v2.1.0 Multi-account support.

modules/reflex_kms_key/main.tf

@@ -62,8 +62,7 @@ resource "aws_kms_key" "reflex_key" {
             "Resource": "*",
             "Condition": {
                 "StringEquals": {
-                    "kms:ViaService": "sqs.${data.aws_region.current.name}.amazonaws.com",
-                    "kms:CallerAccount": "${data.aws_caller_identity.current.account_id}"
+                    "kms:ViaService": "sqs.${data.aws_region.current.name}.amazonaws.com"
                 }
             }
         }

modules/sns_cross_account_sqs/README.md

@@ -0,0 +1,21 @@
+sns\_cross\_region\_sqs: module to create forwarder infrastructure using SNS topic publishing to a central SQS queue.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| central\_queue\_name | Camel case name of queue found in central region | `string` | n/a | yes |
+| central\_region | Central region to forward events to | `string` | n/a | yes |
+| cloudwatch\_event\_rule\_id | Easy name for our CWE rule | `string` | n/a | yes |
+| kms\_key\_id | Key ID of reflex KMS key | `string` | n/a | yes |
+
+## Outputs
+
+No output.
+

modules/sns_cross_account_sqs/main.tf

@@ -0,0 +1,63 @@
+/*
+* sns_cross_region_sqs: module to create forwarder infrastructure using SNS topic publishing to a central SQS queue.
+*/
+data "aws_caller_identity" "current" {}
+
+resource "aws_sns_topic" "forwarder_topic" {
+  name              = "Forwarder-${var.cloudwatch_event_rule_id}"
+  kms_master_key_id = var.kms_key_id
+}
+
+resource "aws_sns_topic_policy" "events_policy" {
+  arn = aws_sns_topic.forwarder_topic.arn
+
+  policy = "${data.aws_iam_policy_document.sns_topic_policy.json}"
+}
+
+data "aws_iam_policy_document" "sns_topic_policy" {
+  policy_id = "__default_policy_ID"
+
+  statement {
+    actions = [
+      "SNS:Subscribe",
+      "SNS:SetTopicAttributes",
+      "SNS:RemovePermission",
+      "SNS:Receive",
+      "SNS:Publish",
+      "SNS:ListSubscriptionsByTopic",
+      "SNS:GetTopicAttributes",
+      "SNS:DeleteTopic",
+      "SNS:AddPermission",
+    ]
+
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    resources = [
+      "${aws_sns_topic.forwarder_topic.arn}",
+    ]
+
+    sid = "__default_statement_ID"
+  }
+}
+resource "null_resource" "sqs_account_subscribe" {
+  provisioner "local-exec" {
+    command = "aws sns subscribe --topic-arn $SNS_TOPIC_ARN --protocol sqs --notification-endpoint $SQS_QUEUE"
+
+    environment = {
+      SNS_TOPIC_ARN = aws_sns_topic.forwarder_topic.arn
+      SQS_QUEUE     = "arn:aws:sqs:${var.central_region}:${var.parent_account}:${var.central_queue_name}"
+    }
+  }
+}
+
+resource "aws_cloudwatch_event_target" "cwe_rule_target" {
+  rule      = var.cloudwatch_event_rule_id
+  target_id = "ForwarderTarget${var.cloudwatch_event_rule_id}"
+  arn       = aws_sns_topic.forwarder_topic.arn
+}
+

modules/sns_cross_account_sqs/variables.tf

@@ -0,0 +1,24 @@
+variable "kms_key_id" {
+  description = "Key ID of reflex KMS key"
+  type        = string
+}
+
+variable "cloudwatch_event_rule_id" {
+  description = "Easy name for our CWE rule"
+  type        = string
+}
+
+variable "central_region" {
+  description = "Central region to forward events to"
+  type        = string
+}
+
+variable "central_queue_name" {
+  description = "Camel case name of queue found in central region"
+  type        = string
+}
+
+variable "parent_account" {
+  description = "Account id that we will forward events to"
+  type        = string
+}

modules/sqs_lambda/main.tf

@@ -45,10 +45,16 @@ module "lambda_endpoint" {
   environment_variable_map = var.environment_variable_map
   sqs_queue_arn            = module.sqs_queue.arn
   sns_topic_arn            = var.sns_topic_arn
-  custom_lambda_policy     = var.custom_lambda_policy
   kms_key_id               = var.sqs_kms_key_id
 }
 
+module "iam_assume_role" {
+  source                    = "./modules/iam_assume_role"
+  function_name             = var.function_name
+  lambda_execution_role_arn = module.lambda_endpoint.execution_role_arn
+  custom_lambda_policy      = var.custom_lambda_policy
+}
+
 resource "aws_lambda_event_source_mapping" "event_source_mapping" {
   event_source_arn = module.sqs_queue.arn
   enabled          = true

