Merge pull request #2362 from enmata/s3-eventbridge-sfn-terraform_enmata

Add s3-eventbridge-sfn-terraform patterrn

Author: julianwood

s3-eventbridge-sfn-terraform/README.md

@@ -0,0 +1,83 @@
+# Amazon S3 to AWS Step Functions with Amazon EventBridge Rule
+
+This pattern demonstrates invoking a Step Functions state machine from an S3 event via EventBridge. Implemented with Terraform.
+
+Learn more about this pattern at Serverless Land Patterns: [erverlessland.com/patterns/s3-eventbridge-sfn-terraform](https://serverlessland.com/patterns/s3-eventbridge-sfn-terraform)
+
+Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the [AWS Pricing page](https://aws.amazon.com/pricing/) for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.
+
+
+## Requirements
+
+- [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources.
+- [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
+- [Git Installed](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
+* [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli?in=terraform/aws-get-started) installed
+
+
+## Deployment Instructions
+
+1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:
+    ``` 
+    git clone https://github.com/aws-samples/serverless-patterns
+    ```
+1. Change directory to the pattern directory:
+    ```
+    cd s3-eventbridge-sfn-terraform
+    ```
+1. From the command line, initialize terraform to  to downloads and installs the providers defined in the configuration:
+    ```
+    terraform init
+    ```
+1. From the command line, apply the configuration in the main.tf file:
+    ```
+    terraform apply
+    ```
+1. During the prompts:
+    * Enter yes
+1. Note the outputs from the deployment process. These contain the resource names and/or ARNs which are used for testing.
+
+
+## How it works
+
+- Upload a file to the newly created S3 bucket
+- This sends an `Object Created` event to EventBridge
+- Based on the EventBridge rule, the state machine is executed
+
+
+## Testing
+
+1. Navigate to Amazon S3 console, then choose the S3 bucket created by this Terraform template.
+
+2. Upload a file to the S3 bucket
+
+3. Immediately after the upload completes successfully, navigate to the Step Functions console. Select the state machine created by the template, and observe the state machine execution.
+
+
+## Documentation and next step
+
+To create a full Step Functions workflow with this pattern, search the example workflows available at [serverlessland.com/workflows](https://serverlessland.com/workflows)
+
+
+## Cleanup
+ 
+1. Change directory to the pattern directory:
+    ```
+    cd s3-eventbridge-sfn-terraform
+    ```
+1. Delete all files from the S3 bucket
+1. Delete all created resources by terraform
+    ```bash
+    terraform destroy
+    ```
+1. During the prompts:
+    * Enter yes
+1. Confirm all created resources has been deleted
+    ```bash
+    terraform show
+    ```
+
+----
+Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+SPDX-License-Identifier: MIT-0

