terraform aws clickops notifier
v5.2.0
当用户在AWS控制台中采取操作时,请通知通知。更多
并非严格的要求,您将其与AWS Controltower一起使用。该模块仅在使用AWS Controltower发货的日志存档帐户中进行了测试。设置您的AWS信条,以便aws sts get-caller-identity | grep Account可为您提供控制台日志存档帐户ID。
如果您的帐户是不使用集中式CloudTrail日志记录或不想在组织级别监视ClickOps的AWS组织的一部分,则可以在单个帐户中以standalone方式部署ClickOps。对于独立模式,您需要在帐户中启用CloudTrail,将其配置为将日志写入CloudWatch日志组,并具有足够的权限来在日志组上创建订阅过滤器。
以下操作不会被提醒,这些措施是:
该功能可以使用excluded_scoped_actions和excluded_scoped_actions_effect变量覆盖。下面的Terraform文档中可用排除的操作列表。
在“问题”部分中报告问题/问题/功能请求。
此处介绍了完整的贡献指南。
| 姓名 | 描述 | 类型 | 默认 | 必需的 |
|---|---|---|---|---|
| 附加_iam_policy_statement | 动态政策语句的地图,要附加到lambda功能角色 | any | {} | 不 |
| wasse_aws_principals_for_sns_subscribe | 允许订阅SNS主题(仅适用于组织部署)的AWS校长列表。 | list(string) | [] | 不 |
| cloudtrail_bucket_name | 包含您要处理的CloudTrail日志的存储桶。 controltower存储键名遵循此命名惯例aws-controltower-logs-{{account_id}}-{{region}} | string | "" | 不 |
| cloudtrail_bucket_notifications_sns_arn | sns主题用于存储桶通知。如果未提供,将创建一个新的SNS主题以及存储桶通知配置。 | string | null | 不 |
| cloudtrail_log_group | CloudWatch日志组的CloudTrail事件。 | string | "" | 不 |
| create_iam_role | 确定是创建IAM角色还是使用现有的IAM角色 | bool | true | 不 |
| event_batch_size | 将事件批量事件成event_batch_size | number | 100 | 不 |
| event_maximum_batching_window | 最大批处理窗口以秒为单位。 | number | 300 | 不 |
| event_processing_timeout | 允许LAMBDA运行的最大秒数,并在接我的lambda后将其隐藏在SQS中。 | number | 60 | 不 |
| 排除_accounts | 扫描手动操作的帐户列表。这些限制了包括included_accounts | list(string) | [] | 不 |
| 排除_scoped_actions | 服务范围的操作列表,该操作将不会被提醒。格式{{service}}。Amazonaws.com:{action}} | list(string) | [] | 不 |
| 排除_scoped_actions_effect | 是否要替换或附加到现有的动作。默认情况下,它将附加到列表,有效值:附加,替换 | string | "APPEND" | 不 |
| 排除_users | 电子邮件地址列表将不会在练习点击邮件时报告。 | list(string) | [] | 不 |
| firehose_delivery_stream_name | Kinesis FireHose交付流到输出点击事件的输出名称。 | string | null | 不 |
| iam_role_arn | Lambda的现有IAM角色。如果create_iam_role设置为false则需要 | string | null | 不 |
| 包括_accounts | 扫描手动操作的帐户列表。如果空将扫描所有帐户。 | list(string) | [] | 不 |
| 包括_users | 扫描手动操作的电子邮件列表。如果空将扫描所有电子邮件。 | list(string) | [] | 不 |
| kms_key_id_for_sns_topic | KMS密钥ID用于加密SNS_Topic(仅适用于组织部署)。 | string | null | 不 |
| lambda_deployment_s3_bucket | lambda部署软件包的S3存储桶。 | string | null | 不 |
| lambda_deployment_s3_key | lambda部署软件包的S3对象密钥。否则,将默认为var.naming_prefix/local.deployment_filename 。 | string | null | 不 |
| lambda_deployment_upload_to_s3_enabled | 如果为true ,则该模块存储库中的Lambda部署包将复制到S3。如果为false ,则必须单独上传S3对象。如果lambda_deployment_s3_bucket为null,则忽略。 | bool | true | 不 |
| lambda_log_level | Lambda记录级别。其中之一: ["DEBUG", "INFO", "WARN", "ERROR"] 。 | string | "WARN" | 不 |
| lambda_memory_size | Lambda使用的内存量 | number | "128" | 不 |
| lambda_runtime | 使用Lambda运行时。之一: ["python3.9", "python3.8", "python3.7"] | string | "python3.8" | 不 |
| log_retention_in_days | 保留CloudWatch日志的天数 | number | 14 | 不 |
| naming_prefix | 资源将在此前缀 | string | "clickops-notifier" | 不 |
| 独立 | 将ClickOps部署在独立帐户中,而不是在整个AWS组织中。对于只想在没有在组织层面上进行仪器的帐户中监视点击量的团队的理想选择。 | bool | false | 不 |
| subcription_filter_distribution | 用于将日志数据分配到目标的方法。默认情况下,日志数据按日志流进行分组,但是可以将分组设置为随机分组以进行更均匀的分布。仅当目标是亚马逊运动流时,此属性才适用。有效值是“随机”和“ Bylogstream”。 | string | "Random" | 不 |
| 标签 | 除了提供商的default_tag之外,还可以添加到资源的标签 | map(string) | {} | 不 |
| webhooks_for_msteams_notifications | custom_name => webhook URL s。 https://lealen.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-cond-conv/add-incoming-webhook?tabs=dotnet | map(string) | {} | 不 |
