From cac6e52ac70a859ae20bf3e96973f40c0477b207 Mon Sep 17 00:00:00 2001
From: Allan Denot
Date: Wed, 25 Mar 2020 18:17:27 +1100
Subject: [PATCH] Adding policy to allow SNS from any source

---
 lambda-slack.tf |  3 ++-
 sns-topic.tf    | 30 ++++++++++++++++++++++++++++--
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/lambda-slack.tf b/lambda-slack.tf
index e6a619b..a31c26d 100644
--- a/lambda-slack.tf
+++ b/lambda-slack.tf
@@ -35,6 +35,7 @@ resource "aws_iam_policy" "default" {
       "Action": [
         "logs:CreateLogStream",
         "logs:PutLogEvents",
+        "logs:CreateLogGroup",
         "cloudwatch:*"
       ],
       "Resource": [
@@ -94,5 +95,5 @@ resource "aws_sns_topic_subscription" "lambda_subscription" {
   topic_arn = aws_sns_topic.default.arn
   protocol  = "lambda"
   endpoint  = aws_lambda_function.default[0].arn
-  depends_on = ["aws_lambda_function.default"]
+  depends_on = [aws_lambda_function.default]
 }
diff --git a/sns-topic.tf b/sns-topic.tf
index 2c0e302..2366083 100644
--- a/sns-topic.tf
+++ b/sns-topic.tf
@@ -7,12 +7,38 @@ resource "aws_sns_topic" "default" {
 }
 
 resource "aws_sns_topic_policy" "default" {
-  arn = aws_sns_topic.default.arn
+  arn    = aws_sns_topic.default.arn
+  policy = length(var.account_ids) != 0 ? data.aws_iam_policy_document.sns[0].json : data.aws_iam_policy_document.sns_all[0].json
+}
+
+data "aws_iam_policy_document" "sns_all" {
+  count = length(var.account_ids) != 0 ? 0 : 1
+
+  policy_id = "allow-publish-clients"
+
+  statement {
+    actions = [
+      "SNS:Publish"
+    ]
 
-  policy = data.aws_iam_policy_document.sns.json
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    resources = [
+      aws_sns_topic.default.arn,
+    ]
+
+    sid = "allow-publish-clients-stmt"
+  }
 }
 
 data "aws_iam_policy_document" "sns" {
+  count = length(var.account_ids) != 0 ? 1 : 0
+
   policy_id = "allow-publish-clients"
 
   statement {
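Review bot: The added `"logs:CreateLogGroup"` grants the function permission to create its own log group at runtime, which is only needed because the log group is not managed by Terraform; declaring an `aws_cloudwatch_log_group` for the function instead would let the policy stay at `CreateLogStream`/`PutLogEvents` and would also give the log group an explicit retention period. The `"Resource"` list that scopes these actions starts after the hunk, so whether `CreateLogGroup` is restricted to the function's own log group cannot be confirmed from here. The policy document also keeps the pre-existing `"cloudwatch:*"` entry, which is broader than a notifier Lambda normally needs and is worth revisiting in the same pass. The `aws_iam_policy` resource body continues outside the hunk.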
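Review bot: The new `sns_all` statement allows `SNS:Publish` on the topic to the `"AWS"` principal `"*"` with no `condition` block, and it is selected whenever `var.account_ids` is empty, so the default configuration lets any AWS account (and, for a `*` principal without conditions, unauthenticated callers) publish arbitrary messages that are relayed into Slack. That turns the topic into a spam or phishing channel into the team's chat, and the change from the previous unconditional `data.aws_iam_policy_document.sns.json` to this open document happens silently for users who never set `account_ids`. If cross-account publishing really is the intent, keep the wildcard principal but constrain it, for example to the topic's own account via `aws:SourceOwner` (which also covers same-account service publishers such as CloudWatch alarms), with a `data "aws_caller_identity" "current" {}` declared alongside; the statement below shows that shape. The `data.aws_iam_policy_document.sns` block at the end of the hunk continues outside it.
```terraform
data "aws_iam_policy_document" "sns_all" {
  # … unchanged: count, policy_id, actions, effect, principals, resources, sid …

  statement {
    # … unchanged: actions/effect/principals/resources/sid …

    # Restrict the wildcard principal to publishers owned by this account;
    # cross-account publishers are handled by var.account_ids instead.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceOwner"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```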