UPD: adjusted sns access policy
This commit is contained in:
parent
7fa60d1347
commit
e15bc43e46
@ -46,7 +46,7 @@ module "awscli" {
|
||||
# SNS topic and subscription
|
||||
resource "aws_sns_topic" "ssl-cert-expiry-notice" {
|
||||
name = "${var.res-prefix}-ssl-cert-expiry-notice-${random_id.this.dec}"
|
||||
kms_master_key_id = "alias/aws/sns"
|
||||
# kms_master_key_id = "alias/aws/sns"
|
||||
}
|
||||
|
||||
resource "aws_sns_topic_policy" "default" {
|
||||
@ -56,8 +56,12 @@ resource "aws_sns_topic_policy" "default" {
|
||||
|
||||
data "aws_iam_policy_document" "sns_topic_policy" {
|
||||
statement {
|
||||
sid = "AllowPublishingFromEvents"
|
||||
effect = "Allow"
|
||||
actions = ["SNS:Publish"]
|
||||
actions = [
|
||||
"sns:Publish",
|
||||
"SNS:Publish"
|
||||
]
|
||||
|
||||
principals {
|
||||
type = "Service"
|
||||
@ -66,6 +70,24 @@ data "aws_iam_policy_document" "sns_topic_policy" {
|
||||
|
||||
resources = [aws_sns_topic.ssl-cert-expiry-notice.arn]
|
||||
}
|
||||
statement {
|
||||
sid = "AllowPublishThroughSSLOnly"
|
||||
effect = "Deny"
|
||||
principals {
|
||||
identifiers = ["*"]
|
||||
type = "AWS"
|
||||
}
|
||||
actions = [
|
||||
"sns:Publish",
|
||||
"SNS:Publish"
|
||||
]
|
||||
condition {
|
||||
test = "Bool"
|
||||
values = ["false"]
|
||||
variable = "aws:SecureTransport"
|
||||
}
|
||||
resources = [aws_sns_topic.ssl-cert-expiry-notice.arn]
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_sns_topic_subscription" "ssl-cert-expiry-notice-sub" {
|
||||
|
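Review bot: The `AllowPublishThroughSSLOnly` Deny in the third hunk only covers `sns:Publish`, so Subscribe, Receive, GetTopicAttributes and similar calls over plaintext HTTP remain allowed; if the intent is to require TLS for the topic as a whole, the action list should be `actions = ["sns:*"]`. The duplicated `"sns:Publish"` / `"SNS:Publish"` pairs in both statements are redundant, since IAM matches action names case-insensitively, so one entry each is enough. Separately, the first hunk flips `kms_master_key_id = "alias/aws/sns"` between live and commented out and the page does not show which side is new; if encryption at rest is being dropped because the service principal cannot publish to a topic encrypted with the AWS-managed key, the usual fix is a customer-managed key whose key policy grants that principal `kms:GenerateDataKey*` and `kms:Decrypt`, rather than removing encryption. The `principals` block of the Allow statement continues outside the second hunk, so the publishing principal itself could not be checked here.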