| webhooks_for_slack_notifications | custom_name => webhook URL s的地图,用于松弛通知。 https://api.slack.com/messaging/webhooks | map(string) | {} | 不 |
| 姓名 | 来源 | 版本 |
|---|---|---|
| ClickOps_notifier_lambda | Terraform-aws-modules/lambda/aws | 4.9.0 |
| 姓名 | 描述 |
|---|---|
| ClickOps_notifier_lambda | 从Lambda模块中公开所有输出 |
| SNS_TOPIC | 揭露桶通知SNS详细信息 |
| sqs_queue | 揭示存储桶通知SQS详细信息 |
| 姓名 | 版本 |
|---|---|
| AWS | > = 4.9 |
| 姓名 | 版本 |
|---|---|
| Terraform | > = 0.15.0 |
| AWS | > = 4.9 |
| 姓名 | 类型 |
|---|---|
| aws_cloudwatch_log_subscription_filter.this | 资源 |
| aws_s3_bucket_notification.bucket_notification | 资源 |
| aws_s3_object.deployment | 资源 |
| aws_sns_topic.bucket_notifications | 资源 |
| aws_sns_topic_policy.bucket_notifications | 资源 |
| aws_sns_topic_subscription.bucket_notifications | 资源 |
| aws_sqs_queue.bucket_notifications | 资源 |
| aws_sqs_queue_policy.bucket_notifications | 资源 |
| aws_ssm_parameter.webhooks_for_msteams | 资源 |
| aws_ssm_parameter.webhooks_for_slack | 资源 |
| AWS_CALLER_IDENTITY.CURRENT | 数据源 |
| aws_cloudwatch_log_group.this | 数据源 |
| aws_iam_policy_document.bucket_notifications | 数据源 |
| aws_iam_policy_document.lambda_permissions | 数据源 |
| aws_iam_policy_document.sns_topic_policy_bucket_notifications | 数据源 |
| aws_region.current | 数据源 |
locals {
ignored_scoped_events_built_in = [
" cognito-idp.amazonaws.com:InitiateAuth " ,
" cognito-idp.amazonaws.com:RespondToAuthChallenge " ,
" sso.amazonaws.com:Federate " ,
" sso.amazonaws.com:Authenticate " ,
" sso.amazonaws.com:Logout " ,
" sso.amazonaws.com:SearchUsers " ,
" sso.amazonaws.com:SearchGroups " ,
" sso.amazonaws.com:CreateToken " ,
" signin.amazonaws.com:UserAuthentication " ,
" signin.amazonaws.com:SwitchRole " ,
" signin.amazonaws.com:RenewRole " ,
" signin.amazonaws.com:ExternalIdPDirectoryLogin " ,
" signin.amazonaws.com:CredentialVerification " ,
" signin.amazonaws.com:CredentialChallenge " ,
" signin.amazonaws.com:CheckMfa " ,
" logs.amazonaws.com:StartQuery " ,
" cloudtrail.amazonaws.com:StartQuery " ,
" iam.amazonaws.com:SimulatePrincipalPolicy " ,
" iam.amazonaws.com:GenerateServiceLastAccessedDetails " ,
" glue.amazonaws.com:BatchGetJobs " ,
" glue.amazonaws.com:BatchGetCrawlers " ,
" glue.amazonaws.com:StartJobRun " ,
" glue.amazonaws.com:StartCrawler " ,
" athena.amazonaws.com:StartQueryExecution " ,
" servicecatalog.amazonaws.com:SearchProductsAsAdmin " ,
" servicecatalog.amazonaws.com:SearchProducts " ,
" servicecatalog.amazonaws.com:SearchProvisionedProducts " ,
" servicecatalog.amazonaws.com:TerminateProvisionedProduct " ,
" cloudshell.amazonaws.com:CreateSession " ,
" cloudshell.amazonaws.com:PutCredentials " ,
" cloudshell.amazonaws.com:SendHeartBeat " ,
" cloudshell.amazonaws.com:CreateEnvironment " ,
" kms.amazonaws.com:Decrypt " ,
" kms.amazonaws.com:RetireGrant " ,
" trustedadvisor.amazonaws.com:RefreshCheck " ,
# Must CreateMultipartUpload before uploading any parts.
" s3.amazonaws.com:UploadPart " ,
" s3.amazonaws.com:UploadPartCopy " ,
" route53domains:TransferDomain " ,
" support.amazonaws.com:AddAttachmentsToSet " ,
" support.amazonaws.com:AddCommunicationToCase " ,
" support.amazonaws.com:CreateCase " ,
" support.amazonaws.com:InitiateCallForCase " ,
" support.amazonaws.com:InitiateChatForCase " ,
" support.amazonaws.com:PutCaseAttributes " ,
" support.amazonaws.com:RateCaseCommunication " ,
" support.amazonaws.com:RefreshTrustedAdvisorCheck " ,
" support.amazonaws.com:ResolveCase " ,
" grafana.amazonaws.com:login_auth_sso " ,
]
}
