Support CLOUDWATCH_LOG_GROUP, SNS_TOPIC, SQS_QUEUE, SSM_RUN_COMMAND targets for eventbridge-rule

Author: posquit0

modules/eventbridge-rule/README.md

@@ -36,14 +36,18 @@ This module creates following resources.
 | [aws_cloudwatch_event_target.event_bus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.event_bus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.ssm_run_command](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.ssm_run_commands](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_name"></a> [name](#input\_name) | (Required) A name of the rule for the event bus. | `string` | n/a | yes |
 | <a name="input_api_destination_targets"></a> [api\_destination\_targets](#input\_api\_destination\_targets) | (Optional) The configuration to manage the specified EventBridge API destination targets for the rule. Each item of `api_destination_targets` as defined below.<br>    (Required) `id` - The unique ID of the target within the specified rule. Use this ID to reference the target when updating the rule.<br>    (Required) `api_destination` - The Amazon Resource Name (ARN) of the target API destination.<br><br>    (Optional) `execution_role` - The ARN (Amazon Resource Name) of the IAM role to be used for this target when the rule is triggered. Only required if `default_execution_role.enabled` is `false`.<br><br>    (Optional) `dead_letter_queue` - The configuration for dead-letter queue of the rule target. Dead letter queues are used for collecting and storing events that were not successfully delivered to targets. `dead_letter_queue` as defined below.<br>      (Optional) `enabled` - Whether to enable the dead letter queue. Defaults to `false`.<br>      (Optional) `sqs_queue` - The Amazon Resource Name (ARN) of the SQS queue specified as the target for the dead letter queue.<br>    (Optional) `retry_policy` - The configuration for retry policy of the rule target. Retry policies are used for specifying how many times to retry sending an event to a target after an error occurs. `retry_policy` as defined below.<br>      (Optional) `maximum_event_age` - The maximum amount of time, in seconds, to continue to make retry attempts. Defaults to `86400` (1 hour).<br>      (Optional) `maximum_retry_attempts` - The maximum number of times to retry sending an event to a target after an error occurs. Defaults to `185`. | <pre>list(object({<br>    id              = string<br>    api_destination = string<br><br>    execution_role = optional(string)<br><br>    dead_letter_queue = optional(object({<br>      enabled   = optional(bool, false)<br>      sqs_queue = optional(string)<br>    }), {})<br>    retry_policy = optional(object({<br>      maximum_event_age      = optional(number, 86400)<br>      maximum_retry_attempts = optional(number, 185)<br>    }), {})<br>  }))</pre> | `[]` | no |
-| <a name="input_aws_service_targets"></a> [aws\_service\_targets](#input\_aws\_service\_targets) | (Optional) The configuration to manage the specified AWS service targets for the rule. Targets are the resources that are invoked when a rule is triggered. Each item of `aws_service_targets` as defined below.<br>    (Required) `id` - The unique ID of the target within the specified rule. Use this ID to reference the target when updating the rule.<br>    (Required) `target` - The Amazon Resource Name (ARN) of the target.<br><br>    (Optional) `execution_role` - The ARN (Amazon Resource Name) of the IAM role to be used for this target when the rule is triggered. Only required if `default_execution_role.enabled` is `false`.<br><br>    (Optional) `dead_letter_queue` - The configuration for dead-letter queue of the rule target. Dead letter queues are used for collecting and storing events that were not successfully delivered to targets. `dead_letter_queue` as defined below.<br>      (Optional) `enabled` - Whether to enable the dead letter queue. Defaults to `false`.<br>      (Optional) `sqs_queue` - The Amazon Resource Name (ARN) of the SQS queue specified as the target for the dead letter queue.<br>    (Optional) `retry_policy` - The configuration for retry policy of the rule target. Retry policies are used for specifying how many times to retry sending an event to a target after an error occurs. `retry_policy` as defined below.<br>      (Optional) `maximum_event_age` - The maximum amount of time, in seconds, to continue to make retry attempts. Defaults to `86400` (1 hour).<br>      (Optional) `maximum_retry_attempts` - The maximum number of times to retry sending an event to a target after an error occurs. Defaults to `185`. | <pre>list(object({<br>    id     = string<br>    target = string<br><br>    execution_role = optional(string)<br><br>    dead_letter_queue = optional(object({<br>      enabled   = optional(bool, false)<br>      sqs_queue = optional(string)<br>    }), {})<br>    retry_policy = optional(object({<br>      maximum_event_age      = optional(number, 86400)<br>      maximum_retry_attempts = optional(number, 185)<br>    }), {})<br>  }))</pre> | `[]` | no |
