-${random_id.this.dec}"
|
|
arn = aws_sns_topic.ssl-cert-expiry-notice.arn
|
|
input_transformer {
|
|
input_paths = {
|
|
"cert" : "$.resources[0]",
|
|
"days" : "$.detail.DaysToExpiry",
|
|
"cn" : "$.detail.CommonName"
|
|
}
|
|
input_template = <<-EOT
|
|
"The following ACM certificate will expire soon"
|
|
|
|
"ID: <cert>"
|
|
"CommonName: <cn>"
|
|
"Days to expiry: <days>"
|
|
EOT
|
|
}
|
|
}
|
|
|
|
# Modify ACM DaysBeforeExpiry account setting if it should be set lower than the default 45 days
|
|
module "awscli" {
|
|
count = var.days-before-expiry < 45 ? 1 : 0
|
|
source = "../../util/terraform-aws-cli"
|
|
|
|
role_session_name = "terraform-awscli"
|
|
aws_cli_commands = ["acm", "put-account-configuration", "--idempotency-token", random_id.this.dec, "--expiry-events DaysBeforeExpiry=${var.days-before-expiry}"]
|
|
}
|
|
|
|
# SNS topic and subscription
|
|
resource "aws_sns_topic" "ssl-cert-expiry-notice" {
|
|
name = "${var.res-prefix}-ssl-cert-expiry-notice-${random_id.this.dec}"
|
|
kms_master_key_id = var.sns-kms-key-arn
|
|
}
|
|
|
|
resource "aws_sns_topic_policy" "default" {
|
|
arn = aws_sns_topic.ssl-cert-expiry-notice.arn
|
|
policy = data.aws_iam_policy_document.sns_topic_policy.json
|
|
}
|
|
|
|
data "aws_iam_policy_document" "sns_topic_policy" {
|
|
statement {
|
|
sid = "AllowPublishingFromEvents"
|
|
effect = "Allow"
|
|
actions = [
|
|
"sns:Publish",
|
|
"SNS:Publish"
|
|
]
|
|
|
|
principals {
|
|
type = "Service"
|
|
identifiers = ["events.amazonaws.com"]
|
|
}
|
|
|
|
resources = [aws_sns_topic.ssl-cert-expiry-notice.arn]
|
|
}
|
|
statement {
|
|
sid = "AllowPublishThroughSSLOnly"
|
|
effect = "Deny"
|
|
principals {
|
|
identifiers = ["*"]
|
|
type = "AWS"
|
|
}
|
|
actions = [
|
|
"sns:Publish",
|
|
"SNS:Publish"
|
|
]
|
|
condition {
|
|
test = "Bool"
|
|
values = ["false"]
|
|
variable = "aws:SecureTransport"
|
|
}
|
|
resources = [aws_sns_topic.ssl-cert-expiry-notice.arn]
|
|
}
|
|
}
|
|
|
|
resource "aws_sns_topic_subscription" "ssl-cert-expiry-notice-sub" {
|
|
for_each = var.email-addresses
|
|
topic_arn = aws_sns_topic.ssl-cert-expiry-notice.arn
|
|
protocol = "email"
|
|
endpoint = each.value
|
|
}
|