{"id":13505835,"url":"https://github.com/cloudandthings/terraform-aws-clickops-notifier","last_synced_at":"2026-04-09T21:19:06.725Z","repository":{"id":37898864,"uuid":"469002061","full_name":"cloudandthings/terraform-aws-clickops-notifier","owner":"cloudandthings","description":"Get notified when actions are taken in the AWS Console.","archived":false,"fork":false,"pushed_at":"2025-01-20T10:10:51.000Z","size":17144,"stargazers_count":315,"open_issues_count":22,"forks_count":26,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-01T16:16:13.665Z","etag":null,"topics":["aws","clickops","terraform","terraform-modules"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/cloudandthings/clickops-notifier/aws/latest","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudandthings.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/contributing.md","funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-12T06:37:55.000Z","updated_at":"2025-03-29T10:21:42.000Z","dependencies_parsed_at":"2024-01-07T10:51:20.841Z","dependency_job_id":"1306ca4b-fc16-4164-ab4c-6b2233ceca82","html_url":"https://github.com/cloudandthings/terraform-aws-clickops-notifier","commit_stats":{"total_commits":91,"total_committers":15,"mean_commits":6.066666666666666,"dds":0.6263736263736264,"last_synced_commit":"6a0d63f81fe1ecb011a5c1d7062262886a8040df"},"previous_names":[],"tags_count":26,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudandthings%2Fterraform-aws-clickops-not
ifier","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudandthings%2Fterraform-aws-clickops-notifier/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudandthings%2Fterraform-aws-clickops-notifier/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudandthings%2Fterraform-aws-clickops-notifier/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudandthings","download_url":"https://codeload.github.com/cloudandthings/terraform-aws-clickops-notifier/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247898519,"owners_count":21014722,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","clickops","terraform","terraform-modules"],"created_at":"2024-08-01T00:01:14.999Z","updated_at":"2026-04-09T21:19:06.719Z","avatar_url":"https://github.com/cloudandthings.png","language":"Python","funding_links":[],"categories":["Tools","Cloud asset inventory"],"sub_categories":["Community providers","Threat modelling"],"readme":"[![Tests](https://github.com/cloudandthings/terraform-aws-clickops-notifier/actions/workflows/tests.yml/badge.svg)](https://github.com/cloudandthings/terraform-aws-clickops-notifier/actions/workflows/tests.yml)\n\n# AWS ClickOps Notifier\nGet notified when users are taking actions in the AWS Console. Read more [here](https://medium.com/cloudandthings/aws-clickoops-1b8cabc9b8e3).\n\n## 🏗️ Module Usage\nIt is not strictly a requirement that you use this with AWS ControlTower. 
The module has only been tested in the Log Archive account that ships with AWS ControlTower. Set up your AWS credentials such that `aws sts get-caller-identity | grep Account` returns your ControlTower Log Archive account ID.\n\n### Organizational Mode vs Standalone Mode\nIf your account is part of an AWS Organization that does not use centralized CloudTrail logging, or that does not want to monitor ClickOps at an organizational level, you can deploy ClickOps in `standalone` mode in a single account. For standalone mode you need CloudTrail enabled in your account, configured to write logs to a CloudWatch Log Group, and sufficient permission to create a subscription filter on that log group.\n\n## Excluded scoped actions\nThe following actions will not be alerted on. They are either:\n- actions that are commonly performed in the AWS Console and that we consider acceptable\n- actions that can only be performed in the AWS Console\n\nThis behaviour can be overridden with the `excluded_scoped_actions` and `excluded_scoped_actions_effect` variables. 
The default list of excluded actions is shown in the Terraform docs below.\n\n\n\n## Contributing\n\nReport issues/questions/feature requests in the [issues](https://github.com/cloudandthings/terraform-aws-clickops-notifier/issues/new) section.\n\nFull contributing [guidelines are covered here](.github/contributing.md).\n\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n----\n## Documentation\n\n----\n### Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_additional_iam_policy_statements\"\u003e\u003c/a\u003e [additional\\_iam\\_policy\\_statements](#input\\_additional\\_iam\\_policy\\_statements) | Map of dynamic policy statements to attach to the Lambda Function role | `any` | `{}` | no |\n| \u003ca name=\"input_allowed_aws_principals_for_sns_subscribe\"\u003e\u003c/a\u003e [allowed\\_aws\\_principals\\_for\\_sns\\_subscribe](#input\\_allowed\\_aws\\_principals\\_for\\_sns\\_subscribe) | List of AWS principals allowed to subscribe to the SNS topic (only applicable to org deployments). | `list(string)` | `[]` | no |\n| \u003ca name=\"input_cloudtrail_bucket_name\"\u003e\u003c/a\u003e [cloudtrail\\_bucket\\_name](#input\\_cloudtrail\\_bucket\\_name) | Bucket containing the CloudTrail logs that you want to process. The ControlTower bucket name follows the naming convention `aws-controltower-logs-{{account_id}}-{{region}}` | `string` | `\"\"` | no |\n| \u003ca name=\"input_cloudtrail_bucket_notifications_sns_arn\"\u003e\u003c/a\u003e [cloudtrail\\_bucket\\_notifications\\_sns\\_arn](#input\\_cloudtrail\\_bucket\\_notifications\\_sns\\_arn) | SNS topic ARN for bucket notifications. If not provided, a new SNS topic will be created along with the bucket notifications configuration. | `string` | `null` | no |\n| \u003ca name=\"input_cloudtrail_log_group\"\u003e\u003c/a\u003e [cloudtrail\\_log\\_group](#input\\_cloudtrail\\_log\\_group) | CloudWatch Log group for CloudTrail events. 
