
Support multiple sns_topic per alarm #60

Open
wesleung opened this issue May 3, 2024 · 0 comments

wesleung commented May 3, 2024

Describe the Feature

Some of the important CIS alarms need to be sent to a higher priority SNS topic alarm. The current implementation only supports one SNS topic.

The feature request is to either add sns_topic to the yaml file or add the ability to run this module multiple times.

I tried to call the module multiple times using a different yaml file and sns_topic_arn, but the KMS alias is hard coded to a specific value. This throws the error below:

module.cloudtrail_api_alarms_info.aws_sns_topic.default[0]: Creation complete after 4s [id=arn:aws:sns:us-east-1:225262634975:cloudtrail-breach]
╷
│ Error: creating KMS Alias (alias/CloudTrailBreach-sns): AlreadyExistsException: An alias with the name arn:aws:kms:us-east-1:225262634975:alias/CloudTrailBreach-sns already exists
│ 
│   with module.cloudtrail_api_alarms_warn.module.sns_kms_key[0].aws_kms_alias.default[0],
│   on .terraform/modules/cloudtrail_api_alarms_warn.sns_kms_key/main.tf line 12, in resource "aws_kms_alias" "default":
│   12: resource "aws_kms_alias" "default" 

Expected Behavior

The expected behavior is that we can run this module multiple times with different SNS topics.

Use Case

Below is a sample of calling the module twice:

## INFO
module "metric_configs_info" {
  source  = "cloudposse/config/yaml"
  version     = "1.0.2"

  map_config_local_base_path = "./catalog"
  map_config_paths           = ["./catalog/info.yaml"]
}

module "cloudtrail_api_alarms_info" {
  source  = "cloudposse/cloudtrail-cloudwatch-alarms/aws"
  version     = "0.14.3"

  log_group_name  = "/cloudtrail/org"
  metrics         = module.metric_configs_info.map_configs
  name            = "info"
  sns_topic_arn   = "arn:aws:sns:${var.aws_region}:${data.aws_caller_identity.current.account_id}:${var.sns_topic_info}"
}

## WARN
module "metric_configs_warn" {
  source  = "cloudposse/config/yaml"
  version     = "1.0.2"

  map_config_local_base_path = "./catalog"
  map_config_paths           = ["./catalog/warn.yaml"]
}

module "cloudtrail_api_alarms_warn" {
  source  = "cloudposse/cloudtrail-cloudwatch-alarms/aws"
  version     = "0.14.3"

  log_group_name  = "/cloudtrail/org"
  metrics         = module.metric_configs_warn.map_configs
  name            = "warn"
  sns_topic_arn   = "arn:aws:sns:${var.aws_region}:${data.aws_caller_identity.current.account_id}:${var.sns_topic_warn}"
}

Describe Ideal Solution

This looks to be accomplished by prefixing either or both of these label attributes with var.name:

module "sns_kms_key_label" {
  source  = "cloudposse/label/null"
  version = "0.25.0"
  count   = local.create_kms_key ? 1 : 0

  attributes = ["${var.name}-sns"]
  context    = module.this.context
}

module "aws_sns_topic_label" {
  source  = "cloudposse/label/null"
  version = "0.25.0"

  attributes = ["${var.name}-cloudtrail-breach"]
  context    = module.this.context
}

Alternatives Considered

A more complicated option is to have the SNS topic be part of the yaml file. See the last entry, "alarm_sns_topic":

#CloudWatch.1 – Ensure a log metric filter and alarm exist for usage of "root" account
use-of-root-account-count:
  metric_name: "UseOfRootAccountCount"
  filter_pattern:
    '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}'
  metric_namespace: "CISBenchmark"
  alarm_description: "Alarms when root credentials are used."
  metric_value: "1"
  alarm_name: "RootAccountUsed"
  alarm_comparison_operator: "GreaterThanOrEqualToThreshold"
  alarm_evaluation_periods: "1"
  alarm_period: "86400"
  alarm_statistic: "Sum"
  alarm_treat_missing_data: "notBreaching"
  alarm_threshold: "1"
  alarm_sns_topic: "info"

The problem with this is that it's not an ARN, and I'm not sure if you want to do something like the below:
sns_topic_arn = "arn:aws:sns:${var.aws_region}:${data.aws_caller_identity.current.account_id}:${var.alarm_sns_topic}"

Additional Context

No response
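The following is an added example written for this page; it is not part of the issue above and not code from the cloudposse module. It works through the two design points the issue raises: resolving a per-alarm `alarm_sns_topic` short name from the YAML catalog to a full SNS ARN (the `arn:aws:sns:${region}:${account}:${topic}` interpolation the issue sketches) while rejecting names that are not in an allow-list, and deriving the KMS alias name per module instance with and without the `var.name` prefix the issue proposes, so the `alias/CloudTrailBreach-sns` collision from the error output is reproduced and then resolved. The catalog entries, the `info`/`warn` topic allow-list, the account ID and the simplified label join (base name plus attributes, joined with `-`) are all constructed assumptions, not the module's actual logic.

```python
"""Added example: per-alarm SNS topic routing and per-instance KMS alias naming.

Not part of the GitHub issue or the cloudposse module; all sample data below is
constructed for illustration.
"""
import re

# Constructed sample: trimmed catalog entries as dicts (no YAML parser needed).
# The first entry mirrors the issue's "use-of-root-account-count"; the other two
# are hypothetical, one of them with a misspelled topic name.
SAMPLE_CATALOG = {
    "use-of-root-account-count": {
        "alarm_name": "RootAccountUsed",
        "alarm_sns_topic": "warn",
    },
    "console-signin-failure-count": {  # hypothetical second alarm
        "alarm_name": "ConsoleSigninFailures",
        "alarm_sns_topic": "info",
    },
    "typo-alarm": {  # hypothetical: topic name misspelled in the catalog
        "alarm_name": "Typo",
        "alarm_sns_topic": "wran",
    },
}

# Constructed allow-list of topic short names a deployment may route to
# (stands in for var.sns_topic_info / var.sns_topic_warn from the issue).
ALLOWED_TOPICS = {"info", "warn"}

# Shape check for the ARN we build: partition aws, 12-digit account, topic name.
SNS_ARN_RE = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]{1,256}$")


def sns_topic_arn(region: str, account_id: str, topic_name: str) -> str:
    """Build the SNS ARN the issue sketches, refusing unknown or malformed input."""
    if topic_name not in ALLOWED_TOPICS:
        raise ValueError(
            f"unknown alarm_sns_topic {topic_name!r}; allowed: {sorted(ALLOWED_TOPICS)}"
        )
    arn = f"arn:aws:sns:{region}:{account_id}:{topic_name}"
    if not SNS_ARN_RE.match(arn):
        raise ValueError(f"malformed SNS ARN {arn!r}")
    return arn


def route_catalog(catalog: dict, region: str, account_id: str):
    """Resolve every alarm's topic; collect per-alarm errors instead of failing fast."""
    routed, errors = {}, {}
    for key, alarm in catalog.items():
        try:
            routed[key] = sns_topic_arn(region, account_id, alarm["alarm_sns_topic"])
        except (KeyError, ValueError) as exc:
            errors[key] = str(exc)
    return routed, errors


def kms_alias_names(instance_names, base="CloudTrailBreach", prefix_with_name=True):
    """Alias name per module instance.

    Simplified label join (assumption): base name plus attributes joined by '-'.
    prefix_with_name=False reproduces the fixed attribute ["sns"] and thus the
    AlreadyExistsException from the issue; True applies the proposed
    ["${var.name}-sns"] attribute.
    """
    aliases = []
    for inst in instance_names:
        attrs = [f"{inst}-sns"] if prefix_with_name else ["sns"]
        aliases.append("alias/" + "-".join([base, *attrs]))
    return aliases


def has_duplicates(names) -> bool:
    """True when two module instances would try to create the same alias."""
    return len(set(names)) != len(names)


if __name__ == "__main__":
    routed, errors = route_catalog(SAMPLE_CATALOG, "us-east-1", "123456789012")
    for key, arn in routed.items():
        print(f"{key}: {arn}")
    for key, err in errors.items():
        print(f"{key}: REJECTED ({err})")
    for flag in (False, True):
        names = kms_alias_names(["info", "warn"], prefix_with_name=flag)
        print(f"prefix_with_name={flag}: {names} duplicates={has_duplicates(names)}")
```

Running it routes the two well-formed alarms, rejects the misspelled `wran` entry with a message naming the allowed topics, and prints the same `alias/CloudTrailBreach-sns` twice for the unprefixed case before showing the distinct `-info-sns` / `-warn-sns` aliases the proposed label change would yield.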
