Awesome

AWS Notify Slack Terraform module

This module creates an SNS topic (or uses an existing one) and an AWS Lambda function that sends notifications to Slack using the incoming webhooks API.

Start by setting up an incoming webhook integration in your Slack workspace.

Doing serverless with Terraform? Check out serverless.tf framework, which aims to simplify all operations when working with the serverless in Terraform.

Supported Features

AWS Lambda runtime Python 3.11
Create new SNS topic or use existing one
Support plaintext and encrypted version of Slack webhook URL
Most of Slack message options are customizable
Custom Lambda function
Various event types are supported, even generic messages:
- AWS CloudWatch Alarms
- AWS CloudWatch LogMetrics Alarms
- AWS GuardDuty Findings

Usage

module "notify_slack" {
  source  = "terraform-aws-modules/notify-slack/aws"
  version = "~> 5.0"

  sns_topic_name = "slack-topic"

  slack_webhook_url = "https://hooks.slack.com/services/AAA/BBB/CCC"
  slack_channel     = "aws-notification"
  slack_username    = "reporter"
}

Using with Terraform Cloud Agents

Terraform Cloud Agents are a paid feature, available as part of the Terraform Cloud for Business upgrade package.

This module requires Python 3.11. You can customize tfc-agent to include Python using this sample Dockerfile:

FROM hashicorp/tfc-agent:latest
RUN apt-get -y update && apt-get -y install python3.11 python3-pip
ENTRYPOINT ["/bin/tfc-agent"]

Use existing SNS topic or create new

If you want to subscribe the AWS Lambda Function created by this module to an existing SNS topic you should specify create_sns_topic = false as an argument and specify the name of existing SNS topic name in sns_topic_name.

Examples

notify-slack-simple - Creates SNS topic which sends messages to Slack channel.
cloudwatch-alerts-to-slack - End to end example which shows how to send AWS Cloudwatch alerts to Slack channel and use KMS to encrypt webhook URL.

Local Development and Testing

See the functions for further details.

Requirements

Name	Version
<a name="requirement_terraform"></a> terraform	>= 1.0
<a name="requirement_aws"></a> aws	>= 4.8

Providers

Name	Version
<a name="provider_aws"></a> aws	>= 4.8

Modules

Name	Source	Version
<a name="module_lambda"></a> lambda	terraform-aws-modules/lambda/aws	6.8.0

