UPD: adjusted sns access policy

This commit is contained in:
xpk 2024-02-21 12:47:24 +08:00
parent 7fa60d1347
commit e15bc43e46
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86


@ -45,8 +45,8 @@ module "awscli" {
# SNS topic and subscription # SNS topic and subscription
resource "aws_sns_topic" "ssl-cert-expiry-notice" { resource "aws_sns_topic" "ssl-cert-expiry-notice" {
name = "${var.res-prefix}-ssl-cert-expiry-notice-${random_id.this.dec}" name = "${var.res-prefix}-ssl-cert-expiry-notice-${random_id.this.dec}"
kms_master_key_id = "alias/aws/sns" # kms_master_key_id = "alias/aws/sns"
} }
resource "aws_sns_topic_policy" "default" { resource "aws_sns_topic_policy" "default" {
@ -56,8 +56,12 @@ resource "aws_sns_topic_policy" "default" {
data "aws_iam_policy_document" "sns_topic_policy" { data "aws_iam_policy_document" "sns_topic_policy" {
statement { statement {
effect = "Allow" sid = "AllowPublishingFromEvents"
actions = ["SNS:Publish"] effect = "Allow"
actions = [
"sns:Publish",
"SNS:Publish"
]
principals { principals {
type = "Service" type = "Service"
@ -66,6 +70,24 @@ data "aws_iam_policy_document" "sns_topic_policy" {
resources = [aws_sns_topic.ssl-cert-expiry-notice.arn] resources = [aws_sns_topic.ssl-cert-expiry-notice.arn]
} }
statement {
sid = "AllowPublishThroughSSLOnly"
effect = "Deny"
principals {
identifiers = ["*"]
type = "AWS"
}
actions = [
"sns:Publish",
"SNS:Publish"
]
condition {
test = "Bool"
values = ["false"]
variable = "aws:SecureTransport"
}
resources = [aws_sns_topic.ssl-cert-expiry-notice.arn]
}
} }
resource "aws_sns_topic_subscription" "ssl-cert-expiry-notice-sub" { resource "aws_sns_topic_subscription" "ssl-cert-expiry-notice-sub" {
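Review bot: Commenting out `kms_master_key_id = "alias/aws/sns"` in the first hunk drops server-side encryption from the topic, which the title ("adjusted sns access policy") does not mention and which the new side leaves unexplained. If this was done because a service principal could not publish to a topic encrypted with the AWS-managed key, the usual fix is a customer-managed `aws_kms_key` whose key policy grants that service principal `kms:GenerateDataKey*` and `kms:Decrypt`, with `kms_master_key_id` pointing at it, rather than removing encryption at rest; if plaintext is an accepted trade-off for expiry notices, record it next to the commented line with `# kms_master_key_id intentionally unset: <reason>`. In the second and third hunks the action lists name both `"sns:Publish"` and `"SNS:Publish"`; IAM action matching is case-insensitive, so `actions = ["sns:Publish"]` is sufficient and the duplicate only adds noise. The `identifiers` of the Allow statement's principals block fall outside the second hunk, so I could not confirm which service the Allow applies to.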