
Commit b74b445

committed
Policy fix
1 parent 8c2408f commit b74b445

1 file changed

Lines changed: 64 additions & 6 deletions


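--- a/infrastructure/terraform/modules/eventsub/sns_topic_policy.tf
+++ b/infrastructure/terraform/modules/eventsub/sns_topic_policy.tf
@@ -1,20 +1,20 @@
 resource "aws_sns_topic_policy" "sns_topic_event_bus" {
 arn = aws_sns_topic.sns_topic_event_bus.arn
 
-policy = data.aws_iam_policy_document.sns_topic_policy.json
+policy = data.aws_iam_policy_document.sns_topic_event_bus_policy.json
 }
 
 resource "aws_sns_topic_policy" "sns_topic_supplier" {
-arn = aws_sns_topic.sns_topic_event_bus.arn
+arn = aws_sns_topic.sns_topic_supplier.arn
 
-policy = data.aws_iam_policy_document.sns_topic_policy.json
+policy = data.aws_iam_policy_document.sns_topic_supplier_policy.json
 }
 
-data "aws_iam_policy_document" "sns_topic_policy" {
+data "aws_iam_policy_document" "sns_topic_event_bus_policy" {
 policy_id = "__default_policy_ID"
 
 statement {
-sid = "AllowAllSNSActionsFromAccount"
+sid = "AllowAllSNSActionsFromAccount"
 effect = "Allow"
 
 principals {
@@ -49,7 +49,7 @@ data "aws_iam_policy_document" "sns_topic_policy" {
 }
 
 statement {
-sid = "AllowAllSNSActionsFromSharedAccount"
+sid = "AllowAllSNSActionsFromSharedAccount"
 effect = "Allow"
 actions = [
 "SNS:Publish",
@@ -67,3 +67,61 @@ data "aws_iam_policy_document" "sns_topic_policy" {
 ]
 }
 }
+
+data "aws_iam_policy_document" "sns_topic_supplier_policy" {
+policy_id = "__default_policy_ID"
+
+statement {
+sid = "AllowAllSNSActionsFromAccount"
+effect = "Allow"
+
+principals {
+type = "AWS"
+identifiers = ["*"]
+}
+
+actions = [
+"SNS:Subscribe",
+"SNS:SetTopicAttributes",
+"SNS:RemovePermission",
+"SNS:Receive",
+"SNS:Publish",
+"SNS:ListSubscriptionsByTopic",
+"SNS:GetTopicAttributes",
+"SNS:DeleteTopic",
+"SNS:AddPermission",
+]
+
+resources = [
+aws_sns_topic.sns_topic_supplier.arn,
+]
+
+condition {
+test = "StringEquals"
+variable = "AWS:SourceOwner"
+
+values = [
+var.aws_account_id,
+]
+}
+}
+
+statement {
+sid = "AllowAllSNSActionsFromSharedAccount"
+effect = "Allow"
+actions = [
+"SNS:Publish",
+]
+
+principals {
+type = "AWS"
+identifiers = [
+"arn:aws:iam::${var.shared_infra_account_id}:root"
+]
+}
+
+resources = [
+aws_sns_topic.sns_topic_supplier.arn,
+]
+}
+}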
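Review bot: The new `sns_topic_supplier_policy` document grants `SNS:Publish` to `arn:aws:iam::${var.shared_infra_account_id}:root`, which a resource policy treats as a delegation to every IAM user and role in that account, not just an administrator, so any principal there with an allowing identity policy can publish to the supplier topic. If only specific publishers in the shared account are intended, name those role ARNs in `identifiers` or keep `:root` and add a condition such as `condition { test = "ArnLike" variable = "aws:PrincipalArn" values = ["arn:aws:iam::${var.shared_infra_account_id}:role/<publisher-role>"] }`. The first statement also hands `SNS:DeleteTopic`, `SNS:SetTopicAttributes`, `SNS:AddPermission` and `SNS:RemovePermission` to any principal in the owning account via `AWS:SourceOwner`; this mirrors the AWS default topic policy, but if the module is meant to be the sole manager of the topic, those mutating actions could be dropped from the resource policy so subscribers cannot rewrite it. Finally, the sid `AllowAllSNSActionsFromSharedAccount` is misleading since the statement only allows Publish; `sid = "AllowPublishFromSharedAccount"` would describe it accurately.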
