Merge pull request #64 from ricoli/sns-topic-support

ability to define an sns topic for notifications of config changes
trussworks · Jun 5, 2020 · 05518ae · 05518ae
2 parents 7a5086c + d02942b
commit 05518ae
Show file tree

Hide file tree

Showing 7 changed files with 112 additions and 4 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v2.5.0
+    rev: v3.1.0
     hooks:
       - id: check-json
       - id: check-merge-conflict
@@ -12,17 +12,17 @@ repos:
       - id: trailing-whitespace
 
   - repo: git://github.com/igorshubovych/markdownlint-cli
-    rev: v0.22.0
+    rev: v0.23.1
     hooks:
       - id: markdownlint
 
   - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.30.0
+    rev: v1.31.0
     hooks:
       - id: terraform_docs
       - id: terraform_fmt
 
   - repo: git://github.com/golangci/golangci-lint
-    rev: v1.25.0
+    rev: v1.27.0
     hooks:
       - id: golangci-lint
diff --git a/README.md b/README.md
@@ -137,6 +137,7 @@ module "aws_config" {
 | config\_logs\_prefix | The S3 prefix for AWS Config logs. | `string` | `"config"` | no |
 | config\_max\_execution\_frequency | The maximum frequency with which AWS Config runs evaluations for a rule. | `string` | `"TwentyFour_Hours"` | no |
 | config\_name | The name of the AWS Config instance. | `string` | `"aws-config"` | no |
+| config\_sns\_topic\_arn | An SNS topic to stream configuration changes and notifications to. | `string` | `null` | no |
 | include\_global\_resource\_types | Specifies whether AWS Config includes all supported types of global resources with the resources that it records. | `bool` | `true` | no |
 | password\_max\_age | Number of days before password expiration. | `number` | `90` | no |
 | password\_min\_length | Password minimum length. | `number` | `14` | no |

diff --git a/config-service.tf b/config-service.tf
@@ -12,6 +12,7 @@ resource "aws_config_delivery_channel" "main" {
   name           = var.config_name
   s3_bucket_name = var.config_logs_bucket
   s3_key_prefix  = var.config_logs_prefix
+  sns_topic_arn  = var.config_sns_topic_arn
 
   snapshot_delivery_properties {
     delivery_frequency = var.config_delivery_frequency

diff --git a/examples/sns-topic/main.tf b/examples/sns-topic/main.tf
@@ -0,0 +1,59 @@
+data "aws_partition" "current" {}
+
+#
+# AWS Config Logs Bucket
+#
+
+module "config_logs" {
+  source  = "trussworks/logs/aws"
+  version = "~> 8"
+
+  s3_bucket_name     = var.config_logs_bucket
+  region             = var.region
+  allow_config       = true
+  config_logs_prefix = "config"
+  force_destroy      = true
+}
+
+#
+# SNS Topic
+#
+
+data "aws_iam_policy_document" "config" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [module.config.aws_config_role_arn]
+    }
+    actions   = ["SNS:Publish"]
+    resources = [aws_sns_topic.config.arn]
+  }
+}
+
+resource "aws_sns_topic" "config" {
+  name = var.config_name
+}
+
+resource "aws_sns_topic_policy" "config" {
+  arn    = aws_sns_topic.config.arn
+  policy = data.aws_iam_policy_document.config.json
+}
+
+#
+# AWS Config
+#
+
+module "config" {
+  source = "../../"
+
+  config_name          = var.config_name
+  config_logs_bucket   = module.config_logs.aws_logs_bucket
+  config_logs_prefix   = "config"
+  config_sns_topic_arn = aws_sns_topic.config.arn
+
+  tags = {
+    "Automation" = "Terraform"
+    "Name"       = var.config_name
+  }
+}
diff --git a/examples/sns-topic/variables.tf b/examples/sns-topic/variables.tf
@@ -0,0 +1,12 @@
+variable "config_name" {
+  type = string
+}
+
+variable "config_logs_bucket" {
+  type = string
+}
+
+variable "region" {
+  type = string
+}
+
diff --git a/test/terraform_aws_config_test.go b/test/terraform_aws_config_test.go
@@ -80,3 +80,32 @@ func TestRequiredTags(t *testing.T) {
 	assert.NotEmpty(t, requiredTagsRuleARN)
 
 }
+
+func TestSnsTopic(t *testing.T) {
+	t.Parallel()
+
+	tempTestFolder := test_structure.CopyTerraformFolderToTemp(t, "../", "examples/sns-topic")
+
+	configName := fmt.Sprintf("aws-config-%s", strings.ToLower(random.UniqueId()))
+	expectedConfigLogsBucket := fmt.Sprintf("terratest-%s", configName)
+
+	// AWS only supports one configuration recorder per region.
+	// Each test will need to specify a different region.
+	awsRegion := "eu-west-2"
+
+	terraformOptions := &terraform.Options{
+		TerraformDir: tempTestFolder,
+		Vars: map[string]interface{}{
+			"region":             awsRegion,
+			"config_logs_bucket": expectedConfigLogsBucket,
+			"config_name":        configName,
+		},
+		EnvVars: map[string]string{
+			"AWS_DEFAULT_REGION": awsRegion,
+		},
+	}
+
+	defer terraform.Destroy(t, terraformOptions)
+
+	terraform.InitAndApply(t, terraformOptions)
+}
diff --git a/variables.tf b/variables.tf
@@ -266,3 +266,9 @@ variable "include_global_resource_types" {
   type        = bool
   default     = true
 }
+
+variable "config_sns_topic_arn" {
+  description = "An SNS topic to stream configuration changes and notifications to."
+  type        = string
+  default     = null
+}