+| <a name="input_aws_service_targets"></a> [aws\_service\_targets](#input\_aws\_service\_targets) | (Optional) The configuration to manage the specified AWS service targets for the rule. Targets are the resources that are invoked when a rule is triggered. Each item of `aws_service_targets` as defined below.<br>    (Required) `id` - The unique ID of the target within the specified rule. Use this ID to reference the target when updating the rule.<br>    (Required) `type` - The AWS resource type of the target. Valid values are<br>  `CLOUDWATCH_LOG_GROUP`, `SNS_TOPIC`, `SQS_QUEUE`, `SSM_RUN_COMMAND`.<br>    (Optional) `cloudwatch_log_group` - The configuration for CloudWatch log group target. `cloudwatch_log_group` as defined below.<br>      (Required) `arn` - The Amazon Resource Name (ARN) of the CloudWatch log group.<br>    (Optional) `sns_topic` - The configuration for SNS topic target. `sns_topic` as defined below.<br>      (Required) `arn` - The Amazon Resource Name (ARN) of the SNS topic.<br>    (Optional) `sqs_queue` - The configuration for SQS queue target. `sqs_queue` as defined below.<br>      (Required) `arn` - The Amazon Resource Name (ARN) of the SQS queue.<br>      (Optional) `message_group_id` - The FIFO message group ID to use as the target.<br>    (Optional) `ssm_run_command` - The configuration for SSM run command target. `ssm_run_command` as defined below.<br>      (Required) `document` - The Amazon Resource Name (ARN) of the SSM document to run on the target.<br>      (Required) `target_selector` - The target selector as a Map of key-value pairs. Valid keys are `InstanceIds` or `tag:${tag-name}`.<br><br>    (Optional) `execution_role` - The ARN (Amazon Resource Name) of the IAM role to be used for this target when the rule is triggered. Only required if `default_execution_role.enabled` is `false`.<br><br>    (Optional) `dead_letter_queue` - The configuration for dead-letter queue of the rule target. Dead letter queues are used for collecting and storing events that were not successfully delivered to targets. `dead_letter_queue` as defined below.<br>      (Optional) `enabled` - Whether to enable the dead letter queue. Defaults to `false`.<br>      (Optional) `sqs_queue` - The Amazon Resource Name (ARN) of the SQS queue specified as the target for the dead letter queue.<br>    (Optional) `retry_policy` - The configuration for retry policy of the rule target. Retry policies are used for specifying how many times to retry sending an event to a target after an error occurs. `retry_policy` as defined below.<br>      (Optional) `maximum_event_age` - The maximum amount of time, in seconds, to continue to make retry attempts. Defaults to `86400` (1 hour).<br>      (Optional) `maximum_retry_attempts` - The maximum number of times to retry sending an event to a target after an error occurs. Defaults to `185`. | <pre>list(object({<br>    id   = string<br>    type = string<br>    cloudwatch_log_group = optional(object({<br>      arn = string<br>    }))<br>    sns_topic = optional(object({<br>      arn = string<br>    }))<br>    sqs_queue = optional(object({<br>      arn              = string<br>      message_group_id = optional(string)<br>    }))<br>    ssm_run_command = optional(object({<br>      document        = string<br>      target_selector = map(list(string))<br>    }))<br><br>    execution_role = optional(string)<br><br>    dead_letter_queue = optional(object({<br>      enabled   = optional(bool, false)<br>      sqs_queue = optional(string)<br>    }), {})<br>    retry_policy = optional(object({<br>      maximum_event_age      = optional(number, 86400)<br>      maximum_retry_attempts = optional(number, 185)<br>    }), {})<br>  }))</pre> | `[]` | no |
 | <a name="input_default_execution_role"></a> [default\_execution\_role](#input\_default\_execution\_role) | (Optional) A configuration for the default execution role to use for the rule that is used for target invocation. Use `execution_role` if `default_execution_role.enabled` is `false`. `default_execution_role` as defined below.<br>    (Optional) `enabled` - Whether to create the default execution role. Defaults to `true`.<br>    (Optional) `name` - The name of the default execution role. Defaults to `aws-eventbridge-${var.event_bus}-rule-${var.name}`.<br>    (Optional) `path` - The path of the default execution role. Defaults to `/`.<br>    (Optional) `description` - The description of the default execution role.<br>    (Optional) `policies` - A list of IAM policy ARNs to attach to the default execution role. Defaults to `[]`.<br>    (Optional) `inline_policies` - A Map of inline IAM policies to attach to the default execution role. (`name` => `policy`). | <pre>object({<br>    enabled     = optional(bool, true)<br>    name        = optional(string)<br>    path        = optional(string, "/")<br>    description = optional(string, "Managed by Terraform.")<br><br>    policies        = optional(list(string), [])<br>    inline_policies = optional(map(string), {})<br>  })</pre> | `{}` | no |
 | <a name="input_description"></a> [description](#input\_description) | (Optional) The description of the rule. | `string` | `"Managed by Terraform."` | no |
 | <a name="input_event_bus"></a> [event\_bus](#input\_event\_bus) | (Optional) The name or ARN of the event bus to associate with this rule. If you omit this, the `default` event bus is used. | `string` | `"default"` | no |