Resources

Name	Type
aws_cloudwatch_log_group.lambda	resource
aws_iam_role.sns_feedback_role	resource
aws_sns_topic.this	resource
aws_sns_topic_subscription.sns_notify_slack	resource
aws_caller_identity.current	data source
aws_iam_policy_document.lambda	data source
aws_iam_policy_document.sns_feedback	data source
aws_partition.current	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
<a name="input_architectures"></a> architectures	Instruction set architecture for your Lambda function. Valid values are ["x86_64"] and ["arm64"].	`list(string)`	`null`	no
<a name="input_cloudwatch_log_group_kms_key_id"></a> cloudwatch_log_group_kms_key_id	The ARN of the KMS Key to use when encrypting log data for Lambda	`string`	`null`	no
<a name="input_cloudwatch_log_group_retention_in_days"></a> cloudwatch_log_group_retention_in_days	Specifies the number of days you want to retain log events in log group for Lambda.	`number`	`0`	no
<a name="input_cloudwatch_log_group_tags"></a> cloudwatch_log_group_tags	Additional tags for the Cloudwatch log group	`map(string)`	`{}`	no
<a name="input_create"></a> create	Whether to create all resources	`bool`	`true`	no
<a name="input_create_sns_topic"></a> create_sns_topic	Whether to create new SNS topic	`bool`	`true`	no
<a name="input_enable_sns_topic_delivery_status_logs"></a> enable_sns_topic_delivery_status_logs	Whether to enable SNS topic delivery status logs	`bool`	`false`	no
<a name="input_hash_extra"></a> hash_extra	The string to add into hashing function. Useful when building same source path for different functions.	`string`	`""`	no
<a name="input_iam_policy_path"></a> iam_policy_path	Path of policies to that should be added to IAM role for Lambda Function	`string`	`null`	no
<a name="input_iam_role_boundary_policy_arn"></a> iam_role_boundary_policy_arn	The ARN of the policy that is used to set the permissions boundary for the role	`string`	`null`	no
<a name="input_iam_role_name_prefix"></a> iam_role_name_prefix	A unique role name beginning with the specified prefix	`string`	`"lambda"`	no
<a name="input_iam_role_path"></a> iam_role_path	Path of IAM role to use for Lambda Function	`string`	`null`	no
<a name="input_iam_role_tags"></a> iam_role_tags	Additional tags for the IAM role	`map(string)`	`{}`	no
<a name="input_kms_key_arn"></a> kms_key_arn	ARN of the KMS key used for decrypting slack webhook url	`string`	`""`	no
<a name="input_lambda_attach_dead_letter_policy"></a> lambda_attach_dead_letter_policy	Controls whether SNS/SQS dead letter notification policy should be added to IAM role for Lambda Function	`bool`	`false`	no
<a name="input_lambda_dead_letter_target_arn"></a> lambda_dead_letter_target_arn	The ARN of an SNS topic or SQS queue to notify when an invocation fails.	`string`	`null`	no
<a name="input_lambda_description"></a> lambda_description	The description of the Lambda function	`string`	`null`	no
<a name="input_lambda_function_ephemeral_storage_size"></a> lambda_function_ephemeral_storage_size	Amount of ephemeral storage (/tmp) in MB your Lambda Function can use at runtime. Valid value between 512 MB to 10,240 MB (10 GB).	`number`	`512`	no
<a name="input_lambda_function_name"></a> lambda_function_name	The name of the Lambda function to create	`string`	`"notify_slack"`	no
<a name="input_lambda_function_s3_bucket"></a> lambda_function_s3_bucket	S3 bucket to store artifacts	`string`	`null`	no
<a name="input_lambda_function_store_on_s3"></a> lambda_function_store_on_s3	Whether to store produced artifacts on S3 or locally.	`bool`	`false`	no
<a name="input_lambda_function_tags"></a> lambda_function_tags	Additional tags for the Lambda function	`map(string)`	`{}`	no
<a name="input_lambda_function_vpc_security_group_ids"></a> lambda_function_vpc_security_group_ids	List of security group ids when Lambda Function should run in the VPC.	`list(string)`	`null`	no
<a name="input_lambda_function_vpc_subnet_ids"></a> lambda_function_vpc_subnet_ids	List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets.	`list(string)`	`null`	no
<a name="input_lambda_role"></a> lambda_role	IAM role attached to the Lambda Function. If this is set then a role will not be created for you.	`string`	`""`	no
<a name="input_lambda_source_path"></a> lambda_source_path	The source path of the custom Lambda function	`string`	`null`	no
<a name="input_log_events"></a> log_events	Boolean flag to enabled/disable logging of incoming events	`bool`	`false`	no
<a name="input_putin_khuylo"></a> putin_khuylo	Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!	`bool`	`true`	no
<a name="input_recreate_missing_package"></a> recreate_missing_package	Whether to recreate missing Lambda package if it is missing locally or not	`bool`	`true`	no
<a name="input_reserved_concurrent_executions"></a> reserved_concurrent_executions	The amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations	`number`	`-1`	no
<a name="input_slack_channel"></a> slack_channel	The name of the channel in Slack for notifications	`string`	n/a	yes
<a name="input_slack_emoji"></a> slack_emoji	A custom emoji that will appear on Slack messages	`string`	`":aws:"`	no
<a name="input_slack_username"></a> slack_username	The username that will appear on Slack messages	`string`	n/a	yes
<a name="input_slack_webhook_url"></a> slack_webhook_url	The URL of Slack webhook	`string`	n/a	yes
<a name="input_sns_topic_feedback_role_description"></a> sns_topic_feedback_role_description	Description of IAM role to use for SNS topic delivery status logging	`string`	`null`	no
<a name="input_sns_topic_feedback_role_force_detach_policies"></a> sns_topic_feedback_role_force_detach_policies	Specifies to force detaching any policies the IAM role has before destroying it.	`bool`	`true`	no
<a name="input_sns_topic_feedback_role_name"></a> sns_topic_feedback_role_name	Name of the IAM role to use for SNS topic delivery status logging	`string`	`null`	no
<a name="input_sns_topic_feedback_role_path"></a> sns_topic_feedback_role_path	Path of IAM role to use for SNS topic delivery status logging	`string`	`null`	no
<a name="input_sns_topic_feedback_role_permissions_boundary"></a> sns_topic_feedback_role_permissions_boundary	The ARN of the policy that is used to set the permissions boundary for the IAM role used by SNS topic delivery status logging	`string`	`null`	no
<a name="input_sns_topic_feedback_role_tags"></a> sns_topic_feedback_role_tags	A map of tags to assign to IAM the SNS topic feedback role	`map(string)`	`{}`	no
<a name="input_sns_topic_kms_key_id"></a> sns_topic_kms_key_id	ARN of the KMS key used for enabling SSE on the topic	`string`	`""`	no
<a name="input_sns_topic_lambda_feedback_role_arn"></a> sns_topic_lambda_feedback_role_arn	IAM role for SNS topic delivery status logs. If this is set then a role will not be created for you.	`string`	`""`	no
<a name="input_sns_topic_lambda_feedback_sample_rate"></a> sns_topic_lambda_feedback_sample_rate	The percentage of successful deliveries to log	`number`	`100`	no
<a name="input_sns_topic_name"></a> sns_topic_name	The name of the SNS topic to create	`string`	n/a	yes
<a name="input_sns_topic_tags"></a> sns_topic_tags	Additional tags for the SNS topic	`map(string)`	`{}`	no
<a name="input_subscription_filter_policy"></a> subscription_filter_policy	(Optional) A valid filter policy that will be used in the subscription to filter messages seen by the target resource.	`string`	`null`	no
<a name="input_subscription_filter_policy_scope"></a> subscription_filter_policy_scope	(Optional) A valid filter policy scope MessageAttributes\|MessageBody	`string`	`null`	no
<a name="input_tags"></a> tags	A map of tags to add to all resources	`map(string)`	`{}`	no
<a name="input_trigger_on_package_timestamp"></a> trigger_on_package_timestamp	(Optional) Whether or not to ignore the file timestamp when deciding to create the archive	`bool`	`false`	no

