Merge pull request #185 from bmbferreira/adds-missing-permissions-for…

…-encrypted-sns-topics

adds missing permissions for encrypted sns topics

README.md

@@ -313,6 +313,7 @@ No modules.
 | required\_tags\_resource\_types | Resource types to check for tags. | `list(string)` | `[]` | no |
 | resource\_types | A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types. | `list(string)` | `[]` | no |
 | s3\_bucket\_public\_access\_prohibited\_exclusion | Comma-separated list of known allowed public Amazon S3 bucket names. | `string` | `"example,CSV"` | no |
+| sns\_kms\_key\_id | The ARN of the KMS key used to encrypt the Amazon SNS topic. | `string` | `null` | no |
 | tags | Tags to apply to AWS Config resources | `map(string)` | `{}` | no |
 | vpc\_sg\_authorized\_ports | Object with values as Comma-separated list of ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '443,1020-1025' | ```object({ authorizedTcpPorts = optional(string, null) authorizedUdpPorts = optional(string, null) })``` | `{}` | no |
 

examples/encrypted-sns-topic/main.tf

@@ -0,0 +1,76 @@
+data "aws_partition" "current" {}
+
+#
+# AWS Config Logs Bucket
+#
+
+module "config_logs" {
+  source  = "trussworks/logs/aws"
+  version = "~> 10"
+
+  s3_bucket_name     = var.config_logs_bucket
+  allow_config       = true
+  config_logs_prefix = "config"
+  force_destroy      = true
+}
+
+#
+# SNS Topic
+#
+
+data "aws_iam_policy_document" "config" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [module.config.aws_config_role_arn]
+    }
+    actions   = ["SNS:Publish"]
+    resources = [aws_sns_topic.config.arn]
+  }
+}
+
+resource "aws_sns_topic" "config" {
+  name              = var.config_name
+  kms_master_key_id = module.sns_key.key_arn
+}
+
+resource "aws_sns_topic_policy" "config" {
+  arn    = aws_sns_topic.config.arn
+  policy = data.aws_iam_policy_document.config.json
+}
+
+#
+# KMS Key for SNS
+#
+module "sns_key" {
+  source      = "terraform-aws-modules/kms/aws"
+  version     = "~> 1.5.0"
+  description = "Key for SNS usage"
+  key_usage   = "ENCRYPT_DECRYPT"
+
+  # Policy
+  key_users = [module.config.aws_config_role_arn]
+
+  # Aliases
+  aliases = ["theydo/sns"]
+}
+
+#
+# AWS Config
+#
+
+module "config" {
+  source = "../../"
+
+  config_name          = var.config_name
+  config_logs_bucket   = module.config_logs.aws_logs_bucket
+  config_logs_prefix   = "config"
+  config_sns_topic_arn = aws_sns_topic.config.arn
+  sns_kms_key_id       = module.sns_key.key_arn
+
+  tags = {
+    "Automation" = "Terraform"
+    "Name"       = var.config_name
+  }
+}

examples/encrypted-sns-topic/variables.tf

@@ -0,0 +1,11 @@
+variable "config_name" {
+  type = string
+}
+
+variable "config_logs_bucket" {
+  type = string
+}
+
+variable "region" {
+  type = string
+}

iam.tf

@@ -17,6 +17,30 @@ data "aws_iam_policy_document" "aws_config_policy" {
     ]
   }
 
+  dynamic "statement" {
+    for_each = var.sns_kms_key_id != null ? [1] : []
+    content {
+      sid    = "AWSAllowKMSKeyUsage"
+      effect = "Allow"
+      actions = [
+        "kms:Decrypt",
+        "kms:GenerateDataKey*"
+      ]
+      resources = [var.sns_kms_key_id]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.sns_kms_key_id != null ? [1] : []
+    content {
+      sid    = "AWSAllowSNSPublish"
+      effect = "Allow"
+      actions = [
+        "sns:Publish"
+      ]
+      resources = [var.config_sns_topic_arn]
+    }
+  }
 
   statement {
     sid    = "AWSConfigBucketExistenceCheck"

variables.tf

@@ -551,3 +551,9 @@ variable "vpc_sg_authorized_ports" {
   })
   default = {}
 }
+
+variable "sns_kms_key_id" {
+  description = "The ARN of the KMS key used to encrypt the Amazon SNS topic."
+  type        = string
+  default     = null
+}