diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf index c0d5b92848f..52b7a8a3db5 100644 --- a/terraform/environments/ppud/iam.tf +++ b/terraform/environments/ppud/iam.tf @@ -859,6 +859,7 @@ resource "aws_iam_role_policy_attachment" "attach_lambda_policy_certificate_expi ## Production +/* data "aws_iam_policy_document" "sns_topic_policy_ec2cw" { count = local.is-production == true ? 1 : 0 policy_id = "SnsTopicId" @@ -895,6 +896,7 @@ data "aws_iam_policy_document" "sns_topic_policy_ec2cw" { ] } } +*/ #################################################### # IAM User, Policy for MGN diff --git a/terraform/environments/ppud/sns.tf b/terraform/environments/ppud/sns.tf index d1d6dfa7b2f..f7025b4817a 100644 --- a/terraform/environments/ppud/sns.tf +++ b/terraform/environments/ppud/sns.tf @@ -10,11 +10,14 @@ resource "aws_sns_topic" "cw_alerts" { name = "ppud-prod-cw-alerts" } +/* resource "aws_sns_topic_policy" "sns_policy" { count = local.is-production == true ? 1 : 0 arn = aws_sns_topic.cw_alerts[0].arn - policy = data.aws_iam_policy_document.sns_topic_policy_ec2cw[0].json + policy = data.aws_iam_policy_document.sns_topic_policy_ec2cw[0].json } +*/ + resource "aws_sns_topic_subscription" "cw_subscription" { count = local.is-production == true ? 1 : 0 topic_arn = aws_sns_topic.cw_alerts[0].arn 
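Review bot: The `sns_topic_policy_ec2cw` data source in iam.tf and the `sns_policy` resource in sns.tf are disabled with `/* ... */` rather than deleted, which leaves two dead copies of the topic policy that will drift from the live one now defined inline in sns.tf. Version control already keeps the old text, so prefer removing both blocks outright. Note also that the commented-out `aws_iam_policy_document` approach expresses `resources` and condition values as real HCL references, which the inline `jsonencode` replacement in sns.tf does not; keeping `policy = data.aws_iam_policy_document.sns_topic_policy_ec2cw[0].json` would have avoided that class of mistake. The iam.tf data source body spans two hunks here.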
@@ -62,6 +65,39 @@ resource "aws_sns_topic_subscription" "cw_sms_subscription4" { } */ +resource "aws_sns_topic_policy" "sns_topic_policy_ec2cw" { + count = local.is-production == true ? 1 : 0 + arn = aws_sns_topic.cw_alerts[0].arn + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + "Sid" : "SnsTopicId", + "Effect" : "Allow", + "Principal" : { + "AWS" : "*" + }, + "Action" : [ + "SNS:Publish", + "SNS:RemovePermission", + "SNS:SetTopicAttributes", + "SNS:DeleteTopic", + "SNS:ListSubscriptionsByTopic", + "SNS:GetTopicAttributes", + "SNS:AddPermission", + "SNS:Subscribe" + ], + "Resource" : "aws_sns_topic.cw_alerts[0].arn", + "Condition" : { + "StringEquals" : { + "AWS:SourceOwner" : "data.aws_caller_identity.current.account_id" + } + } + } + ] + }) +} # PreProduction - Cloud Watch
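Review bot: In the new `sns_topic_policy_ec2cw` resource, `"Resource" : "aws_sns_topic.cw_alerts[0].arn"` and `"AWS:SourceOwner" : "data.aws_caller_identity.current.account_id"` are quoted string literals inside `jsonencode`, so the rendered policy contains those exact texts rather than the topic ARN and the account ID. SNS will most likely reject the policy as malformed, and even if it were accepted the `StringEquals` condition could never match a real account, so the `Principal "AWS": "*"` statement would grant nothing while the default topic policy has been replaced. Change them to unquoted references: `Resource = aws_sns_topic.cw_alerts[0].arn` and `"AWS:SourceOwner" = data.aws_caller_identity.current.account_id` (assuming a `data "aws_caller_identity" "current"` exists elsewhere in the module, as the previous data-source version implied). As a point of style, the block mixes HCL attribute syntax (`Version =`, `Statement =`) with JSON-style `"Key" :` pairs; pick one form for the whole object.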