UPD: adjusted sns access policy

This commit is contained in:
xpk 2024-02-21 12:47:24 +08:00
parent 7fa60d1347
commit e15bc43e46
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86


@ -46,7 +46,7 @@ module "awscli" {
# SNS topic and subscription
resource "aws_sns_topic" "ssl-cert-expiry-notice" {
name = "${var.res-prefix}-ssl-cert-expiry-notice-${random_id.this.dec}"
kms_master_key_id = "alias/aws/sns"
# kms_master_key_id = "alias/aws/sns"
}
resource "aws_sns_topic_policy" "default" {
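Review bot: Commenting out `kms_master_key_id` on the topic turns off server-side encryption at rest for ssl-cert-expiry-notice, and the commit message ("adjusted sns access policy") does not say why. The usual reason is that the AWS-managed key `alias/aws/sns` carries a key policy that the publishing service principal (the sid "AllowPublishingFromEvents" in the next hunk suggests EventBridge) cannot use, so publishes fail; if that is the case here, the fix is a customer-managed key whose key policy grants that service principal `kms:GenerateDataKey*` and `kms:Decrypt`, referenced as `kms_master_key_id = aws_kms_key.<name>.id`, rather than dropping encryption. If the decision really is to run unencrypted, replace the dead line with a comment that records the trade-off, e.g. `# SSE intentionally disabled: alias/aws/sns cannot be used by the publishing service principal; revisit with a CMK`, so the next reader does not re-enable it blindly. The `aws_sns_topic_policy "default"` resource at the end of this hunk continues outside it.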
@ -56,8 +56,12 @@ resource "aws_sns_topic_policy" "default" {
data "aws_iam_policy_document" "sns_topic_policy" {
statement {
sid = "AllowPublishingFromEvents"
effect = "Allow"
actions = ["SNS:Publish"]
actions = [
"sns:Publish",
"SNS:Publish"
]
principals {
type = "Service"
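Review bot: Listing both `"sns:Publish"` and `"SNS:Publish"` in `actions` grants nothing extra — IAM action names are matched case-insensitively, so the two entries are the same permission and the second only adds noise to the rendered policy document. Keep a single entry, `actions = ["SNS:Publish"]`, and if the mixed case was meant to work around a policy-document diff on plan, note that in a comment instead of duplicating the action. The `aws_iam_policy_document "sns_topic_policy"` data block starts here and continues past the end of this hunk, so the service `identifiers` this statement applies to are not visible in it.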
@ -66,6 +70,24 @@ data "aws_iam_policy_document" "sns_topic_policy" {
resources = [aws_sns_topic.ssl-cert-expiry-notice.arn]
}
statement {
sid = "AllowPublishThroughSSLOnly"
effect = "Deny"
principals {
identifiers = ["*"]
type = "AWS"
}
actions = [
"sns:Publish",
"SNS:Publish"
]
condition {
test = "Bool"
values = ["false"]
variable = "aws:SecureTransport"
}
resources = [aws_sns_topic.ssl-cert-expiry-notice.arn]
}
}
resource "aws_sns_topic_subscription" "ssl-cert-expiry-notice-sub" {
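Review bot: The new Deny statement only enforces TLS for `Publish`; any other topic operation a principal is otherwise allowed (Subscribe, Receive, GetTopicAttributes, and so on) can still be performed over plaintext, because a Deny matches only the actions it lists. If the intent is "this topic is TLS-only", which the `aws:SecureTransport` condition suggests, widen the statement to `actions = ["sns:*"]`; if it is deliberately scoped to publishing, the sid is accurate but a one-line comment saying so would stop the next reader from assuming full coverage. As in the previous statement, `"sns:Publish"` and `"SNS:Publish"` are the same action and one of them can be dropped. The enclosing `aws_iam_policy_document "sns_topic_policy"` data block begins before this hunk.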