Add optional bucket/report creation and SNS support to source module

- Add create_bucket toggle to skip S3 bucket creation for existing buckets
- Add create_report toggle to skip CUR report definition for existing reports
- Add use_sns option for SNS-based notifications instead of direct Lambda
- Add sns_topic_name, sns_subscriber_arns, cur_s3_prefix variables
- Add sns_topic_arn output
- Update README with new inputs/outputs and usage example

Author: stepanclb

README.md

@@ -2,14 +2,14 @@
 
 Multi-account AWS Cost and Usage Report (CUR) aggregation and analysis. This module provides two submodules:
 
-- **`modules/source`** - Deployed in each source AWS account. Creates CUR report definition, S3 bucket, and event notification to forward reports to the target account.
+- **`modules/source`** - Deployed in each source AWS account. Optionally creates CUR report definition, S3 bucket, and event notification (direct Lambda or SNS) to forward reports to the target account.
 - **`modules/target`** - Deployed in the central/target AWS account. Aggregates CUR reports from multiple source accounts using a Lambda function, with optional Athena/Glue analysis and IAM access management.
 
 ## Architecture
 
 ```
 ┌─────────────────────┐     ┌─────────────────────┐
-│  Source Account A    │     │  Source Account B    │
+│  Source Account A   │     │  Source Account B   │
 │                     │     │                     │
 │  CUR Report → S3    │     │  CUR Report → S3    │
 │       │             │     │       │             │
@@ -74,9 +74,34 @@ module "cur_source" {
 }
 ```
 
+### 3. Source module with existing bucket and SNS
+
+```terraform
+module "cur_source" {
+  source = "cookielab/cost-reporting/aws//modules/source"
+
+  providers = {
+    aws.us_east_1 = aws.us_east_1
+  }
+
+  create_bucket = false
+  create_report = false
+  s3_bucket_name = "my-existing-cur-bucket"
+
+  use_sns             = true
+  sns_subscriber_arns = ["arn:aws:iam::000000000000:root"]
+
+  lambda_function_role_arn = "arn:aws:iam::000000000000:role/cur-forwarder-role"
+}
+```
+
 ## Source Module
 
-Creates AWS CUR report definition and S3 bucket in a source account, with cross-account access for the target Lambda.
+Creates AWS CUR report definition and S3 bucket in a source account, with cross-account access for the target Lambda. Both bucket and report creation are optional for accounts that already have them configured.
+
+Supports two notification modes:
+- **Direct Lambda** (default) - S3 event triggers Lambda directly
+- **SNS** (`use_sns = true`) - S3 event publishes to SNS topic, target Lambda subscribes
 
 ### Requirements
 
@@ -89,13 +114,19 @@ Creates AWS CUR report definition and S3 bucket in a source account, with cross-
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| lambda_function_arn | ARN of the Lambda function in the target account | `string` | n/a | yes |
+| create_bucket | Whether to create a new S3 bucket or use existing | `bool` | `true` | no |
+| create_report | Whether to create a new CUR report definition | `bool` | `true` | no |
+| lambda_function_arn | ARN of the Lambda function (required when `use_sns = false`) | `string` | `""` | no |
 | lambda_function_role_arn | ARN of the IAM role for the Lambda function (for bucket policy) | `string` | n/a | yes |
+| use_sns | Use SNS topic instead of direct Lambda invocation | `bool` | `false` | no |
+| sns_topic_name | SNS topic name (defaults to `cur-notifications-{account_id}`) | `string` | `null` | no |
+| sns_subscriber_arns | ARNs allowed to subscribe to the SNS topic | `list(string)` | `[]` | no |
 | s3_bucket_name | S3 bucket name (defaults to `cur-csv-{account_id}`) | `string` | `null` | no |
+| s3_bucket_lifecycle | S3 lifecycle transitions (only when `create_bucket = true`) | `object` | `{transition_to_ia_days=90, transition_to_glacier_days=180}` | no |
 | cur_time_unit | Time unit for CUR report (`HOURLY` or `DAILY`) | `string` | `"HOURLY"` | no |
 | cur_format | Report format (`textORcsv` or `Parquet`) | `string` | `"textORcsv"` | no |
 | cur_compression | Compression (`GZIP`, `ZIP`, or `Parquet`) | `string` | `"GZIP"` | no |
-| s3_bucket_lifecycle | S3 lifecycle transitions | `object` | `{transition_to_ia_days=90, transition_to_glacier_days=180}` | no |
+| cur_s3_prefix | S3 prefix for existing CUR report (only when `create_report = false`) | `string` | `"cur-reports"` | no |
 | tags | Tags to apply to resources | `map(string)` | `{}` | no |
 