| `string` | `\"\"` | no |\n| \u003ca name=\"input_create_iam_role\"\u003e\u003c/a\u003e [create\\_iam\\_role](#input\\_create\\_iam\\_role) | Determines whether an IAM role is created or an existing IAM role is used | `bool` | `true` | no |\n| \u003ca name=\"input_event_batch_size\"\u003e\u003c/a\u003e [event\\_batch\\_size](#input\\_event\\_batch\\_size) | Batch events into chunks of `event_batch_size` | `number` | `100` | no |\n| \u003ca name=\"input_event_maximum_batching_window\"\u003e\u003c/a\u003e [event\\_maximum\\_batching\\_window](#input\\_event\\_maximum\\_batching\\_window) | Maximum batching window in seconds. | `number` | `300` | no |\n| \u003ca name=\"input_event_processing_timeout\"\u003e\u003c/a\u003e [event\\_processing\\_timeout](#input\\_event\\_processing\\_timeout) | Maximum number of seconds the Lambda is allowed to run, and the number of seconds events remain hidden in SQS after being picked up by the Lambda (the visibility timeout). | `number` | `60` | no |\n| \u003ca name=\"input_excluded_accounts\"\u003e\u003c/a\u003e [excluded\\_accounts](#input\\_excluded\\_accounts) | List of accounts that will be excluded from scans for manual actions. These take precedence over `included_accounts`. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_excluded_scoped_actions\"\u003e\u003c/a\u003e [excluded\\_scoped\\_actions](#input\\_excluded\\_scoped\\_actions) | A list of service scoped actions that will not be alerted on. Format: `{{service}}.amazonaws.com:{{action}}` | `list(string)` | `[]` | no |\n| \u003ca name=\"input_excluded_scoped_actions_effect\"\u003e\u003c/a\u003e [excluded\\_scoped\\_actions\\_effect](#input\\_excluded\\_scoped\\_actions\\_effect) | Should the built-in excluded actions be replaced or appended to? 
By default it will append to the list. Valid values: APPEND, REPLACE | `string` | `\"APPEND\"` | no |\n| \u003ca name=\"input_excluded_users\"\u003e\u003c/a\u003e [excluded\\_users](#input\\_excluded\\_users) | List of email addresses that will not be reported on when practicing ClickOps. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_firehose_delivery_stream_name\"\u003e\u003c/a\u003e [firehose\\_delivery\\_stream\\_name](#input\\_firehose\\_delivery\\_stream\\_name) | Kinesis Firehose delivery stream name to output ClickOps events to. | `string` | `null` | no |\n| \u003ca name=\"input_iam_role_arn\"\u003e\u003c/a\u003e [iam\\_role\\_arn](#input\\_iam\\_role\\_arn) | Existing IAM role ARN for the lambda. Required if `create_iam_role` is set to `false` | `string` | `null` | no |\n| \u003ca name=\"input_included_accounts\"\u003e\u003c/a\u003e [included\\_accounts](#input\\_included\\_accounts) | List of accounts that will be scanned for manual actions. If empty, all accounts will be scanned. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_included_users\"\u003e\u003c/a\u003e [included\\_users](#input\\_included\\_users) | List of email addresses that will be scanned for manual actions. If empty, all users will be scanned. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_kms_key_id_for_sns_topic\"\u003e\u003c/a\u003e [kms\\_key\\_id\\_for\\_sns\\_topic](#input\\_kms\\_key\\_id\\_for\\_sns\\_topic) | KMS key ID for encrypting the sns\\_topic (only applicable to org deployments). | `string` | `null` | no |\n| \u003ca name=\"input_lambda_deployment_s3_bucket\"\u003e\u003c/a\u003e [lambda\\_deployment\\_s3\\_bucket](#input\\_lambda\\_deployment\\_s3\\_bucket) | S3 bucket for lambda deployment package. | `string` | `null` | no |\n| \u003ca name=\"input_lambda_deployment_s3_key\"\u003e\u003c/a\u003e [lambda\\_deployment\\_s3\\_key](#input\\_lambda\\_deployment\\_s3\\_key) | S3 object key for lambda deployment package. Otherwise, defaults to `var.naming_prefix/local.deployment_filename`. 
