DNXLabs · mvsnogueira-dnx · Jan 26, 2024 · Jan 25, 2024 · Jan 25, 2024 · Jan 25, 2024
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -16,6 +16,6 @@ jobs:
         with:
           directory: .
           framework: terraform
-          skip_check: ""
+          skip_check: "CKV2_AWS_64"
           quiet: true
           skip_path: "examples"
diff --git a/README.md b/README.md
@@ -1,8 +1,27 @@
-# terraform-aws-template
+# terraform-aws-health-events-notification
 
 [![Lint Status](https://github.com/DNXLabs/terraform-aws-template/workflows/Lint/badge.svg)](https://github.com/DNXLabs/terraform-aws-template/actions)
 [![LICENSE](https://img.shields.io/github/license/DNXLabs/terraform-aws-template)](https://github.com/DNXLabs/terraform-aws-template/blob/master/LICENSE)
 
+Terraform module to configure AWS EventBridge Rules and SNS Notifications for AWS Personal Health Dashboard
+
+The following resources will be created:
+
+ - Event Bridge
+   - You can use a defaut event pattern or a custom event pattern, where you can select which services you want monitor
+      - Amazon ECR image scanning helps in identifying software vulnerabilities in your container images.
+ - SNS topics / Subscriptions
+
+
+You can enable organizational view from the AWS Health console. You must sign in to the management account of your AWS organization.
+To view the AWS Health Dashboard for your organization
+
+    Open your AWS Health Dashboard at https://health.aws.amazon.com/health/home
+
+In the navigation pane, under Your organization health, choose Configurations.
+
+On the Enable organizational view page, choose Enable organizational view.
+
 <!--- BEGIN_TF_DOCS --->
 
 ## Requirements

diff --git a/_data.tf b/_data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
diff --git a/examples/event-default-pattern.tf b/examples/event-default-pattern.tf
@@ -0,0 +1,8 @@
+module "aws_health_config" {
+  source                 = "./modules/aws-health"
+  email_endpoint         = "[email protected]"  # Email address for notifications (manual confirmation)
+  webhook_endpoint       = ""  # Webhook URL for notifications (automatic confirmation)
+  aws_health_services    = []  # List of AWS services to filter AWS Health events
+  use_default_event_pattern = true
+  sns_topic_name = "AWSHealthEventSNS"
+}
diff --git a/examples/event-service-pattern.tf b/examples/event-service-pattern.tf
@@ -0,0 +1,8 @@
+module "aws_health_config" {
+  source                 = "./modules/aws-health"
+  email_endpoint         = "[email protected]"  # Email address for notifications (manual confirmation)
+  webhook_endpoint       = ""  # Webhook URL for notifications (automatic confirmation)
+  aws_health_services    = ["RDS","EC2","S3"]  # List of AWS services to filter AWS Health events
+  use_default_event_pattern = false
+  sns_topic_name = "AWSHealthEventSNS"
+}
diff --git a/kms.tf b/kms.tf
@@ -0,0 +1,46 @@
+# Create the KMS key
+resource "aws_kms_key" "sns" {
+  count                   = var.sns_kms_encryption ? 1 : 0
+  deletion_window_in_days = 7
+  description             = "SNS CMK Encryption Key"
+  enable_key_rotation     = true
+}
+
+# Define the KMS policy document
+data "aws_iam_policy_document" "kms_policy_sns" {
+  count = var.sns_kms_encryption ? 1 : 0
+
+  statement {
+    sid    = "Enable Specific IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions   = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = [aws_kms_key.sns[0].arn]
+  }
+
+  statement {
+    sid       = "Allow Use of Key for Specific Services"
+    actions   = ["kms:Decrypt", "kms:GenerateDataKey*"]
+    principals {
+      type        = "Service"
+      identifiers = ["cloudwatch.amazonaws.com", "lambda.amazonaws.com"]
+    }
+    resources = [aws_kms_key.sns[0].arn]
+  }
+}
+
+# Update the policy of the KMS key
+resource "aws_kms_key_policy" "sns_policy" {
+  count      = var.sns_kms_encryption ? 1 : 0
+  key_id     = aws_kms_key.sns[0].key_id
+  policy     = data.aws_iam_policy_document.kms_policy_sns[0].json
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,51 @@
+locals {
+  custom_event_pattern = {
+    "source"      = ["aws.health"],
+    "detail-type" = ["AWS Health Event"],
+    "detail" = {
+      "service" = var.aws_health_services
+    }
+  }
+
+  default_event_pattern = {
+    "source"      = ["aws.health"],
+    "detail-type" = ["AWS Health Event"]
+  }
+}
+
+resource "aws_cloudwatch_event_rule" "console" {
+  count       = var.sns_topic_name != "" ? 1 : 0
+  name        = "AWSHealthEventRule"
+  description = "EventBridge rule for AWS Health events"
+
+  event_pattern = var.use_default_event_pattern ? jsonencode(local.default_event_pattern) : jsonencode(local.custom_event_pattern)
+}
+resource "aws_sns_topic" "health_event_topic" {
+  count             = var.sns_topic_name != "" ? 1 : 0
+  kms_master_key_id = var.sns_kms_encryption ? aws_kms_key.sns[0].id : null # default key does not allow cloudwatch alarms to publish
+  name              = var.sns_topic_name
+}
+
+resource "aws_cloudwatch_event_target" "sns" {
+  count     = var.sns_topic_name != "" ? 1 : 0
+  rule      = aws_cloudwatch_event_rule.console[count.index].name
+  target_id = "SendToSNS"
+  arn       = aws_sns_topic.health_event_topic[count.index].arn
+}
+
+resource "aws_sns_topic_subscription" "email_subscription" {
+  count     = var.email_endpoint != null ? 1 : 0
+  topic_arn = aws_sns_topic.health_event_topic[count.index].arn
+  protocol  = "email"
+  endpoint  = var.email_endpoint
+}
+
+resource "aws_sns_topic_subscription" "webhook_subscription" {
+  count                           = var.webhook_endpoint != "" ? 1 : 0
+  topic_arn                       = aws_sns_topic.health_event_topic[count.index].arn
+  protocol                        = "https"
+  endpoint                        = var.webhook_endpoint
+  confirmation_timeout_in_minutes = 1
+  endpoint_auto_confirms          = true
+}
+
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,7 @@
+output "event_bridge_rule_id" {
+  value = aws_cloudwatch_event_rule.console[0].id
+}
+
+output "sns_topic_arn" {
+  value = aws_sns_topic.health_event_topic[0].arn
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,35 @@
+variable "email_endpoint" {
+  description = "Email address for notifications (optional)"
+  type        = string
+  default     = ""
+}
+
+variable "webhook_endpoint" {
+  description = "Webhook URL for notifications (optional)"
+  type        = string
+  default     = ""
+}
+
+variable "aws_health_services" {
+  description = "List of AWS services to filter AWS Health events"
+  type        = list(string)
+  default     = []
+}
+
+variable "use_default_event_pattern" {
+  description = "Flag to determine whether to use the default event pattern or not"
+  type        = bool
+  default     = true
+}
+
+variable "sns_kms_encryption" {
+  type        = bool
+  default     = true
+  description = "Enabled KMS CMK encryption at rest for SNS Topic"
+}
+
+variable "sns_topic_name" {
+  type        = string
+  description = "Topic name (optional - creates SNS topic)"
+  default     = ""
+}
diff --git a/versions.tf b/versions.tf
@@ -1,3 +1,10 @@
 terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+
   required_version = ">= 0.13.0"
-}
+}