update condition for the creation of sns topic in case of lambda failure [CDS-1331]

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## v1.0.101
+#### **coralogix-aws-shipper**
+### 🧰 Bug fixes 🧰
+- Remove the creation of an SNS topic for lambda failure in case the user didn't set up notification_email
+- Add new variable create_endpoint to allow users to choose if they want to create an endpoint in case they are using a private link and store their ApiKey in secret.
+
 ## v1.0.100
 #### **s3-archive**
 ### 💡 Enhancements 

examples/coralogix-aws-shipper/variables.tf

@@ -110,6 +110,12 @@ variable "security_group_ids" {
   default     = null
 }
 
+variable "create_endpoint" {
+  description = "Create a VPC endpoint for the lambda function to allow if access to the secret"
+  type        = bool
+  default     = false
+}
+
 # Lambda configuration
 
 variable "memory_size" {

modules/coralogix-aws-shipper/README.md

@@ -150,6 +150,7 @@ When using this variable you will need to create an S3 bucket in the region wher
 |------|-------------|------|---------|:--------:|
 | <a name="input_subnet_ids"></a> [vpc\_subnet\_ids](#input\_subnet\_ids) | Specify the ID of the subnet where the integration should be deployed. | `list(string)` | n/a | no |
 | <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | Specify the ID of the Security Group where the integration should be deployed. | `list(string)` | n/a | no |
+| <a name="input_create_endpoint"></a> [security\_create\_endpoint](#input\_create\_endpoint) | Set to true in case that you store your ApiKey in a secret (you can have only one of this endpoints per region) | `bool` | false | no |
 
 ### DLQ
 
@@ -176,4 +177,4 @@ If you want to bypass using the public internet, you can use AWS PrivateLink to
 | <a name="output_lambda_function_arn"></a> [lambda\_function\_arn](#output\_lambda\_function\_arn) | The ARN of the Lambda Function. |
 | <a name="output_lambda_function_name"></a> [lambda\_function\_name](#output\_lambda\_function\_name) | The name of the Lambda Function. |
 | <a name="output_lambda_role_arn"></a> [lambda\_role\_arn](#output\_lambda\_role\_arn) | The ARN of the IAM role created for the Lambda Function. |
-| <a name="output_lambda_role_name"></a> [lambda\_role\_name](#output\_lambda\_role\_name) | The name of the IAM role created for the Lambda Function. |
+| <a name="output_lambda_role_name"></a> [lambda\_role\_name](#output\_lambda\_role\_name) | The name of the IAM role created for the Lambda Function. |

modules/coralogix-aws-shipper/Sns.tf

@@ -11,7 +11,7 @@ resource "aws_s3_bucket_notification" "topic_notification" {
 }
 
 resource "aws_sns_topic" "this" {
-  for_each     = var.integration_info != null ? var.integration_info : local.integration_info
+  for_each     = var.notification_email == null ? {} : var.integration_info != null ? var.integration_info : local.integration_info  
   name_prefix  = each.value.lambda_name == null ? "${module.locals[each.key].function_name}-Failure" : "${each.value.lambda_name}-Failure"
   display_name = each.value.lambda_name == null ? "${module.locals[each.key].function_name}-Failure" : "${each.value.lambda_name}-Failure"
   tags         = merge(var.tags, module.locals[each.key].tags)

modules/coralogix-aws-shipper/main.tf

@@ -43,7 +43,7 @@ module "lambda" {
   memory_size            = var.memory_size
   timeout                = var.timeout
   create_package         = false
-  destination_on_failure = aws_sns_topic.this[each.key].arn
+  destination_on_failure = var.notification_email != null ? aws_sns_topic.this[each.key].arn : null
   vpc_subnet_ids         = var.subnet_ids
   vpc_security_group_ids = var.security_group_ids
   dead_letter_target_arn    = var.enable_dlq ? aws_sqs_queue.DLQ[0].arn : null
@@ -107,10 +107,14 @@ module "lambda" {
       actions   = ["secretsmanager:GetSecretValue"]
       resources = ["*"]
     }
-    destination_on_failure_policy = {
+    destination_on_failure_policy = var.notification_email != null ? {
       effect    = "Allow"
       actions   = ["sns:publish"]
       resources = [aws_sns_topic.this[each.key].arn]
+    } : {
+      effect    = "Deny"
+      actions   = ["rds:DescribeAccountAttributes"]
+      resources = ["*"]
     }
     private_link_policy = var.subnet_ids != null ? {
       effect    = "Allow"
@@ -263,7 +267,7 @@ resource "aws_secretsmanager_secret_version" "service_user" {
 }
 
 resource "aws_vpc_endpoint" "secretsmanager" {
-  count               = (var.store_api_key_in_secrets_manager || local.api_key_is_arn) && var.subnet_ids != null ? 1 : 0
+  count               = (var.store_api_key_in_secrets_manager || local.api_key_is_arn) && var.subnet_ids != null && var.create_endpoint ? 1 : 0
   vpc_id              = data.aws_subnet.subnet[0].vpc_id
   service_name        = "com.amazonaws.${data.aws_region.this.name}.secretsmanager"
   vpc_endpoint_type   = "Interface"

modules/coralogix-aws-shipper/variables.tf

@@ -110,6 +110,12 @@ variable "security_group_ids" {
   default     = null
 }
 
+variable "create_endpoint" {
+  description = "Create a VPC endpoint for the lambda function to allow if access to the secret"
+  type        = bool
+  default     = false
+}
+
 # Lambda configuration
 
 variable "memory_size" {