terraform.aws-baseline-infra/modules/ManagementGovernance/acm-cert-expiry-notice/README.md


ACM sends daily expiration events for all active certificates (public, private and imported) starting 45 days prior to expiration [1]. This module sets up an EventBridge event rule and an SNS topic that delivers email notifications for expiring certificates. This is most useful for imported certificates, which ACM does not renew automatically.

[1] https://docs.aws.amazon.com/acm/latest/userguide/supported-events.html

## Notes

- The `DaysBeforeExpiry` account setting (reported as `DaysToExpiry` in the event) cannot be greater than 45:

```shell
aws acm put-account-configuration --idempotency-token abcd123456 --expiry-events DaysBeforeExpiry=46 --region=ap-east-1
```

```
An error occurred (ValidationException) when calling the PutAccountConfiguration operation: Days before expiry cannot be over 45.
```

## Sample EventBridge event

```json
{
  "version": "0",
  "id": "id",
  "detail-type": "ACM Certificate Approaching Expiration",
  "source": "aws.acm",
  "account": "account",
  "time": "2020-09-30T06:51:08Z",
  "region": "region",
  "resources": [
    "arn:aws:acm:region:account:certificate/certificate_ID"
  ],
  "detail": {
    "DaysToExpiry": 31,
    "CommonName": "example.com"
  }
}
```
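As an added example (not this module's own code), the wiring described above in Terraform: a variable validation that rejects `DaysBeforeExpiry` values over 45 at plan time instead of failing at apply time as in the note above, an EventBridge rule whose pattern matches the sample event, an SNS topic whose policy allows only the EventBridge service principal to publish, and one email subscription per address. Resource names, variable names and the input transformer template are assumptions; the module's actual resource names are listed under Resources below.

```hcl
# Added example, not the module's own code. All names below are assumptions.

variable "email_addresses" {
  description = "Email addresses that receive the expiry notifications"
  type        = set(string)
}

variable "days_before_expiry" {
  description = "ACM DaysBeforeExpiry account configuration"
  type        = number
  default     = 45

  # ACM rejects values above 45 (see Notes), so reject them at plan time.
  validation {
    condition     = var.days_before_expiry >= 1 && var.days_before_expiry <= 45
    error_message = "days_before_expiry must be between 1 and 45."
  }
}

data "aws_caller_identity" "this" {}

resource "aws_sns_topic" "cert_expiry" {
  name = "acm-cert-expiry-notice"
}

# Topic policy: only the EventBridge service principal may publish here.
# Without a policy like this, nothing except the account owner can publish,
# and the rule target below would silently fail to deliver.
data "aws_iam_policy_document" "sns_topic_policy" {
  statement {
    sid     = "AllowEventBridgePublish"
    effect  = "Allow"
    actions = ["sns:Publish"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    resources = [aws_sns_topic.cert_expiry.arn]
  }
}

resource "aws_sns_topic_policy" "default" {
  arn    = aws_sns_topic.cert_expiry.arn
  policy = data.aws_iam_policy_document.sns_topic_policy.json
}

# One email subscription per address; each recipient must confirm it.
resource "aws_sns_topic_subscription" "email" {
  for_each  = var.email_addresses
  topic_arn = aws_sns_topic.cert_expiry.arn
  protocol  = "email"
  endpoint  = each.value
}

# Event pattern matching the "source" and "detail-type" of the sample event.
resource "aws_cloudwatch_event_rule" "this" {
  name        = "acm-cert-approaching-expiration"
  description = "ACM certificate approaching expiration"

  event_pattern = jsonencode({
    source        = ["aws.acm"]
    "detail-type" = ["ACM Certificate Approaching Expiration"]
  })
}

# Forward matching events to the topic, rendering a readable message
# from detail.CommonName, detail.DaysToExpiry and the certificate ARN
# instead of sending the raw JSON event.
resource "aws_cloudwatch_event_target" "sns" {
  rule      = aws_cloudwatch_event_rule.this.name
  target_id = "SendToSNS"
  arn       = aws_sns_topic.cert_expiry.arn

  input_transformer {
    input_paths = {
      cn   = "$.detail.CommonName"
      days = "$.detail.DaysToExpiry"
      arn  = "$.resources[0]"
    }
    input_template = "\"ACM certificate <cn> (<arn>) expires in <days> days.\""
  }
}
```

The account-level `DaysBeforeExpiry` setting itself is not a Terraform resource; the module applies it through the `awscli` utility module listed under Modules, which is why the validation block is the only place the 45-day limit can be enforced before the CLI call runs.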

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 5.0 |

## Providers

| Name | Version |
|------|---------|
| aws | >= 5.0 |
| random | n/a |

## Modules

| Name | Source | Version |
|------|--------|---------|
| awscli | ../../util/terraform-aws-cli | n/a |

## Resources

| Name | Type |
|------|------|
| aws_cloudwatch_event_rule.this | resource |
| aws_cloudwatch_event_target.sns | resource |
| aws_sns_topic.ssl-cert-expiry-notice | resource |
| aws_sns_topic_policy.default | resource |
| aws_sns_topic_subscription.ssl-cert-expiry-notice-sub | resource |
| random_id.this | resource |
| aws_caller_identity.this | data source |
| aws_iam_policy_document.sns_topic_policy | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| days-before-expiry | ACM DaysBeforeExpiry account configuration | number | 45 | no |
| email-addresses | Set of email addresses to receive SNS notifications | set(string) | n/a | yes |
| res-prefix | Resource name prefix | string | "aws" | no |

## Outputs

No outputs.


## Authorship

This module was developed by xpk.