fixup! Route SNS notifications through a Lambda function (#5246)
achave11-ucsc committed Nov 2, 2023
1 parent 963c977 commit 41f55e3
Showing 5 changed files with 71 additions and 58 deletions.
10 changes: 0 additions & 10 deletions UPGRADING.rst
Expand Up @@ -19,16 +19,6 @@ branch that does not have the listed changes, the steps would need to be
reverted. This is all fairly informal and loosely defined. Hopefully we won't
have too many entries in this file.

#5246 Route SNS notifications through a Lambda function
=======================================================

Operator
~~~~~~~~

Manually deploy the ``shared`` & ``gitlab`` components (in that order)
of any main deployment just before pushing the merge commit to the
GitLab instance in that deployment.


#5612 AWS Inspector fails to post findings to SNS topic
=======================================================
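--- a/src/azul/indexer/notify_service.py
+++ b/src/azul/indexer/notify_service.py
@@ -28,8 +28,11 @@ def notify_group(self, subject: str, message: str) -> None:
 else:
 body = json.dumps(body, indent=4)
 response = aws.ses.send_email(
-FromEmailAddress=f'Azul {config.deployment_stage} Monitoring'
-f'<notify@{config.domain_name}>',
+FromEmailAddress=' '.join(['Azul',
+config.deployment_stage,
+'Monitoring',
+'<monitoring@' + config.api_lambda_domain('notify') + '>'
+]),
 Destination={
 'ToAddresses': [config.monitoring_email]
 },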
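Review bot: The sender address is now assembled with `' '.join([...])` plus `+` concatenation inside the list, which hides that the only behavioural fix over the removed f-string pair was the missing space before `<`; an f-string keeps the shape of the address readable: `FromEmailAddress=f'Azul {config.deployment_stage} Monitoring <monitoring@{config.api_lambda_domain("notify")}>',`. The sender also changes from `notify@<config.domain_name>` to `monitoring@<notify Lambda domain>`, so any mailbox rule or allow-list on the receiving side that keys on the old address will stop matching; I can't confirm from this hunk whether one exists. The SES domain identity for that Lambda domain is created elsewhere in this commit, and `notify_group` continues outside the hunk.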
72 changes: 66 additions & 6 deletions terraform/api_gateway.tf.json.template.py
Expand Up @@ -136,11 +136,22 @@ def for_domain(cls, domain):
'data': [
{
'aws_route53_zone': {
zone.slug: {
'name': zone.name,
'private_zone': False
}
for zone in set(zones_by_domain.values())
**{
zone.slug: {
'name': zone.name,
'private_zone': False
}
for zone in set(zones_by_domain.values())
},
**(
{
'gitlab': {
'name': config.domain_name + '.',
'private_zone': False
}
} if config.enable_monitoring else
{}
),
},
'aws_vpc': {
'gitlab': {
Expand Down Expand Up @@ -499,7 +510,20 @@ def for_domain(cls, domain):
}
})
} for i, domain in enumerate(app.domains)
}
},
**(
{
'notify_ses': {
'zone_id': '${data.aws_route53_zone.gitlab.id}',
# WIP: `config.api_lambda_domain`, name doesn't match
'name': '_amazonses.' + config.api_lambda_domain('notify'),
'type': 'TXT',
'ttl': '600',
'records': ['${aws_ses_domain_identity.notify.verification_token}']
}
} if app.name == 'indexer' and config.enable_monitoring else
{}
)
},
'aws_cloudwatch_log_group': {
app.name: {
Expand Down Expand Up @@ -621,6 +645,42 @@ def for_domain(cls, domain):
}
)
},
**(
{
'aws_ses_domain_identity': {
'notify': {
'domain': config.api_lambda_domain('notify')
}
},
'aws_ses_identity_policy': {
'notify': {
'identity': '${aws_ses_domain_identity.notify.arn}',
'name': config.qualified_resource_name('notify'),
'policy': json.dumps({
'Version': '2012-10-17',
'Statement': [
{
'Effect': 'Allow',
'Principal': {
'AWS': 'arn:aws:sts::' + aws.account
+ '/'.join([':assumed-role',
config.qualified_resource_name(app.name),
config.qualified_resource_name(app.name,
'-notify')
])
},
'Action': [
'ses:SendEmail',
'ses:SendRawEmail'
],
'Resource': '${aws_ses_domain_identity.notify.arn}',
}
]
})
}
}
} if app.name == 'indexer' and config.enable_monitoring else {}
),
**(
{
'aws_lb': {
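Review bot: The `notify_ses` verification record in the second hunk is committed with a `# WIP` comment saying its name does not match: it is placed in the `gitlab` zone, which the first hunk defines from `config.domain_name`, while its name and the `aws_ses_domain_identity.notify.domain` in the third hunk are derived from `config.api_lambda_domain('notify')`. If that Lambda domain is not inside `config.domain_name`, Route 53 rejects the record and the SES identity never verifies, so the notify function's sends fail; the zone the record is written to and the identity's `domain` should be derived from one value, or the hosted zone for the Lambda domain looked up instead of hard-wiring `gitlab`. The `Principal` in the third hunk spells the assumed-role ARN as `'arn:aws:sts::' + aws.account` plus a `'/'.join` whose first element carries the `:assumed-role` separator, which is hard to check by eye; `'AWS': f'arn:aws:sts::{aws.account}:assumed-role/{config.qualified_resource_name(app.name)}/{config.qualified_resource_name(app.name, "-notify")}'` reads as the ARN it produces. I can't confirm from this page that those two `qualified_resource_name` values equal the indexer role name and the notify function name the removed `shared.tf` policy used (`config.indexer_name`, `config.indexer_function_name("notify")`); the policy only grants `ses:SendEmail`/`ses:SendRawEmail` to that one session, so a mismatch shows up as denied sends rather than over-grant. The dictionary these hunks extend starts and ends outside them.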
12 changes: 0 additions & 12 deletions terraform/gitlab/gitlab.tf.json.template.py
Expand Up @@ -301,11 +301,6 @@ def qq(*words):
'private_zone': False
}
},
'aws_ses_domain_identity': {
'notify': {
'domain': config.domain_name
}
},
'aws_s3_bucket': {
'logs': {
'bucket': aws.logs_bucket,
'zone_id': '${aws_lb.gitlab_nlb.zone_id}',
'evaluate_target_health': False
}
},
'notify_ses': {
'zone_id': '${data.aws_route53_zone.gitlab.id}',
'name': f'_amazonses.{config.domain_name}',
'type': 'TXT',
'ttl': '600',
'records': ['${data.aws_ses_domain_identity.notify.verification_token}']
}
},
'aws_network_interface': {
28 changes: 0 additions & 28 deletions terraform/shared/shared.tf.json.template.py
Expand Up @@ -898,34 +898,6 @@ def paren(s: str) -> str:
})
}
},
'aws_ses_domain_identity': {
'notify': {
'domain': config.domain_name
}
},
'aws_ses_identity_policy': {
'notify': {
'identity': '${aws_ses_domain_identity.notify.arn}',
'name': config.qualified_resource_name('notify'),
'policy': json.dumps({
'Version': '2012-10-17',
'Statement': [
{
'Effect': 'Allow',
'Principal': {
'AWS': f'arn:aws:sts::{aws.account}:assumed-role/{config.indexer_name}/'
f'{config.indexer_function_name("notify")}'
},
'Action': [
'ses:SendEmail',
'ses:SendRawEmail'
],
'Resource': '${aws_ses_domain_identity.notify.arn}',
}
]
})
}
},
'aws_sns_topic_subscription': {
'monitoring': {
'topic_arn': '${aws_sns_topic.monitoring.arn}',
