diff --git a/README.md b/README.md
index 65ea9a9..03ce3f4 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ for dxw's Dalmatian hosting platform.
 | [cloudtrail\_log\_retention](#input\_cloudtrail\_log\_retention) | Cloudtrail log retention in days. Set to 0 to keep all logs. | `number` | n/a | yes |
 | [cloudwatch\_opsgenie\_alerts\_sns\_endpoint](#input\_cloudwatch\_opsgenie\_alerts\_sns\_endpoint) | The Opsgenie SNS endpoint. https://support.atlassian.com/opsgenie/docs/integrate-opsgenie-with-incoming-amazon-sns/ | `string` | n/a | yes |
 | [cloudwatch\_opsgenie\_alerts\_sns\_kms\_encryption](#input\_cloudwatch\_opsgenie\_alerts\_sns\_kms\_encryption) | Use KMS encryption with the Opsgenie Alerts SNS topic | `bool` | n/a | yes |
+| [cloudwatch\_opsgenie\_alerts\_sns\_kms\_key\_additional\_principles\_allow](#input\_cloudwatch\_opsgenie\_alerts\_sns\_kms\_key\_additional\_principles\_allow) | Add additional principles to allow full access to the key that is created for the Opsgenie Alerts SNS topic key | `list(string)` | n/a | yes |
 | [cloudwatch\_slack\_alerts\_channel](#input\_cloudwatch\_slack\_alerts\_channel) | The Slack channel for CloudWatch alerts | `string` | n/a | yes |
 | [cloudwatch\_slack\_alerts\_hook\_url](#input\_cloudwatch\_slack\_alerts\_hook\_url) | The Slack webhook URL for CloudWatch alerts | `string` | n/a | yes |
 | [enable\_cloudtrail](#input\_enable\_cloudtrail) | Enable Cloudtrail | `bool` | n/a | yes |
diff --git a/cloudwatch-opsgenie-alerts-sns.tf b/cloudwatch-opsgenie-alerts-sns.tf
index 3107ae6..5e3a3b0 100644
--- a/cloudwatch-opsgenie-alerts-sns.tf
+++ b/cloudwatch-opsgenie-alerts-sns.tf
@@ -10,6 +10,7 @@ resource "aws_kms_key" "cloudwatch_opsgenie_alerts_sns" {
 {
 services = jsonencode(["cloudwatch.amazonaws.com"]),
 sns_topic_arn = "arn:aws:sns:${local.aws_region}:${local.aws_account_id}:${local.project_name}-cloudwatch-opsgenie-alerts"
+ additional_principle_allow = jsonencode(local.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow)
 }
 )
 }
@@ -42,6 +43,7 @@ resource "aws_kms_key" "cloudwatch_opsgenie_alerts_sns_us_east_1" {
 {
 services = jsonencode(["cloudwatch.amazonaws.com"]),
 sns_topic_arn = "arn:aws:sns:us-east-1:${local.aws_account_id}:${local.project_name}-cloudwatch-opsgenie-alerts"
+ additional_principle_allow = jsonencode(local.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow)
 }
 )
 }
diff --git a/locals.tf b/locals.tf
index 130881a..58d479b 100644
--- a/locals.tf
+++ b/locals.tf
@@ -18,9 +18,10 @@ locals {
 cloudwatch_slack_alerts_hook_url = var.cloudwatch_slack_alerts_hook_url
 cloudwatch_slack_alerts_channel = var.cloudwatch_slack_alerts_channel
 
- enable_cloudwatch_opsgenie_alerts = var.enable_cloudwatch_opsgenie_alerts
- cloudwatch_opsgenie_alerts_sns_kms_encryption = var.cloudwatch_opsgenie_alerts_sns_kms_encryption && local.enable_cloudwatch_opsgenie_alerts
- cloudwatch_opsgenie_alerts_sns_endpoint = var.cloudwatch_opsgenie_alerts_sns_endpoint
+ enable_cloudwatch_opsgenie_alerts = var.enable_cloudwatch_opsgenie_alerts
+ cloudwatch_opsgenie_alerts_sns_kms_encryption = var.cloudwatch_opsgenie_alerts_sns_kms_encryption && local.enable_cloudwatch_opsgenie_alerts
+ cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow = var.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow
+ cloudwatch_opsgenie_alerts_sns_endpoint = var.cloudwatch_opsgenie_alerts_sns_endpoint
 
 default_tags = {
 Project = local.project_name,
diff --git a/policies/kms-key-policy-sns-topic.json.tpl b/policies/kms-key-policy-sns-topic.json.tpl
index db2e6cb..30a4d8a 100644
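Review bot: The added `additional_principle_allow` argument hands the template a pre-encoded JSON string, so the only way the template can recognise "no extra principals" is the string comparison against `"[]"` in the policy hunk below, and a `null` list (the variable in the variables hunk is declared without `nullable = false`) would presumably encode to `null`, pass that guard and render `"AWS": null`. Passing the raw list, `additional_principle_allow = local.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow`, and letting the template test `length(additional_principle_allow) > 0` and call `jsonencode` itself keeps the guard next to the data it guards and does not depend on the exact encoding of an empty list. The same pre-encoded argument is repeated for the us-east-1 key in the next hunk, so both keys would need the same change; the enclosing `templatefile(...)` call and `aws_kms_key` resource start above this hunk.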
--- a/policies/kms-key-policy-sns-topic.json.tpl
+++ b/policies/kms-key-policy-sns-topic.json.tpl
@@ -25,6 +25,15 @@
 },
 "Action": "kms:*",
 "Resource": "*"
+ }%{ if additional_principle_allow != "[]" },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": ${additional_principle_allow}
+ },
+ "Action": "kms:*",
+ "Resource": "*"
 }
+ %{~ endif }
 ]
 }
diff --git a/variables.tf b/variables.tf
index 21155e5..a76eb7a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -87,3 +87,8 @@ variable "cloudwatch_opsgenie_alerts_sns_kms_encryption" {
 description = "Use KMS encryption with the Opsgenie Alerts SNS topic"
 type = bool
 }
+
+variable "cloudwatch_opsgenie_alerts_sns_kms_key_additional_principles_allow" {
+ description = "Add additional principles to allow full access to the key that is created for the Opsgenie Alerts SNS topic key"
+ type = list(string)
+}
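Review bot: The new statement grants the additional principals `"Action": "kms:*"` on `"Resource": "*"`, which in a key policy is full key administration (ScheduleKeyDeletion, PutKeyPolicy, CreateGrant and so on), not the access a principal needs to publish to or subscribe from an SNS topic encrypted with this key; it is a copy of the statement ending just above it, which from the context looks like the administrator statement. Unless callers genuinely need key administrators, scope it to what a publisher or subscriber uses, `"Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],`, and if administration really is intended, make the variable description say so explicitly. Note also that the `!= "[]"` guard only catches an empty list; an entry of `"*"` would render a wildcard principal with these actions, so the variable's contents should be validated on the Terraform side. The `Statement` array this hunk closes with `]` opens above the hunk.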
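Review bot: `principles` in the new variable name and description should be `principals` (the IAM term); the variable is new in this commit, so renaming it now avoids a breaking change later, and the same spelling carries into the local in locals.tf and the `additional_principle_allow` template variable. The variable is also required with no default even though the template treats an empty list as "add nothing", so `default = []` (plus `nullable = false` on Terraform 1.1+) lets existing callers upgrade without setting it and keeps a `null` from reaching `jsonencode`. A `validation` block requiring each entry to be an IAM principal ARN stops `"*"` from being passed as a principal, which would open the key to any AWS account; account-wide access can still be expressed as `arn:aws:iam::<account-id>:root`. The description should state what access is granted rather than "full access" if the policy template is tightened to the SNS-relevant KMS actions.
```hcl
variable "cloudwatch_opsgenie_alerts_sns_kms_key_additional_principals_allow" {
  description = "IAM principal ARNs (for example arn:aws:iam::<account-id>:role/<name>) granted access to the KMS key created for the Opsgenie Alerts SNS topic. An empty list adds no extra principals."
  type        = list(string)
  default     = []
  nullable    = false

  validation {
    condition     = alltrue([for p in var.cloudwatch_opsgenie_alerts_sns_kms_key_additional_principals_allow : can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:", p))])
    error_message = "Each entry must be an IAM principal ARN, for example arn:aws:iam::123456789012:role/name."
  }
}
```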