Outputs

Name	Description
<a name="output_lambda_cloudwatch_log_group_arn"></a> lambda_cloudwatch_log_group_arn	The Amazon Resource Name (ARN) specifying the log group
<a name="output_lambda_iam_role_arn"></a> lambda_iam_role_arn	The ARN of the IAM role used by Lambda function
<a name="output_lambda_iam_role_name"></a> lambda_iam_role_name	The name of the IAM role used by Lambda function
<a name="output_notify_slack_lambda_function_arn"></a> notify_slack_lambda_function_arn	The ARN of the Lambda function
<a name="output_notify_slack_lambda_function_invoke_arn"></a> notify_slack_lambda_function_invoke_arn	The ARN to be used for invoking Lambda function from API Gateway
<a name="output_notify_slack_lambda_function_last_modified"></a> notify_slack_lambda_function_last_modified	The date Lambda function was last modified
<a name="output_notify_slack_lambda_function_name"></a> notify_slack_lambda_function_name	The name of the Lambda function
<a name="output_notify_slack_lambda_function_version"></a> notify_slack_lambda_function_version	Latest published version of your Lambda function
<a name="output_slack_topic_arn"></a> slack_topic_arn	The ARN of the SNS topic from which messages will be sent to Slack
<a name="output_sns_topic_feedback_role_arn"></a> sns_topic_feedback_role_arn	The Amazon Resource Name (ARN) of the IAM role used for SNS delivery status logging
<a name="output_this_slack_topic_arn"></a> this_slack_topic_arn	The ARN of the SNS topic from which messages will be sent to Slack (backward compatibility for version 4.x)

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.