OpsGenie won't autoconfirm SNS subscriptions - in AWS dashboard or terraform
Posted: 2021-03-06 17:01:57
Question: I am trying to connect my Amazon account to our Opsgenie account so that CloudWatch events get pushed to the team. I followed this guide: https://docs.opsgenie.com/docs/amazon-cloudwatch-events-integration
I am building the project in terraform because we want to be able to create and destroy this environment dynamically and keep it somewhat configurable. Everything appears to get created, but OpsGenie does not auto-confirm the SNS subscription to the topic. Even when I do the same thing in the UI, OpsGenie does not confirm it.
Here is my terraform code:
###############################################################################
# Opsgenie integration
###############################################################################
resource "opsgenie_api_integration" "test_integration" {
  name = "api-based-int"
  type = "API"

  responders {
    type = "user"
    id   = opsgenie_user.first.id
  }

  enabled                        = true
  allow_write_access             = true
  ignore_responders_from_payload = false
  suppress_notifications         = false
  owner_team_id                  = opsgenie_team.test_team.id
}

resource "opsgenie_user" "first" {
  username  = "testerman@gmail.com"
  full_name = "Tester Man"
  role      = "Admin"
}

resource "opsgenie_user" "second" {
  username  = "testerman2@gmail.com"
  full_name = "Tester Man II"
  role      = "User"
}

resource "opsgenie_team" "test_team" {
  name        = "example"
  description = "This team deals with all the things"

  member {
    id   = opsgenie_user.first.id
    role = "admin"
  }

  member {
    id   = opsgenie_user.second.id
    role = "user"
  }
}

###############################################################################
# Cloudwatch
###############################################################################
resource "aws_cloudwatch_event_rule" "opsgenie_cloudwatch_event_rule" {
  name        = "send_events_to_opsgenie"
  description = "Send all events to opsgenie"

  event_pattern = <<EOF
{
  "source": [
    "aws.sns"
  ]
}
EOF
}

resource "aws_cloudwatch_event_target" "opsgenie_cloudwatch_event_rule" {
  rule      = aws_cloudwatch_event_rule.opsgenie_cloudwatch_event_rule.name
  target_id = "OpsGenie"
  arn       = aws_sns_topic.opsgenie_notifications.arn
}

###############################################################################
# SNS
###############################################################################
resource "aws_sns_topic" "opsgenie_notifications" {
  name              = "OpsGenie"
  kms_master_key_id = aws_kms_key.kms_key_for_sns_topic.key_id

  # Note: this inline policy and the aws_sns_topic_policy resource below manage
  # the same topic attribute and will overwrite each other on every apply.
  policy = <<POLICY
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect": "Allow",
      "Principal": { "Service":"events.amazonaws.com" },
      "Action":[
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}

resource "aws_sns_topic_policy" "opsgenie_topic_policy" {
  arn    = aws_sns_topic.opsgenie_notifications.arn
  policy = data.aws_iam_policy_document.sns_topic_policy_doc.json
}

resource "aws_sns_topic_subscription" "user_updates_opsgenie_target" {
  topic_arn = aws_sns_topic.opsgenie_notifications.arn
  protocol  = "https"
  ### IS THIS ENDPOINT CORRECT?? ###
  endpoint                        = "https://api.opsgenie.com/v1/json/amazonsns?apiKey=${opsgenie_api_integration.test_integration.api_key}"
  confirmation_timeout_in_minutes = 1
  endpoint_auto_confirms          = true
}

###############################################################################
# IAM
###############################################################################
data "aws_iam_policy_document" "sns_topic_policy_doc" {
  statement {
    effect = "Allow"
    actions = [
      "SNS:GetTopicAttributes",
      "SNS:SetTopicAttributes",
      "SNS:AddPermission",
      "SNS:RemovePermission",
      "SNS:DeleteTopic",
      "SNS:Subscribe",
      "SNS:ListSubscriptionsByTopic",
      "SNS:Publish",
      "SNS:Receive",
    ]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    # The topic ARN must be a reference, not a quoted string literal.
    resources = [aws_sns_topic.opsgenie_notifications.arn]
  }
}

###############################################################################
# KMS
###############################################################################
# Referenced by the key policy below but not shown in the original post.
data "aws_caller_identity" "primary_region" {}

resource "aws_kms_key" "kms_key_for_sns_topic" {
  description              = "For OpsGenie"
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = true

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${data.aws_caller_identity.primary_region.account_id}:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}

resource "aws_kms_alias" "topic_key_alias" {
  name_prefix   = "alias/opsgenie-notifications"
  target_key_id = aws_kms_key.kms_key_for_sns_topic.key_id
}
I feel like I am close, but I am either missing something in the docs or simply misunderstanding something.
Answer 1: It seems I needed to read the docs further. The "API" in the type:

resource "opsgenie_api_integration" "test_integration" {
  name = "api-based-int"
  type = "API"
  ...
}

must be a specific type. In my case,

type = "CloudWatchEvents"

is what I needed. For reference, the docs link is on this page: https://docs.opsgenie.com/docs/integration-types-to-use-with-api
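Once the integration type is fixed, the quickest way to verify that Terraform's `endpoint_auto_confirms` actually worked is to look at what SNS reports for the topic: an unconfirmed subscription shows up with the literal `SubscriptionArn` value `PendingConfirmation` instead of a real ARN. The following is an added example, not code from the question, the answer or OpsGenie's docs; it parses the JSON shape returned by `aws sns list-subscriptions-by-topic`, lists the subscriptions still pending, and masks the `apiKey` query parameter (which the endpoint URL above carries in cleartext, and which also lands in Terraform state) before anything is logged. The sample output is constructed.

```python
import json
from typing import Dict, List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample shaped like `aws sns list-subscriptions-by-topic` output.
# SNS uses the literal SubscriptionArn "PendingConfirmation" for a subscription
# whose endpoint has not yet confirmed.
SAMPLE_OUTPUT = json.dumps({
    "Subscriptions": [
        {
            "SubscriptionArn": "PendingConfirmation",
            "Owner": "123456789012",
            "Protocol": "https",
            "Endpoint": "https://api.opsgenie.com/v1/json/amazonsns?apiKey=EXAMPLE-KEY-0000",
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:OpsGenie",
        },
        {
            "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:OpsGenie:00000000-0000-0000-0000-000000000000",
            "Owner": "123456789012",
            "Protocol": "email",
            "Endpoint": "oncall@example.com",
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:OpsGenie",
        },
    ]
})

# Query parameters that carry credentials and must never reach logs or tickets.
SECRET_QUERY_PARAMS = {"apikey"}


def redact_endpoint(endpoint: str) -> str:
    """Return the endpoint with secret-bearing query parameters masked."""
    parts = urlsplit(endpoint)
    if not parts.query:
        return endpoint  # non-URL endpoints (email, sms) pass through untouched
    redacted = [(k, "REDACTED" if k.lower() in SECRET_QUERY_PARAMS else v)
                for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


def pending_subscriptions(list_output: str) -> List[Dict[str, str]]:
    """Return the subscriptions SNS still reports as unconfirmed, endpoints redacted."""
    subs = json.loads(list_output)["Subscriptions"]
    return [{"Protocol": s["Protocol"], "Endpoint": redact_endpoint(s["Endpoint"])}
            for s in subs if s["SubscriptionArn"] == "PendingConfirmation"]


if __name__ == "__main__":
    for sub in pending_subscriptions(SAMPLE_OUTPUT):
        print(f"unconfirmed {sub['Protocol']} subscription -> {sub['Endpoint']}")
```

Feed it the real CLI output for the topic after `terraform apply`; an empty result means OpsGenie confirmed the subscription.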