Adding policy to allow SNS from any source

DNXLabs · Mar 25, 2020 · cac6e52 · cac6e52
1 parent 309d7d6
commit cac6e52
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 3 deletions.
diff --git a/lambda-slack.tf b/lambda-slack.tf
@@ -35,6 +35,7 @@ resource "aws_iam_policy" "default" {
       "Action": [
         "logs:CreateLogStream",
         "logs:PutLogEvents",
+        "logs:CreateLogGroup",
         "cloudwatch:*"
       ],
       "Resource": [
@@ -94,5 +95,5 @@ resource "aws_sns_topic_subscription" "lambda_subscription" {
   topic_arn  = aws_sns_topic.default.arn
   protocol   = "lambda"
   endpoint   = aws_lambda_function.default[0].arn
-  depends_on = ["aws_lambda_function.default"]
+  depends_on = [aws_lambda_function.default]
 }
diff --git a/sns-topic.tf b/sns-topic.tf
@@ -7,12 +7,38 @@ resource "aws_sns_topic" "default" {
 }
 
 resource "aws_sns_topic_policy" "default" {
-  arn = aws_sns_topic.default.arn
+  arn    = aws_sns_topic.default.arn
+  policy = length(var.account_ids) != 0 ? data.aws_iam_policy_document.sns[0].json : data.aws_iam_policy_document.sns_all[0].json
+}
+
+data "aws_iam_policy_document" "sns_all" {
+  count = length(var.account_ids) != 0 ? 0 : 1
+
+  policy_id = "allow-publish-clients"
+
+  statement {
+    actions = [
+      "SNS:Publish"
+    ]
 
-  policy = data.aws_iam_policy_document.sns.json
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    resources = [
+      aws_sns_topic.default.arn,
+    ]
+
+    sid = "allow-publish-clients-stmt"
+  }
 }
 
 data "aws_iam_policy_document" "sns" {
+  count = length(var.account_ids) != 0 ? 1 : 0
+
   policy_id = "allow-publish-clients"
 
   statement {