AWS Notify Slack Terraform module
This module creates an SNS topic (or uses an existing one) and an AWS Lambda function that sends notifications to Slack using the incoming webhooks API.
Start by setting up an incoming webhook integration in your Slack workspace.
Doing serverless with Terraform? Check out serverless.tf framework, which aims to simplify all operations when working with the serverless in Terraform.
Supported Features
- AWS Lambda runtime Python 3.8
- Create new SNS topic or use existing one
- Support plaintext and encrypted version of Slack webhook URL
- Most of Slack message options are customizable
- Custom Lambda function
- Various event types are supported, even generic messages:
- AWS CloudWatch Alarms
- AWS CloudWatch LogMetrics Alarms
- AWS GuardDuty Findings
Usage
module "notify_slack" {
source = "terraform-aws-modules/notify-slack/aws"
version = "~> 5.0"
sns_topic_name = "slack-topic"
slack_webhook_url = "https://hooks.slack.com/services/AAA/BBB/CCC"
slack_channel = "aws-notification"
slack_username = "reporter"
}Using with Terraform Cloud Agents
Terraform Cloud Agents are a paid feature, available as part of the Terraform Cloud for Business upgrade package.
This module requires Python 3.8. You can customize tfc-agent to include Python using this sample Dockerfile:
FROM hashicorp/tfc-agent:latest
RUN apt-get -y update && apt-get -y install python3.8 python3-pip
ENTRYPOINT ["/bin/tfc-agent"]
Use existing SNS topic or create new
If you want to subscribe the AWS Lambda Function created by this module to an existing SNS topic you should specify create_sns_topic = false as an argument and specify the name of existing SNS topic name in sns_topic_name.
Examples
- notify-slack-simple - Creates SNS topic which sends messages to Slack channel.
- cloudwatch-alerts-to-slack - End to end example which shows how to send AWS Cloudwatch alerts to Slack channel and use KMS to encrypt webhook URL.
Local Development and Testing
See the functions for further details.
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.8 |
Providers
| Name | Version |
|---|---|
| aws | >= 4.8 |
Modules
| Name | Source | Version |
|---|---|---|
| lambda | terraform-aws-modules/lambda/aws | 3.2.0 |
Resources
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.lambda | resource |
| aws_iam_role.sns_feedback_role | resource |
| aws_sns_topic.this | resource |
| aws_sns_topic_subscription.sns_notify_slack | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.lambda | data source |
| aws_iam_policy_document.sns_feedback | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudwatch_log_group_kms_key_id | The ARN of the KMS Key to use when encrypting log data for Lambda | string |
null |
no |
| cloudwatch_log_group_retention_in_days | Specifies the number of days you want to retain log events in log group for Lambda. | number |
0 |
no |
| cloudwatch_log_group_tags | Additional tags for the Cloudwatch log group | map(string) |
{} |
no |
| create | Whether to create all resources | bool |
true |
no |
| create_sns_topic | Whether to create new SNS topic | bool |
true |
no |
| enable_sns_topic_delivery_status_logs | Whether to enable SNS topic delivery status logs | bool |
false |
no |
| iam_policy_path | Path of policies to that should be added to IAM role for Lambda Function | string |
null |
no |
| iam_role_boundary_policy_arn | The ARN of the policy that is used to set the permissions boundary for the role | string |
null |
no |
| iam_role_name_prefix | A unique role name beginning with the specified prefix | string |
"lambda" |
no |
| iam_role_path | Path of IAM role to use for Lambda Function | string |
null |
no |
| iam_role_tags | Additional tags for the IAM role | map(string) |
{} |
no |
| kms_key_arn | ARN of the KMS key used for decrypting slack webhook url | string |
"" |
no |
| lambda_attach_dead_letter_policy | Controls whether SNS/SQS dead letter notification policy should be added to IAM role for Lambda Function | bool |
false |
no |
| lambda_dead_letter_target_arn | The ARN of an SNS topic or SQS queue to notify when an invocation fails. | string |
null |
no |
| lambda_description | The description of the Lambda function | string |
null |
no |
| lambda_function_ephemeral_storage_size | Amount of ephemeral storage (/tmp) in MB your Lambda Function can use at runtime. Valid value between 512 MB to 10,240 MB (10 GB). | number |
512 |
no |
| lambda_function_name | The name of the Lambda function to create | string |
