rhythmictech/terraform-aws-rhythmic-account-monitor

terraform-aws-rhythmic-account-monitor

Configures AWS health and account related notifications

This module is used to monitor AWS accounts and send notifications for various events including:

  • AWS Backup and Vault Lock lifecycle changes
  • AWS Organizations account lifecycle changes
  • AWS PHD events
  • IAM access analyzer unused permissions/resources findings
  • Resources using missing AMIs
  • Service Quota limits


Example

Here's what using the module looks like:

module "example" {
  source = "rhythmictech/rhythmic-account-monitor/aws"

  # Required: ARN of the Secrets Manager secret holding the Datadog API key
  datadog_api_key_secret_arn = ""
}

About

Rhythmic is an AWS Managed Services Provider. We rely heavily on automation to deliver our services, ingesting configuration, event and state information from AWS via listeners (e.g., EventBridge and SNS), services (e.g., Anomaly Detection), and APIs via custom scripts (e.g., Trusted Advisor).

We open source the vast majority of the resources we use to deliver our managed services because transparency is one of our principles.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5 |
| archive | >= 2.5.0 |
| aws | >= 5.40 |

Providers

| Name | Version |
|------|---------|
| archive | 2.5.0 |
| aws | 5.62.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| tags | rhythmictech/tags/terraform | ~> 1.1.1 |

Resources

| Name | Type |
|------|------|
| aws_accessanalyzer_analyzer.unused_access_analyzer | resource |
| aws_accessanalyzer_archive_rule.archive_rules | resource |
| aws_cloudwatch_event_rule.backup | resource |
| aws_cloudwatch_event_rule.backup_event | resource |
| aws_cloudwatch_event_rule.backup_vaultlock | resource |
| aws_cloudwatch_event_rule.control_tower | resource |
| aws_cloudwatch_event_rule.glacier_vaultlock | resource |
| aws_cloudwatch_event_rule.health | resource |
| aws_cloudwatch_event_rule.monitor_ami_usage | resource |
| aws_cloudwatch_event_rule.monitor_service_quotas | resource |
| aws_cloudwatch_event_rule.organizations | resource |
| aws_cloudwatch_event_target.backup | resource |
| aws_cloudwatch_event_target.backup_event | resource |
| aws_cloudwatch_event_target.backup_vaultlock | resource |
| aws_cloudwatch_event_target.control_tower | resource |
| aws_cloudwatch_event_target.glacier_vaultlock | resource |
| aws_cloudwatch_event_target.health | resource |
| aws_cloudwatch_event_target.monitor_ami_usage | resource |
| aws_cloudwatch_event_target.monitor_service_quotas | resource |
| aws_cloudwatch_event_target.organizations | resource |
| aws_cloudwatch_log_group.monitor_ami_usage | resource |
| aws_cloudwatch_log_group.monitor_service_quotas | resource |
| aws_iam_policy.monitor_ami_usage_execution | resource |
| aws_iam_policy.monitor_service_quotas_execution | resource |
| aws_iam_role.monitor_ami_usage_execution | resource |
| aws_iam_role.monitor_service_quotas_execution | resource |
| aws_iam_role_policy_attachment.monitor_ami_usage_execution | resource |
| aws_iam_role_policy_attachment.monitor_service_quotas_execution | resource |
| aws_iam_role_policy_attachment.monitor_service_quotas_security_analyst | resource |
| aws_lambda_function.monitor_ami_usage | resource |
| aws_lambda_function.monitor_service_quotas | resource |
| aws_lambda_permission.monitor_ami_usage | resource |
| aws_lambda_permission.monitor_service_quotas | resource |
| aws_sns_topic.account_alerts | resource |
| aws_sns_topic_policy.account_alerts | resource |
| aws_sns_topic_subscription.account_alerts | resource |
| archive_file.monitor_ami_usage | data source |
| archive_file.monitor_service_quotas | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.account_alerts | data source |
| aws_iam_policy_document.lambda_assume | data source |
| aws_iam_policy_document.monitor_ami_usage_execution | data source |
| aws_iam_policy_document.monitor_service_quotas_execution | data source |
| aws_kms_alias.notifications | data source |
| aws_region.current | data source |
| aws_secretsmanager_secret.datadog_api_key | data source |
| aws_secretsmanager_secret_version.datadog_api_key | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| datadog_api_key_secret_arn | ARN of the AWS Secret containing the Datadog API key | `string` | n/a | yes |
| enable_iam_access_analyzer | A boolean flag to enable/disable IAM Access Analyzer | `bool` | `false` | no |
| enable_iam_access_analyzer_organization | A boolean flag to enable/disable IAM Access Analyzer at the organization level (requires `enable_iam_access_analyzer` to be true and IAM Access Analyzer to be enabled at the organization level) | `bool` | `false` | no |
| iam_access_analyzer_unused_archive_rules | List of IAM resources to auto-archive unused access findings for | `list(object({ accounts = optional(list(string)), finding_type = string, is_partial = bool, resources = optional(list(string)), resource_type = optional(string) }))` | `[]` | no |
| iam_analyzer_unused_access_age | The age in days after which IAM access is considered unused. | `number` | `90` | no |
| name_prefix | Prefix for all resource names | `string` | `"rhythmic-"` | no |
| notify_ec2_missing_ami | Whether to notify when EC2 instances are using missing AMIs | `bool` | `false` | no |
| notify_ec2_missing_ami_if_snapshot_exists | Whether to notify when EC2 instances are using missing AMIs but snapshots exist | `bool` | `true` | no |
| service_quota_region_list | List of regions to monitor for service quotas. Note that you cannot monitor across partitions (e.g. us-east-1 and us-gov-east-1) | `list(string)` | `["us-east-1"]` | no |
| service_quota_threshold | The threshold percentage for service quota alerts | `number` | `80` | no |
| tags | User-Defined tags | `map(string)` | `{}` | no |
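A fuller invocation that exercises the inputs above, added here as an illustration rather than taken from the module's own examples. The account ID, secret ARN, role ARN prefix and tag values are made-up placeholders; the `finding_type` strings follow the IAM Access Analyzer unused-access finding type names, and `is_partial` is assumed to mean prefix/contains matching on `resources`, since the page does not spell out how the module maps these fields onto archive-rule filters.

```hcl
module "account_monitor" {
  source = "rhythmictech/rhythmic-account-monitor/aws"

  # Required. The Datadog key stays in Secrets Manager; the module reads it via a
  # data source, so it never appears in tfvars or state as a plain variable.
  datadog_api_key_secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:datadog/api-key-EXAMPLE" # placeholder ARN

  name_prefix = "rhythmic-"

  # Unused-access findings for this account only (organization-level analyzer
  # would additionally need enable_iam_access_analyzer_organization = true).
  # Treat access idle for 120 days as unused instead of the 90-day default.
  enable_iam_access_analyzer     = true
  iam_analyzer_unused_access_age = 120

  # Auto-archive findings that are known and accepted, so only actionable
  # findings reach the alert topic.
  iam_access_analyzer_unused_archive_rules = [
    {
      # Break-glass roles are expected to sit idle; archive UnusedIAMRole
      # findings for any role whose ARN starts with this prefix (assumed
      # semantics of is_partial = true).
      finding_type  = "UnusedIAMRole"
      is_partial    = true
      resources     = ["arn:aws:iam::123456789012:role/break-glass-"] # placeholder
      resource_type = "AWS::IAM::Role"
    },
    {
      # Exact-match rule scoped to one account; accounts/resources are optional.
      finding_type = "UnusedIAMUserAccessKey"
      is_partial   = false
      accounts     = ["123456789012"] # placeholder account ID
    },
  ]

  # Alert on instances whose AMI no longer exists, even when a snapshot still does.
  notify_ec2_missing_ami                    = true
  notify_ec2_missing_ami_if_snapshot_exists = true

  # All regions must be in the same partition (no us-gov-* alongside us-*).
  # Alert once usage reaches 75% of any quota rather than the 80% default.
  service_quota_region_list = ["us-east-1", "us-west-2", "eu-west-1"]
  service_quota_threshold   = 75

  tags = {
    Environment = "prod"     # placeholder
    Owner       = "platform" # placeholder
  }
}
```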

Outputs

No outputs.

Getting Started

This workflow has a few prerequisites, which are installed through the ./bin/install-x.sh scripts and linked below. The install scripts also work on your local machine.

We use tfenv to manage terraform versions: the required version is defined in versions.tf and tfenv installs the latest compliant version. pre-commit is like a package manager for scripts that integrate with git hooks; we use it to run the rest of the tools before apply. terraform-docs generates the docs above, tfsec scans for security no-nos, and tflint checks for best practices.