Attach more restrictive SNS topic policies to topics
Background
When no policy is attached to an SNS topic, SNS applies its default topic policy, which grants far more than a topic typically needs: every principal in the owning account (`"Principal": {"AWS": "*"}`, limited only by the `AWS:SourceOwner` condition) may change the topic's attributes, add or remove permissions, delete the topic, subscribe to it and publish to it.
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:GetTopicAttributes",
"SNS:SetTopicAttributes",
"SNS:AddPermission",
"SNS:RemovePermission",
"SNS:DeleteTopic",
"SNS:Subscribe",
"SNS:ListSubscriptionsByTopic",
"SNS:Publish",
"SNS:Receive"
],
"Resource": "arn:aws:sns:REGION:ACC_ID:test",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "ACC_ID"
}
}
}
]
}
Desired Change
Attach an explicit topic policy to each SNS topic so that it replaces the default policy and grants only the actions the topic actually needs.
E.g.
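# Explicit topic policy for the metric_alarms SNS topic, replacing the
# permissive SNS default (which additionally grants SetTopicAttributes,
# AddPermission, RemovePermission and DeleteTopic to every principal in the
# account).
#
# Both the policy document and its attachment are gated on the same flag so
# that `aws_sns_topic.metric_alarms[0]` is never indexed when the topic is not
# created. Without the count on the data source, a plan with
# enable_negative_match_alerts = false fails with an invalid-index error
# (assuming the topic itself carries the same count, as the `[0]` index and the
# attachment's count suggest -- confirm against the topic definition).
data "aws_iam_policy_document" "metric_alarms" {
  count     = var.enable_negative_match_alerts ? 1 : 0
  policy_id = "metric_alarms"

  statement {
    sid    = "__secure_statement_ID"
    effect = "Allow"

    # NOTE(review): "*" scoped by AWS:SourceOwner still means every IAM
    # identity in this account may publish to and subscribe to the topic
    # (for same-account callers an Allow in the resource policy is generally
    # sufficient on its own -- confirm). If the only publisher is a known
    # service principal or role, narrow `identifiers` to that principal.
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    resources = [
      aws_sns_topic.metric_alarms[0].arn,
    ]

    # Only the actions a producer/consumer needs; the management actions
    # present in the default policy are intentionally left to IAM identity
    # policies.
    actions = [
      "SNS:Subscribe",
      "SNS:Receive",
      "SNS:Publish",
    ]

    # Restrict the wildcard principal to callers from this account.
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceOwner"
      values = [
        data.aws_caller_identity.current.account_id,
      ]
    }
  }
}

resource "aws_sns_topic_policy" "metric_alarms" {
  count = var.enable_negative_match_alerts ? 1 : 0
  arn   = aws_sns_topic.metric_alarms[0].arn
  # The data source is counted above, so it must be indexed here as well.
  policy = data.aws_iam_policy_document.metric_alarms[0].json
}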