From 781086812e5a8ff6705f5062cad48748a63e5a41 Mon Sep 17 00:00:00 2001
From: martin-nhs
Date: Thu, 15 Feb 2024 12:33:50 +0000
Subject: [PATCH] [PRMT-4482] Added topic policy to enforce HTTPS on SNS topics.

---
 terraform/iam.tf       | 13 ++++----
 terraform/sns-topic.tf | 69 ++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 73 insertions(+), 9 deletions(-)

diff --git a/terraform/iam.tf b/terraform/iam.tf
index e91ca8e..64759df 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -1,5 +1,8 @@
 locals {
   account_id = data.aws_caller_identity.current.account_id
+  sns_topic_arns = [
+    aws_sns_topic.re_registration_audit_topic.arn
+  ]
 }
 
 data "aws_iam_policy_document" "ecs-assume-role-policy" {
@@ -124,9 +127,7 @@ data "aws_iam_policy_document" "sns_policy_doc" {
     actions = [
       "sns:Publish"
     ]
-    resources = [
-      aws_sns_topic.re_registration_audit_topic.arn
-    ]
+    resources = local.sns_topic_arns
   }
 }
 
@@ -264,8 +265,8 @@ data "aws_iam_policy_document" "active_suspensions_sns_topic_access_to_queue" {
     ]
 
     condition {
-      test = "ArnEquals"
-      values = [
+      test = "ArnEquals"
+      values = [
         data.aws_ssm_parameter.suspension_active_suspensions_topic_arn.value,
         data.aws_ssm_parameter.end_of_transfer_active_suspensions_topic_arn.value
       ]
@@ -327,7 +328,7 @@ resource "aws_iam_policy" "dynamodb-table-access" {
 
 data "aws_iam_policy_document" "dynamodb-table-access" {
   statement {
-    actions = [
+    actions = [
       "dynamodb:GetItem",
       "dynamodb:PutItem",
       "dynamodb:DeleteItem"
diff --git a/terraform/sns-topic.tf b/terraform/sns-topic.tf
index 0194f2e..e5f8efd 100644
--- a/terraform/sns-topic.tf
+++ b/terraform/sns-topic.tf
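Review bot: `local.sns_topic_arns`, introduced in the first hunk of `terraform/iam.tf`, is a list built from a resource attribute (`aws_sns_topic.re_registration_audit_topic.arn`), and the new `aws_sns_topic_policy.deny_http` in `terraform/sns-topic.tf` passes it to `for_each = toset(local.sns_topic_arns)`; Terraform requires `for_each` keys to be known at plan time, so on a run where that topic does not yet exist (a fresh environment, or after the topic is replaced) the plan is rejected rather than applied, which leaves the HTTPS-only policy unenforced exactly when the topic is first created. Keying a map by a static name and deriving the ARN list from it keeps `resources = local.sns_topic_arns` in the `sns_policy_doc` hunk working unchanged, while the topic policy can use `for_each = local.sns_topics` and `arn = each.value.arn` with a stable key. A comment on the local naming its two consumers would also help, since they live in different files. The remaining two hunks in this file change only whitespace alignment.
```hcl
locals {
  account_id = data.aws_caller_identity.current.account_id

  # Topics that receive both the sns:Publish grant (sns_policy_doc) and the
  # HTTPS-only topic policy in sns-topic.tf; keys are static so they can
  # drive for_each before the topic exists.
  sns_topics = {
    re_registration_audit = aws_sns_topic.re_registration_audit_topic
  }
  sns_topic_arns = [for topic in local.sns_topics : topic.arn]
}
```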
@@ -1,11 +1,74 @@
 resource "aws_sns_topic" "re_registration_audit_topic" {
-  name = "${var.environment}-${var.component_name}-re-registration-audit-sns-topic"
-  kms_master_key_id = aws_kms_key.re_registration_audit.id
+  name = "${var.environment}-${var.component_name}-re-registration-audit-sns-topic"
+  kms_master_key_id = aws_kms_key.re_registration_audit.id
   sqs_failure_feedback_role_arn = aws_iam_role.sns_failure_feedback_role.arn
   tags = {
-    Name = "${var.environment}-${var.component_name}-re-registration-audit-sns-topic"
+    Name = "${var.environment}-${var.component_name}-re-registration-audit-sns-topic"
     CreatedBy = var.repo_name
     Environment = var.environment
   }
+}
+
+resource "aws_sns_topic_policy" "deny_http" {
+  for_each = toset(local.sns_topic_arns)
+
+  arn = each.value
+
+  policy = <