[WIFI-10659] Create alert for new content in coredumps s3 bucket (#217)

* Add lifecycle config to coredump S3 bucket Signed-off-by: Johann Hoffmann <johann.hoffmann@mailbox.org> * Add required resources to create S3 event notification and Lambda function Signed-off-by: Johann Hoffmann <johann.hoffmann@mailbox.org> * Add handler argument Signed-off-by: Johann Hoffmann <johann.hoffmann@mailbox.org> * Fix Terraform format Signed-off-by: Johann Hoffmann <johann.hoffmann@mailbox.org> Signed-off-by: Johann Hoffmann <johann.hoffmann@mailbox.org>
2025-10-29 18:12:20 +00:00 · 2022-10-06 12:47:18 +02:00
parent 7a477970da
commit c256631a28
4 changed files with 101 additions and 0 deletions
--- a/terraform/wifi-289708231103/core-dumps-s3/.sops.yaml
+++ b/terraform/wifi-289708231103/core-dumps-s3/.sops.yaml
@@ -0,0 +1,2 @@
+creation_rules:
+- kms: 'arn:aws:kms:us-east-2:289708231103:alias/helm-secrets'
--- a/terraform/wifi-289708231103/core-dumps-s3/main.tf
+++ b/terraform/wifi-289708231103/core-dumps-s3/main.tf
@@ -12,6 +12,13 @@ terraform {
    dynamodb_table = "terraform-state-lock"
    encrypt        = true
  }
+
+  required_providers {
+    sops = {
+      source  = "carlpett/sops"
+      version = "~> 0.5"
+    }
+  }
 }

 locals {
@@ -20,11 +27,81 @@ locals {
  }
 }

+data "sops_file" "secrets" {
+  source_file = "secrets.enc.json"
+}
+
 resource "aws_s3_bucket" "openwifi-core-dumps" {
  bucket = "openwifi-core-dumps"
  tags   = local.common_tags
 }

+resource "aws_s3_bucket_lifecycle_configuration" "openwifi-core-dumps" {
+  bucket = aws_s3_bucket.openwifi-core-dumps.id
+
+  rule {
+    id = "core-dumps-retention"
+    filter {}
+    status = "Enabled"
+
+    expiration {
+      days = 14
+    }
+  }
+}
+
+resource "aws_s3_bucket_notification" "s3_eventnotification_slack" {
+  bucket = aws_s3_bucket.openwifi-core-dumps.id
+
+  lambda_function {
+    lambda_function_arn = aws_lambda_function.s3_eventnotification_slack.arn
+    events              = ["s3:ObjectCreated:Put"]
+  }
+
+  depends_on = [aws_lambda_permission.s3_eventnotification_slack]
+}
+
+resource "aws_iam_role" "s3_eventnotification_slack" {
+  name = "s3_eventnotification_slack"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_lambda_permission" "s3_eventnotification_slack" {
+  statement_id  = "AllowExecutionFromS3Bucket"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.s3_eventnotification_slack.arn
+  principal     = "s3.amazonaws.com"
+  source_arn    = aws_s3_bucket.openwifi-core-dumps.arn
+}
+
+resource "aws_lambda_function" "s3_eventnotification_slack" {
+  filename      = "s3_eventnotification_slack.zip"
+  function_name = "s3_eventnotification_slack"
+  handler       = "s3_eventnotification_slack.lambda_handler"
+  role          = aws_iam_role.s3_eventnotification_slack.arn
+  runtime       = "python3.9"
+
+  environment {
+    variables = {
+      SLACK_WEBHOOK_URL = data.sops_file.secrets.data["slack_webhook_url"]
+    }
+  }
+}
+
 resource "aws_s3_bucket_acl" "openwifi-core-dumps" {
  bucket = aws_s3_bucket.openwifi-core-dumps.id
  acl    = "private"
--- a/terraform/wifi-289708231103/core-dumps-s3/s3_eventnotification_slack.zip
+++ b/terraform/wifi-289708231103/core-dumps-s3/s3_eventnotification_slack.zip
--- a/terraform/wifi-289708231103/core-dumps-s3/secrets.enc.json
+++ b/terraform/wifi-289708231103/core-dumps-s3/secrets.enc.json
@@ -0,0 +1,22 @@
+{
+	"slack_webhook_url": "ENC[AES256_GCM,data:XKM7b0Fvgh0MObnGi5ad3tQ0f19TeeJSPeJ8SDRI+rBGBdCXGFLbkh/CAT19g7ddFNCX5DeYXXMN2WsWNhjyBai2yhC9UeefkYaK8bhLnEcZ,iv:6VLvnjyRbX6sHbTfQLoiq2bqIfHYqTRvn1/3L+HaleY=,tag:0mph2YAxqzEuPDnjA/VHXg==,type:str]",
+	"sops": {
+		"kms": [
+			{
+				"arn": "arn:aws:kms:us-east-2:289708231103:alias/helm-secrets",
+				"created_at": "2022-08-30T17:40:01Z",
+				"enc": "AQICAHiG/4CitJjM31GdYxTw9OLz/Zs5oK+DCq0cU2fAjtAA3AEt8nVCknDEL+YOfRwA3V4lAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMpGIJPhf0dqp3uqsPAgEQgDuJZk20++N1k3zofsYfLBB1bo9RJqvkR0o94/ToTZ7A6s/3Z4QzSVb25a8jmfB5p07hINmVPtMt3bnKfQ==",
+				"aws_profile": ""
+			}
+		],
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-08-30T17:40:03Z",
+		"mac": "ENC[AES256_GCM,data:OvMx5D74wactxfTPuXhNQMFcbcPcHm8Nz/qleAGswPbnYxMXVw790Dycnv5EZbNlEeGkykfKt17zWCgb5vQXLhkpvpRk88HB6s4cNNqzNT428+7YLJZlzAroHSBu5uH5qEMwf3C+/ow418H7UCwAYU2tfLY4Nb2Tb1xAL9eu+Uk=,iv:/2sMTkq+iDYg3S05N7t3Q3PL8AhwpIv5uUPjQoesfsQ=,tag:8j8dfoxCU4nr4yetFeBvjA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.1"
+	}
+}