From dcc398a06297c5aab928c02ad97d60c56a4e3876 Mon Sep 17 00:00:00 2001
From: Max Anderson
Date: Thu, 9 Jul 2020 15:59:06 -0700
Subject: [PATCH 1/9] Update permissions for sqs queue policy
---
 modules/sqs_lambda/modules/sqs_queue_policy/main.tf | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/modules/sqs_lambda/modules/sqs_queue_policy/main.tf b/modules/sqs_lambda/modules/sqs_queue_policy/main.tf
index d3c457b..9bf9b1e 100644
--- a/modules/sqs_lambda/modules/sqs_queue_policy/main.tf
+++ b/modules/sqs_lambda/modules/sqs_queue_policy/main.tf
@@ -1,7 +1,7 @@
 /*
 * sqs_queue_policy: Creates a sane queue policy for reflex sqs queues.
 */
-data "aws_caller_identity" "current" {}
+data "aws_organizations_organization" "current" {}
 resource "aws_sqs_queue_policy" "queue_policy" {
 queue_url = var.sqs_queue_id
@@ -21,7 +21,10 @@ resource "aws_sqs_queue_policy" "queue_policy" {
 "Resource": "${var.sqs_queue_arn}",
 "Condition": {
 "ArnLike": {
- "aws:SourceArn": "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/${var.cwe_id}"
+ "aws:SourceArn": "arn:aws:events:*:*:rule/${var.cwe_id}"
+ },
+ "StringEquals": {
+ "aws:PrincipalOrgID": "${data.aws_organizations_organization.current.id}"
 }
 }
 },
@@ -35,7 +38,10 @@ resource "aws_sqs_queue_policy" "queue_policy" {
 "Resource": "${var.sqs_queue_arn}",
 "Condition": {
 "ArnLike": {
- "aws:SourceArn": "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:Forwarder-${var.cwe_id}"
+ "aws:SourceArn": "arn:aws:sns:*:*:Forwarder-${var.cwe_id}"
+ },
+ "StringEquals": {
+ "aws:PrincipalOrgID": "${data.aws_organizations_organization.current.id}"
 }
 }
 }
From 78fc966b1b38c504e133db1012cb334c653fc1b3 Mon Sep 17 00:00:00 2001
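Review bot: Widening the account segment of `aws:SourceArn` to `arn:aws:events:*:*:rule/${var.cwe_id}` (and to `arn:aws:sns:*:*:Forwarder-${var.cwe_id}` in the third hunk) leaves the rule or topic name as the only thing identifying the sender, so any AWS account that creates a rule or topic with that name can satisfy the ArnLike. The new `aws:PrincipalOrgID` condition is meant to close that gap, but as far as I know that key is only present in the request context when the caller is an IAM principal that belongs to the organization; for a service principal such as events.amazonaws.com or sns.amazonaws.com it is absent, StringEquals does not match, and the statement stops granting anything at all — worth confirming with a test event before merging. A condition that is evaluated for service principals is `aws:SourceAccount`; passing the permitted account ids in as a list variable (for example `allowed_account_ids`) and writing `"StringEquals": { "aws:SourceAccount": ${jsonencode(var.allowed_account_ids)} }` keeps cross-account delivery without opening the queue to every account. The `aws_sqs_queue_policy` resource starts before and ends after these hunks.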
From: rjulian
Date: Fri, 17 Jul 2020 16:09:31 -0700
Subject: [PATCH 2/9] Neuter conditions to allow cross account sqs communications
---
 modules/reflex_kms_key/main.tf | 3 +--
 modules/sqs_lambda/modules/sqs_queue_policy/main.tf | 10 +--------
 2 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/modules/reflex_kms_key/main.tf b/modules/reflex_kms_key/main.tf
index 80801ed..f73ea67 100644
--- a/modules/reflex_kms_key/main.tf
+++ b/modules/reflex_kms_key/main.tf
@@ -62,8 +62,7 @@ resource "aws_kms_key" "reflex_key" {
 "Resource": "*",
 "Condition": {
 "StringEquals": {
- "kms:ViaService": "sqs.${data.aws_region.current.name}.amazonaws.com",
- "kms:CallerAccount": "${data.aws_caller_identity.current.account_id}"
+ "kms:ViaService": "sqs.${data.aws_region.current.name}.amazonaws.com"
 }
 }
 }
diff --git a/modules/sqs_lambda/modules/sqs_queue_policy/main.tf b/modules/sqs_lambda/modules/sqs_queue_policy/main.tf
index 9bf9b1e..f9b135f 100644
--- a/modules/sqs_lambda/modules/sqs_queue_policy/main.tf
+++ b/modules/sqs_lambda/modules/sqs_queue_policy/main.tf
@@ -35,15 +35,7 @@ resource "aws_sqs_queue_policy" "queue_policy" {
 "Service": "sns.amazonaws.com"
 },
 "Action": "sqs:SendMessage",
- "Resource": "${var.sqs_queue_arn}",
- "Condition": {
- "ArnLike": {
- "aws:SourceArn": "arn:aws:sns:*:*:Forwarder-${var.cwe_id}"
- },
- "StringEquals": {
- "aws:PrincipalOrgID": "${data.aws_organizations_organization.current.id}"
- }
- }
+ "Resource": "${var.sqs_queue_arn}"
 }
 ]
 }
From e6604673f34ad77666e89696bd42bd0140d11801 Mon Sep 17 00:00:00 2001
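Review bot: Dropping the whole `Condition` from the sns.amazonaws.com statement in the sqs_queue_policy hunk means any SNS topic in any AWS account can now `sqs:SendMessage` to this queue; nothing ties the queue to the Forwarder topics any more. Only the `aws:PrincipalOrgID` half of the old condition was the likely cause of the cross-account failures (I believe that key is not set when the principal is a service), so the ArnLike half should stay: `"Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:sns:*:*:Forwarder-${var.cwe_id}" } }`, ideally with the account wildcard replaced by the known forwarder account ids. The same concern applies to the first hunk in modules/reflex_kms_key/main.tf, where removing `kms:CallerAccount` leaves `kms:ViaService` as the only condition; an explicit list such as `"kms:CallerAccount": ${jsonencode(var.allowed_account_ids)}` would be tighter, though I cannot see the statement's Principal, so how much this widens depends on it being broader than the key's own account. Both statements start and end outside their hunks.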
From: rjulian
Date: Sun, 16 Aug 2020 15:58:00 -0700
Subject: [PATCH 3/9] First introduction of separated iam assume role infrastructure
---
 modules/sqs_lambda/main.tf | 8 ++++-
 .../modules/iam_assume_role/README.md | 30 +++++++++++++++++
 .../modules/iam_assume_role/main.tf | 31 +++++++++++++++++
 .../modules/iam_assume_role/variables.tf | 16 +++++++++
 modules/sqs_lambda/modules/lambda/main.tf | 33 ++-----------------
 modules/sqs_lambda/modules/lambda/output.tf | 5 +++
 .../sqs_lambda/modules/lambda/variables.tf | 6 ----
 7 files changed, 91 insertions(+), 38 deletions(-)
 create mode 100644 modules/sqs_lambda/modules/iam_assume_role/README.md
 create mode 100644 modules/sqs_lambda/modules/iam_assume_role/main.tf
 create mode 100644 modules/sqs_lambda/modules/iam_assume_role/variables.tf
diff --git a/modules/sqs_lambda/main.tf b/modules/sqs_lambda/main.tf
index e1161d5..7bf1631 100644
--- a/modules/sqs_lambda/main.tf
+++ b/modules/sqs_lambda/main.tf
@@ -45,10 +45,16 @@ module "lambda_endpoint" {
 environment_variable_map = var.environment_variable_map
 sqs_queue_arn = module.sqs_queue.arn
 sns_topic_arn = var.sns_topic_arn
- custom_lambda_policy = var.custom_lambda_policy
 kms_key_id = var.sqs_kms_key_id
 }
+module "iam_assume_role" {
+ source = "./modules/iam_assume_role"
+ function_name = var.function_name
+ lambda_execution_role_arn = module.lambda_endpoint.execution_role_arn
+ custom_lambda_policy = var.custom_lambda_policy
+}
+
 resource "aws_lambda_event_source_mapping" "event_source_mapping" {
 event_source_arn = module.sqs_queue.arn
 enabled = true
diff --git a/modules/sqs_lambda/modules/iam_assume_role/README.md b/modules/sqs_lambda/modules/iam_assume_role/README.md
new file mode 100644
index 0000000..abbe072
--- /dev/null
+++ b/modules/sqs_lambda/modules/iam_assume_role/README.md
@@ -0,0 +1,30 @@ +lambda: Reflex module to create lambda function infrastructure for processing events. + +## Providers + +| Name | Version | +|------|---------| +| archive | n/a | +| aws | n/a | +| null | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| custom\_lambda\_policy | Lambda policy specific to invoked lambda | `string` | `null` | no | +| environment\_variable\_map | Map of environment variables for Lambda | `map(string)` | n/a | yes | +| function\_name | Clean name for Lambda function | `string` | n/a | yes | +| handler | Handler location for lambda function | `string` | n/a | yes | +| kms\_key\_id | KMS Key Id to be used with CloudWatch Logs | `string` | n/a | yes | +| lambda\_runtime | Language runtime for lambda function | `string` | n/a | yes | +| sns\_topic\_arn | Topic arn for deployed notification topic | `string` | n/a | yes | +| source\_code\_dir | Directory holding Lambda source code | `string` | n/a | yes | +| sqs\_queue\_arn | Arn of resource for sqs IAM permissions | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| arn | Lambda Arn | + diff --git a/modules/sqs_lambda/modules/iam_assume_role/main.tf b/modules/sqs_lambda/modules/iam_assume_role/main.tf new file mode 100644 index 0000000..ffa26b2 --- /dev/null +++ b/modules/sqs_lambda/modules/iam_assume_role/main.tf 
@@ -0,0 +1,31 @@ +/* +* lambda_iam: Reflex module to create AssumeRole for lambdas to use +*/ + +resource "aws_iam_role" "assume_role" { + name = "Reflex${var.function_name}LambdaAssume" + + assume_role_policy = < Date: Sun, 16 Aug 2020 21:08:44 -0700 Subject: [PATCH 4/9] Add in cross account sns and sqs queue structure --- modules/sns_cross_account_sqs/README.md | 21 ++++++++ modules/sns_cross_account_sqs/main.tf | 60 ++++++++++++++++++++++ modules/sns_cross_account_sqs/variables.tf | 24 +++++++++ 3 files changed, 105 insertions(+) create mode 100644 modules/sns_cross_account_sqs/README.md create mode 100644 modules/sns_cross_account_sqs/main.tf create mode 100644 modules/sns_cross_account_sqs/variables.tf diff --git a/modules/sns_cross_account_sqs/README.md b/modules/sns_cross_account_sqs/README.md new file mode 100644 index 0000000..ed56483 --- /dev/null +++ b/modules/sns_cross_account_sqs/README.md @@ -0,0 +1,21 @@ +sns\_cross\_region\_sqs: module to create forwarder infrastructure using SNS topic publishing to a central SQS queue. + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| central\_queue\_name | Camel case name of queue found in central region | `string` | n/a | yes | +| central\_region | Central region to forward events to | `string` | n/a | yes | +| cloudwatch\_event\_rule\_id | Easy name for our CWE rule | `string` | n/a | yes | +| kms\_key\_id | Key ID of reflex KMS key | `string` | n/a | yes | + +## Outputs + +No output. + diff --git a/modules/sns_cross_account_sqs/main.tf b/modules/sns_cross_account_sqs/main.tf new file mode 100644 index 0000000..b9f50d1 --- /dev/null +++ b/modules/sns_cross_account_sqs/main.tf 
@@ -0,0 +1,60 @@
+/*
+* sns_cross_region_sqs: module to create forwarder infrastructure using SNS topic publishing to a central SQS queue.
+*/
+data "aws_caller_identity" "current" {}
+
+resource "aws_sns_topic" "forwarder_topic" {
+ name = "Forwarder-${var.cloudwatch_event_rule_id}"
+ kms_master_key_id = var.kms_key_id
+}
+
+resource "aws_sns_topic_policy" "events_policy" {
+ arn = aws_sns_topic.forwarder_topic.arn
+
+ policy = "${data.aws_iam_policy_document.sns_topic_policy.json}"
+}
+
+data "aws_iam_policy_document" "sns_topic_policy" {
+ policy_id = "__default_policy_ID"
+
+ statement {
+ actions = [
+ "SNS:Subscribe",
+ "SNS:SetTopicAttributes",
+ "SNS:RemovePermission",
+ "SNS:Receive",
+ "SNS:Publish",
+ "SNS:ListSubscriptionsByTopic",
+ "SNS:GetTopicAttributes",
+ "SNS:DeleteTopic",
+ "SNS:AddPermission",
+ ]
+
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["events.amazonaws.com"]
+ }
+
+ resources = [
+ "${aws_sns_topic.forwarder_topic.arn}",
+ ]
+
+ sid = "__default_statement_ID"
+ }
+}
+
+resource "aws_sns_topic_subscription" "cross_region_sqs_subscription" {
+ topic_arn = aws_sns_topic.forwarder_topic.arn
+ protocol = "sqs"
+ raw_message_delivery = true
+ endpoint = "arn:aws:sqs:${var.central_region}:${var.parent_account}:${var.central_queue_name}"
+}
+
+resource "aws_cloudwatch_event_target" "cwe_rule_target" {
+ rule = var.cloudwatch_event_rule_id
+ target_id = "ForwarderTarget${var.cloudwatch_event_rule_id}"
+ arn = aws_sns_topic.forwarder_topic.arn
+}
+
diff --git a/modules/sns_cross_account_sqs/variables.tf b/modules/sns_cross_account_sqs/variables.tf
new file mode 100644
index 0000000..a960d0b
--- /dev/null
+++ b/modules/sns_cross_account_sqs/variables.tf
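Review bot: The topic policy in `data "aws_iam_policy_document" "sns_topic_policy"` grants the events.amazonaws.com service principal nine actions — including `SNS:DeleteTopic`, `SNS:AddPermission`, `SNS:RemovePermission`, `SNS:SetTopicAttributes` and `SNS:Subscribe` — with no condition, whereas a CloudWatch Events target only needs `SNS:Publish`; the `__default_policy_ID` / `__default_statement_ID` ids suggest the block was copied from the console's default policy rather than written for this use. Without an `aws:SourceAccount` or `aws:SourceArn` condition, a rule in any account that targets this topic ARN could publish into the forwarder; `data "aws_caller_identity" "current"` is declared at the top of the file but never referenced, and it is exactly what such a condition needs. Two smaller points: the `"${...}"` wrapping on `policy` and inside `resources` is 0.11-style interpolation that the rest of the file does not use, and the header comment names the module `sns_cross_region_sqs` while the directory is `sns_cross_account_sqs`. Suggested policy document:
```hcl
data "aws_iam_policy_document" "sns_topic_policy" {
  policy_id = "__default_policy_ID"

  statement {
    sid     = "__default_statement_ID"
    effect  = "Allow"
    # A CloudWatch Events target only ever publishes; nothing else is needed.
    actions = ["SNS:Publish"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    resources = [aws_sns_topic.forwarder_topic.arn]

    # Only rules in this account may publish to the forwarder topic.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
# … unchanged: aws_sns_topic_subscription, aws_cloudwatch_event_target …
```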
@@ -0,0 +1,24 @@
+variable "kms_key_id" {
+ description = "Key ID of reflex KMS key"
+ type = string
+}
+
+variable "cloudwatch_event_rule_id" {
+ description = "Easy name for our CWE rule"
+ type = string
+}
+
+variable "central_region" {
+ description = "Central region to forward events to"
+ type = string
+}
+
+variable "central_queue_name" {
+ description = "Camel case name of queue found in central region"
+ type = string
+}
+
+variable "parent_account" {
+ description = "Account id that we will forward events to"
+ type = string
+}
From 8e2f49472073afff94c2c88267c0ff91f2ed57bb Mon Sep 17 00:00:00 2001
From: rjulian
Date: Tue, 18 Aug 2020 17:48:14 -0700
Subject: [PATCH 5/9] Change to string boolean in hopes of actually working
---
 modules/sns_cross_account_sqs/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/sns_cross_account_sqs/main.tf b/modules/sns_cross_account_sqs/main.tf
index b9f50d1..c6bf8a8 100644
--- a/modules/sns_cross_account_sqs/main.tf
+++ b/modules/sns_cross_account_sqs/main.tf
@@ -48,7 +48,7 @@ data "aws_iam_policy_document" "sns_topic_policy" {
 resource "aws_sns_topic_subscription" "cross_region_sqs_subscription" {
 topic_arn = aws_sns_topic.forwarder_topic.arn
 protocol = "sqs"
- raw_message_delivery = true
+ raw_message_delivery = "true"
 endpoint = "arn:aws:sqs:${var.central_region}:${var.parent_account}:${var.central_queue_name}"
 }
From 66460f5ec3d3c14144c9322d933514143fed3d6c Mon Sep 17 00:00:00 2001
From: rjulian
Date: Tue, 18 Aug 2020 18:57:07 -0700
Subject: [PATCH 6/9] Add in auto_confirms to test evading error message
---
 modules/sns_cross_account_sqs/main.tf | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/modules/sns_cross_account_sqs/main.tf b/modules/sns_cross_account_sqs/main.tf
index c6bf8a8..5ba2249 100644
--- a/modules/sns_cross_account_sqs/main.tf
+++ b/modules/sns_cross_account_sqs/main.tf
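Review bot: `parent_account` is the one input that the README added earlier in this same patch does not list in its Inputs table, and its description says only "Account id" although main.tf interpolates it straight into an SQS ARN, so an account alias or a full ARN would silently produce a malformed subscription endpoint. Tightening the description to `"12-digit AWS account id that owns the central SQS queue"` and adding the matching README row would keep the two in sync; if the module targets Terraform 0.13 or later, a `validation` block with `condition = can(regex("^[0-9]{12}$", var.parent_account))` would catch a bad value at plan time instead of at subscribe time. The same applies to `central_queue_name` and `central_region`, which are spliced into the same ARN unvalidated.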
@@ -46,10 +46,11 @@ data "aws_iam_policy_document" "sns_topic_policy" {
 }
 resource "aws_sns_topic_subscription" "cross_region_sqs_subscription" {
- topic_arn = aws_sns_topic.forwarder_topic.arn
- protocol = "sqs"
- raw_message_delivery = "true"
- endpoint = "arn:aws:sqs:${var.central_region}:${var.parent_account}:${var.central_queue_name}"
+ topic_arn = aws_sns_topic.forwarder_topic.arn
+ protocol = "sqs"
+ raw_message_delivery = "true"
+ endpoint_auto_confirms = "true"
+ endpoint = "arn:aws:sqs:${var.central_region}:${var.parent_account}:${var.central_queue_name}"
 }
 resource "aws_cloudwatch_event_target" "cwe_rule_target" {
From a5d57a3e7f7471fdf6e2f7a93b93f0082aca634d Mon Sep 17 00:00:00 2001
From: rjulian
Date: Tue, 18 Aug 2020 19:03:57 -0700
Subject: [PATCH 7/9] Remove auto confirm and capitalize sqs
---
 modules/sns_cross_account_sqs/main.tf | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/modules/sns_cross_account_sqs/main.tf b/modules/sns_cross_account_sqs/main.tf
index 5ba2249..a1f940e 100644
--- a/modules/sns_cross_account_sqs/main.tf
+++ b/modules/sns_cross_account_sqs/main.tf
@@ -46,11 +46,10 @@ data "aws_iam_policy_document" "sns_topic_policy" {
 }
 resource "aws_sns_topic_subscription" "cross_region_sqs_subscription" {
- topic_arn = aws_sns_topic.forwarder_topic.arn
- protocol = "sqs"
- raw_message_delivery = "true"
- endpoint_auto_confirms = "true"
- endpoint = "arn:aws:sqs:${var.central_region}:${var.parent_account}:${var.central_queue_name}"
+ topic_arn = aws_sns_topic.forwarder_topic.arn
+ protocol = "SQS"
+ raw_message_delivery = "true"
+ endpoint = "arn:aws:sqs:${var.central_region}:${var.parent_account}:${var.central_queue_name}"
 }
 resource "aws_cloudwatch_event_target" "cwe_rule_target" {
From 0e92898eb194ead69f078ccc0f2d06bec6460770 Mon Sep 17 00:00:00 2001
From: rjulian
Date: Tue, 18 Aug 2020 19:15:38 -0700
Subject: [PATCH 8/9] Add in custom exec to battle bug in TF TF issue found https://github.com/terraform-providers/terraform-provider-aws/issues/12692
---
 modules/sns_cross_account_sqs/main.tf | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/modules/sns_cross_account_sqs/main.tf b/modules/sns_cross_account_sqs/main.tf
index a1f940e..89b6f10 100644
--- a/modules/sns_cross_account_sqs/main.tf
+++ b/modules/sns_cross_account_sqs/main.tf
@@ -44,12 +44,15 @@ data "aws_iam_policy_document" "sns_topic_policy" {
 sid = "__default_statement_ID"
 }
 }
+resource "custom_sns_subscription" "sqs_account_subscribe" {
+ provisioner "local-exec" {
+ command = "aws sns subscribe --topic-arn $SNS_TOPIC_ARN --protocol sqs --notification-endpoint $SQS_QUEUE"
-resource "aws_sns_topic_subscription" "cross_region_sqs_subscription" {
- topic_arn = aws_sns_topic.forwarder_topic.arn
- protocol = "SQS"
- raw_message_delivery = "true"
- endpoint = "arn:aws:sqs:${var.central_region}:${var.parent_account}:${var.central_queue_name}"
+ environment = {
+ SNS_TOPIC_ARN = aws_sns_topic.forwarder_topic.arn
+ SQS_QUEUE = "arn:aws:sqs:${var.central_region}:${var.parent_account}:${var.central_queue_name}"
+ }
+ }
 }
 resource "aws_cloudwatch_event_target" "cwe_rule_target" {
From baf7f3dc56cfe48216090138efd4a94e9c990fbc Mon Sep 17 00:00:00 2001
From: rjulian
Date: Tue, 18 Aug 2020 19:18:15 -0700
Subject: [PATCH 9/9] Change to null resource resource name
---
 modules/sns_cross_account_sqs/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/sns_cross_account_sqs/main.tf b/modules/sns_cross_account_sqs/main.tf
index 89b6f10..75ea3db 100644
--- a/modules/sns_cross_account_sqs/main.tf
+++ b/modules/sns_cross_account_sqs/main.tf
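Review bot: The `local-exec` replacement drops `raw_message_delivery`, which the removed `aws_sns_topic_subscription` set to "true": `aws sns subscribe` without `--attributes RawMessageDelivery=true` creates a subscription whose messages arrive wrapped in the SNS JSON envelope, so the consumer of the central queue will see a different payload than before. The provisioner also runs only on creation, is never tracked or removed by Terraform, and without a `triggers` map will not re-run when the topic ARN or the endpoint changes, so a replaced topic silently loses its subscription; it further uses whatever credentials and region the AWS CLI finds on the machine running `terraform apply`, not the provider's, which is worth a comment. `custom_sns_subscription` is not a real resource type (the next patch in this series, the hunk on the following line, renames it to `null_resource`), so the suggestion below assumes that name; the same points apply to that hunk.
```hcl
resource "null_resource" "sqs_account_subscribe" {
  # Re-run the subscribe call whenever the topic or the target queue changes.
  triggers = {
    topic_arn = aws_sns_topic.forwarder_topic.arn
    endpoint  = "arn:aws:sqs:${var.central_region}:${var.parent_account}:${var.central_queue_name}"
  }

  # Runs with the AWS CLI credentials/region of the machine applying this plan,
  # not the provider's. RawMessageDelivery keeps the payload unwrapped, as the
  # previous aws_sns_topic_subscription did.
  provisioner "local-exec" {
    command = "aws sns subscribe --topic-arn $SNS_TOPIC_ARN --protocol sqs --notification-endpoint $SQS_QUEUE --attributes RawMessageDelivery=true"

    environment = {
      SNS_TOPIC_ARN = aws_sns_topic.forwarder_topic.arn
      SQS_QUEUE     = "arn:aws:sqs:${var.central_region}:${var.parent_account}:${var.central_queue_name}"
    }
  }
}
# … unchanged: aws_cloudwatch_event_target "cwe_rule_target" …
```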
@@ -44,7 +44,7 @@ data "aws_iam_policy_document" "sns_topic_policy" {
 sid = "__default_statement_ID"
 }
 }
-resource "custom_sns_subscription" "sqs_account_subscribe" {
+resource "null_resource" "sqs_account_subscribe" {
 provisioner "local-exec" {
 command = "aws sns subscribe --topic-arn $SNS_TOPIC_ARN --protocol sqs --notification-endpoint $SQS_QUEUE"