Merge pull request #62 from appvia/feat/sa-519

shanilhirani · web-flow · commit 0772b34d0d7c · 2025-01-21T13:28:22.000Z
feat(module): bump notification module and replace accounts id var
diff --git a/README.md b/README.md
@@ -43,7 +43,7 @@ module "account_baseline_alarms" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_notification"></a> [notification](#input\_notification) | The configuration for how to send notifications. | <pre>object({<br/>    email = optional(object({<br/>      addresses = list(string)<br/>    }), null)<br/>    slack = optional(object({<br/>      lambda_name = optional(string, "alarms-notifications")<br/>      webhook_url = string<br/>    }), null)<br/>    teams = optional(object({<br/>      webhook_url = string<br/>    }), null)<br/>  })</pre> | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | n/a | yes |
-| <a name="input_accounts_id_to_name"></a> [accounts\_id\_to\_name](#input\_accounts\_id\_to\_name) | A mapping of account id and account name - used by notification lamdba to map an account ID to a human readable name | `map(string)` | `{}` | no |
+| <a name="input_accounts_id_to_name_parameter_arn"></a> [accounts\_id\_to\_name\_parameter\_arn](#input\_accounts\_id\_to\_name\_parameter\_arn) | The ARN of the parameter that contains the account ID to name mapping. This ARN will be attached to lambda execution role as a resource, therefore a valid resource must exist. e.g 'arn:aws:ssm:eu-west-2:0123456778:parameter/myorg/configmaps/accounts\_id\_to\_name\_mapping' to enable the lambda retrieve values from ssm. | `string` | `null` | no |
 | <a name="input_alarm_namespace"></a> [alarm\_namespace](#input\_alarm\_namespace) | The cloudwatch alarm namespace. | `string` | `"cis-benchmark"` | no |
 | <a name="input_cloudtrail_log_group_name"></a> [cloudtrail\_log\_group\_name](#input\_cloudtrail\_log\_group\_name) | The name of the CloudTrail log group to filter on. | `string` | `"aws-controltower/CloudTrailLogs"` | no |
 | <a name="input_cloudwatch_log_group_retention"></a> [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | The retention period for the cloudwatch log group (for lambda function logs) in days | `string` | `"0"` | no |
diff --git a/main.tf b/main.tf
@@ -2,17 +2,17 @@
 ## Provision the notifications
 module "notifications" {
   source  = "appvia/notifications/aws"
-  version = "1.1.0"
+  version = "2.0.0"
 
-  allowed_aws_services           = ["cloudwatch.amazonaws.com"]
-  create_sns_topic               = var.create_sns_topic
-  email                          = local.email_configuration
-  enable_slack                   = local.enable_slack
-  slack                          = local.slack_configuration
-  sns_topic_name                 = var.sns_topic_name
-  tags                           = var.tags
-  accounts_id_to_name            = var.accounts_id_to_name
-  cloudwatch_log_group_retention = var.cloudwatch_log_group_retention
-  identity_center_start_url      = var.identity_center_start_url
-  identity_center_role           = var.identity_center_role
+  accounts_id_to_name_parameter_arn = var.accounts_id_to_name_parameter_arn
+  allowed_aws_services              = ["cloudwatch.amazonaws.com"]
+  cloudwatch_log_group_retention    = var.cloudwatch_log_group_retention
+  create_sns_topic                  = var.create_sns_topic
+  email                             = local.email_configuration
+  enable_slack                      = local.enable_slack
+  identity_center_role              = var.identity_center_role
+  identity_center_start_url         = var.identity_center_start_url
+  slack                             = local.slack_configuration
+  sns_topic_name                    = var.sns_topic_name
+  tags                              = var.tags
 }
diff --git a/variables.tf b/variables.tf
@@ -151,10 +151,15 @@ variable "tags" {
   type        = map(string)
 }
 
-variable "accounts_id_to_name" {
-  description = "A mapping of account id and account name - used by notification lamdba to map an account ID to a human readable name"
-  type        = map(string)
-  default     = {}
+variable "accounts_id_to_name_parameter_arn" {
+  description = "The ARN of the parameter that contains the account ID to name mapping. This ARN will be attached to lambda execution role as a resource, therefore a valid resource must exist. e.g 'arn:aws:ssm:eu-west-2:0123456778:parameter/myorg/configmaps/accounts_id_to_name_mapping' to enable the lambda retrieve values from ssm."
+  type        = string
+  default     = null
+
+  validation {
+    condition     = var.accounts_id_to_name_parameter_arn == null ? true : can(regex("^arn:[^:]+:ssm:[a-z0-9-]+:[0-9]{12}:parameter/.+$", var.accounts_id_to_name_parameter_arn))
+    error_message = "The accounts_id_to_name_parameter_arn must be a valid SSM parameter ARN."
+  }
 }
 
 variable "cloudwatch_log_group_retention" {
