From f50328520f1de820d46885fe5236bcdc3ac70d4f Mon Sep 17 00:00:00 2001
From: martin-nhs <martin.taylor22@nhs.net>
Date: Thu, 15 Feb 2024 12:27:30 +0000
Subject: [PATCH] [PRMT-4482] Added policy statement to enforce HTTPS on SNS
 topics.

---
 terraform/sns-topic.tf | 62 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/terraform/sns-topic.tf b/terraform/sns-topic.tf
index 60566f93..fbf11ab1 100644
--- a/terraform/sns-topic.tf
+++ b/terraform/sns-topic.tf
@@ -98,3 +98,65 @@ data "aws_sns_topic" "alarm_notifications" {
   name = "${var.environment}-alarm-notifications-sns-topic"
 }
 
+resource "aws_sns_topic_policy" "deny_http" {
+  for_each = toset(local.sns_arns)
+
+  arn = each.value
+
+  policy = <<EOF
+{
+  "Version": "2008-10-17",
+  "Id": "__default_policy_ID",
+  "Statement": [
+    {
+      "Sid": "__default_statement_ID",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": [
+        "SNS:GetTopicAttributes",
+        "SNS:SetTopicAttributes",
+        "SNS:AddPermission",
+        "SNS:RemovePermission",
+        "SNS:DeleteTopic",
+        "SNS:Subscribe",
+        "SNS:ListSubscriptionsByTopic",
+        "SNS:Publish",
+        "SNS:Receive"
+      ],
+      "Resource": "${each.value}",
+      "Condition": {
+        "StringEquals": {
+          "AWS:SourceOwner": "${data.aws_caller_identity.current.account_id}"
+        }
+      }
+    },
+    {
+      "Sid": "DenyHTTPSubscription",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": "sns:Subscribe",
+      "Resource": "${each.value}",
+      "Condition": {
+        "StringEquals": {
+          "sns:Protocol": "http"
+        }
+      }
+    },
+    {
+      "Sid": "DenyHTTPPublish",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": "SNS:Publish",
+      "Resource": "${each.value}",
+      "Condition": {
+        "Bool": {
+          "aws:SecureTransport": "false"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
\ No newline at end of file