terraform aws clickops notifier
v5.2.0
Get notified when users take actions in the AWS console.

It is not a strict requirement that you use this with AWS Control Tower, but the module has only been tested in the Log Archive account that ships with AWS Control Tower. Set up your AWS credentials so that `aws sts get-caller-identity | grep Account` returns the Control Tower Log Archive account ID.

If your account is part of an AWS organization that does not use centralized CloudTrail logging, or you do not want to monitor ClickOps at the organization level, you can deploy ClickOps in a single account in `standalone` mode. For standalone mode you need CloudTrail enabled in the account, configured to write its logs to a CloudWatch log group, and sufficient permissions to create a subscription filter on that log group.
The following actions are not alerted on (see the `ignored_scoped_events_built_in` list at the end of this page):

This behaviour can be overridden with the `excluded_scoped_actions` and `excluded_scoped_actions_effect` variables. The list of excluded actions is also available in the Terraform documentation below.
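As an added example (not part of the module's own README), the following root module deploys the notifier in `standalone` mode against a single account's CloudTrail log group, sends alerts to Slack, and extends the built-in ignore list instead of replacing it. The module `source`, the log group name, the webhook variable, the excluded e-mail address and the two additional excluded actions are placeholders and assumptions; only the input names come from the table below.

```hcl
# Added example: standalone ClickOps notifier deployment.
# Assumes an existing trail already delivers to the CloudWatch log group named
# below; the module source and sample values are placeholders.

variable "slack_webhook_url" {
  description = "Incoming webhook URL for the security-alerts Slack channel (assumed input)"
  type        = string
  sensitive   = true
}

module "clickops_notifier" {
  # Replace with the real registry or git source of this module.
  source = "PLACEHOLDER/terraform-aws-clickops-notifier"

  # Single-account mode: the module creates a subscription filter on this log
  # group instead of consuming the organization's CloudTrail S3 bucket.
  standalone           = true
  cloudtrail_log_group = "aws-cloudtrail-logs-PLACEHOLDER" # constructed name

  naming_prefix = "clickops-notifier"

  # The module stores webhook URLs in SSM (aws_ssm_parameter.webhooks_for_slack),
  # so the URL does not end up in the Lambda environment.
  webhooks_for_slack_notifications = {
    security-alerts = var.slack_webhook_url
  }

  # APPEND keeps the built-in ignore list and adds these entries; REPLACE would
  # discard the built-ins. Entries follow {{service}}.amazonaws.com:{{action}}.
  # The two actions below are constructed examples, not from the module.
  excluded_scoped_actions_effect = "APPEND"
  excluded_scoped_actions = [
    "logs.amazonaws.com:GetQueryResults",
    "logs.amazonaws.com:StopQuery",
  ]

  # Identities whose console activity should not page the team (assumed value).
  excluded_users = ["break-glass-bot@example.com"]

  # Surface the Lambda's own decisions in CloudWatch Logs while tuning the filters.
  lambda_log_level      = "INFO"
  log_retention_in_days = 30

  tags = {
    owner = "security-operations"
  }
}
```

For an organization-level deployment in the Log Archive account you would drop `standalone`/`cloudtrail_log_group` and set `cloudtrail_bucket_name` to the Control Tower log bucket instead; `excluded_accounts`/`included_accounts` then control which member accounts are scanned.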
Report bugs, questions and feature requests in the Issues section.

The full contributing guidelines are described here.
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_iam_policy_statement | Map of dynamic policy statements to attach to the Lambda function role | any | {} | no |
| allowed_aws_principals_for_sns_subscribe | List of AWS principals allowed to subscribe to the SNS topic (only applies to organizational deployments). | list(string) | [] | no |
| cloudtrail_bucket_name | Bucket containing the CloudTrail logs you want to process. Control Tower bucket names follow the convention `aws-controltower-logs-{{account_id}}-{{region}}` | string | "" | no |
| cloudtrail_bucket_notifications_sns_arn | SNS topic used for bucket notifications. If not provided, a new SNS topic is created along with the bucket notification configuration. | string | null | no |
| cloudtrail_log_group | CloudWatch log group containing the CloudTrail events. | string | "" | no |
| create_iam_role | Whether to create an IAM role or use an existing one | bool | true | no |
| event_batch_size | Batch events into chunks of `event_batch_size` | number | 100 | no |
| event_maximum_batching_window | Maximum batching window in seconds. | number | 300 | no |
| event_processing_timeout | Maximum number of seconds the Lambda is allowed to run, and the number of seconds a message stays hidden in SQS after being picked up by the Lambda. | number | 60 | no |
| excluded_accounts | List of accounts that should not be scanned for manual actions. These further restrict the accounts listed in `included_accounts` | list(string) | [] | no |
| excluded_scoped_actions | List of service-scoped actions that will not be alerted on. Format: `{{service}}.amazonaws.com:{{action}}` | list(string) | [] | no |
| excluded_scoped_actions_effect | Whether to replace or append to the existing list of excluded actions. By default the values are appended to the list. Valid values: APPEND, REPLACE | string | "APPEND" | no |
| excluded_users | List of email addresses that will not be reported on when performing ClickOps. | list(string) | [] | no |
| firehose_delivery_stream_name | Name of the Kinesis Firehose delivery stream to output ClickOps events to. | string | null | no |
| iam_role_arn | Existing IAM role for the Lambda. Required if `create_iam_role` is set to `false` | string | null | no |
| included_accounts | List of accounts to scan for manual actions. If empty, all accounts are scanned. | list(string) | [] | no |
| included_users | List of emails to scan for manual actions. If empty, all emails are scanned. | list(string) | [] | no |
| kms_key_id_for_sns_topic | KMS key ID used to encrypt the SNS topic (only applies to organizational deployments). | string | null | no |
| lambda_deployment_s3_bucket | S3 bucket for the Lambda deployment package. | string | null | no |
| lambda_deployment_s3_key | S3 object key for the Lambda deployment package. Otherwise defaults to `var.naming_prefix/local.deployment_filename`. | string | null | no |
| lambda_deployment_upload_to_s3_enabled | If `true`, the Lambda deployment package within this module repository is copied to S3. If `false`, the S3 object must be uploaded separately. Ignored if `lambda_deployment_s3_bucket` is null. | bool | true | no |
| lambda_log_level | Lambda logging level. One of: `["DEBUG", "INFO", "WARN", "ERROR"]`. | string | "WARN" | no |
| lambda_memory_size | Amount of memory used by the Lambda | number | "128" | no |
| lambda_runtime | Lambda runtime to use. One of: `["python3.9", "python3.8", "python3.7"]` | string | "python3.8" | no |
| log_retention_in_days | Number of days to retain CloudWatch logs | number | 14 | no |
| naming_prefix | Resources will be prefixed with this | string | "clickops-notifier" | no |
| standalone | Deploy ClickOps in a standalone account instead of across an entire AWS organization. Ideal for teams that only want to monitor ClickOps in accounts that are not instrumented at the organization level. | bool | false | no |
| subcription_filter_distribution | The method used to distribute log data to the destination. By default, log data is grouped by log stream, but the grouping can be set to random for a more even distribution. This property is only applicable when the destination is an Amazon Kinesis stream. Valid values are "Random" and "ByLogStream". | string | "Random" | no |
| tags | Tags to add to resources, in addition to the provider's `default_tags` | map(string) | {} | no |
| webhooks_for_msteams_notifications | Map of custom_name => webhook URLs for MS Teams notifications. https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook?tabs=dotnet | map(string) | {} | no |
| webhooks_for_slack_notifications | Map of custom_name => webhook URLs for Slack notifications. https://api.slack.com/messaging/webhooks | map(string) | {} | no |

Modules

| Name | Source | Version |
|---|---|---|
| clickops_notifier_lambda | terraform-aws-modules/lambda/aws | 4.9.0 |

Outputs

| Name | Description |
|---|---|
| clickops_notifier_lambda | Exposes all outputs from the Lambda module |
| sns_topic | Exposes the bucket notification SNS topic details |
| sqs_queue | Exposes the bucket notification SQS queue details |

Providers

| Name | Version |
|---|---|
| aws | >= 4.9 |

Requirements

| Name | Version |
|---|---|
| terraform | >= 0.15.0 |
| aws | >= 4.9 |

Resources

| Name | Type |
|---|---|
| aws_cloudwatch_log_subscription_filter.this | resource |
| aws_s3_bucket_notification.bucket_notification | resource |
| aws_s3_object.deployment | resource |
| aws_sns_topic.bucket_notifications | resource |
| aws_sns_topic_policy.bucket_notifications | resource |
| aws_sns_topic_subscription.bucket_notifications | resource |
| aws_sqs_queue.bucket_notifications | resource |
| aws_sqs_queue_policy.bucket_notifications | resource |
| aws_ssm_parameter.webhooks_for_msteams | resource |
| aws_ssm_parameter.webhooks_for_slack | resource |
| aws_caller_identity.current | data source |
| aws_cloudwatch_log_group.this | data source |
| aws_iam_policy_document.bucket_notifications | data source |
| aws_iam_policy_document.lambda_permissions | data source |
| aws_iam_policy_document.sns_topic_policy_bucket_notifications | data source |
| aws_region.current | data source |

```hcl
locals {
  # Console actions that are never alerted on by default. Extend or replace this
  # list with the excluded_scoped_actions / excluded_scoped_actions_effect variables.
  ignored_scoped_events_built_in = [
    # Sign-in, SSO and Cognito authentication flows.
    "cognito-idp.amazonaws.com:InitiateAuth",
    "cognito-idp.amazonaws.com:RespondToAuthChallenge",
    "sso.amazonaws.com:Federate",
    "sso.amazonaws.com:Authenticate",
    "sso.amazonaws.com:Logout",
    "sso.amazonaws.com:SearchUsers",
    "sso.amazonaws.com:SearchGroups",
    "sso.amazonaws.com:CreateToken",
    "signin.amazonaws.com:UserAuthentication",
    "signin.amazonaws.com:SwitchRole",
    "signin.amazonaws.com:RenewRole",
    "signin.amazonaws.com:ExternalIdPDirectoryLogin",
    "signin.amazonaws.com:CredentialVerification",
    "signin.amazonaws.com:CredentialChallenge",
    "signin.amazonaws.com:CheckMfa",
    # Read-only queries and simulations run from the console.
    "logs.amazonaws.com:StartQuery",
    "cloudtrail.amazonaws.com:StartQuery",
    "iam.amazonaws.com:SimulatePrincipalPolicy",
    "iam.amazonaws.com:GenerateServiceLastAccessedDetails",
    "glue.amazonaws.com:BatchGetJobs",
    "glue.amazonaws.com:BatchGetCrawlers",
    "glue.amazonaws.com:StartJobRun",
    "glue.amazonaws.com:StartCrawler",
    "athena.amazonaws.com:StartQueryExecution",
    "servicecatalog.amazonaws.com:SearchProductsAsAdmin",
    "servicecatalog.amazonaws.com:SearchProducts",
    "servicecatalog.amazonaws.com:SearchProvisionedProducts",
    "servicecatalog.amazonaws.com:TerminateProvisionedProduct",
    "cloudshell.amazonaws.com:CreateSession",
    "cloudshell.amazonaws.com:PutCredentials",
    "cloudshell.amazonaws.com:SendHeartBeat",
    "cloudshell.amazonaws.com:CreateEnvironment",
    "kms.amazonaws.com:Decrypt",
    "kms.amazonaws.com:RetireGrant",
    "trustedadvisor.amazonaws.com:RefreshCheck",
    # Must CreateMultipartUpload before uploading any parts, so that call is
    # still alerted on; the individual part uploads are ignored.
    "s3.amazonaws.com:UploadPart",
    "s3.amazonaws.com:UploadPartCopy",
    # Note: this entry lacks the ".amazonaws.com" suffix used by every other
    # entry and by the documented {{service}}.amazonaws.com:{{action}} format.
    "route53domains:TransferDomain",
    # Support case handling.
    "support.amazonaws.com:AddAttachmentsToSet",
    "support.amazonaws.com:AddCommunicationToCase",
    "support.amazonaws.com:CreateCase",
    "support.amazonaws.com:InitiateCallForCase",
    "support.amazonaws.com:InitiateChatForCase",
    "support.amazonaws.com:PutCaseAttributes",
    "support.amazonaws.com:RateCaseCommunication",
    "support.amazonaws.com:RefreshTrustedAdvisorCheck",
    "support.amazonaws.com:ResolveCase",
    "grafana.amazonaws.com:login_auth_sso",
  ]
}
```