OpsGenie won't autoconfirm SNS subscriptions - in AWS dashboard or terraform


I'm trying to hook up my amazon account to our Opsgenie account to get CloudWatch events pushed to the team. I followed this guide here: https://docs.opsgenie.com/docs/amazon-cloudwatch-events-integration

I'm creating the items in terraform, as we want to be able to create and destroy this environment on the fly and make it somewhat configurable. Everything seems to be created, but OpsGenie won't autoconfirm the SNS subscription to the topic. Even if I do the same thing in the UI, OpsGenie won't confirm.

Below is my terraform code:

##############################################################################
# Opsgenie integration
###############################################################################
resource "opsgenie_api_integration" "test_integration" {
  name = "api-based-int"
  # NOTE(review): an answer below reports that the generic "API" type is what
  # stops SNS confirmation; the linked Opsgenie docs use the "CloudWatchEvents"
  # integration type for this setup.
  type = "API"

  # Responder attached to the integration; the same user is the team admin below.
  responders {
    type = "user"
    id   = opsgenie_user.first.id
  }
  enabled                        = true
  # NOTE(review): this lets the integration write to Opsgenie, not just post
  # alerts; confirm the CloudWatch integration needs it before leaving it on.
  allow_write_access             = true
  ignore_responders_from_payload = false
  suppress_notifications         = false
  owner_team_id                  = opsgenie_team.test_team.id
}

# Admin-role user: referenced as the integration responder and as the team admin.
resource "opsgenie_user" "first" {
  role      = "Admin"
  full_name = "Tester Man"
  username  = "[email protected]"
}

# Plain user-role account; only appears as an ordinary team member below.
resource "opsgenie_user" "second" {
  role      = "User"
  full_name = "Tester Man II"
  username  = "[email protected]"
}

# Team that owns the integration (see owner_team_id on the integration resource).
# Member blocks are kept in their original order: first user as admin, second as user.
resource "opsgenie_team" "test_team" {
  description = "This team deals with all the things"
  name        = "example"

  member {
    role = "admin"
    id   = opsgenie_user.first.id
  }

  member {
    role = "user"
    id   = opsgenie_user.second.id
  }
}
###############################################################################
# Cloudwatch
###############################################################################
resource "aws_cloudwatch_event_rule" "opsgenie_cloudwatch_event_rule" {
  description = "Send all events to opsgenie"
  name        = "send_events_to_opsgenie"

  # Same pattern as the JSON heredoc form, built with jsonencode so Terraform
  # checks the structure. NOTE(review): "aws.sns" matches events emitted by SNS
  # itself; confirm that is the event source the Opsgenie integration expects.
  event_pattern = jsonencode({
    source = ["aws.sns"]
  })
}

# Routes every match of the rule above into the Opsgenie SNS topic.
resource "aws_cloudwatch_event_target" "opsgenie_cloudwatch_event_rule" {
  target_id = "OpsGenie"
  arn       = aws_sns_topic.opsgenie_notifications.arn
  rule      = aws_cloudwatch_event_rule.opsgenie_cloudwatch_event_rule.name
}


###############################################################################
# SNS
###############################################################################
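# Topic that EventBridge publishes to and that the Opsgenie HTTPS subscription reads from.
resource "aws_sns_topic" "opsgenie_notifications" {
  name              = "OpsGenie"
  # Server-side encryption with the customer-managed key below. Its key policy
  # must allow events.amazonaws.com (publisher) and sns.amazonaws.com (delivery)
  # to use the key, which the KMS block in this file does.
  kms_master_key_id = aws_kms_key.kms_key_for_sns_topic.key_id

  # The access policy is deliberately not set inline: it is managed by
  # aws_sns_topic_policy.opsgenie_topic_policy. Managing the same topic policy
  # from two resources makes each apply overwrite the other's version, and the
  # inline copy also granted events.amazonaws.com far more than the Publish
  # permission an EventBridge target needs (DeleteTopic, AddPermission, ...).
}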

# Attaches the policy document defined under the IAM section to the topic.
resource "aws_sns_topic_policy" "opsgenie_topic_policy" {
  policy = data.aws_iam_policy_document.sns_topic_policy_doc.json
  arn    = aws_sns_topic.opsgenie_notifications.arn
}

# HTTPS push subscription from the topic to Opsgenie.
resource "aws_sns_topic_subscription" "user_updates_opsgenie_target" {
  topic_arn                       = aws_sns_topic.opsgenie_notifications.arn
  protocol                        = "https"
  ### IS THIS ENDPOINT CORRECT?? ###
  # NOTE(review): an answer below says the path must be /v1/json/cloudwatchevents,
  # not /v1/json/amazonsns, for a CloudWatch Events integration.
  # The integration API key rides in the query string, so it is persisted in the
  # Terraform state and shown in plan output as part of `endpoint`; protect the
  # state backend accordingly.
  endpoint                        = "https://api.opsgenie.com/v1/json/amazonsns?apiKey=${opsgenie_api_integration.test_integration.api_key}"
  # One minute is the window Terraform waits for the endpoint to confirm before
  # failing the apply; SNS itself keeps retrying the confirmation separately.
  confirmation_timeout_in_minutes = 1
  endpoint_auto_confirms          = true
}

###############################################################################
# IAM
###############################################################################
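# Topic access policy: lets EventBridge publish into the Opsgenie topic.
# Trimmed to the single action an EventBridge SNS target needs; the original
# list also handed the service principal DeleteTopic, SetTopicAttributes,
# AddPermission/RemovePermission and Subscribe on the topic.
data "aws_iam_policy_document" "sns_topic_policy_doc" {
  statement {
    sid     = "AllowEventBridgePublish"
    effect  = "Allow"
    actions = ["SNS:Publish"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    # A reference, not a quoted string: the original literal
    # "aws_sns_topic.opsgenie_notifications.arn" was written into the policy
    # verbatim and is not a valid ARN, so the policy did not cover the topic.
    resources = [aws_sns_topic.opsgenie_notifications.arn]

    # NOTE(review): any principal in this account using the events service can
    # currently publish here; consider adding a `condition` on aws:SourceArn or
    # aws:SourceAccount tied to the event rule — confirm against the EventBridge
    # target documentation before relying on it.
  }
}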

###############################################################################
# KMS
###############################################################################
resource "aws_kms_key" "kms_key_for_sns_topic" {
  description              = "For OpsGenie"
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = true

  # Same three statements as the JSON heredoc form, in the same order: the
  # account root keeps full control, then events.amazonaws.com and
  # sns.amazonaws.com each get the encrypt/decrypt/data-key/describe actions.
  # Resource is "*" because a key policy only ever applies to the key it is
  # attached to.
  # NOTE(review): the two service statements carry no condition, so any use of
  # those services in this account can use the key; if it should serve only
  # this topic, consider scoping them (kms:ViaService / aws:SourceAccount) —
  # confirm the exact condition keys against the SNS and EventBridge docs.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = concat(
      [
        {
          Sid    = "Enable IAM User Permissions"
          Effect = "Allow"
          Principal = {
            AWS = "arn:aws:iam::${data.aws_caller_identity.primary_region.account_id}:root"
          }
          Action   = "kms:*"
          Resource = "*"
        },
      ],
      [
        for svc in ["events.amazonaws.com", "sns.amazonaws.com"] : {
          Effect    = "Allow"
          Principal = { Service = svc }
          Action = [
            "kms:Encrypt*",
            "kms:Decrypt*",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:Describe*",
          ]
          Resource = "*"
        }
      ],
    )
  })
}

# Human-readable alias for the topic key; name_prefix lets AWS append a unique suffix.
resource "aws_kms_alias" "topic_key_alias" {
  target_key_id = aws_kms_key.kms_key_for_sns_topic.key_id
  name_prefix   = "alias/opsgenie-notifications"
}

I feel like I'm close, but I either missed something in the documentation or am just misunderstanding something.


It looks like I needed to read further into the documentation. The "API" in the type:

resource "opsgenie_api_integration" "test_integration" {
  name = "api-based-int"
  type = "API"

... needed to be a specific type. In my case,

type = "CloudWatchEvents" 

was what I needed. For reference, the documentation link is located on this page: https://docs.opsgenie.com/docs/integration-types-to-use-with-api


The code you have works for the most part; to fix the "endpoint auto confirms" section, you need to update your endpoint URL:

# Answer snippet showing the old and corrected endpoint side by side. A real
# resource may carry only one `endpoint` attribute, so the first one is deleted.
resource "aws_sns_topic_subscription" "user_updates_opsgenie_target" {
topic_arn                       = aws_sns_topic.opsgenie_notifications.arn
protocol                        = "https"
### IS THIS ENDPOINT CORRECT?? ###
endpoint                        = "https://api.opsgenie.com/v1/json/amazonsns?apiKey=${opsgenie_api_integration.test_integration.api_key}"
### USE THIS ENDPOINT INSTEAD. ###
endpoint                        = "https://api.opsgenie.com/v1/json/cloudwatchevents?apiKey=${opsgenie_api_integration.test_integration.api_key}"
# The integration API key is part of the endpoint URL, so it ends up in the
# Terraform state and plan output; protect the state backend accordingly.

confirmation_timeout_in_minutes = 1
endpoint_auto_confirms          = true
}