s3-eventbridge-sfn-terraform/example-pattern.json

@@ -0,0 +1,61 @@
+{
+  "title": "S3 to Step Functions using EventBridge",
+  "description": "How to create an EventBridge rule with S3 as the event source and Step Functions as target.",
+  "language": "nodejs",
+  "level": "200",
+  "framework": "Terraform",
+  "introBox": {
+    "headline": "How to create an EventBridge rule with S3 as the event source and Step Functions as target.",
+    "text": [
+      "This sample project demonstrates how you can trigger an execution in Step Functions state machine when an object is created in an S3 bucket.",
+      "When you uploads an object to the newly created S3 bucket, this will send an `Object Created` event to EventBridge, based on the EventBridge rule, the state machine is executed.",
+      "This pattern deploys one Step Functions state machine, one S3 bucket, one EventBridge rule."
+    ]
+  },
+  "gitHub": {
+    "template": {
+      "repoURL": "https://github.com/aws-samples/serverless-patterns/tree/main/s3-sqs-lambda-terraform",
+      "templateURL": "serverless-patterns/s3-sqs-lambda-terraform",
+      "projectFolder": "s3-sqs-lambda-terraform",
+      "templateFile": "main.tf"
+    }
+  },
+  "resources": {
+    "bullets": [
+      {
+        "text": "AWS S3 Event Notifications with EventBridge",
+        "link": "https://aws.amazon.com/blogs/aws/new-use-amazon-s3-event-notifications-with-amazon-eventbridge"
+      },
+      {
+        "text": "Using EventBridge with S3",
+        "link": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/EventBridge.html"
+      }
+    ]
+  },
+  "deploy": {
+    "text": [
+      "terraform init",
+      "terraform apply"
+    ]
+  },
+  "testing": {
+    "text": [
+      "See the GitHub repo for detailed testing instructions."
+    ]
+  },
+  "cleanup": {
+    "text": [
+      "terraform destroy"
+    ]
+  },
+  "authors": [
+    {
+      "name": "Oriol Matavacas",
+      "image": "https://togithub.s3.eu-west-1.amazonaws.com/Oriol.jpg",
+      "bio": "Oriol Matavacas is a Sr. Solutions Architect at AWS based in Barcelona. Oriol primarily supporting customers on the journey to the Cloud. He enjoys building new solutions with scalability, availability and easy to maintain by using serverless.",
+      "linkedin": "https://www.linkedin.com/in/oriol-matavacas-rodriguez-b165868a",
+      "twitter": ""
+    }
+  ]
+}
+