 ### Outputs
@@ -105,9 +136,10 @@ Creates AWS CUR report definition and S3 bucket in a source account, with cross-
 | bucket_id | ID of the CUR S3 bucket |
 | bucket_arn | ARN of the CUR S3 bucket |
 | bucket_name | Name of the CUR S3 bucket |
-| cur_report_name | Name of the CUR report |
+| cur_report_name | Name of the CUR report (null if `create_report = false`) |
 | cur_prefix | S3 prefix where CUR reports are stored |
 | account_id | AWS Account ID |
+| sns_topic_arn | ARN of the SNS topic (null if `use_sns = false`) |
 
 ## Target Module
 

modules/source/main.tf

@@ -8,68 +8,79 @@ data "aws_region" "current" {}
 locals {
   bucket_name = coalesce(var.s3_bucket_name, "cur-csv-${data.aws_caller_identity.current.account_id}")
   bucket_arn  = "arn:aws:s3:::${local.bucket_name}"
+  bucket_id   = var.create_bucket ? module.cur_bucket[0].s3_bucket_id : local.bucket_name
+
+  cur_s3_prefix = var.create_report ? aws_cur_report_definition.this[0].s3_prefix : var.cur_s3_prefix
+
+  sns_topic_name = coalesce(var.sns_topic_name, "cur-notifications-${data.aws_caller_identity.current.account_id}")
 }
 
 # =============================================================================
 # IAM Policy Documents
 # =============================================================================
 
-# Policy for AWS Billing service to write CUR reports + Lambda to read
+# Bucket policy: Billing service write + Lambda cross-account read
 data "aws_iam_policy_document" "bucket_policy" {
   # Allow AWS Billing service to check bucket ACL
-  statement {
-    sid    = "AllowBillingGetBucketAcl"
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["billingreports.amazonaws.com"]
-    }
+  dynamic "statement" {
+    for_each = var.create_report ? [1] : []
+    content {
+      sid    = "AllowBillingGetBucketAcl"
+      effect = "Allow"
+
+      principals {
+        type        = "Service"
+        identifiers = ["billingreports.amazonaws.com"]
+      }
 
-    actions = [
-      "s3:GetBucketAcl",
-      "s3:GetBucketPolicy"
-    ]
+      actions = [
+        "s3:GetBucketAcl",
+        "s3:GetBucketPolicy"
+      ]
 
-    resources = [local.bucket_arn]
+      resources = [local.bucket_arn]
 
-    condition {
-      test     = "StringEquals"
-      variable = "aws:SourceArn"
-      values   = [aws_cur_report_definition.this.arn]
-    }
+      condition {
+        test     = "StringEquals"
+        variable = "aws:SourceArn"
+        values   = [aws_cur_report_definition.this[0].arn]
+      }
 
-    condition {
-      test     = "StringEquals"
-      variable = "aws:SourceAccount"
-      values   = [data.aws_caller_identity.current.account_id]
+      condition {
+        test     = "StringEquals"
+        variable = "aws:SourceAccount"
+        values   = [data.aws_caller_identity.current.account_id]
+      }
     }
   }
 
   # Allow AWS Billing service to write CUR reports
-  statement {
-    sid    = "AllowBillingPutObject"
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["billingreports.amazonaws.com"]
-    }
+  dynamic "statement" {
+    for_each = var.create_report ? [1] : []
+    content {
+      sid    = "AllowBillingPutObject"
+      effect = "Allow"
+
+      principals {
+        type        = "Service"
+        identifiers = ["billingreports.amazonaws.com"]
+      }
 
-    actions = ["s3:PutObject"]
+      actions = ["s3:PutObject"]
 
-    resources = ["${local.bucket_arn}/*"]
+      resources = ["${local.bucket_arn}/*"]
 
-    condition {
-      test     = "StringEquals"
-      variable = "aws:SourceArn"
-      values   = [aws_cur_report_definition.this.arn]
-    }
+      condition {
+        test     = "StringEquals"
+        variable = "aws:SourceArn"
+        values   = [aws_cur_report_definition.this[0].arn]
+      }
 
-    condition {
-      test     = "StringEquals"
-      variable = "aws:SourceAccount"
-      values   = [data.aws_caller_identity.current.account_id]
+      condition {
+        test     = "StringEquals"
+        variable = "aws:SourceAccount"
+        values   = [data.aws_caller_identity.current.account_id]
+      }
     }
   }
 