modules/eventbridge-rule/iam.tf

@@ -1,4 +1,13 @@
+data "aws_partition" "this" {}
 data "aws_caller_identity" "this" {}
+data "aws_region" "this" {}
+
+locals {
+  partition  = data.aws_partition.this.partition
+  account_id = data.aws_caller_identity.this.account_id
+  region     = data.aws_region.this.name
+}
+
 
 ###################################################
 # IAM Role for Event Bus Rule
@@ -23,7 +32,7 @@ module "role" {
       conditions = [{
         key       = "aws:SourceAccount"
         condition = "StringEquals"
-        values    = [data.aws_caller_identity.this.account_id]
+        values    = [local.account_id]
       }]
     }
   ]
@@ -36,6 +45,12 @@ module "role" {
       }
       : {}
     ),
+    (one(data.aws_iam_policy_document.ssm_run_commands) != null
+      ? {
+        "ssm-run-command-targets" = one(data.aws_iam_policy_document.ssm_run_commands).json
+      }
+      : {}
+    ),
     var.default_execution_role.inline_policies
   )
 
@@ -66,3 +81,66 @@ data "aws_iam_policy_document" "event_bus" {
   }
 }
 
+data "aws_iam_policy_document" "ssm_run_commands" {
+  count = length(keys(data.aws_iam_policy_document.ssm_run_command)) > 0 ? 1 : 0
+
+  source_policy_documents = values(data.aws_iam_policy_document.ssm_run_command)[*].json
+}
+
+data "aws_iam_policy_document" "ssm_run_command" {
+  for_each = {
+    for target in var.aws_service_targets :
+    target.id => target
+    if var.default_execution_role.enabled && target.type == "SSM_RUN_COMMAND"
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["ssm:SendCommand"]
+    resources = ["arn:${local.partition}:ssm:${local.region}:*:document/${regex("/([0-9A-Za-z_-]+)$", each.value.ssm_run_command.document)[0]}"]
+  }
+
+  dynamic "statement" {
+    for_each = {
+      for k, v in each.value.ssm_run_command.target_selector :
+      k => v
+      if k == "InstanceIds"
+    }
+
+    content {
+      effect  = "Allow"
+      actions = ["ssm:SendCommand"]
+      resources = [
+        for instance_id in statement.value :
+        "arn:${local.partition}:ec2:${local.region}:${local.account_id}:instance/${instance_id}"
+      ]
+    }
+  }
+  dynamic "statement" {
+    for_each = length([
+      for k in keys(each.value.ssm_run_command.target_selector) :
+      k
+      if startswith(k, "tag:")
+    ]) > 0 ? ["go"] : []
+
+    content {
+      effect    = "Allow"
+      actions   = ["ssm:SendCommand"]
+      resources = ["arn:${local.partition}:ec2:${local.region}:${local.account_id}:instance/*"]
+
+      dynamic "condition" {
+        for_each = {
+          for k, v in each.value.ssm_run_command.target_selector :
+          k => v
+          if startswith(k, "tag:")
+        }
+
+        content {
+          variable = condition.key
+          test     = "StringEquals"
+          values   = condition.value
+        }
+      }
+    }
+  }
+}

modules/eventbridge-rule/outputs.tf

@@ -46,7 +46,7 @@ output "event_bus_targets" {
   value = {
     for id, target in aws_cloudwatch_event_target.event_bus :
     id => {
-      id             = target.id
+      id             = target.target_id
       event_bus      = target.arn
       execution_role = target.role_arn
 
