Commit
Allow additional principles for the Opsgenie SNS topic KMS key
* Adds the `kms:*` allow permission in the KMS Key policy for the
  provided principles
Stretch96 committed Oct 23, 2023
1 parent 7ce9de9 commit 20bf079
Showing 5 changed files with 21 additions and 3 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -76,6 +76,7 @@ for dxw's Dalmatian hosting platform.
| <a name="input_cloudtrail_log_retention"></a> [cloudtrail\_log\_retention](#input\_cloudtrail\_log\_retention) | Cloudtrail log retention in days. Set to 0 to keep all logs. | `number` | n/a | yes |
| <a name="input_cloudwatch_opsgenie_alerts_sns_endpoint"></a> [cloudwatch\_opsgenie\_alerts\_sns\_endpoint](#input\_cloudwatch\_opsgenie\_alerts\_sns\_endpoint) | The Opsgenie SNS endpoint. https://support.atlassian.com/opsgenie/docs/integrate-opsgenie-with-incoming-amazon-sns/ | `string` | n/a | yes |
| <a name="input_cloudwatch_opsgenie_alerts_sns_kms_encryption"></a> [cloudwatch\_opsgenie\_alerts\_sns\_kms\_encryption](#input\_cloudwatch\_opsgenie\_alerts\_sns\_kms\_encryption) | Use KMS encryption with the Opsgenie Alerts SNS topic | `bool` | n/a | yes |
| <a name="input_cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow"></a> [cloudwatch\_opsgenie\_alerts\_sns\_kms\_key\_additional\_principles\_allow](#input\_cloudwatch\_opsgenie\_alerts\_sns\_kms\_key\_additional\_principles\_allow) | Add additional principles to allow full access to the key that is created for the Opsgenie Alerts SNS topic key | `list(string)` | n/a | yes |
| <a name="input_cloudwatch_slack_alerts_channel"></a> [cloudwatch\_slack\_alerts\_channel](#input\_cloudwatch\_slack\_alerts\_channel) | The Slack channel for CloudWatch alerts | `string` | n/a | yes |
| <a name="input_cloudwatch_slack_alerts_hook_url"></a> [cloudwatch\_slack\_alerts\_hook\_url](#input\_cloudwatch\_slack\_alerts\_hook\_url) | The Slack webhook URL for CloudWatch alerts | `string` | n/a | yes |
| <a name="input_enable_cloudtrail"></a> [enable\_cloudtrail](#input\_enable\_cloudtrail) | Enable Cloudtrail | `bool` | n/a | yes |
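Review bot: the new README row describes the input as "additional principles"; in IAM the term is "principals", and since this row is the public documentation for a value that is spliced straight into the key policy's `Principal.AWS` element, the wording should say so: a list of AWS principal identifiers (IAM role/user ARNs) that will be granted `kms:*` on the topic key. "n/a" in the default column also tells every existing caller that this input is now mandatory; if that is not intended, the variable needs a `default = []`.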
2 changes: 2 additions & 0 deletions cloudwatch-opsgenie-alerts-sns.tf
Expand Up @@ -10,6 +10,7 @@ resource "aws_kms_key" "cloudwatch_opsgenie_alerts_sns" {
{
services = jsonencode(["cloudwatch.amazonaws.com"]),
sns_topic_arn = "arn:aws:sns:${local.aws_region}:${local.aws_account_id}:${local.project_name}-cloudwatch-opsgenie-alerts"
additional_principle_allow = jsonencode(local.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow)
}
)
}
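Review bot: the template variable is named `additional_principle_allow` (singular) while the local it is fed from is `cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow` (plural); keeping the two names aligned avoids a confusing grep later. The `jsonencode` here is what makes the template's `!= "[]"` guard work for an empty list, so it is worth a comment that callers opt out by passing `[]`, not `null`.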
Expand Down Expand Up @@ -42,6 +43,7 @@ resource "aws_kms_key" "cloudwatch_opsgenie_alerts_sns_us_east_1" {
{
services = jsonencode(["cloudwatch.amazonaws.com"]),
sns_topic_arn = "arn:aws:sns:us-east-1:${local.aws_account_id}:${local.project_name}-cloudwatch-opsgenie-alerts"
additional_principle_allow = jsonencode(local.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow)
}
)
}
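Review bot: this hunk duplicates the previous one for the us-east-1 key, so the same principals receive full access to both keys; consider computing `jsonencode(local.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow)` once in a local and referencing it from both `templatefile` calls so the two key policies cannot drift.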
7 changes: 4 additions & 3 deletions locals.tf
Expand Up @@ -18,9 +18,10 @@ locals {
cloudwatch_slack_alerts_hook_url = var.cloudwatch_slack_alerts_hook_url
cloudwatch_slack_alerts_channel = var.cloudwatch_slack_alerts_channel

enable_cloudwatch_opsgenie_alerts = var.enable_cloudwatch_opsgenie_alerts
cloudwatch_opsgenie_alerts_sns_kms_encryption = var.cloudwatch_opsgenie_alerts_sns_kms_encryption && local.enable_cloudwatch_opsgenie_alerts
cloudwatch_opsgenie_alerts_sns_endpoint = var.cloudwatch_opsgenie_alerts_sns_endpoint
enable_cloudwatch_opsgenie_alerts = var.enable_cloudwatch_opsgenie_alerts
cloudwatch_opsgenie_alerts_sns_kms_encryption = var.cloudwatch_opsgenie_alerts_sns_kms_encryption && local.enable_cloudwatch_opsgenie_alerts
cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow = var.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow
cloudwatch_opsgenie_alerts_sns_endpoint = var.cloudwatch_opsgenie_alerts_sns_endpoint

default_tags = {
Project = local.project_name,
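Review bot: the new local passes `var.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow` straight through, whereas the neighbouring `cloudwatch_opsgenie_alerts_sns_kms_encryption` is gated on `local.enable_cloudwatch_opsgenie_alerts`; if the key resources are only created when alerts are enabled this is harmless, otherwise the grant would be applied even with Opsgenie alerts switched off. Note also that the realignment turns three untouched assignments into whitespace-only changes, which is fine but worth keeping in mind when reading the blame.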
9 changes: 9 additions & 0 deletions policies/kms-key-policy-sns-topic.json.tpl
Expand Up @@ -25,6 +25,15 @@
},
"Action": "kms:*",
"Resource": "*"
}%{ if additional_principle_allow != "[]" },
{
"Effect": "Allow",
"Principal": {
"AWS": ${additional_principle_allow}
},
"Action": "kms:*",
"Resource": "*"
}
%{~ endif }
]
}
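Review bot: the added statement grants `"Action": "kms:*"` on `"Resource": "*"` to every listed principal, which is the same administrative scope as the existing statement directly above it (key policy edits, grants, scheduling deletion), not just the ability to use the key with the SNS topic; if the intent is to let these principals publish to or subscribe from the encrypted topic, `kms:GenerateDataKey*` and `kms:Decrypt` are sufficient and keep the administrative statement unique to the account root. Two smaller points: the opening `%{ if ... }` has no `~`, so a stray newline is emitted before the comma path (valid JSON, but inconsistent with the `%{~ endif }`), and `templatefile` will now fail for any caller of this template that does not pass `additional_principle_allow`.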
5 changes: 5 additions & 0 deletions variables.tf
Expand Up @@ -87,3 +87,8 @@ variable "cloudwatch_opsgenie_alerts_sns_kms_encryption" {
description = "Use KMS encryption with the Opsgenie Alerts SNS topic"
type = bool
}

variable "cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow" {
description = "Add additional principles to allow full access to the key that is created for the Opsgenie Alerts SNS topic key"
type = list(string)
}
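Review bot: the new variable has no `default`, so it becomes a required input and every existing root module using this module breaks on the next plan until it sets the value (`[]` to keep current behaviour); add `default = []`, and since the entries land directly in the key policy's `Principal.AWS` element, a `validation` block that rejects entries not matching an `arn:aws:iam::` prefix would catch typos before KMS rejects the policy. The description should also read "principals" rather than "principles".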