@@ -97,13 +108,15 @@ data "aws_iam_policy_document" "bucket_policy" {
 }
 
 # =============================================================================
-# S3 Bucket for CUR reports
+# S3 Bucket for CUR reports (optional)
 # =============================================================================
 
 module "cur_bucket" {
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "4.11.0"
 
+  count = var.create_bucket ? 1 : 0
+
   bucket = local.bucket_name
 
   versioning = {
@@ -168,19 +181,28 @@ module "cur_bucket" {
   })
 }
 
+# Attach bucket policy to existing bucket (when create_bucket = false)
+resource "aws_s3_bucket_policy" "existing" {
+  count = var.create_bucket ? 0 : 1
+
+  bucket = local.bucket_name
+  policy = data.aws_iam_policy_document.bucket_policy.json
+}
+
 # =============================================================================
-# CUR Report Definition (must be in us-east-1)
+# CUR Report Definition (optional, must be in us-east-1)
 # =============================================================================
 
 resource "aws_cur_report_definition" "this" {
+  count    = var.create_report ? 1 : 0
   provider = aws.us_east_1
 
   report_name                = "${lower(var.cur_time_unit)}-cur-${lower(var.cur_format)}-${data.aws_caller_identity.current.account_id}"
   time_unit                  = var.cur_time_unit
   format                     = var.cur_format
   compression                = var.cur_compression
   additional_schema_elements = ["RESOURCES", "SPLIT_COST_ALLOCATION_DATA"]
-  s3_bucket                  = module.cur_bucket.s3_bucket_id
+  s3_bucket                  = local.bucket_id
   s3_region                  = data.aws_region.current.name
   s3_prefix                  = "cur-reports"
 
@@ -191,16 +213,102 @@ resource "aws_cur_report_definition" "this" {
 }
 
 # =============================================================================
-# S3 Event Notification to invoke Lambda in target account
+# SNS Topic for CUR notifications (optional)
+# =============================================================================
+
+resource "aws_sns_topic" "cur" {
+  count = var.use_sns ? 1 : 0
+
+  name = local.sns_topic_name
+
+  tags = merge(var.tags, {
+    Name    = "CUR Notifications"
+    Purpose = "S3 event notifications for CUR reports"
+  })
+}
+
+data "aws_iam_policy_document" "sns_topic_policy" {
+  count = var.use_sns ? 1 : 0
+
+  # Allow S3 to publish to SNS
+  statement {
+    sid    = "AllowS3Publish"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["s3.amazonaws.com"]
+    }
+
+    actions   = ["SNS:Publish"]
+    resources = [aws_sns_topic.cur[0].arn]
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = [local.bucket_arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+  }
+
+  # Allow target account Lambda/SQS to subscribe
+  dynamic "statement" {
+    for_each = length(var.sns_subscriber_arns) > 0 ? [1] : []
+    content {
+      sid    = "AllowCrossAccountSubscribe"
+      effect = "Allow"
+
+      principals {
+        type        = "AWS"
+        identifiers = var.sns_subscriber_arns
+      }
+
+      actions = [
+        "SNS:Subscribe",
+        "SNS:Receive"
+      ]
+
+      resources = [aws_sns_topic.cur[0].arn]
+    }
+  }
+}
+
+resource "aws_sns_topic_policy" "cur" {
+  count = var.use_sns ? 1 : 0
+
+  arn    = aws_sns_topic.cur[0].arn
+  policy = data.aws_iam_policy_document.sns_topic_policy[0].json
+}
+
+# =============================================================================
+# S3 Event Notification
 # =============================================================================
-# Note: Lambda permission is managed in the target module
 
 resource "aws_s3_bucket_notification" "cur" {
-  bucket = module.cur_bucket.s3_bucket_id
+  bucket = local.bucket_id
+
+  # Direct Lambda invocation
+  dynamic "lambda_function" {
+    for_each = var.use_sns ? [] : [1]
+    content {
+      lambda_function_arn = var.lambda_function_arn
+      events              = ["s3:ObjectCreated:*"]
+      filter_prefix       = "${local.cur_s3_prefix}/"
+    }
+  }
 
-  lambda_function {
-    lambda_function_arn = var.lambda_function_arn
-    events              = ["s3:ObjectCreated:*"]
-    filter_prefix       = "${aws_cur_report_definition.this.s3_prefix}/"
+  # SNS notification
+  dynamic "topic" {
+    for_each = var.use_sns ? [1] : []
+    content {
+      topic_arn     = aws_sns_topic.cur[0].arn
+      events        = ["s3:ObjectCreated:*"]
+      filter_prefix = "${local.cur_s3_prefix}/"
+    }
   }
 }