sms-notify.tf

+# vi: ft=tf
+
 variable "messagebird_access_key" {
   description = "MessageBird API access key."
   sensitive   = true
 }
 
-# It would have been nicer to buy the phone number with Terraform and the
-# Twilio provider. unfortunately the sign up for the provider is closed right
-# now. So instead the friendly name, that's something.
-variable "twilio_from_number" {
-  default     = "AmILive"
-  description = "Twilio from phone number."
+variable "send_sms_notifications" {
+  default     = true
+  description = "Whether or not to send SMS notifications."
+  type        = bool
+}
+
+output "send_sms_notifications" {
+  description = "Whether or not to send SMS notifications."
+  value       = var.send_sms_notifications
+}
+
+resource "aws_ssm_parameter" "send_sms_notifications" {
+  name  = "${local.module}/${local.env}/send_sms_notifications"
+  type  = "String"
+  value = tostring(var.send_sms_notifications)
 }
 
 resource "aws_lambda_function" "sms_notify" {
@@ -18,26 +29,27 @@ resource "aws_lambda_function" "sms_notify" {
   # checkov:skip=CKV_AWS_173
   runtime                        = var.runtime
   function_name                  = "${local.function_name_prefix}-sms-notify"
-  role                           = local.lambda_role_arn
+  role                           = aws_iam_role.sms_notify.arn
   source_code_hash               = filebase64sha256("payload.zip")
   s3_bucket                      = local.payloads_bucket_name
   s3_key                         = local.payload_object_name
   s3_object_version              = local.payload_object_version
   package_type                   = "Zip"
   handler                        = "sms_notify.handler"
-  description                    = "Send SMS message notification using Twilio."
+  description                    = "Send SMS message notification using MessageBird."
   memory_size                    = var.memory_size
   reserved_concurrent_executions = -1
   timeout                        = var.timeout
 
   environment {
     variables = {
-      ENV                = local.env
-      MODULE             = local.module
-      TOPIC_ARN          = local.topic_arn
-      VERSION            = local.payload_object_version
-      MSGBIRD_ACCESS_KEY = var.messagebird_access_key
-      TO_NUMBER          = local.my_phone_number
+      ENV                          = local.env
+      MODULE                       = local.module
+      TOPIC_ARN                    = local.topic_arn
+      VERSION                      = local.payload_object_version
+      MSGBIRD_ACCESS_KEY           = var.messagebird_access_key
+      TO_NUMBER                    = local.my_phone_number
+      SEND_SMS_NOTIFICATIONS_PARAM = aws_ssm_parameter.send_sms_notifications.name
     }
   }
 
@@ -138,28 +150,56 @@ data "aws_iam_policy_document" "sms_notify" {
 
     resources = [local.sms_notify_log_group_arn, ]
   }
+
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "ssm:GetParametersByPath",
+    ]
+
+    resources = [aws_ssm_parameter.send_sms_notifications.arn]
+  }
 }
 
 locals {
   sms_notify_log_policy_doc = data.aws_iam_policy_document.sms_notify.json
 }
 
-resource "aws_iam_policy" "sms_notify_log" {
-  name   = "${local.module}-${local.env}-sms-notify-log"
+resource "aws_iam_policy" "sms_notify" {
+  name   = "${local.module}-${local.env}-sms-notify"
   policy = local.sms_notify_log_policy_doc
 }
 
 locals {
-  sms_notify_log_policy_arn  = aws_iam_policy.log.arn
-  sms_notify_log_policy_name = aws_iam_policy.log.name
+  sms_notify_policy_arn  = aws_iam_policy.log.arn
+  sms_notify_policy_name = aws_iam_policy.log.name
+}
+
+output "sms_notify_policy_arn" {
+  value       = local.sms_notify_policy_arn
+  description = "AM policy for SMS notifications ARN."
+}
+
+output "sms_notify_policy_name" {
+  value       = local.sms_notify_policy_name
+  description = "IAM policy for SMS notifications name."
+}
+
+resource "aws_iam_role" "sms_notify" {
+  name               = "${local.name}-sms-notify"
+  assume_role_policy = local.lambda_assume_policy_doc
 }
 
-output "sms_notify_log_policy_arn" {
-  value       = local.sms_notify_log_policy_arn
-  description = "CloudWatch log IAM policy for SMS notifications ARN."
+locals {
+  sms_notify_policies = [
+    local.sms_notify_policy_arn,
+    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+  ]
 }
 
-output "sms_notify_log_policy_name" {
-  value       = local.sms_notify_log_policy_name
-  description = "CloudWatch log IAM policy for SMS notifications name."
+resource "aws_iam_role_policy_attachment" "sms_notify" {
+  count      = length(local.sms_notify_policies)
+  role       = aws_iam_role.sms_notify.name
+  policy_arn = local.sms_notify_policies[count.index]
 }

src/sms_notify.py

 import os
+import boto3  # pylint: disable=import-error
 import messagebird  # pylint: disable=import-error
 
 
@@ -6,8 +7,24 @@ MSGBIRD_ACCESS_KEY = os.environ["MSGBIRD_ACCESS_KEY"]
 TO_NUMBER = os.environ["TO_NUMBER"]
 
 
+def send_notifications():
+    """Check if sending SMSes is enabled."""
+    try:
+        param_path = os.environ["SEND_SMS_NOTIFICATIONS_PARAM"]
+        client = boto3.client("ssm")
+        param = client.get_parameters_by_path(
+            Path=param_path, recursive=False, WithDecryption=False
+        )["Parameters"][0]
+        return param["Value"].tolower == "true"
+    except Exception:  # pylint: disable=broad-except
+        return True
+
+
 # pylint: disable=unused-argument
 def handler(event, context):
+    if not send_notifications():
+        print("Sending notification is disabled.")
+        return
     message = event["Records"][0]["Sns"]["Message"]
     client = messagebird.Client(MSGBIRD_ACCESS_KEY)
     client.message_create(