Add s3-eventbridge-sfn-terraform s3-sqs- patterrn

Ubuntu · Ubuntu · commit 1ac9452852d9 · 2024-07-08T07:48:31.000Z
diff --git a/s3-eventbridge-sfn-terraform/README.md b/s3-eventbridge-sfn-terraform/README.md
@@ -0,0 +1,90 @@
+# S3 to StepFunctions with EventBridge Rule
+
+This pattern demonstrates how to create an EventBridge rule with S3 as the event source and Step Functions as target. Implemented with Terraform.
+
+Learn more about this pattern at Serverless Land Patterns: [erverlessland.com/patterns/s3-eventbridge-sfn-terraform](https://serverlessland.com/patterns/s3-eventbridge-sfn-terraform)
+
+Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the [AWS Pricing page](https://aws.amazon.com/pricing/) for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.
+
+
+## Requirements
+
+- [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources.
+- [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
+- [Git Installed](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
+* [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli?in=terraform/aws-get-started) installed
+
+
+## Deployment Instructions
+
+1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:
+    ``` 
+    git clone https://github.com/aws-samples/serverless-patterns
+    ```
+1. Change directory to the pattern directory:
+    ```
+    cd s3-eventbridge-sfn-terraform
+    ```
+1. From the command line, initialize terraform to  to downloads and installs the providers defined in the configuration:
+    ```
+    terraform init
+    ```
+1. From the command line, apply the configuration in the main.tf file:
+    ```
+    terraform apply
+    ```
+1. During the prompts:
+    * Enter yes
+1. Note the outputs from the deployment process. These contain the resource names and/or ARNs which are used for testing.
+
+
+## How it works
+
+- Upload a file to the newly created S3 bucket
+- This will send an `Object Created` event to EventBridge
+- Based on the EventBridge rule, the state machine is executed
+
+
+## Testing
+
+1. Navigate to AWS console and go to the S3 bucket that was created by this terraform template
+
+2. Upload a file to the S3 bucket
+
+3. Immediately after the upload is completed successfully, navigate to the Step Functions state machine, you will see an execution has been triggered
+
+## Cleanup
+
+1. Delete the stack
+   ```bash
+   cdk destroy
+   ```
+
+
+## Documentations and next step
+
+To create a full Step Functions workflow with the pattern created, you can find out example workflows at Step Functions Workflow: [serverlessland.com/workflows](https://serverlessland.com/workflows)
+
+
+## Cleanup
+ 
+1. Change directory to the pattern directory:
+    ```
+    cd s3-eventbridge-sfn-terraform
+    ```
+1. Delete all files from the S3 bucket
+1. Delete all created resources by terraform
+    ```bash
+    terraform destroy
+    ```
+1. During the prompts:
+    * Enter yes
+1. Confirm all created resources has been deleted
+    ```bash
+    terraform show
+    ```
+
+----
+Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+SPDX-License-Identifier: MIT-0
diff --git a/s3-eventbridge-sfn-terraform/main.tf b/s3-eventbridge-sfn-terraform/main.tf
@@ -0,0 +1,239 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.27"
+    }
+  }
+
+  required_version = ">= 0.14.9"
+}
+
+# Storing current Account ID and actual AWS region
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+
+#################################################################
+# S3 Bucket
+#################################################################
+# Creating a new S3 bucket
+resource "aws_s3_bucket" "MyS3Bucket" {
+  bucket_prefix = "s3-eventbridge-sfn-tf-"
+}
+
+# Sending notifications to EventBridge for all events in the bucket
+resource "aws_s3_bucket_notification" "MyS3BucketNotification" {
+  bucket      = aws_s3_bucket.MyS3Bucket.id
+  eventbridge = true
+}
+
+# Blocking s3 bucket non secure access
+resource "aws_s3_bucket_policy" "MyS3BucketPolicy" {
+  bucket = aws_s3_bucket.MyS3Bucket.id
+  policy = data.aws_iam_policy_document.MyS3BucketPolicyDocument.json
+}
+
+data "aws_iam_policy_document" "MyS3BucketPolicyDocument" {
+  statement  {
+    effect = "Deny"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    actions = [
+      "s3:*"
+    ]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.MyS3Bucket.id}",
+      "arn:aws:s3:::${aws_s3_bucket.MyS3Bucket.id}/*"
+    ]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
+}
+
+
+#################################################################
+# EventBridge Rule
+#################################################################
+# Creating an EventBridge rule