@@ -67,7 +67,7 @@ output "api_destination_targets" {
   value = {
     for id, target in aws_cloudwatch_event_target.api_destination :
     id => {
-      id              = target.id
+      id              = target.target_id
       api_destination = target.arn
       execution_role  = target.role_arn
 
@@ -91,7 +91,7 @@ output "aws_service_targets" {
   value = {
     for id, target in aws_cloudwatch_event_target.aws_service :
     id => {
-      id             = target.id
+      id             = target.target_id
       target         = target.arn
       execution_role = target.role_arn
 
@@ -109,7 +109,8 @@ output "aws_service_targets" {
       z = {
         for k, v in target :
         k => v
-        if !contains(["id", "arn", "role_arn", "dead_letter_config"], k)
+        if !contains(["id", "arn", "role_arn", "dead_letter_config", "retry_policy",
+        "event_bus_name", "rule", "target_id"], k)
       }
     }
   }

modules/eventbridge-rule/targets.tf

@@ -1,3 +1,21 @@
+locals {
+  aws_service_types = {
+    "CLOUDWATCH_LOG_GROUP" = {
+      support_execution_role = false
+    }
+    "SNS_TOPIC" = {
+      support_execution_role = false
+    }
+    "SQS_QUEUE" = {
+      support_execution_role = false
+    }
+    "SSM_RUN_COMMAND" = {
+      support_execution_role = true
+    }
+  }
+}
+
+
 ###################################################
 # Rule Targets (Event Bus)
 ###################################################
@@ -83,9 +101,7 @@ resource "aws_cloudwatch_event_target" "api_destination" {
 # ecs_target - (Optional) Parameters used when you are using the rule to invoke Amazon ECS Task. Documented below. A maximum of 1 are allowed.
 # http_target - (Optional) Parameters used when you are using the rule to invoke an API Gateway REST endpoint. Documented below. A maximum of 1 is allowed.
 # kinesis_target - (Optional) Parameters used when you are using the rule to invoke an Amazon Kinesis Stream. Documented below. A maximum of 1 are allowed.
-# run_command_targets - (Optional) Parameters used when you are using the rule to invoke Amazon EC2 Run Command. Documented below. A maximum of 5 are allowed.
 # redshift_target - (Optional) Parameters used when you are using the rule to invoke an Amazon Redshift Statement. Documented below. A maximum of 1 are allowed.
-# sqs_target - (Optional) Parameters used when you are using the rule to invoke an Amazon SQS Queue. Documented below. A maximum of 1 are allowed.
 # sagemaker_pipeline_target - (Optional) Parameters used when you are using the rule to invoke an Amazon SageMaker Pipeline. Documented below. A maximum of 1 are allowed.
 
 # NOTE:
@@ -104,14 +120,47 @@ resource "aws_cloudwatch_event_target" "aws_service" {
   event_bus_name = var.event_bus
   rule           = aws_cloudwatch_event_rule.this.name
 
+
+  ## Target
   target_id = each.key
-  arn       = each.value.target
+  arn = (
+    each.value.type == "CLOUDWATCH_LOG_GROUP"
+    ? each.value.cloudwatch_log_group.arn
+    : each.value.type == "SNS_TOPIC"
+    ? each.value.sns_topic.arn
+    : each.value.type == "SQS_QUEUE"
+    ? each.value.sqs_queue.arn
+    : each.value.type == "SSM_RUN_COMMAND"
+    ? each.value.ssm_run_command.document
+    : null
+  )
+
+  dynamic "sqs_target" {
+    for_each = each.value.type == "SQS_QUEUE" ? [each.value.sqs_queue] : []
+    iterator = target
+
+    content {
+      message_group_id = target.value.message_group_id
+    }
+  }
+  dynamic "run_command_targets" {
+    for_each = each.value.type == "SSM_RUN_COMMAND" ? each.value.ssm_run_command.target_selector : {}
+    iterator = target
+
+    content {
+      key    = target.key
+      values = target.value
+    }
+  }
 
 
   ## Permissions
-  role_arn = (each.value.execution_role != null
-    ? each.value.execution_role
-    : (var.default_execution_role.enabled ? module.role[0].arn : null)
+  role_arn = (local.aws_service_types[each.value.type].support_execution_role
+    ? (each.value.execution_role != null
+      ? each.value.execution_role
+      : (var.default_execution_role.enabled ? module.role[0].arn : null)
+    )
+    : null
   )