xpk/terraform.aws-baseline-infra
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
d56e02214d
terraform.aws-baseline-infra/modules/ManagementGovernance/acm-cert-expiry-notice
History
xpk d56e02214d
DOC: Provided sample KMS key policy for reference
2024-02-21 14:08:53 +08:00
..
examples NEW: added examples directory 2024-02-21 08:43:18 +08:00
main.tf UPD: added custom kms key support. the default alias/aws/sns key does not work. 2024-02-21 13:52:03 +08:00
README.md DOC: Provided sample KMS key policy for reference 2024-02-21 14:08:53 +08:00
variables.tf UPD: updated variable comment for sns-kms-key-arn 2024-02-21 14:06:01 +08:00
versions.tf NEW: acm-cert-expiry-notice module 2024-02-21 08:39:35 +08:00

README.md

ACM sends daily expiration events for all active certificates (public, private and imported) starting 45 days prior to expiration [1]. This module sets up event rule and sns notification. Deliver email notifications for expiring certificates, useful for imported certificates.

[1] https://docs.aws.amazon.com/acm/latest/userguide/supported-events.html

Notes

  • DaysToExpiry cannot be greater than 45
 aws acm put-account-configuration --idempotency-token abcd123456 --expiry-events DaysBeforeExpiry=46 --region=ap-east-1

An error occurred (ValidationException) when calling the PutAccountConfiguration operation: Days before expiry cannot be over 45.
  • KMS key for SNS must allow events.amazonaws.com. Check that this statement is present in the KMS key policy. Otherwise you will get FailedInvocation in event rule graph and there is no other debug info.
{
"Sid": "Allow publish from events",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}

Sample Event bridge event

{
  "version": "0",
  "id": "id",
  "detail-type": "ACM Certificate Approaching Expiration",
  "source": "aws.acm",
  "account": "account",
  "time": "2020-09-30T06:51:08Z",
  "region": "region",
  "resources": [
    "arn:aws:acm:region:account:certificate/certificate_ID"
  ],
  "detail": {
    "DaysToExpiry": 31,
    "CommonName": "example.com"
  }
}

Requirements

Name Version
terraform >= 1.3.0
aws >= 5.0

Providers

Name Version
aws >= 5.0
random n/a

Modules

Name Source Version
awscli ../../util/terraform-aws-cli n/a

Resources

Name Type
aws_cloudwatch_event_rule.this resource
aws_cloudwatch_event_target.sns resource
aws_sns_topic.ssl-cert-expiry-notice resource
aws_sns_topic_policy.default resource
aws_sns_topic_subscription.ssl-cert-expiry-notice-sub resource
random_id.this resource
aws_caller_identity.this data source
aws_iam_policy_document.sns_topic_policy data source

Inputs

Name Description Type Default Required
days-before-expiry ACM DaysBeforeExpiry account configuration number 45 no
email-addresses Set of email addresses to receive SNS notifications set(string) n/a yes
res-prefix Resource name prefix string "aws" no
sns-kms-key-arn ARN of KMS key used for SNS encryption. This key must allow events.amazonaws.com string null no

Outputs

No outputs.

Authorship

This module was developed by UPDATE_THIS.