OpsGenie won't autoconfirm SNS subscriptions - in AWS dashboard or terraform

Question

I'm trying to hook up my amazon account to our Opsgenie account to get CloudWatch events pushed to the team. I followed this guide here: https://docs.opsgenie.com/docs/amazon-cloudwatch-events-integration

I'm creating the items in terraform, as we want to be able to create and destroy this environment on the fly and make it somewhat configurable. Everything seems to be created, but OpsGenie won't autoconfirm the SNS subscription to the topic. Even if I do the same thing in the UI, OpsGenie won't confirm.

Below is my terraform code:

##############################################################################
# Opsgenie integration
###############################################################################
resource "opsgenie_api_integration" "test_integration" {
  name = "api-based-int"
  type = "API"

  responders {
    type = "user"
    id   = opsgenie_user.first.id
  }
  enabled                        = true
  allow_write_access             = true
  ignore_responders_from_payload = false
  suppress_notifications         = false
  owner_team_id                  = opsgenie_team.test_team.id
}

resource "opsgenie_user" "first" {
  username  = "testerman@gmail.com"
  full_name = "Tester Man"
  role      = "Admin"
}

resource "opsgenie_user" "second" {
  username  = "testerman2@gmail.com"
  full_name = "Tester Man II"
  role      = "User"
}

resource "opsgenie_team" "test_team" {
  name        = "example"
  description = "This team deals with all the things"

  member {
    id   = opsgenie_user.first.id
    role = "admin"
  }

  member {
    id   = opsgenie_user.second.id
    role = "user"
  }
}
###############################################################################
# Cloudwatch
###############################################################################
resource "aws_cloudwatch_event_rule" "opsgenie_cloudwatch_event_rule" {
  name        = "send_events_to_opsgenie"
  description = "Send all events to opsgenie"

  event_pattern = <<EOF
{
  "source": [
    "aws.sns"
  ]
}
EOF
}

resource "aws_cloudwatch_event_target" "opsgenie_cloudwatch_event_rule" {
  rule      = aws_cloudwatch_event_rule.opsgenie_cloudwatch_event_rule.name
  target_id = "OpsGenie"
  arn       = aws_sns_topic.opsgenie_notifications.arn
}


###############################################################################
# SNS
###############################################################################
resource "aws_sns_topic" "opsgenie_notifications" {
  name              = "OpsGenie"
  kms_master_key_id =  aws_kms_key.kms_key_for_sns_topic.key_id

  policy = <<POLICY
{
    "Version":"2012-10-17",
    "Statement":[{
        "Effect": "Allow",
        "Principal": {"Service":"events.amazonaws.com"},
        "Action":[
          "SNS:GetTopicAttributes",
          "SNS:SetTopicAttributes",
          "SNS:AddPermission",
          "SNS:RemovePermission",
          "SNS:DeleteTopic",
          "SNS:Subscribe",
          "SNS:ListSubscriptionsByTopic",
          "SNS:Publish",
          "SNS:Receive"
        ],
        "Resource": "*"
    }]
}
POLICY
}

resource "aws_sns_topic_policy" "opsgenie_topic_policy" {
  arn    = aws_sns_topic.opsgenie_notifications.arn
  policy = data.aws_iam_policy_document.sns_topic_policy_doc.json
}

resource "aws_sns_topic_subscription" "user_updates_opsgenie_target" {
  topic_arn                       = aws_sns_topic.opsgenie_notifications.arn
  protocol                        = "https"
  ### IS THIS ENDPOINT CORRECT?? ###
  endpoint                        = "https://api.opsgenie.com/v1/json/amazonsns?apiKey=${opsgenie_api_integration.test_integration.api_key}"
  confirmation_timeout_in_minutes = 1
  endpoint_auto_confirms          = true
}

###############################################################################
# IAM
###############################################################################
data "aws_iam_policy_document" "sns_topic_policy_doc" {
  statement {
    effect  = "Allow"
    actions = ["SNS:GetTopicAttributes",
               "SNS:SetTopicAttributes",
               "SNS:AddPermission",
               "SNS:RemovePermission",
               "SNS:DeleteTopic",
               "SNS:Subscribe",
               "SNS:ListSubscriptionsByTopic",
               "SNS:Publish",
               "SNS:Receive"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    resources = ["aws_sns_topic.opsgenie_notifications.arn"]
  }
}

###############################################################################
# KMS
###############################################################################
resource "aws_kms_key" "kms_key_for_sns_topic" {
  description              = "For OpsGenie"
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = true
  policy                   = <<POLICY
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                  "AWS": "arn:aws:iam::${data.aws_caller_identity.primary_region.account_id}:root"
              },
              "Action": "kms:*",
              "Resource": "*"
          },
          {
              "Effect": "Allow",
              "Principal": {
                  "Service": "events.amazonaws.com"
              },
              "Action": [
                  "kms:Encrypt*",
                  "kms:Decrypt*",
                  "kms:ReEncrypt*",
                  "kms:GenerateDataKey*",
                  "kms:Describe*"
              ],
              "Resource": "*"
          },
          {
              "Effect": "Allow",
              "Principal": {
                  "Service": "sns.amazonaws.com"
              },
              "Action": [
                  "kms:Encrypt*",
                  "kms:Decrypt*",
                  "kms:ReEncrypt*",
                  "kms:GenerateDataKey*",
                  "kms:Describe*"
              ],
              "Resource": "*"
          }
      ]
  }
POLICY
}

resource "aws_kms_alias" "topic_key_alias" {
  name_prefix   = "alias/opsgenie-notifications"
  target_key_id = aws_kms_key.kms_key_for_sns_topic.key_id
}

I feel like I'm close, but I either missed something in the documentation or just am misunderstanding something.

score 4 · Answer 1 · answered Nov 24 '20 at 17:20

It looks like I needed to read further into the documentation. The "API" in the type:

resource "opsgenie_api_integration" "test_integration" {
  name = "api-based-int"
  type = "API"

... needed to be a specfic type. In my case,

type = "CloudWatchEvents"

was what I needed. For reference, the documentation link is located on this page: https://docs.opsgenie.com/docs/integration-types-to-use-with-api

score 1 · Answer 2 · answered Mar 09 '23 at 15:20

The code you have works for the most part, in order to fix the "endpoint auto confirms" section, you need to update your endpoint URL:

resource "aws_sns_topic_subscription" "user_updates_opsgenie_target" {
topic_arn                       = aws_sns_topic.opsgenie_notifications.arn
protocol                        = "https"
### IS THIS ENDPOINT CORRECT?? ###
endpoint                        = "https://api.opsgenie.com/v1/json/amazonsns?apiKey=${opsgenie_api_integration.test_integration.api_key}"
### USE THIS ENDPOINT INSTEAD. ###
endpoint                        = "https://api.opsgenie.com/v1/json/cloudwatchevents?apiKey=${opsgenie_api_integration.test_integration.api_key}"

confirmation_timeout_in_minutes = 1
endpoint_auto_confirms          = true
}

OpsGenie won't autoconfirm SNS subscriptions - in AWS dashboard or terraform

2 Answers2