This module creates and configures an SNS topic and multiple subscriptions
This repository is a READ-ONLY sub-tree split. See https://github.com/FriendsOfTerraform/modules to create issues or submit pull requests.
module "basic_usage" {
source = "github.com/FriendsOfTerraform/aws-sns.git?ref=v1.0.0"
name = "demo-sns"
subscriptions = [
# endpoints will the same configuration should be grouped in the same object
# Sales and Marketing team gets notified whenever there is a cancelled order
{
protocol = "email"
endpoints = [
"[email protected]",
"[email protected]"
]
filter_policy = jsonencode(
{
event = ["order_cancelled"]
}
)
},
# all messages get sent to the analysis email
{
protocol = "email"
endpoints = [
"[email protected]"
]
}
]
}Manages the data protection policy
module "data_protection_policy" {
source = "github.com/FriendsOfTerraform/aws-sns.git?ref=v1.0.0"
name = "demo-sns"
data_protection_policy = {
# The keys of the map will be the SID of each statement
statements = {
"audit_aws_secret_key" = {
data_direction = "Inbound"
data_identifiers = ["arn:aws:dataprotection::aws:data-identifier/AwsSecretKey"]
operation = {
audit = {
sample_rate = 10
destinations = {
s3_bucket_name = "test-bucket"
cloudwatch_log_group = "/aws/vendedlogs/test"
}
}
}
}
# Mask DB password with #
"mask_db_password" = {
data_direction = "Inbound"
data_identifiers = ["db-password"]
operation = {
deidentify = {
mask_with_character = "#"
}
}
}
}
configuration = {
custom_data_identifiers = {
db-password = "dbpass.*"
}
}
}
}-
(string)
name[since v1.0.0]The name of the SNS topic. All associated resources will also have their name prefixed with this value
-
(string)
access_policy = null[since v1.0.0]Defines who can access the topic. By default, only the topic owner can publish or subscribe to the topic
-
(map(string))
additional_tags = {}[since v1.0.0]Additional tags for the SNS topic
-
(map(string))
additional_tags_all = {}[since v1.0.0]Additional tags for all resources deployed with this module
-
(object)
data_protection_policy = null[since v1.0.0]Manages the data protection policy for this topic. Please see example
-
(map(object))
statements[since v1.0.0]Manages multiple statements in this policy
-
(string)
data_direction[since v1.0.0]The direction of messages to which this statement applies. Valid value:
"Inbound","Outbound" -
(list(string))
data_identifiers[since v1.0.0]A list of data identifiers that represent sensitive data this statement applies to. Please refer to this documentation for the valid values. Can also include names specified in the
data_protection_policy.configuration.custom_data_identifiers -
(object)
operation[since v1.0.0]The operation to trigger upon finding sensitive data as specified by this statement. You must specify one and only one of the following:
audit,deidentify,deny-
(object)
audit = null[since v1.0.0]Audit matching sensitive data and send audit result to a destination
-
(number)
sample_rate[since v1.0.0]The percentage of messages to audit for sensitive information. Valid value: between
0to99 -
(object)
destinations[since v1.0.0]The AWS services to send the audit finding results. Must specificy at least one of the following:
cloudwatch_log_group,s3_bucket_name,firehose_delivery_stream-
(string)
cloudwatch_log_group = null[since v1.0.0]The Cloudwatch log group to send audit results to
-
(string)
firehose_delivery_stream = null[since v1.0.0]The name of a Kinese Firehose Delivery Stream to send audit results to
-
(string)
s3_bucket_name = null[since v1.0.0]The name of an S3 bucket to send audit results to
-
-
-
(object)
deidentify = null[since v1.0.0]De-identify matching sensitive data by either redacting them or masking them with a specific character. Must specify one and only one of the following:
mask_with_character,redact-
(string)
mask_with_character = null[since v1.0.0]Replaces the data with single characters. All printable ASCII characters except delete are supported
-
(bool)
redact = null[since v1.0.0]Completely removes the data
-
-
(object)
deny = null[since v1.0.0]Denies the delivery of the message if the message contains sensitive data
-
-
(list(string))
principals = ["*"][since v1.0.0]A list of IAM principals this statement applies to
-
-
(object)
configuration = null[since v1.0.0]Define Custom Data identifiers that can be used in data protection policy
-
(map(string))
custom_data_identifiers[since v1.0.0]Map of custom data identifiers in
{Name = Regex}format
-
-
-
(object)
delivery_policy = null[since v1.0.0]Topic wide delivery policy that tells SNS how to retry failed message deliveries to endpoints with the
http,httpsprotocol-
(object)
healthy_retry_policy = null[since v1.0.0]Define the retry policy
-
(number)
min_delay_target = 20[since v1.0.0]The minimum delay for a retry in seconds. Valid value: between
1andmax_delay_target -
(number)
max_delay_target = 20[since v1.0.0]The maximum delay for a retry in seconds. Valid value: between
min_delay_targetand3600 -
(number)
num_retries = 3[since v1.0.0]The total number of retries, including immediate, pre-backoff, backoff, and post-backoff retries. Valid value: between
0to100 -
(number)
num_no_delay_retries = 0[since v1.0.0]The number of retries to be done immediately, with no delay between them
-
(number)
num_min_delay_retries = 0[since v1.0.0]The number of retries in the pre-backoff phase, with the specified
min_delay_targetbetween them -
(number)
num_max_delay_retries = 0[since v1.0.0]The number of retries in the post-backoff phase, with the
max_delay_targetbetween them. -
(string)
backoff_function = "linear"[since v1.0.0]The model for backoff between retries. Valid values:
"arithmetic","exponential","geometric","linear"
-
-
(object)
throttle_policy = null[since v1.0.0]Define the throttle policy
-
(number)
max_receives_per_second[since v1.0.0]The maximum number of deliveries per second, per subscription. Valid value:
1or greater
-
-
(object)
request_policy = null[since v1.0.0]Define the request policy
-
(string)
header_content_type = "text/plain; charset=UTF-8"[since v1.0.0]The content type of the notification being sent to HTTP/S endpoints. Valid values:
"application/json","text/plain".
