From a42f5ae7ec9793a6e0b597df39616411dfb2a7f0 Mon Sep 17 00:00:00 2001
From: jakebark
Date: Thu, 17 Jul 2025 06:35:35 +0100
Subject: [PATCH] add sns notifications

---
 README.md | 9 +++++++++
 codepipeline.tf | 13 +++++++++++--
 docs/optional_inputs.md | 2 ++
 variables.tf | 10 ++++++++++
 4 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 95c00fa..e57fd8e 100644
--- a/README.md
+++ b/README.md
@@ -97,6 +97,15 @@ module "pipeline" {
 security_group_ids = ["sg-001abcd2233ee4455"],
 }
 
+ notifications = {
+ sns_topic = aws_sns_topic.this.arn
+ detail_type = "BASIC"
+ events = [
+ "codepipeline-pipeline-pipeline-execution-failed",
+ "codepipeline-pipeline-pipeline-execution-succeeded"
+ ]
+ }
+
 tags = join(",", [
 "Environment[Dev,Prod]",
 "Source"
diff --git a/codepipeline.tf b/codepipeline.tf
index 5572842..e9360d1 100644
--- a/codepipeline.tf
+++ b/codepipeline.tf
@@ -150,12 +150,10 @@ data "aws_iam_policy_document" "codepipeline_assume" {
 statement {
 effect = "Allow"
 actions = ["sts:AssumeRole"]
-
 principals {
 type = "Service"
 identifiers = ["codepipeline.amazonaws.com"]
 }
-
 condition {
 test = "StringEquals"
 variable = "aws:SourceArn"
@@ -217,5 +215,16 @@ data "aws_iam_policy_document" "codepipeline" {
 "arn:aws:codebuild:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:project/${var.pipeline_name}-*"
 ]
 }
+}
 
+resource "aws_codestarnotifications_notification_rule" "this" {
+ count = var.notifications != null ? 1 : 0
+ name = var.pipeline_name
+ detail_type = var.notifications["detail_type"]
+ event_type_ids = var.notifications["events"]
+ resource = aws_codepipeline.this.arn
+
+ target {
+ address = var.notifications["sns_topic"]
+ }
 }
diff --git a/docs/optional_inputs.md b/docs/optional_inputs.md
index 0e6260b..61f407e 100644
--- a/docs/optional_inputs.md
+++ b/docs/optional_inputs.md
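Review bot: The new notification rule publishes to whatever topic the caller supplies in `var.notifications["sns_topic"]`, and nothing in the module ties that topic's policy to this account, so the `SNS:Publish` grant to `codestar-notifications.amazonaws.com` that the docs require should be scoped with a condition on `aws:SourceAccount` (the form the AWS notification-target guidance shows) or `aws:SourceArn`, in the same spirit as the `aws:SourceArn` condition the assume-role policy earlier in this file already applies. That is a consumer-side requirement, so it belongs next to the `target` block as a comment, e.g. `# topic policy should limit codestar-notifications.amazonaws.com publish to this account (aws:SourceAccount/aws:SourceArn)`, and in docs/optional_inputs.md. As a point of style, `var.notifications` is declared as an object in variables.tf, so `var.notifications.detail_type`, `.events` and `.sns_topic` attribute syntax is the conventional form here rather than index lookups. The `detail_type` value is passed through unvalidated; see the note on variables.tf.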
@@ -24,6 +24,8 @@
 
 `vpc` configures the CodeBuild projects to [run in a VPC](https://docs.aws.amazon.com/codebuild/latest/userguide/vpc-support.html).
 
+`notifications` creates a [CodeStar notification](https://docs.aws.amazon.com/dtconsole/latest/userguide/welcome.html) for the pipeline. `sns_topic` is the SNS topic arn. `events` are the [notification events](https://docs.aws.amazon.com/dtconsole/latest/userguide/concepts.html#events-ref-pipeline). `detail_type` is either BASIC or FULL. The SNS topic must allow [codestar-notifications.amazonaws.com to publush to the topic](https://docs.aws.amazon.com/dtconsole/latest/userguide/notification-target-create.html).
+
 `tags` enables tag validation with [tag-nag](https://github.com/jakebark/tag-nag). Input a list of tag keys and/or tag keys and values to enforce. Input must be passed as a string, see [commands](https://github.com/jakebark/tag-nag?tab=readme-ov-file#commands).
 
 `tagnag_version` controls the [tag-nag](https://github.com/jakebark/tag-nag) version. It defaults to 0.5.8.
diff --git a/variables.tf b/variables.tf
index 10f560a..d08852e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -94,6 +94,16 @@ variable "mode" {
 }
 }
 
+variable "notifications" {
+ description = "SNS notification configuration"
+ type = object({
+ sns_topic = string
+ events = list(string)
+ detail_type = string
+ })
+ default = null
+}
+
 variable "tags" {
 description = "tags to check for"
 type = string
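Review bot: `detail_type` is typed as a bare `string` although docs/optional_inputs.md in this same commit states it must be BASIC or FULL, so a wrong value is only reported against the notification rule resource at plan or apply time rather than at the variable boundary where the caller set it; a `validation` block on the variable catches it there. The `mode` variable just above appears to close a nested block, possibly a validation block, so the pattern may already be in use in this file. The `description` could also name the attributes, e.g. `description = "CodeStar notification rule for the pipeline: sns_topic (topic ARN), events (event type ids), detail_type (BASIC or FULL); null disables"`. The `try()` below keeps the condition safe when the variable is null regardless of operator short-circuiting.
```hcl
variable "notifications" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.notifications == null || contains(["BASIC", "FULL"], try(var.notifications.detail_type, ""))
    error_message = "notifications.detail_type must be BASIC or FULL."
  }
}
```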