AWS Certificate Manager - Reminder for expiring certificates

Sometimes you have to import certificates into ACM manually. ACM does not renew imported certificates for you, so it is important to renew them yourself before they expire. This article describes how to set up, in Terraform, an e-mail notification about expiring certificates that is triggered several times before the expiration date, so there is enough time to renew.

By default, ACM sends the first expiration event to Amazon EventBridge 45 days before a certificate expires, and then one event per day until the certificate is renewed or expires. This default value can be adjusted in ACM -> Manage expiry events -> Days to expire.

To catch those events in EventBridge, we create an EventBridge rule that matches them and an SNS topic that the rule delivers to; the SNS topic has to exist before the rule target can reference it.

EventBridge rule

In our case we want to be informed three times:

  • 45 days before expiration
  • 30 days before expiration
  • 15 days before expiration

I set up the following code in a Terraform module. The days on which a notification is sent are configurable via the variable var.days_to_expiry in line 15, which is set to [45, 30, 15]. Since ACM emits one event per day, the rule only matches the events whose DaysToExpiry value is in that list; all other daily events are ignored.

 1  resource "aws_cloudwatch_event_rule" "acm_expiration" {
 2    name        = "acm-expirations"
 3    description = "ACM Certificate Approaching Expiration"
 4
 5    # match only ACM expiration events whose DaysToExpiry is one of the configured values
 6    event_pattern = jsonencode(
 7      {
 8        "source" : [
 9          "aws.acm"
10        ],
11        "detail-type" : [
12          "ACM Certificate Approaching Expiration"
13        ],
14        "detail" : {
15          "DaysToExpiry" : var.days_to_expiry
16        }
17      }
18    )
19  }

E-Mail formatting / SNS

In the Terraform resource aws_cloudwatch_event_target we connect our event rule to an existing SNS topic and use the input_transformer to turn the raw event into a more readable e-mail.

resource "aws_cloudwatch_event_target" "imported_findings" {
  rule = aws_cloudwatch_event_rule.acm_expiration.name
  arn  = module.sns_topic_acm_expiration.arn

  input_transformer {
    # pick the fields from the event that should appear in the e-mail
    input_paths = {
      "ID" : "$.id",
      "Type" : "$.detail-type",
      "Account" : "$.account",
      "DaysToExpiry" : "$.detail.DaysToExpiry",
      "CommonName" : "$.detail.CommonName",
    }
    # each line of the e-mail body is a quoted string; <Name> is replaced with the value from input_paths
    input_template = "\"Certificate: Expiration Approaching\"\n\n\n\"ID: <ID>\"\n\"Type: <Type>\"\n\"Account: <Account>\"\n\"DaysToExpiry: <DaysToExpiry>\"\n\"Certificate: <CommonName>\"\n"
  }
}
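The target above points at module.sns_topic_acm_expiration, which the article does not show. The following is an added example, not the author's module, of what that topic needs so that EventBridge can actually deliver to it: the topic itself, a topic policy that grants sns:Publish to the events.amazonaws.com service principal (without it the rule records failed invocations and no mail is sent), an e-mail subscription, and a declaration of the days_to_expiry variable the rule reads. The resource names, var.notification_email and the aws:SourceArn condition are assumptions; the condition scopes the grant to the rule defined above and can be removed if you prefer the plain service-principal grant.

```hcl
# Added example, not part of the original article. Assumed names:
# aws_sns_topic.acm_expiration, var.notification_email.

variable "days_to_expiry" {
  description = "Days-before-expiry values that trigger a notification"
  type        = list(number)
  default     = [45, 30, 15]

  validation {
    # ACM only emits events from the account's "Days to expire" setting
    # (45 by default) downwards, so larger values would never match.
    condition     = alltrue([for d in var.days_to_expiry : d >= 1 && d <= 45])
    error_message = "Each value must be between 1 and 45 days."
  }
}

variable "notification_email" {
  description = "Address that receives the expiry reminders"
  type        = string
}

resource "aws_sns_topic" "acm_expiration" {
  name = "acm-expiration"
}

# The topic policy is what allows EventBridge to publish; the rule target
# alone grants nothing.
data "aws_iam_policy_document" "allow_eventbridge_publish" {
  statement {
    sid       = "AllowEventBridgePublish"
    effect    = "Allow"
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.acm_expiration.arn]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    # Assumption: scope the grant to this one rule instead of any rule in
    # the account; remove this block for the plain service-principal grant.
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.acm_expiration.arn]
    }
  }
}

resource "aws_sns_topic_policy" "acm_expiration" {
  arn    = aws_sns_topic.acm_expiration.arn
  policy = data.aws_iam_policy_document.allow_eventbridge_publish.json
}

# E-mail subscriptions stay "pending confirmation" until the link in the
# confirmation mail is clicked; Terraform cannot confirm them for you.
resource "aws_sns_topic_subscription" "acm_expiration_email" {
  topic_arn = aws_sns_topic.acm_expiration.arn
  protocol  = "email"
  endpoint  = var.notification_email
}
```

To use this instead of a separate module, point the target's arn at aws_sns_topic.acm_expiration.arn. The variable validation catches a value above the account's expiry-event setting at plan time, which otherwise shows up only as a reminder that never arrives.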

That is all you need for ACM expiration monitoring: quick and simple.

If you want to customize the e-mail further, this is the full event fired by AWS (with placeholder values for id, account and region):

{
  "version": "0",
  "id": "id",
  "detail-type": "ACM Certificate Approaching Expiration",
  "source": "aws.acm",
  "account": "account",
  "time": "2020-09-30T06:51:08Z",
  "region": "region",
  "resources": [
    "arn:aws:acm:region:account:certificate/certificate_ID"
  ],
  "detail": {
    "DaysToExpiry": 31,
    "CommonName": "example.com"
  }
}