+resource "aws_cloudwatch_event_rule" "MyEventRule" {
+  name          = "s3-eventbridge-sfn-tf-eventrule"
+  description   = "Object create events on bucket s3://${aws_s3_bucket.MyS3Bucket.id}"
+  event_pattern = <<EOF
+{
+  "detail-type": ["Object Created"],
+  "source": ["aws.s3"],
+  "detail": {
+    "bucket": {
+      "name": ["${aws_s3_bucket.MyS3Bucket.id}"]
+    }
+  }
+}
+EOF
+}
+
+# Setting Event Target, DLQ and transformer of the EventBridge rule
+resource "aws_cloudwatch_event_target" "MyEventRuleTarget" {
+  rule      = aws_cloudwatch_event_rule.MyEventRule.name
+  arn       = aws_sfn_state_machine.MySTFRoleMachine.arn
+  role_arn  = aws_iam_role.MyEventRuleTargetRole.arn
+  
+  dead_letter_config {
+    arn = aws_sqs_queue.MySQSDLQ-Queue.arn
+  }
+  
+  input_transformer {
+    input_paths = {
+      "detail": "$.detail"
+    } 
+    input_template = <<EOF
+{"input":{"detail":<detail>},"inputType":0}
+EOF
+}
+}
+
+# Creating Event Target IAM Role
+resource "aws_iam_role" "MyEventRuleTargetRole" {
+  name               = "s3-eventbridge-sfn-tf-EventRole"
+  assume_role_policy = jsonencode({
+    Version   = "2012-10-17"
+    Statement = [
+      {
+        Effect    = "Allow"
+        Principal = { Service = "events.amazonaws.com" }
+        Action    = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "MyEventRuleTargetPolicy" {
+  name   = "s3-eventbridge-sfn-tf-EventRolePolicy"
+  policy = jsonencode(
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "states:StartExecution",
+            "Resource": "${aws_sfn_state_machine.MySTFRoleMachine.arn}",
+            "Effect": "Allow"
+        }
+    ]
+}
+)
+  role = aws_iam_role.MyEventRuleTargetRole.name
+}
+
+
+#################################################################
+# SQS - Dead Letter Queue (DLQ)
+#################################################################
+# Creating SQS - Dead Letter Queue (DLQ)
+resource "aws_sqs_queue" "MySQSDLQ-Queue" {
+  name            = "s3-eventbridge-sfn-tf-SQSDLQQueue"
+}
+
+resource "aws_sqs_queue_policy" "MySQSDLQ-Policy" {
+  queue_url = aws_sqs_queue.MySQSDLQ-Queue.id
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Deny",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "sqs:*",
+      "Resource": "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${aws_sqs_queue.MySQSDLQ-Queue.name}",
+      "Condition": {
+        "Bool": {
+          "aws:SecureTransport": "false"
+        }
+      }
+    },
+    {
+      "Sid": "AllowEventRuleS3EventBridgeSfnStackStackpatternEventsRule",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "events.amazonaws.com"
+      },
+      "Action": "sqs:SendMessage",
+      "Resource": "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${aws_sqs_queue.MySQSDLQ-Queue.name}",
+      "Condition": {
+        "ArnEquals": {
+          "aws:SourceArn": "${aws_cloudwatch_event_rule.MyEventRule.arn}"
+        }
+      }
+    }
+  ]
+}
+POLICY
+}
+
+
+#################################################################
+# Step Funcions 
+#################################################################
+# Creating Step Functions Machine
+resource "aws_sfn_state_machine" "MySTFRoleMachine" {
+  name     = "s3-eventbridge-sfn-tf-StepFunctions"
+  role_arn = aws_iam_role.MySTFRole.arn
+  type     = "STANDARD"
+
+  definition = <<EOF
+{
+    "StartAt": "state",
+    "States": {
+      "state": {
+        "Type": "Pass",
+        "End": true
+      }
+    }
+}
+EOF
+
+}
+
+# Creating Step Functions Machine Role
+resource "aws_iam_role" "MySTFRole" {
+  name               = "s3-eventbridge-sfn-tf-StepFunctionsRole"
+  assume_role_policy = jsonencode({
+    Version   = "2012-10-17"
+    Statement = [
+      {
+        Effect    = "Allow"
+        Principal = { Service = "states.${data.aws_region.current.name}.amazonaws.com" }
+        Action    = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+
+#################################################################
+# Outputs
+#################################################################
+# Displaying the SQS Dead Letter Queue, EventBridge rule, S3 bucket and StepFunctions
+output "SQSDeadLetterQueue" {
+  value       = aws_sqs_queue.MySQSDLQ-Queue.arn
+  description = "The SQS Dead Letter Queue ARN"
+}
+output "EventBridgeRuleARN" {
+  value       = aws_cloudwatch_event_rule.MyEventRule.arn
+  description = "The EventBridge Rule ARN"
+}
+output "S3BucketName" {
+  value       = aws_s3_bucket.MyS3Bucket.id
+  description = "The S3 Bucket Name"
+}
+output "StepFunctions" {
+  value       = aws_sfn_state_machine.MySTFRoleMachine.arn
+  description = "The StepFunctions Machine ARN"
+}
