From de8f4fc97e6b3fd5237bcca956ab0292b2686d37 Mon Sep 17 00:00:00 2001
From: magreenbaum
Date: Fri, 7 Apr 2023 14:07:36 -0400
Subject: [PATCH 1/4] add data protection policy support

---
 README.md                 |  6 ++++--
 examples/complete/main.tf | 23 +++++++++++++++++++++++
 main.tf                   | 10 ++++++++++
 variables.tf              | 10 ++++++++++
 versions.tf               |  2 +-
 wrappers/main.tf          |  1 +
 6 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index fbbf6a2..92b40d4 100644
--- a/README.md
+++ b/README.md
@@ -135,13 +135,13 @@ module "sns_topic" {
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 4.56 |
+| [aws](#requirement\_aws) | >= 4.62 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 4.56 |
+| [aws](#provider\_aws) | >= 4.62 |
 
 ## Modules
 
@@ -152,6 +152,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_sns_topic.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
+| [aws_sns_topic_data_protection_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_data_protection_policy) | resource |
 | [aws_sns_topic_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -166,6 +167,7 @@ No modules.
 | [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
 | [create\_subscription](#input\_create\_subscription) | Determines whether an SNS subscription is created | `bool` | `true` | no |
 | [create\_topic\_policy](#input\_create\_topic\_policy) | Determines whether an SNS topic policy is created | `bool` | `true` | no |
+| [data\_protection\_policy](#input\_data\_protection\_policy) | A map of data protection policy statements | `string` | `null` | no |
 | [delivery\_policy](#input\_delivery\_policy) | The SNS delivery policy | `string` | `null` | no |
 | [display\_name](#input\_display\_name) | The display name for the SNS topic | `string` | `null` | no |
 | [enable\_default\_topic\_policy](#input\_enable\_default\_topic\_policy) | Specifies whether to enable the default topic policy. Defaults to `true` | `bool` | `true` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 1bf6670..4f7d64f 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -25,6 +25,29 @@ module "default_sns" {
   name              = "${local.name}-default"
   signature_version = 2
 
+  data_protection_policy = jsonencode(
+    {
+      Description = "Test"
+      Name        = "Test"
+      Statement = [
+        {
+          "DataDirection" = "Inbound"
+          "DataIdentifier" = [
+            "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
+          ]
+          "Operation" = {
+            "Deny" = {}
+          }
+          "Principal" = [
+            "*",
+          ]
+          "Sid" = "Deny"
+        },
+      ]
+      Version = "2021-06-01"
+    }
+  )
+
+
   tags = local.tags
 }
diff --git a/main.tf b/main.tf
index b86d974..718f50e 100644
--- a/main.tf
+++ b/main.tf
@@ -154,3 +154,13 @@ resource "aws_sns_topic_subscription" "this" {
   subscription_role_arn = try(each.value.subscription_role_arn, null)
   topic_arn             = aws_sns_topic.this[0].arn
 }
+
+################################################################################
+# Data Protection Policy
+################################################################################
+
+resource "aws_sns_topic_data_protection_policy" "this" {
+  count = var.create && var.data_protection_policy != null && !var.fifo_topic ? 1 : 0
+  arn    = aws_sns_topic.this[0].arn
+  policy = var.data_protection_policy
+}
diff --git a/variables.tf b/variables.tf
index 9ad2955..485f2b7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -177,3 +177,13 @@ variable "subscriptions" {
   type    = any
   default = {}
 }
+
+################################################################################
+# Data Protection Policy
+################################################################################
+
+variable "data_protection_policy" {
+  description = "A map of data protection policy statements"
+  type        = string
+  default     = null
+}
diff --git a/versions.tf b/versions.tf
index f6b386d..2884bdd 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.56"
+      version = ">= 4.62"
     }
   }
 }
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 24da9b7..88a6b19 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -26,4 +26,5 @@ module "wrapper" {
   topic_policy_statements = try(each.value.topic_policy_statements, var.defaults.topic_policy_statements, {})
   create_subscription     = try(each.value.create_subscription, var.defaults.create_subscription, true)
   subscriptions           = try(each.value.subscriptions, var.defaults.subscriptions, {})
+  data_protection_policy  = try(each.value.data_protection_policy, var.defaults.data_protection_policy, null)
 }

From 2868f010a708d4ccc57e7695a1206610ca177535 Mon Sep 17 00:00:00 2001
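Review bot: The `count` expression on the new `aws_sns_topic_data_protection_policy.this` resource silently discards a supplied `data_protection_policy` whenever `var.fifo_topic` is true, so a caller who sets both gets a topic with no data protection policy and no signal that their input was ignored. The `!var.fifo_topic` guard is presumably there because the provider or service rejects such policies on FIFO topics, but nothing in the resource or the variable records that, and a security control that is dropped without feedback is the kind of gap that is only noticed in an audit. At minimum add a why-comment above the count line, e.g. `# Data protection policies are only applied to standard topics; a policy supplied together with fifo_topic = true is ignored`, and consider surfacing the conflict instead with a `lifecycle { precondition { ... } }` on the resource (or a `validation` on the variable) so `plan` fails rather than quietly skipping the policy. The same guard should be mirrored in the `data_protection_policy` variable description in variables.tf.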
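Review bot: The `description` of the new `data_protection_policy` variable says "A map of data protection policy statements", but its `type` is `string` and the resource passes it straight through as `policy`, which expects a JSON document (the example feeds it `jsonencode(...)`); a reader of the README row generated from this description will try to pass a map and get a type error. Change it to something like `description = "JSON-encoded SNS data protection policy document (e.g. built with jsonencode()); ignored when fifo_topic = true"`, and regenerate the README row if it is produced by terraform-docs. Since the value is an opaque string that is only checked at apply time, a `validation` block that rejects non-JSON input would turn a runtime API failure into a plan-time error:

```hcl
variable "data_protection_policy" {
  description = "JSON-encoded SNS data protection policy document (e.g. built with jsonencode()); ignored when fifo_topic = true"
  type        = string
  default     = null

  validation {
    condition     = var.data_protection_policy == null || can(jsondecode(var.data_protection_policy))
    error_message = "data_protection_policy must be null or a JSON-encoded policy document."
  }
}
```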
From: magreenbaum
Date: Sat, 8 Apr 2023 09:13:26 -0400
Subject: [PATCH 2/4] update description, name, and sid

---
 examples/complete/main.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 4f7d64f..f6123b5 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -27,11 +27,11 @@ module "default_sns" {
 
   data_protection_policy = jsonencode(
     {
-      Description = "Test"
-      Name        = "Test"
+      Description = "Deny Inbound Address"
+      Name        = "DenyInboundEmailAdressPolicy"
       Statement = [
         {
-          "DataDirection" = "Inbound"
+          "DataDirection" = "Outbound"
           "DataIdentifier" = [
             "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
           ]
@@ -41,7 +41,7 @@ module "default_sns" {
           "Principal" = [
             "*",
           ]
-          "Sid" = "Deny"
+          "Sid" = "DenyInboundEmailAddress"
         },
       ]
       Version = "2021-06-01"

From 0c62f142507bc10e677782f30c7a4c75d2bc1db6 Mon Sep 17 00:00:00 2001
From: magreenbaum
Date: Sat, 8 Apr 2023 10:26:02 -0400
Subject: [PATCH 3/4] change datadirection to inbound

---
 examples/complete/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index f6123b5..6a1ffd1 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -31,7 +31,7 @@ module "default_sns" {
       Name        = "DenyInboundEmailAdressPolicy"
       Statement = [
         {
-          "DataDirection" = "Outbound"
+          "DataDirection" = "Inbound"
           "DataIdentifier" = [
             "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
           ]

From a0ee02513e69d5c862388d0940d1b0c623d485af Mon Sep 17 00:00:00 2001
From: magreenbaum
Date: Sat, 8 Apr 2023 14:21:22 -0400
Subject: [PATCH 4/4] add line after count argument

---
 main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 718f50e..f9e0cbe 100644
--- a/main.tf
+++ b/main.tf
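Review bot: The new policy `Name` in the first hunk of this patch, `"DenyInboundEmailAdressPolicy"`, misspells "Address", and the typo survives patch 3 (it appears there as context) so it ends up in the shipped example and in any topic created from it. Change the line to `Name = "DenyInboundEmailAddressPolicy"` so the name matches the `Sid` `"DenyInboundEmailAddress"` set in the second hunk. The `Description = "Deny Inbound Address"` would also read more precisely as `"Deny Inbound Email Address"`, since the only data identifier in the statement is `EmailAddress`. The surrounding `module "default_sns"` block starts before and ends after this hunk.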
@@ -160,7 +160,8 @@ resource "aws_sns_topic_subscription" "this" {
 ################################################################################
 
 resource "aws_sns_topic_data_protection_policy" "this" {
-  count = var.create && var.data_protection_policy != null && !var.fifo_topic ? 1 : 0
+  count = var.create && var.data_protection_policy != null && !var.fifo_topic ? 1 : 0
+
   arn    = aws_sns_topic.this[0].arn
   policy = var.data_protection_policy
 }