From c256631a2828bec3bbe36193f5fc8aa8fab1d4b8 Mon Sep 17 00:00:00 2001 From: Johann Hoffmann Date: Thu, 6 Oct 2022 12:47:18 +0200 Subject: [PATCH] [WIFI-10659] Create alert for new content in coredumps s3 bucket (#217) * Add lifecycle config to coredump S3 bucket Signed-off-by: Johann Hoffmann * Add required resources to create S3 event notification and Lambda function Signed-off-by: Johann Hoffmann * Add handler argument Signed-off-by: Johann Hoffmann * Fix Terraform format Signed-off-by: Johann Hoffmann Signed-off-by: Johann Hoffmann --- .../core-dumps-s3/.sops.yaml | 2 + .../wifi-289708231103/core-dumps-s3/main.tf | 77 ++++++++++++++++++ .../s3_eventnotification_slack.zip | Bin 0 -> 769 bytes .../core-dumps-s3/secrets.enc.json | 22 +++++ 4 files changed, 101 insertions(+) create mode 100644 terraform/wifi-289708231103/core-dumps-s3/.sops.yaml create mode 100644 terraform/wifi-289708231103/core-dumps-s3/s3_eventnotification_slack.zip create mode 100644 terraform/wifi-289708231103/core-dumps-s3/secrets.enc.json diff --git a/terraform/wifi-289708231103/core-dumps-s3/.sops.yaml b/terraform/wifi-289708231103/core-dumps-s3/.sops.yaml new file mode 100644 index 0000000..fcaa26c --- /dev/null +++ b/terraform/wifi-289708231103/core-dumps-s3/.sops.yaml @@ -0,0 +1,2 @@ +creation_rules: +- kms: 'arn:aws:kms:us-east-2:289708231103:alias/helm-secrets' diff --git a/terraform/wifi-289708231103/core-dumps-s3/main.tf b/terraform/wifi-289708231103/core-dumps-s3/main.tf index 09a60f4..9e26cc7 100644 --- a/terraform/wifi-289708231103/core-dumps-s3/main.tf +++ b/terraform/wifi-289708231103/core-dumps-s3/main.tf @@ -12,6 +12,13 @@ terraform { dynamodb_table = "terraform-state-lock" encrypt = true } + + required_providers { + sops = { + source = "carlpett/sops" + version = "~> 0.5" + } + } } locals { 
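Review bot: The creation rule in `.sops.yaml` names the KMS key by alias (`alias/helm-secrets`), and sops writes that same string into the `arn` field of `secrets.enc.json`. An alias can later be pointed at a different key, which would leave the stored reference naming a key that never encrypted the file. The alias name also suggests the key is shared with Helm secrets, so anyone allowed to decrypt those can probably read this webhook URL too; that is an inference from the name and should be confirmed. Consider a dedicated key referenced by its key ARN, e.g. `- kms: 'arn:aws:kms:us-east-2:289708231103:key/<KEY_ID_PLACEHOLDER>'`.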
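Review bot: In the new `required_providers` block, `version = "~> 0.5"` accepts any later 0.x release of the community `carlpett/sops` provider, which is the component that handles the decrypted secret during plan and apply. The diffstat lists no `.terraform.lock.hcl`, so unless one is already committed for this directory, nothing pins the provider release or its checksums. Committing the lock file alongside this change would fix the exact build that gets downloaded. Narrowing the constraint to `version = "~> 0.5.0"` would limit drift to patch releases.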
@@ -20,11 +27,81 @@ locals { } } +data "sops_file" "secrets" { + source_file = "secrets.enc.json" +} + resource "aws_s3_bucket" "openwifi-core-dumps" { bucket = "openwifi-core-dumps" tags = local.common_tags } +resource "aws_s3_bucket_lifecycle_configuration" "openwifi-core-dumps" { + bucket = aws_s3_bucket.openwifi-core-dumps.id + + rule { + id = "core-dumps-retention" + filter {} + status = "Enabled" + + expiration { + days = 14 + } + } +} + +resource "aws_s3_bucket_notification" "s3_eventnotification_slack" { + bucket = aws_s3_bucket.openwifi-core-dumps.id + + lambda_function { + lambda_function_arn = aws_lambda_function.s3_eventnotification_slack.arn + events = ["s3:ObjectCreated:Put"] + } + + depends_on = [aws_lambda_permission.s3_eventnotification_slack] +} + +resource "aws_iam_role" "s3_eventnotification_slack" { + name = "s3_eventnotification_slack" + + assume_role_policy = <VODzoZS`yN^N{(ZbSakzyb^2y`MU7MS@83vuI0e3LE>Hja?ChTH$v3l%`1WK< z?es_y&(&G^xX!W9?RZ1Zq#J@hyDl%vQqh{8UN+^c(Cv<_=ywGh)oxAmIbpDgbya$% zhp2YSgTrsHe)auX{p;=VyLWwmzWz7u^CYS17dpxUyNh%~?k+g_ab_iZz{H{-kE$NC z{P@Xo|6*gbvQEv`r@GCF-PHk$TqC5i9v`0}EzGyUv)ttLyNyc0w{z@%8_jQB_VaGy zA-xSLpJzyTsI&WX>Gm8wv|8Pt&--r0?ElUEV$y4r1&S;gzaei0w69&BWD4@{NH)U(Z;Z?bA` z%&Ei$QrGrf-Nw(qxLN+_;->k$T-^be{f?UbJ1nuAGtc{L&$W|N3nYq{Y?bRSDVR5_ zs#{Is)UHdx;?Aypx1EX=9Y4iRzj4W}ZAxKp*=vvKqFZlSn>_xayX?v#PBUGe48hi? z?CRC7CQ_fz-8bD7dCaYT{b3PJ^O9=W--1!*n}qx({gUb6yTUgAp8j0s^IqM*^UnU4 zdgqvvTA*_!^seW2yYvSJcihhv^8Zlcjq*M9=toMU@$Zl9_Dn6&mP#|duCT|x7kJ*= zHQ}=5zK|8NK93JQax(pMVomRp|Dx66e4AGqrW{zrb(xFb(O^r)+K9x7b3?@^EoYx> zAK=Z%B*%;^B}xEOC<6l{5HD#2u?VC~R!F);OOpZKtZX37j6j$Sq&t8Koq+)W5G+5O literal 0 HcmV?d00001 diff --git a/terraform/wifi-289708231103/core-dumps-s3/secrets.enc.json b/terraform/wifi-289708231103/core-dumps-s3/secrets.enc.json new file mode 100644 index 0000000..2ad2c51 --- /dev/null +++ b/terraform/wifi-289708231103/core-dumps-s3/secrets.enc.json 
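Review bot: In `aws_s3_bucket_notification.s3_eventnotification_slack`, `events = ["s3:ObjectCreated:Put"]` matches only single-request PUT uploads. Objects created by multipart upload, POST or copy raise different ObjectCreated event types and would land in the bucket without triggering the alert. Core dumps are likely to be large enough for upload clients to switch to multipart, so the gap may cover the common case. Use `events = ["s3:ObjectCreated:*"]` unless the narrower filter is deliberate, in which case add a comment saying why. The rest of this hunk, from the `assume_role_policy` heredoc onward, is not legible on this page, so the IAM policy and the Lambda definition are not covered by this note.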
@@ -0,0 +1,22 @@
+{
+ "slack_webhook_url": "ENC[AES256_GCM,data:XKM7b0Fvgh0MObnGi5ad3tQ0f19TeeJSPeJ8SDRI+rBGBdCXGFLbkh/CAT19g7ddFNCX5DeYXXMN2WsWNhjyBai2yhC9UeefkYaK8bhLnEcZ,iv:6VLvnjyRbX6sHbTfQLoiq2bqIfHYqTRvn1/3L+HaleY=,tag:0mph2YAxqzEuPDnjA/VHXg==,type:str]",
+ "sops": {
+ "kms": [
+ {
+ "arn": "arn:aws:kms:us-east-2:289708231103:alias/helm-secrets",
+ "created_at": "2022-08-30T17:40:01Z",
+ "enc": "AQICAHiG/4CitJjM31GdYxTw9OLz/Zs5oK+DCq0cU2fAjtAA3AEt8nVCknDEL+YOfRwA3V4lAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMpGIJPhf0dqp3uqsPAgEQgDuJZk20++N1k3zofsYfLBB1bo9RJqvkR0o94/ToTZ7A6s/3Z4QzSVb25a8jmfB5p07hINmVPtMt3bnKfQ==",
+ "aws_profile": ""
+ }
+ ],
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-08-30T17:40:03Z",
+ "mac": "ENC[AES256_GCM,data:OvMx5D74wactxfTPuXhNQMFcbcPcHm8Nz/qleAGswPbnYxMXVw790Dycnv5EZbNlEeGkykfKt17zWCgb5vQXLhkpvpRk88HB6s4cNNqzNT428+7YLJZlzAroHSBu5uH5qEMwf3C+/ow418H7UCwAYU2tfLY4Nb2Tb1xAL9eu+Uk=,iv:/2sMTkq+iDYg3S05N7t3Q3PL8AhwpIv5uUPjQoesfsQ=,tag:8j8dfoxCU4nr4yetFeBvjA==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}