# ------------------------------------------------------------------------------
# Provision the SNS topic that will receive notifications from the CDM S3
# bucket and be subscribed to by the SQS queue.
# ------------------------------------------------------------------------------
# SNS topic that receives S3 event notifications from the CDM bucket.
# NOTE: Using an SNS topic is a requirement for the tool used by CDM.
# See https://docs.splunk.com/Documentation/AddOns/released/AWS/SQS-basedS3
# ("AWS service configuration prerequisites" and "Best practices" sections) for
# more information.
# NOTE(review): no kms_master_key_id is set, so messages on this topic are not
# encrypted at rest with a KMS key. If one is added later, the key policy must
# also allow s3.amazonaws.com to use the key, or S3 will be unable to publish.
resource "aws_sns_topic" "cloudwatch_logs" {
  name     = var.cloudwatch_logs_sns_topic_name
  provider = aws.sharedservicesprovisionaccount
}
# Policy document granting the S3 service permission to publish to the SNS
# topic, scoped to notifications originating from the CDM bucket.
data "aws_iam_policy_document" "s3_to_sns" {
  statement {
    effect = "Allow"

    # The principal is the S3 *service*, not an account, so on its own this
    # would let any bucket publish here. The aws:SourceArn condition below is
    # what narrows it to the CDM bucket (confused-deputy protection).
    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }

    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.cloudwatch_logs.arn]

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.cloudwatch.arn]
    }
    # NOTE(review): S3 bucket ARNs carry no account id, so AWS additionally
    # recommends an aws:SourceAccount condition on the bucket owner's account
    # for S3 notification policies. No account id is referenced in this file,
    # so that condition is not added here.
  }
}
# Attach the S3-to-SNS policy document to the topic. This sets the topic's
# entire resource policy (replacing the default one rather than merging), so
# the single statement in data.aws_iam_policy_document.s3_to_sns is the whole
# resource-based access control on the topic.
resource "aws_sns_topic_policy" "cloudwatch_logs" {
  policy   = data.aws_iam_policy_document.s3_to_sns.json
  arn      = aws_sns_topic.cloudwatch_logs.arn
  provider = aws.sharedservicesprovisionaccount
}