Clone SNS Topic

stevebux · stevebux · commit 4f83cfeba8fd · 2026-01-16T09:05:22.000Z
diff --git a/infrastructure/terraform/components/api/module_sqs_letter_updates.tf b/infrastructure/terraform/components/api/module_sqs_letter_updates.tf
@@ -65,7 +65,10 @@ data "aws_iam_policy_document" "letter_updates_queue_policy" {
     condition {
       test     = "ArnEquals"
       variable = "aws:SourceArn"
-      values   = [module.eventsub.sns_topic.arn]
+      values   = [
+        module.eventsub.sns_topic.arn,
+        module.eventsub.sns_topic_clone.arn
+      ]
     }
   }
 }
diff --git a/infrastructure/terraform/components/api/sns_topic_subscription_eventsub_sqs_letter_updates.tf b/infrastructure/terraform/components/api/sns_topic_subscription_eventsub_sqs_letter_updates.tf
@@ -3,3 +3,9 @@ resource "aws_sns_topic_subscription" "eventsub_sqs_letter_updates" {
   protocol  = "sqs"
   endpoint  = module.sqs_letter_updates.sqs_queue_arn
 }
+
+resource "aws_sns_topic_subscription" "eventsub_sqs_letter_updates_clone" {
+  topic_arn = module.eventsub.sns_topic_clone.arn
+  protocol  = "sqs"
+  endpoint  = module.sqs_letter_updates.sqs_queue_arn
+}
diff --git a/infrastructure/terraform/modules/eventsub/README.md b/infrastructure/terraform/modules/eventsub/README.md
@@ -41,6 +41,7 @@
 |------|-------------|
 | <a name="output_s3_bucket_event_cache"></a> [s3\_bucket\_event\_cache](#output\_s3\_bucket\_event\_cache) | S3 Bucket ARN and Name for event cache |
 | <a name="output_sns_topic"></a> [sns\_topic](#output\_sns\_topic) | SNS Topic ARN and Name |
+| <a name="output_sns_topic_clone"></a> [sns\_topic\_clone](#output\_sns\_topic\_clone) | SNS Topic ARN and Name |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
diff --git a/infrastructure/terraform/modules/eventsub/cloudwatch_metric_alarm_sns_delivery_failures.tf b/infrastructure/terraform/modules/eventsub/cloudwatch_metric_alarm_sns_delivery_failures.tf
@@ -11,6 +11,23 @@ resource "aws_cloudwatch_metric_alarm" "sns_delivery_failures" {
   treat_missing_data  = "notBreaching"
 
   dimensions = {
-    TopicName = aws_sns_topic.main.name
+    TopicName = aws_sns_topic.main_orig.name
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "sns_delivery_failures_clone" {
+  alarm_name          = "${local.csi}-sns-delivery-failures"
+  alarm_description   = "RELIABILITY: Alarm for SNS topic delivery failures"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "NumberOfNotificationsFailed"
+  namespace           = "AWS/SNS"
+  period              = 300
+  statistic           = "Sum"
+  threshold           = 0
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    TopicName = aws_sns_topic.main_clone.name
   }
 }
diff --git a/infrastructure/terraform/modules/eventsub/outputs.tf b/infrastructure/terraform/modules/eventsub/outputs.tf
@@ -1,8 +1,16 @@
 output "sns_topic" {
   description = "SNS Topic ARN and Name"
   value = {
-    arn  = aws_sns_topic.main.arn
-    name = aws_sns_topic.main.name
+    arn  = aws_sns_topic.main_orig.arn
+    name = aws_sns_topic.main_orig.name
+  }
+}
+
+output "sns_topic_clone" {
+  description = "SNS Topic ARN and Name"
+  value = {
+    arn  = aws_sns_topic.main_clone.arn
+    name = aws_sns_topic.main_clone.name
   }
 }
 
diff --git a/infrastructure/terraform/modules/eventsub/sns_topic.tf b/infrastructure/terraform/modules/eventsub/sns_topic.tf
@@ -1,4 +1,4 @@
-resource "aws_sns_topic" "main" {
+resource "aws_sns_topic" "main_orig" {
   name              = local.csi
   kms_master_key_id = var.kms_key_arn
 