| `string` | `null` | no |\n| \u003ca name=\"input_lambda_deployment_upload_to_s3_enabled\"\u003e\u003c/a\u003e [lambda\\_deployment\\_upload\\_to\\_s3\\_enabled](#input\\_lambda\\_deployment\\_upload\\_to\\_s3\\_enabled) | If `true`, the lambda deployment package within this module repo will be copied to S3. If `false` then the S3 object must be uploaded separately. Ignored if `lambda_deployment_s3_bucket` is null. | `bool` | `true` | no |\n| \u003ca name=\"input_lambda_log_level\"\u003e\u003c/a\u003e [lambda\\_log\\_level](#input\\_lambda\\_log\\_level) | Lambda logging level. One of: `[\"DEBUG\", \"INFO\", \"WARN\", \"ERROR\"]`. | `string` | `\"WARN\"` | no |\n| \u003ca name=\"input_lambda_memory_size\"\u003e\u003c/a\u003e [lambda\\_memory\\_size](#input\\_lambda\\_memory\\_size) | The amount of memory for Lambda to use | `number` | `\"128\"` | no |\n| \u003ca name=\"input_lambda_runtime\"\u003e\u003c/a\u003e [lambda\\_runtime](#input\\_lambda\\_runtime) | The lambda runtime to use. One of: `[\"python3.9\", \"python3.8\", \"python3.11\"]` | `string` | `\"python3.11\"` | no |\n| \u003ca name=\"input_log_retention_in_days\"\u003e\u003c/a\u003e [log\\_retention\\_in\\_days](#input\\_log\\_retention\\_in\\_days) | Number of days to keep CloudWatch logs | `number` | `14` | no |\n| \u003ca name=\"input_naming_prefix\"\u003e\u003c/a\u003e [naming\\_prefix](#input\\_naming\\_prefix) | Resources will be prefixed with this | `string` | `\"clickops-notifier\"` | no |\n| \u003ca name=\"input_standalone\"\u003e\u003c/a\u003e [standalone](#input\\_standalone) | Deploy ClickOps in a standalone account instead of into an entire AWS Organization. Ideal for teams who want to monitor ClickOps in only their accounts where it is not instrumented at an Organizational level. 
| `bool` | `false` | no |\n| \u003ca name=\"input_subcription_filter_distribution\"\u003e\u003c/a\u003e [subcription\\_filter\\_distribution](#input\\_subcription\\_filter\\_distribution) | The method used to distribute log data to the destination. By default log data is grouped by log stream, but the grouping can be set to random for a more even distribution. This property is only applicable when the destination is an Amazon Kinesis stream. Valid values are \"Random\" and \"ByLogStream\". | `string` | `\"Random\"` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | Tags to add to resources in addition to the default\\_tags for the provider | `map(string)` | `{}` | no |\n| \u003ca name=\"input_webhooks_for_msteams_notifications\"\u003e\u003c/a\u003e [webhooks\\_for\\_msteams\\_notifications](#input\\_webhooks\\_for\\_msteams\\_notifications) | Map of `custom_name =\u003e webhook URL`s for MS Teams notifications. https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook?tabs=dotnet | `map(string)` | `{}` | no |\n| \u003ca name=\"input_webhooks_for_slack_notifications\"\u003e\u003c/a\u003e [webhooks\\_for\\_slack\\_notifications](#input\\_webhooks\\_for\\_slack\\_notifications) | Map of `custom_name =\u003e webhook URL`s for Slack notifications. 