"notify_slack" |
no |
| lambda_function_s3_bucket | S3 bucket to store artifacts | string |
null |
no |
| lambda_function_store_on_s3 | Whether to store produced artifacts on S3 or locally. | bool |
false |
no |
| lambda_function_tags | Additional tags for the Lambda function | map(string) |
{} |
no |
| lambda_function_vpc_security_group_ids | List of security group ids when Lambda Function should run in the VPC. | list(string) |
null |
no |
| lambda_function_vpc_subnet_ids | List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets. | list(string) |
null |
no |
| lambda_role | IAM role attached to the Lambda Function. If this is set then a role will not be created for you. | string |
"" |
no |
| lambda_source_path | The source path of the custom Lambda function | string |
null |
no |
| log_events | Boolean flag to enabled/disable logging of incoming events | bool |
false |
no |
| putin_khuylo | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | bool |
true |
no |
| recreate_missing_package | Whether to recreate missing Lambda package if it is missing locally or not | bool |
true |
no |
| reserved_concurrent_executions | The amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations | number |
-1 |
no |
| slack_channel | The name of the channel in Slack for notifications | string |
n/a | yes |
| slack_emoji | A custom emoji that will appear on Slack messages | string |
":aws:" |
no |
| slack_username | The username that will appear on Slack messages | string |
n/a | yes |
| slack_webhook_url | The URL of Slack webhook | string |
n/a | yes |
| sns_topic_feedback_role_description | Description of IAM role to use for SNS topic delivery status logging | string |
null |
no |
| sns_topic_feedback_role_force_detach_policies | Specifies to force detaching any policies the IAM role has before destroying it. | bool |
true |
no |
| sns_topic_feedback_role_name | Name of the IAM role to use for SNS topic delivery status logging | string |
null |
no |
| sns_topic_feedback_role_path | Path of IAM role to use for SNS topic delivery status logging | string |
null |
no |
| sns_topic_feedback_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by SNS topic delivery status logging | string |
null |
no |
| sns_topic_feedback_role_tags | A map of tags to assign to IAM the SNS topic feedback role | map(string) |
{} |
no |
| sns_topic_kms_key_id | ARN of the KMS key used for enabling SSE on the topic | string |
"" |
no |
| sns_topic_lambda_feedback_role_arn | IAM role for SNS topic delivery status logs. If this is set then a role will not be created for you. | string |
"" |
no |
| sns_topic_lambda_feedback_sample_rate | The percentage of successful deliveries to log | number |
100 |
no |
| sns_topic_name | The name of the SNS topic to create | string |
n/a | yes |
| sns_topic_tags | Additional tags for the SNS topic | map(string) |
{} |
no |
| subscription_filter_policy | (Optional) A valid filter policy that will be used in the subscription to filter messages seen by the target resource. | string |
null |
no |
| subscription_filter_policy_scope | (Optional) A valid filter policy scope MessageAttributes|MessageBody | string |
null |
no |
| tags | A map of tags to add to all resources | map(string) |
{} |
no |
Outputs
| Name | Description |
|---|---|
| lambda_cloudwatch_log_group_arn | The Amazon Resource Name (ARN) specifying the log group |
| lambda_iam_role_arn | The ARN of the IAM role used by Lambda function |
| lambda_iam_role_name | The name of the IAM role used by Lambda function |
| notify_slack_lambda_function_arn | The ARN of the Lambda function |
| notify_slack_lambda_function_invoke_arn | The ARN to be used for invoking Lambda function from API Gateway |
| notify_slack_lambda_function_last_modified | The date Lambda function was last modified |
| notify_slack_lambda_function_name | The name of the Lambda function |
| notify_slack_lambda_function_version | Latest published version of your Lambda function |
| slack_topic_arn | The ARN of the SNS topic from which messages will be sent to Slack |
| sns_topic_feedback_role_arn | The Amazon Resource Name (ARN) of the IAM role used for SNS delivery status logging |
| this_slack_topic_arn | The ARN of the SNS topic from which messages will be sent to Slack (backward compatibility for version 4.x) |
Authors
Module is maintained by Anton Babenko with help from these awesome contributors.
License
Apache 2 Licensed. See LICENSE for full details.