-
-
-
(object)
delivery_status_logging = null[since v1.0.0]Enables logging of the delivery status of notification messages sent to topics
-
(list(string))
protocols[since v1.0.0]Subscriber protocols which logs will be generated for. Valid values:
"application","http","lambda","sqs","firehose" -
(number)
success_sample_rate[since v1.0.0]The percentage of successful message deliveries to log. Valid value: between
0and100 -
(string)
iam_role_for_successful_deliveries[since v1.0.0]Arn of an IAM role that gives permission to SNS to write successful delivery logs to Cloudwatch
-
(string)
iam_role_for_failed_deliveries[since v1.0.0]Arn of an IAM role that gives permission to SNS to write failed delivery logs to Cloudwatch
-
-
(string)
display_name = null[since v1.0.0]The display name of the topic. Optional for all transports. For SMS subscriptions only the first 10 characters are used. If not specified, the
nameof the topic will be used. -
(bool)
enable_active_tracing = false[since v1.0.0]Enable to have AWS X-Ray collect data about the messages that this topic receives. Additional steps are needed, please see Active Tracing X-Ray resource-based policy
-
(bool)
enable_content_based_message_deduplication = false[since v1.0.0]Enable default message deduplication based on message content. If false, a deduplication ID must be provided for every publish request
-
(object)
enable_encryption = null[since v1.0.0]Enables SNS encryption at-rest
-
(string)
kms_key_id = "alias/aws/sns"[since v1.0.0]The ID of a KMS key used for encryption
-
-
(list(object))
subscriptions = [][since v1.0.0]Manages multiple subscriptions for this topic. See example
-
(string)
protocol[since v1.0.0]The type of endpoint to subscribe. Valid values:
"application","firehose","lambda","sms","sqs","email","email-json","http","https" -
(list(string))
endpoints[since v1.0.0]List of endpoints to send data to. The contents vary with the protocol. See details below:
Protocol Endpoint application ARN of a mobile app and device firehose ARN of an Amazon Kinesis Data Firehose delivery stream lambda ARN of an AWS Lambda function sms Phone number of an SMS-enabled device. sqs ARN of an Amazon SQS queue email An email address email-json An email address http A URL beginning with http:// https A URL beginning with https:// -
(string)
dead_letter_queue_arn = null[since v1.0.0]ARN of a SQS queue where SNS will forward messages that can't be delivered to subscibers successfully to
-
(bool)
enable_raw_message_delivery = false[since v1.0.0]Whether to enable raw message delivery, where the original message is directly passed and not wrapped in JSON with the original message in the message property
-
(string)
filter_policy = null[since v1.0.0]JSON String with the filter policy that will be used in the subscription to filter messages seen by the target resource
-
(string)
filter_policy_scope = "MessageAttributes"[since v1.0.0]The filter policy scope. Valid values:
"MessageAttributes","MessageBody" -
(string)
subscription_role_arn = null[since v1.0.0]ARN of the IAM role to publish to Kinesis Data Firehose delivery stream. Required only if
protocol = "firehose"
-
-
(string)
sns_topic_arn[since v1.0.0]The ARN of the SNS topic
-
(string)
sns_topic_subscription_arns[since v1.0.0]The ARNs of the subscribers for this SNS topic
There is no way to create the X-ray resource-based policy required for the SNS active tracing with Terraform today. Therefore, after enabling active tracing in this module, you must follow this documentation to create the resource-based policy using different means.