https://api.slack.com/messaging/webhooks | `map(string)` | `{}` | no |\n\n----\n### Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| \u003ca name=\"module_clickops_notifier_lambda\"\u003e\u003c/a\u003e [clickops\\_notifier\\_lambda](#module\\_clickops\\_notifier\\_lambda) | terraform-aws-modules/lambda/aws | 4.9.0 |\n\n----\n### Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_clickops_notifier_lambda\"\u003e\u003c/a\u003e [clickops\\_notifier\\_lambda](#output\\_clickops\\_notifier\\_lambda) | Expose all the outputs from the lambda module |\n| \u003ca name=\"output_sns_topic\"\u003e\u003c/a\u003e [sns\\_topic](#output\\_sns\\_topic) | Expose the bucket notification SNS details |\n| \u003ca name=\"output_sqs_queue\"\u003e\u003c/a\u003e [sqs\\_queue](#output\\_sqs\\_queue) | Expose the bucket notification SQS details |\n\n----\n### Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e= 4.9 |\n\n----\n### Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 0.15.0 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 4.9 |\n\n----\n### Resources\n\n| Name | Type |\n|------|------|\n| [aws_cloudwatch_log_subscription_filter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource |\n| [aws_s3_bucket_notification.bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |\n| [aws_s3_object.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |\n| [aws_sns_topic.bucket_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |\n| 
[aws_sns_topic_policy.bucket_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |\n| [aws_sns_topic_subscription.bucket_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |\n| [aws_sqs_queue.bucket_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |\n| [aws_sqs_queue_policy.bucket_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |\n| [aws_ssm_parameter.webhooks_for_msteams](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |\n| [aws_ssm_parameter.webhooks_for_slack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudwatch_log_group) | data source |\n| [aws_iam_policy_document.bucket_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.lambda_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.sns_topic_policy_bucket_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |\n\n----\n### Default excluded scoped actions\n```hcl\nlocals {\n  ignored_scoped_events_built_in = [\n    \"cognito-idp.amazonaws.com:InitiateAuth\",\n    
\"cognito-idp.amazonaws.com:RespondToAuthChallenge\",\n\n    \"sso.amazonaws.com:Federate\",\n    \"sso.amazonaws.com:Authenticate\",\n    \"sso.amazonaws.com:Logout\",\n    \"sso.amazonaws.com:SearchUsers\",\n    \"sso.amazonaws.com:SearchGroups\",\n    \"sso.amazonaws.com:CreateToken\",\n\n    \"signin.amazonaws.com:UserAuthentication\",\n    \"signin.amazonaws.com:SwitchRole\",\n    \"signin.amazonaws.com:RenewRole\",\n    \"signin.amazonaws.com:ExternalIdPDirectoryLogin\",\n    \"signin.amazonaws.com:CredentialVerification\",\n    \"signin.amazonaws.com:CredentialChallenge\",\n    \"signin.amazonaws.com:CheckMfa\",\n\n    \"logs.amazonaws.com:StartQuery\",\n    \"cloudtrail.amazonaws.com:StartQuery\",\n\n    \"iam.amazonaws.com:SimulatePrincipalPolicy\",\n    \"iam.amazonaws.com:GenerateServiceLastAccessedDetails\",\n\n    \"glue.amazonaws.com:BatchGetJobs\",\n    \"glue.amazonaws.com:BatchGetCrawlers\",\n    \"glue.amazonaws.com:StartJobRun\",\n    \"glue.amazonaws.com:StartCrawler\",\n\n    \"athena.amazonaws.com:StartQueryExecution\",\n\n    \"servicecatalog.amazonaws.com:SearchProductsAsAdmin\",\n    \"servicecatalog.amazonaws.com:SearchProducts\",\n    \"servicecatalog.amazonaws.com:SearchProvisionedProducts\",\n    \"servicecatalog.amazonaws.com:TerminateProvisionedProduct\",\n\n    \"cloudshell.amazonaws.com:CreateSession\",\n    \"cloudshell.amazonaws.com:PutCredentials\",\n    \"cloudshell.amazonaws.com:SendHeartBeat\",\n    \"cloudshell.amazonaws.com:CreateEnvironment\",\n\n    \"kms.amazonaws.com:Decrypt\",\n    \"kms.amazonaws.com:RetireGrant\",\n\n    \"trustedadvisor.amazonaws.com:RefreshCheck\",\n\n    # Must CreateMultipartUpload before uploading any parts.\n    \"s3.amazonaws.com:UploadPart\",\n    \"s3.amazonaws.com:UploadPartCopy\",\n\n    \"route53domains:TransferDomain\",\n\n    \"support.amazonaws.com:AddAttachmentsToSet\",\n    \"support.amazonaws.com:AddCommunicationToCase\",\n    \"support.amazonaws.com:CreateCase\",\n    
\"support.amazonaws.com:InitiateCallForCase\",\n    \"support.amazonaws.com:InitiateChatForCase\",\n    \"support.amazonaws.com:PutCaseAttributes\",\n    \"support.amazonaws.com:RateCaseCommunication\",\n    \"support.amazonaws.com:RefreshTrustedAdvisorCheck\",\n    \"support.amazonaws.com:ResolveCase\",\n\n    \"grafana.amazonaws.com:login_auth_sso\",\n  ]\n}\n```\n\u003c!-- END_TF_DOCS --\u003e\n\n----\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudandthings%2Fterraform-aws-clickops-notifier","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudandthings%2Fterraform-aws-clickops-notifier","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudandthings%2Fterraform-aws-clickops-notifier/lists"}