From c185974ca52eeaba6fd30c46526fe8f03846070e Mon Sep 17 00:00:00 2001
From: Dave Hall
Date: Sat, 24 Jan 2026 17:47:49 +1100
Subject: [PATCH 1/2] Make CMK mandatory for the DLQ

For new installs it is tricky to get Terraform to provision the new KMS key. Going forward users will need to provide their own CMK for the DLQ to use.
---
 README.md | 6 +++---
 examples/full/main.tf | 21 ++++++++++++++----
 modules/dlq/README.md | 12 ++++-------
 modules/dlq/kms.tf | 46 ----------------------------------------
 modules/dlq/main.tf | 7 +-----
 modules/dlq/outputs.tf | 2 +-
 modules/dlq/sqs.tf | 6 +++---
 modules/dlq/variables.tf | 8 +------
 8 files changed, 30 insertions(+), 78 deletions(-)
 delete mode 100644 modules/dlq/kms.tf

diff --git a/README.md b/README.md
index e9274cd..c817b31 100644
--- a/README.md
+++ b/README.md
@@ -205,7 +205,7 @@ module "eventbus_dlq_example" {
 source = "git::ssh://git@github.com/proactiveops/eventbus//modules/dlq?ref=main"
 
 queue_name = "[sub-name]-[optional-rule-name]" # Must not exceed 60 characters as the module appends "-dlq" to the name
- kms_key_id = aws_kms_key.my_key.id # omit if you want a new KMS key to be created.
+ kms_key_id = aws_kms_key.my_key.id # The key is required. If needed, create a new one and pass it to the module.
 tags = var.tags
 }
 
@@ -220,13 +220,13 @@ EventBus++ is built and maintained by [ProactiveOps](https://proactiveops.com/).
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.0, < 2.0 |
-| [aws](#requirement\_aws) | >= 4.0, <6.0 |
+| [aws](#requirement\_aws) | >= 5.0, <7.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 5.94.1 |
+| [aws](#provider\_aws) | >= 5.0, <7.0 |
 
 ## Modules
 
diff --git a/examples/full/main.tf b/examples/full/main.tf
index 02e2918..caac322 100644
--- a/examples/full/main.tf
+++ b/examples/full/main.tf
@@ -1,17 +1,30 @@
-/**
- * Example of using EventBus++ module with multiple event buses and cross-bus rules.
- */
+resource "aws_kms_key" "this" {
+ description = "EvenBus Example"
+
+ deletion_window_in_days = 14
+ enable_key_rotation = true
+
+ tags = local.tags
+}
+
+resource "aws_kms_alias" "this" {
+ name = "alias/eventbus-example"
+ target_key_id = aws_kms_key.this.key_id
+}
 
 module "eventbus_dlq_example" {
 source = "../../modules/dlq"
 
+ kms_key_id = aws_kms_alias.this.arn
 queue_name = "example"
- tags = local.tags
+
+ tags = local.tags
 }
 
 module "eventbus_partner" {
 source = "../../"
 
+ # Note: Zendesk no longer supports EventBridge partnet buses.
 name = "aws.partner/zendesk.com/12345678/default"
 
 cross_bus_rules = [
diff --git a/modules/dlq/README.md b/modules/dlq/README.md
index 283e204..9cc7075 100644
--- a/modules/dlq/README.md
+++ b/modules/dlq/README.md
@@ -1,20 +1,20 @@
-
 # EventBus Dead Letter Queue (DLQ) Sub Module
 
 This module creates a SQS queue that can be used by Amazon EventBridge as a DLQ.
+
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 4.0 |
+| [aws](#requirement\_aws) | >= 5.0, <7.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 4.0 |
+| [aws](#provider\_aws) | >= 5.0, <7.0 |
 
 ## Modules
 
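Review bot: The example key `aws_kms_key.this` is created without a `policy`, so it carries only the default key policy; the `EventBridgeToSQS` statement that the deleted `modules/dlq/kms.tf` used to attach (letting `events.amazonaws.com` call `kms:Decrypt` and `kms:GenerateDataKey`) is now granted nowhere, and EventBridge would presumably be unable to deliver to the CMK-encrypted DLQ. Since this commit moves key ownership to the caller, the example is the place to show the policy a caller now has to provide, by porting the statements from kms.tf into a policy document and wiring it in with `policy = data.aws_iam_policy_document.kms.json`. Two typos in the new text are worth fixing in the same pass: `"EvenBus Example"` and `partnet buses`. The `kms_key_id` input receives `aws_kms_alias.this.arn` here; SQS accepts alias ARNs, but the variable is documented as a key ID, so the accepted identifier forms should be stated in the module docs.
```hcl
data "aws_iam_policy_document" "kms" {
  # … key-administration statement for the account root, mirrored from the deleted modules/dlq/kms.tf …

  statement {
    sid    = "EventBridgeToSQS"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKey"
    ]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "this" {
  description = "EventBus Example"
  policy      = data.aws_iam_policy_document.kms.json
  # … unchanged: deletion_window_in_days, enable_key_rotation, tags …
}
```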
@@ -24,19 +24,15 @@ No modules.
 | Name | Type |
 |------|------|
-| [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
-| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_sqs_queue.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue_policy.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [kms\_key\_id](#input\_kms\_key\_id) | The ID of the existing KMS key. If empty, then a new key will be created with permissions for EventBridge. | `string` | `""` | no |
+| [kms\_key\_id](#input\_kms\_key\_id) | The ID of the existing KMS key. | `string` | n/a | yes |
 | [queue\_name](#input\_queue\_name) | The name of the queue to create. -dlq will be appended to the end. The name should the [bus-name]-[rule-name] convention. | `string` | n/a | yes |
 | [tags](#input\_tags) | Tags help you manage, identify, organize search and filter resources. | `map(string)` | n/a | yes |
diff --git a/modules/dlq/kms.tf b/modules/dlq/kms.tf
deleted file mode 100644
index 8107863..0000000
--- a/modules/dlq/kms.tf
+++ /dev/null
@@ -1,46 +0,0 @@
-data "aws_iam_policy_document" "kms" {
- statement {
- sid = "IAMAdmin"
- effect = "Allow"
- actions = [
- "kms:*"
- ]
- resources = ["*"]
-
- principals {
- type = "AWS"
- identifiers = [data.aws_caller_identity.current.account_id]
- }
- }
-
- statement {
- sid = "EventBridgeToSQS"
- effect = "Allow"
- actions = [
- "kms:Decrypt",
- "kms:GenerateDataKey"
- ]
- resources = ["*"]
-
- principals {
- type = "Service"
- identifiers = ["events.amazonaws.com"]
- }
- }
-}
-
-resource "aws_kms_key" "this" {
- count = local.kms_count
- description = "KMS key for ${var.queue_name} DLQ"
- policy = data.aws_iam_policy_document.kms.json
-
- enable_key_rotation = true
-
- tags = var.tags
-}
-
-resource "aws_kms_alias" "this" {
- count = local.kms_count
- name = "alias/sqs-${var.queue_name}"
- target_key_id = aws_kms_key.this[0].arn
-}
diff --git a/modules/dlq/main.tf b/modules/dlq/main.tf
index 0fb0590..8b13789 100644
--- a/modules/dlq/main.tf
+++ b/modules/dlq/main.tf
@@ -1,6 +1 @@
-/**
-* # EventBus Dead Letter Queue (DLQ) Sub Module
-*
-* This module creates a SQS queue that can be used by Amazon EventBridge as a DLQ.
-*/
-data "aws_caller_identity" "current" {}
+
diff --git a/modules/dlq/outputs.tf b/modules/dlq/outputs.tf
index f32bb8e..981de31 100644
--- a/modules/dlq/outputs.tf
+++ b/modules/dlq/outputs.tf
@@ -4,6 +4,6 @@ output "arn" {
 }
 
 output "kms_id" {
- value = local.kms_key_id
+ value = var.kms_key_id
 description = "The ID of the KMS used by the queue."
 }
diff --git a/modules/dlq/sqs.tf b/modules/dlq/sqs.tf
index 3ee9cf3..7705b0c 100644
--- a/modules/dlq/sqs.tf
+++ b/modules/dlq/sqs.tf
@@ -6,7 +6,7 @@ resource "aws_sqs_queue" "dlq" {
 receive_wait_time_seconds = 0
 max_message_size = 262144
 
- kms_master_key_id = local.kms_key_id
+ kms_master_key_id = var.kms_key_id
 
 tags = var.tags
 }
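Review bot: `output "kms_id"` now echoes `var.kms_key_id` verbatim, and the updated example feeds that input an alias ARN, so the value is no longer necessarily a key ID as `description = "The ID of the KMS used by the queue."` states. Either widen the description to match, e.g. `description = "The KMS key identifier (ID, ARN or alias) supplied to the queue, returned as given."`, or resolve the input to the canonical key with a `data "aws_kms_key"` lookup before exposing it so downstream policies get a stable ARN. The `output "arn"` block that opens this hunk starts before the hunk.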
@@ -26,7 +26,7 @@ data "aws_iam_policy_document" "dlq" {
 }
 
 dynamic "statement" {
- for_each = local.kms_count == 1 ? [1] : []
+ for_each = var.kms_key_id == null ? [1] : []
 content {
 sid = "events-policy"
 effect = "Allow"
@@ -39,7 +39,7 @@ data "aws_iam_policy_document" "dlq" {
 identifiers = ["events.amazonaws.com"]
 }
 resources = [
- local.kms_key_id
+ var.kms_key_id
 ]
 }
 }
diff --git a/modules/dlq/variables.tf b/modules/dlq/variables.tf
index 8808e1a..29c5ac8 100644
--- a/modules/dlq/variables.tf
+++ b/modules/dlq/variables.tf
@@ -1,7 +1,6 @@
 variable "kms_key_id" {
- description = "The ID of the existing KMS key. If empty, then a new key will be created with permissions for EventBridge."
+ description = "The ID of the existing KMS key."
 type = string
- default = ""
 }
 
 variable "queue_name" {
@@ -13,8 +12,3 @@ variable "tags" {
 description = "Tags help you manage, identify, organize search and filter resources."
 type = map(string)
 }
-
-locals {
- kms_count = var.kms_key_id == "" ? 1 : 0
- kms_key_id = local.kms_count == 1 ? aws_kms_key.this[0].id : var.kms_key_id
-}
From 3848789985471c3d5341d61c0a7d940d2977b707 Mon Sep 17 00:00:00 2001
From: Dave Hall
Date: Sun, 25 Jan 2026 12:28:12 +1100
Subject: [PATCH 2/2] Add copyright headers

---
 LICENSE | 2 +-
 event_bus.tf | 2 ++
 event_bus_iam.tf | 2 ++
 event_bus_rules.tf | 2 ++
 examples/full/main.tf | 2 ++
 main.tf | 2 ++
 modules/dlq/README.md | 2 +-
 modules/dlq/main.tf | 1 -
 modules/dlq/outputs.tf | 2 ++
 modules/dlq/sqs.tf | 2 ++
 modules/dlq/variables.tf | 2 ++
 modules/dlq/versions.tf | 4 +++-
 outputs.tf | 1 +
 schema_discovery.tf | 2 ++
 variables.tf | 2 ++
 versions.tf | 2 ++
 16 files changed, 28 insertions(+), 4 deletions(-)
 delete mode 100644 modules/dlq/main.tf

diff --git a/LICENSE b/LICENSE
index 66d9b33..55d96d0 100644
--- a/LICENSE
+++ b/LICENSE
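Review bot: The rewritten guard `for_each = var.kms_key_id == null ? [1] : []` leaves the `events-policy` statement dead for every real key and only emits it when the caller passes `null`, in which case the second hunk's `resources = [var.kms_key_id]` produces a null resource entry and the queue itself (see `kms_master_key_id = var.kms_key_id` in the earlier hunk) silently falls back to no customer-managed key. The old condition meant "the module created the key", and now that it never does, the `dynamic "statement"` block has lost its purpose; either remove it outright, or, if the statement is still meaningful for a caller-supplied key, emit it unconditionally with `for_each = [1]` and state in the README that the caller's key policy must separately allow `events.amazonaws.com`. The enclosing `data "aws_iam_policy_document" "dlq"` block starts before the first hunk and ends after the second.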
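Review bot: Dropping `default = ""` makes `kms_key_id` required but still nullable, so an explicit `null` satisfies the input and turns off CMK encryption on the queue, and `""` (the value the old code treated as "create one") would now reach SQS unchanged; add `nullable = false` and a `validation` block that rejects blank values. The shortened description also drops the contract that moved to the caller with this commit: the key policy has to let `events.amazonaws.com` call `kms:Decrypt` and `kms:GenerateDataKey`, which the deleted `modules/dlq/kms.tf` previously attached for module-created keys. Suggested rewrite of the variable below; `modules/dlq/README.md` should carry the same wording.
```hcl
variable "kms_key_id" {
  description = "Identifier (ID, ARN or alias) of an existing KMS key used to encrypt the DLQ. Its key policy must allow events.amazonaws.com to call kms:Decrypt and kms:GenerateDataKey."
  type        = string
  nullable    = false

  validation {
    condition     = length(trimspace(var.kms_key_id)) > 0
    error_message = "kms_key_id must reference an existing KMS key; this module no longer creates one."
  }
}
```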
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023-2025 Dave Hall
+Copyright (c) 2023-2026 Dave Hall, https://proactiveops.io
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/event_bus.tf b/event_bus.tf
index 03b2491..254d9ee 100644
--- a/event_bus.tf
+++ b/event_bus.tf
@@ -1,3 +1,5 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
+
 resource "aws_cloudwatch_event_bus" "this" {
 name = local.namespace
 
diff --git a/event_bus_iam.tf b/event_bus_iam.tf
index b0f690f..3fc8260 100644
--- a/event_bus_iam.tf
+++ b/event_bus_iam.tf
@@ -1,3 +1,5 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
+
 data "aws_iam_policy_document" "event_bus" {
 statement {
 sid = "iamManageBus"
diff --git a/event_bus_rules.tf b/event_bus_rules.tf
index 8d8423d..0100e6b 100644
--- a/event_bus_rules.tf
+++ b/event_bus_rules.tf
@@ -1,3 +1,5 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
+
 resource "aws_cloudwatch_event_rule" "targets" {
 for_each = { for index, rule in var.cross_bus_rules : rule.name => rule }
 
diff --git a/examples/full/main.tf b/examples/full/main.tf
index caac322..1c786a4 100644
--- a/examples/full/main.tf
+++ b/examples/full/main.tf
@@ -1,3 +1,5 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
+
 resource "aws_kms_key" "this" {
 description = "EvenBus Example"
 
diff --git a/main.tf b/main.tf
index 9494696..c778da8 100644
--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,5 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
+
 data "aws_caller_identity" "current" {}
 data "aws_partition" "current" {}
 
diff --git a/modules/dlq/README.md b/modules/dlq/README.md
index 9cc7075..0af08d6 100644
--- a/modules/dlq/README.md
+++ b/modules/dlq/README.md
@@ -7,7 +7,7 @@ This module creates a SQS queue that can be used by Amazon EventBridge as a DLQ.
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0 |
+| [terraform](#requirement\_terraform) | >= 1.0, < 2.0 |
 | [aws](#requirement\_aws) | >= 5.0, <7.0 |
 
 ## Providers
 
diff --git a/modules/dlq/main.tf b/modules/dlq/main.tf
deleted file mode 100644
index 8b13789..0000000
--- a/modules/dlq/main.tf
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/modules/dlq/outputs.tf b/modules/dlq/outputs.tf
index 981de31..e216cfb 100644
--- a/modules/dlq/outputs.tf
+++ b/modules/dlq/outputs.tf
@@ -1,3 +1,5 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
+
 output "arn" {
 value = aws_sqs_queue.dlq.arn
 description = "The ARN of the dead letter queue."
diff --git a/modules/dlq/sqs.tf b/modules/dlq/sqs.tf
index 7705b0c..0086189 100644
--- a/modules/dlq/sqs.tf
+++ b/modules/dlq/sqs.tf
@@ -1,3 +1,5 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
+
 resource "aws_sqs_queue" "dlq" {
 name = "${var.queue_name}-dlq"
 
diff --git a/modules/dlq/variables.tf b/modules/dlq/variables.tf
index 29c5ac8..cca911c 100644
--- a/modules/dlq/variables.tf
+++ b/modules/dlq/variables.tf
@@ -1,3 +1,5 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
+
 variable "kms_key_id" {
 description = "The ID of the existing KMS key."
 type = string
diff --git a/modules/dlq/versions.tf b/modules/dlq/versions.tf
index 6b548b0..264b8d1 100644
--- a/modules/dlq/versions.tf
+++ b/modules/dlq/versions.tf
@@ -1,5 +1,7 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
+
 terraform {
- required_version = ">= 1.0"
+ required_version = ">= 1.0, < 2.0"
 
 required_providers {
 aws = {
diff --git a/outputs.tf b/outputs.tf
index bfc89d3..2011368 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,3 +1,4 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
 output "bus" {
 value = aws_cloudwatch_event_bus.this
 
diff --git a/schema_discovery.tf b/schema_discovery.tf
index 784a204..0ed5d09 100644
--- a/schema_discovery.tf
+++ b/schema_discovery.tf
@@ -1,3 +1,5 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
+
 resource "aws_schemas_discoverer" "this" {
 count = var.enable_schema_discovery_registry ? 1 : 0
 
diff --git a/variables.tf b/variables.tf
index 37ef6f8..a1d3123 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,3 +1,5 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
+
 variable "name" {
 description = "The name of the eventbus or partner source. This must be unique per region per account."
 type = string
diff --git a/versions.tf b/versions.tf
index c2a3886..264b8d1 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,3 +1,5 @@
+# Copyright 2023 - 2026 Dave Hall, https://proactiveops.io, MIT License
+
 terraform {
 required_version = ">= 1.0, < 2.0"