Skip to content

Commit

Permalink
add feadback from colifran
Browse files Browse the repository at this point in the history
  • Loading branch information
msambol committed Feb 20, 2024
1 parent ca9c2cd commit bd87f7f
Show file tree
Hide file tree
Showing 5 changed files with 30 additions and 29 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -32,15 +32,14 @@ new TopicPolicy(stack, 'TopicPolicy', {
const topicAddPolicy = new Topic(stack, 'TopicAddPolicy', {
topicName: 'topicAddPolicy',
displayName: 'topicDisplayNameAddPolicy',
enforceSSL: true,
});

topicAddPolicy.addToResourcePolicy(new PolicyStatement({
principals: [new ServicePrincipal('s3.amazonaws.com')],
actions: ['sns:Publish'],
resources: [topicAddPolicy.topicArn],
}), {
enforceSSL: true,
});
}));

new IntegTest(app, 'SNSTopicPolicyInteg', {
testCases: [stack],
Expand Down
10 changes: 5 additions & 5 deletions packages/aws-cdk-lib/aws-sns/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -232,18 +232,18 @@ const topicPolicy = new sns.TopicPolicy(this, 'Policy', {
});
```

Similiarly for `addToResourcePolicy`, you can enforce SSL by setting the `enforceSSL` flag:
Similiarly you can enforce SSL by setting the `enforceSSL` flag on the topic:

```ts
const topic = new sns.Topic(this, 'TopicAddPolicy');
const topic = new sns.Topic(this, 'TopicAddPolicy', {
enforceSSL: true,
});

topic.addToResourcePolicy(new iam.PolicyStatement({
principals: [new iam.ServicePrincipal('s3.amazonaws.com')],
actions: ['sns:Publish'],
resources: [topic.topicArn],
}), {
enforceSSL: true,
});
}));
```

## Delivery status logging
Expand Down
25 changes: 8 additions & 17 deletions packages/aws-cdk-lib/aws-sns/lib/topic-base.ts
Original file line number Diff line number Diff line change
Expand Up @@ -51,28 +51,14 @@ export interface ITopic extends IResource, notifications.INotificationRuleTarget
* will be automatically created upon the first call to `addToResourcePolicy`. If
* the topic is imported (`Topic.import`), then this is a no-op.
*/
addToResourcePolicy(statement: iam.PolicyStatement, addToResourcePolicyProps?: AddToResourcePolicyProps): iam.AddToResourcePolicyResult;
addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult;

/**
* Grant topic publishing permissions to the given identity
*/
grantPublish(identity: iam.IGrantable): iam.Grant;
}

/**
* Properties for adding a resource policy
*/
export interface AddToResourcePolicyProps {
/**
* Adds a statement to enforce encryption of data in transit when publishing to the topic.
*
* For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit.
*
* @default false
*/
readonly enforceSSL?: boolean;
}

/**
* Either a new or imported Topic
*/
Expand All @@ -92,6 +78,11 @@ export abstract class TopicBase extends Resource implements ITopic {
*/
protected abstract readonly autoCreatePolicy: boolean;

/**
* Adds a statement to enforce encryption of data in transit when publishing to the topic.
*/
protected enforceSSL?: boolean;

private policy?: TopicPolicy;

constructor(scope: Construct, id: string, props: ResourceProps = {}) {
Expand Down Expand Up @@ -139,15 +130,15 @@ export abstract class TopicBase extends Resource implements ITopic {
* will be automatically created upon the first call to `addToResourcePolicy`. If
* the topic is imported (`Topic.import`), then this is a no-op.
*/
public addToResourcePolicy(statement: iam.PolicyStatement, addToResourcePolicyProps?: AddToResourcePolicyProps): iam.AddToResourcePolicyResult {
public addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult {
if (!this.policy && this.autoCreatePolicy) {
this.policy = new TopicPolicy(this, 'Policy', { topics: [this] });
}

if (this.policy) {
this.policy.document.addStatements(statement);

if (addToResourcePolicyProps?.enforceSSL) {
if (this.enforceSSL) {
this.policy.document.addStatements(this.createSSLPolicyDocument());
}
return { statementAdded: true, policyDependable: this.policy };
Expand Down
11 changes: 11 additions & 0 deletions packages/aws-cdk-lib/aws-sns/lib/topic.ts
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,15 @@ export interface TopicProps {
* @default - do not archive messages
*/
readonly messageRetentionPeriodInDays?: number;

/**
* Adds a statement to enforce encryption of data in transit when publishing to the topic.
*
* For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit.
*
* @default false
*/
readonly enforceSSL?: boolean;
}

/**
Expand Down Expand Up @@ -174,6 +183,8 @@ export class Topic extends TopicBase {
physicalName: props.topicName,
});

this.enforceSSL = props.enforceSSL;

if (props.contentBasedDeduplication && !props.fifo) {
throw new Error('Content based deduplication can only be enabled for FIFO SNS topics.');
}
Expand Down
8 changes: 4 additions & 4 deletions packages/aws-cdk-lib/aws-sns/test/sns.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -189,16 +189,16 @@ describe('Topic', () => {
test('can add a policy to the topic enforcing ssl', () => {
// GIVEN
const stack = new cdk.Stack();
const topic = new sns.Topic(stack, 'Topic');
const topic = new sns.Topic(stack, 'Topic', {
enforceSSL: true,
});

// WHEN
topic.addToResourcePolicy(new iam.PolicyStatement({
resources: ['*'],
actions: ['sns:*'],
principals: [new iam.ArnPrincipal('arn')],
}), {
enforceSSL: true,
});
}));

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::SNS::TopicPolicy', {
Expand Down

0 comments on commit bd87f7f

Please sign in to comment.