modules/sqs_lambda/modules/iam_assume_role/README.md

@@ -0,0 +1,30 @@
+lambda: Reflex module to create lambda function infrastructure for processing events.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| archive | n/a |
+| aws | n/a |
+| null | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| custom\_lambda\_policy | Lambda policy specific to invoked lambda | `string` | `null` | no |
+| environment\_variable\_map | Map of environment variables for Lambda | `map(string)` | n/a | yes |
+| function\_name | Clean name for Lambda function | `string` | n/a | yes |
+| handler | Handler location for lambda function | `string` | n/a | yes |
+| kms\_key\_id | KMS Key Id to be used with CloudWatch Logs | `string` | n/a | yes |
+| lambda\_runtime | Language runtime for lambda function | `string` | n/a | yes |
+| sns\_topic\_arn | Topic arn for deployed notification topic | `string` | n/a | yes |
+| source\_code\_dir | Directory holding Lambda source code | `string` | n/a | yes |
+| sqs\_queue\_arn | Arn of resource for sqs IAM permissions | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| arn | Lambda Arn |
+

modules/sqs_lambda/modules/iam_assume_role/main.tf

@@ -0,0 +1,31 @@
+/*
+* lambda_iam: Reflex module to create AssumeRole for lambdas to use
+*/
+
+resource "aws_iam_role" "assume_role" {
+  name = "Reflex${var.function_name}LambdaAssume"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "AWS": "${var.lambda_execution_role_arn}"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "custom_lambda_policy" {
+  count = var.custom_lambda_policy != null ? 1 : 0
+  name  = "custom_lambda_policy"
+  role  = aws_iam_role.assume_role.id
+
+  policy = var.custom_lambda_policy
+}

modules/sqs_lambda/modules/iam_assume_role/variables.tf

@@ -0,0 +1,16 @@
+variable "lambda_execution_role_arn" {
+  description = "Arn for lambda execution role."
+  type        = string
+}
+
+variable "function_name" {
+  description = "Clean name for Lambda function"
+  type        = string
+}
+
+variable "custom_lambda_policy" {
+  description = "Lambda policy specific to invoked lambda"
+  type        = string
+  default     = null
+}
+

modules/sqs_lambda/modules/lambda/main.tf

@@ -55,42 +55,13 @@ resource "aws_iam_role_policy" "lambda_policy" {
         "sts:AssumeRole"
       ],
       "Effect": "Allow",
-      "Resource": "${aws_iam_role.assume_role.arn}"
+      "Resource": "arn:aws:iam::*:role/Reflex${var.function_name}LambdaAssume"
     }
   ]
 }
 EOF
 }
 
-resource "aws_iam_role" "assume_role" {
-  name = "Reflex${var.function_name}LambdaAssume"
-
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "AWS": "${aws_iam_role.iam_for_lambda.arn}"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-}
-
-
-resource "aws_iam_role_policy" "custom_lambda_policy" {
-  count = var.custom_lambda_policy != null ? 1 : 0
-  name  = "custom_lambda_policy"
-  role  = aws_iam_role.assume_role.id
-
-  policy = var.custom_lambda_policy
-}
-
 resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
   role       = aws_iam_role.iam_for_lambda.id
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
@@ -114,6 +85,6 @@ resource "aws_lambda_function" "cwe_lambda" {
 
   environment {
     variables = merge(var.environment_variable_map,
-    { "ASSUME_ROLE_NAME" = aws_iam_role.assume_role.name })
+    { "ASSUME_ROLE_NAME" = "Reflex${var.function_name}LambdaAssume" })
   }
 }

modules/sqs_lambda/modules/lambda/output.tf

@@ -3,3 +3,8 @@ output "arn" {
   value       = element(concat(aws_lambda_function.cwe_lambda.*.arn, [""]), 0)
 }
 
+output "execution_role_arn" {
+  description = "IAM Execution Arn"
+  value       = element(concat(aws_iam_role.iam_for_lambda.*.arn, [""]), 0)
+}
+

modules/sqs_lambda/modules/lambda/variables.tf

@@ -28,12 +28,6 @@ variable "sqs_queue_arn" {
   type        = string
 }
 
-variable "custom_lambda_policy" {
-  description = "Lambda policy specific to invoked lambda"
-  type        = string
-  default     = null
-}
-
 variable "sns_topic_arn" {
   description = "Topic arn for deployed notification topic"
   type        = string

modules/sqs_lambda/modules/sqs_queue_policy/main.tf

@@ -1,7 +1,7 @@
 /*
 * sqs_queue_policy: Creates a sane queue policy for reflex sqs queues.
 */
-data "aws_caller_identity" "current" {}
+data "aws_organizations_organization" "current" {}
 
 resource "aws_sqs_queue_policy" "queue_policy" {
   queue_url = var.sqs_queue_id
@@ -21,7 +21,10 @@ resource "aws_sqs_queue_policy" "queue_policy" {
       "Resource": "${var.sqs_queue_arn}",
       "Condition": {
         "ArnLike": {
-          "aws:SourceArn": "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/${var.cwe_id}"
+          "aws:SourceArn": "arn:aws:events:*:*:rule/${var.cwe_id}"
+        },
+        "StringEquals": {
+           "aws:PrincipalOrgID": "${data.aws_organizations_organization.current.id}"
         }
       }
     },
@@ -32,12 +35,7 @@ resource "aws_sqs_queue_policy" "queue_policy" {
         "Service": "sns.amazonaws.com"
       },
       "Action": "sqs:SendMessage",
-      "Resource": "${var.sqs_queue_arn}",
-      "Condition": {
-        "ArnLike": {
-          "aws:SourceArn": "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:Forwarder-${var.cwe_id}"
-        }
-      }
+      "Resource": "${var.sqs_queue_arn}"
     }
   ]
 }