From 918a80efd9a8850a95192602e1ec0059d046c011 Mon Sep 17 00:00:00 2001
From: Razvan Cosma <75040720+razvan-moj@users.noreply.github.com>
Date: Thu, 21 Jul 2022 19:07:46 +0300
Subject: [PATCH] add SNS policy (#5)
* SNS policy
---
 README.md | 3 +++
 sns.tf | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 sns.tf
diff --git a/README.md b/README.md
index 13fb0ce..d71b8e3 100644
--- a/README.md
+++ b/README.md
@@ -40,11 +40,13 @@ No modules.
 | [auth0_rule_config.aws_saml_provider_name](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/rule_config) | resource |
 | [aws_iam_policy.iam_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.sns_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.sqs_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.vpc_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.github_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.iam_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.s3_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.sns_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.sqs_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.vpc_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_saml_provider.auth0](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource |
@@ -53,6 +55,7 @@ No modules.
 | [aws_iam_policy_document.federated_role_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.iam_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.sns_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sqs_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.vpc_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
diff --git a/sns.tf b/sns.tf
new file mode 100644
index 0000000..ef66133
--- /dev/null
+++ b/sns.tf
@@ -0,0 +1,48 @@
+data "aws_iam_policy_document" "sns_for_github" {
+
+ statement {
+ sid = "AllowListDescribe"
+ effect = "Allow"
+ actions = [
+ "sns:ListPlatformApplications",
+ "sns:ListSubscriptions",
+ "sns:ListTagsForResource",
+ "sns:ListTopics"
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "AllowPublishOwn"
+ effect = "Allow"
+ actions = [
+ "sns:Publish",
+ "sns:GetPlatformApplicationAttributes",
+ "sns:GetSubscriptionAttributes",
+ "sns:GetTopicAttributes",
+ "sns:GetEndpointAttributes",
+ "sns:GetSubscriptionAttributes",
+ "sns:Publish"
+ ]
+ resources = ["*"]
+ condition {
+ test = "StringLike"
+ variable = "aws:PrincipalTag/GithubTeam"
+ values = ["*:$${aws:ResourceTag/GithubTeam}:*"]
+ }
+ }
+
+}
+
+resource "aws_iam_policy" "sns_for_github" {
+ policy = data.aws_iam_policy_document.sns_for_github.json
+ name = "sns-for-github"
+ tags = {
+ GithubTeam = "webops"
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "sns_for_github" {
+ role = aws_iam_role.github_access.name
+ policy_arn = aws_iam_policy.sns_for_github.arn
+}
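Review bot: The `AllowPublishOwn` action list in the new `sns_for_github` document repeats `sns:Publish` and `sns:GetSubscriptionAttributes`, so the rendered policy carries duplicate entries; drop the second occurrence of each so the statement reads as the five distinct actions it actually grants. The tag-matching condition is the only thing keeping that statement from being a blanket `sns:Publish` on `*`, and its effect on resources that carry no `GithubTeam` tag (and on `Publish` targets that are not topics, such as platform endpoints) is not obvious from the text, so I would verify the deny behaviour with the IAM policy simulator before relying on it, and keep `sns:TagResource` out of any policy attached to `github_access` so the tag that drives the match cannot be rewritten by the same principal. A short header comment would help the next reader, e.g. `# ABAC: a principal may only act on SNS resources whose GithubTeam tag appears, colon-delimited, in the principal's own GithubTeam tag.` placed above the second `statement` block.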