diff --git a/infrastructure/terraform/modules/eventsub/sns_topic_clone.tf b/infrastructure/terraform/modules/eventsub/sns_topic_clone.tf
@@ -0,0 +1,24 @@
+resource "aws_sns_topic" "main_clone" {
+  name              = "${local.csi}-clone"
+  kms_master_key_id = var.kms_key_arn
+
+  application_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  application_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  application_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+
+  firehose_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  firehose_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  firehose_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+
+  http_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  http_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  http_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+
+  lambda_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  lambda_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  lambda_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+
+  sqs_failure_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  sqs_success_feedback_role_arn    = var.enable_sns_delivery_logging == true ? aws_iam_role.sns_delivery_logging_role[0].arn : null
+  sqs_success_feedback_sample_rate = var.enable_sns_delivery_logging == true ? var.sns_success_logging_sample_percent : null
+}
diff --git a/infrastructure/terraform/modules/eventsub/sns_topic_policy.tf b/infrastructure/terraform/modules/eventsub/sns_topic_policy.tf
@@ -1,5 +1,11 @@
-resource "aws_sns_topic_policy" "main" {
-  arn = aws_sns_topic.main.arn
+resource "aws_sns_topic_policy" "main_orig" {
+  arn = aws_sns_topic.main_orig.arn
+
+  policy = data.aws_iam_policy_document.sns_topic_policy.json
+}
+
+resource "aws_sns_topic_policy" "main_clone" {
+  arn = aws_sns_topic.main_clone.arn
 
   policy = data.aws_iam_policy_document.sns_topic_policy.json
 }
@@ -29,7 +35,65 @@ data "aws_iam_policy_document" "sns_topic_policy" {
     ]
 
     resources = [
-      aws_sns_topic.main.arn,
+      aws_sns_topic.main_orig.arn,
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceOwner"
+
+      values = [
+        var.aws_account_id,
+      ]
+    }
+  }
+
+  statement {
+    sid = "AllowAllSNSActionsFromSharedAccount"
+    effect = "Allow"
+    actions = [
+      "SNS:Publish",
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.shared_infra_account_id}:root"
+      ]
+    }
+
+    resources = [
+      aws_sns_topic.main_orig.arn,
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "sns_topic_policy_clone" {
+  policy_id = "__default_policy_ID"
+
+  statement {
+    sid = "AllowAllSNSActionsFromAccount"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "SNS:Subscribe",
+      "SNS:SetTopicAttributes",
+      "SNS:RemovePermission",
+      "SNS:Receive",
+      "SNS:Publish",
+      "SNS:ListSubscriptionsByTopic",
+      "SNS:GetTopicAttributes",
+      "SNS:DeleteTopic",
+      "SNS:AddPermission",
+    ]
+
+    resources = [
+      aws_sns_topic.main_clone.arn,
     ]
 
     condition {
@@ -57,7 +121,7 @@ data "aws_iam_policy_document" "sns_topic_policy" {
     }
 
     resources = [
-      aws_sns_topic.main.arn,
+      aws_sns_topic.main_clone.arn,
     ]
   }
 }
diff --git a/infrastructure/terraform/modules/eventsub/sns_topic_subscription_firehose.tf b/infrastructure/terraform/modules/eventsub/sns_topic_subscription_firehose.tf
@@ -1,7 +1,17 @@
 resource "aws_sns_topic_subscription" "firehose" {
   count = var.enable_event_cache ? 1 : 0
 
-  topic_arn             = aws_sns_topic.main.arn
+  topic_arn             = aws_sns_topic.main_orig.arn
+  protocol              = "firehose"
+  subscription_role_arn = aws_iam_role.sns_role.arn
+  endpoint              = aws_kinesis_firehose_delivery_stream.main[0].arn
+  raw_message_delivery  = var.enable_firehose_raw_message_delivery
+}
+
+resource "aws_sns_topic_subscription" "firehose_clone" {
+  count = var.enable_event_cache ? 1 : 0
+
+  topic_arn             = aws_sns_topic.main_clone.arn
   protocol              = "firehose"
   subscription_role_arn = aws_iam_role.sns_role.arn
   endpoint              = aws_kinesis_firehose_delivery_stream.main[0].arn

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,10 @@ data "aws_iam_policy_document" "letter_updates_queue_policy" {`
`65`	`65`	`condition {`
`66`	`66`	`test = "ArnEquals"`
`67`	`67`	`variable = "aws:SourceArn"`
`68`		`- values = [module.eventsub.sns_topic.arn]`
	`68`	`+ values = [`
	`69`	`+ module.eventsub.sns_topic.arn,`
	`70`	`+ module.eventsub.sns_topic_clone.arn`
	`71`	`+ ]`
`69`	`72`	`}`
`70`	`73`	`}`
`71`	`74`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-resource "aws_sns_topic" "main" {`
	`1`	`+resource "aws_sns_topic" "main_orig" {`
`2`	`2`	`name = local.csi`
`3`	`3`	`kms_master_key_id = var.kms_key_arn`
`4`	`4`