s3-eventbridge-sfn-terraform/main.tf

@@ -0,0 +1,239 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.27"
+    }
+  }
+
+  required_version = ">= 0.14.9"
+}
+
+# Storing current Account ID and actual AWS region
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+
+#################################################################
+# S3 Bucket
+#################################################################
+# Creating a new S3 bucket
+resource "aws_s3_bucket" "MyS3Bucket" {
+  bucket_prefix = "s3-eventbridge-sfn-tf-"
+}
+
+# Sending notifications to EventBridge for all events in the bucket
+resource "aws_s3_bucket_notification" "MyS3BucketNotification" {
+  bucket      = aws_s3_bucket.MyS3Bucket.id
+  eventbridge = true
+}
+
+# Blocking s3 bucket non secure access
+resource "aws_s3_bucket_policy" "MyS3BucketPolicy" {
+  bucket = aws_s3_bucket.MyS3Bucket.id
+  policy = data.aws_iam_policy_document.MyS3BucketPolicyDocument.json
+}
+
+data "aws_iam_policy_document" "MyS3BucketPolicyDocument" {
+  statement  {
+    effect = "Deny"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    actions = [
+      "s3:*"
+    ]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.MyS3Bucket.id}",
+      "arn:aws:s3:::${aws_s3_bucket.MyS3Bucket.id}/*"
+    ]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
+}
+
+
+#################################################################
+# EventBridge Rule
+#################################################################
+# Creating an EventBridge rule
+resource "aws_cloudwatch_event_rule" "MyEventRule" {
+  name          = "s3-eventbridge-sfn-tf-eventrule"
+  description   = "Object create events on bucket s3://${aws_s3_bucket.MyS3Bucket.id}"
+  event_pattern = <<EOF
+{
+  "detail-type": ["Object Created"],
+  "source": ["aws.s3"],
+  "detail": {
+    "bucket": {
+      "name": ["${aws_s3_bucket.MyS3Bucket.id}"]
+    }
+  }
+}
+EOF
+}
+
+# Setting Event Target, DLQ and transformer of the EventBridge rule
+resource "aws_cloudwatch_event_target" "MyEventRuleTarget" {
+  rule      = aws_cloudwatch_event_rule.MyEventRule.name
+  arn       = aws_sfn_state_machine.MySTFRoleMachine.arn
+  role_arn  = aws_iam_role.MyEventRuleTargetRole.arn
+  
+  dead_letter_config {
+    arn = aws_sqs_queue.MySQSDLQ-Queue.arn
+  }
+  
+  input_transformer {
+    input_paths = {
+      "detail": "$.detail"
+    } 
+    input_template = <<EOF
+{"input":{"detail":<detail>},"inputType":0}
+EOF
+}
+}
+
+# Creating Event Target IAM Role
+resource "aws_iam_role" "MyEventRuleTargetRole" {
+  name               = "s3-eventbridge-sfn-tf-EventRole"
+  assume_role_policy = jsonencode({
+    Version   = "2012-10-17"
+    Statement = [
+      {
+        Effect    = "Allow"
+        Principal = { Service = "events.amazonaws.com" }
+        Action    = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "MyEventRuleTargetPolicy" {
+  name   = "s3-eventbridge-sfn-tf-EventRolePolicy"
+  policy = jsonencode(
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "states:StartExecution",
+            "Resource": "${aws_sfn_state_machine.MySTFRoleMachine.arn}",
+            "Effect": "Allow"
+        }
+    ]
+}
+)
+  role = aws_iam_role.MyEventRuleTargetRole.name
+}
+
+
+#################################################################
+# SQS - Dead Letter Queue (DLQ)
+#################################################################
+# Creating SQS - Dead Letter Queue (DLQ)
+resource "aws_sqs_queue" "MySQSDLQ-Queue" {
+  name            = "s3-eventbridge-sfn-tf-SQSDLQQueue"
+}
+
+resource "aws_sqs_queue_policy" "MySQSDLQ-Policy" {
+  queue_url = aws_sqs_queue.MySQSDLQ-Queue.id
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Deny",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "sqs:*",
+      "Resource": "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${aws_sqs_queue.MySQSDLQ-Queue.name}",
+      "Condition": {
+        "Bool": {
+          "aws:SecureTransport": "false"
+        }
+      }
+    },
+    {
+      "Sid": "AllowEventRuleS3EventBridgeSfnStackStackpatternEventsRule",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "events.amazonaws.com"
+      },
+      "Action": "sqs:SendMessage",
+      "Resource": "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${aws_sqs_queue.MySQSDLQ-Queue.name}",
+      "Condition": {
+        "ArnEquals": {
+          "aws:SourceArn": "${aws_cloudwatch_event_rule.MyEventRule.arn}"
+        }
+      }
+    }
+  ]
+}
+POLICY
+}
+
+
+#################################################################
+# Step Funcions 
+#################################################################
+# Creating Step Functions Machine
+resource "aws_sfn_state_machine" "MySTFRoleMachine" {
+  name     = "s3-eventbridge-sfn-tf-StepFunctions"
+  role_arn = aws_iam_role.MySTFRole.arn
+  type     = "STANDARD"
+
+  definition = <<EOF
+{
+    "StartAt": "state",
+    "States": {
+      "state": {
+        "Type": "Pass",
+        "End": true
+      }
+    }
+}
+EOF
+
+}
+
+# Creating Step Functions Machine Role
+resource "aws_iam_role" "MySTFRole" {
+  name               = "s3-eventbridge-sfn-tf-StepFunctionsRole"
+  assume_role_policy = jsonencode({
+    Version   = "2012-10-17"
+    Statement = [
+      {
+        Effect    = "Allow"
+        Principal = { Service = "states.${data.aws_region.current.name}.amazonaws.com" }
+        Action    = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+
+#################################################################
+# Outputs
+#################################################################
+# Displaying the SQS Dead Letter Queue, EventBridge rule, S3 bucket and StepFunctions
+output "SQSDeadLetterQueue" {
+  value       = aws_sqs_queue.MySQSDLQ-Queue.arn
+  description = "The SQS Dead Letter Queue ARN"
+}
+output "EventBridgeRuleARN" {
+  value       = aws_cloudwatch_event_rule.MyEventRule.arn
+  description = "The EventBridge Rule ARN"
+}
+output "S3BucketName" {
+  value       = aws_s3_bucket.MyS3Bucket.id
+  description = "The S3 Bucket Name"
+}
+output "StepFunctions" {
+  value       = aws_sfn_state_machine.MySTFRoleMachine.arn
+  description = "The StepFunctions Machine ARN"
+}