aws · mergify · Mar 17, 2021 · Sep 26, 2020 · Sep 27, 2020 · Oct 15, 2020
diff --git a/packages/@aws-cdk/aws-sns/lib/policy.ts b/packages/@aws-cdk/aws-sns/lib/policy.ts
@@ -12,6 +12,11 @@ export interface TopicPolicyProps {
    * The set of topics this policy applies to.
    */
   readonly topics: ITopic[];
+  /**
+   * IAM policy document to apply to topic(s).
+   */
+  readonly policyDocument: PolicyDocument;
+
 }
 
 /**
@@ -21,19 +26,15 @@ export class TopicPolicy extends Resource {
   /**
    * The IAM policy document for this policy.
    */
-  public readonly document = new PolicyDocument({
-    // statements must be unique, so we use the statement index.
-    // potantially SIDs can change as a result of order change, but this should
-    // not have an impact on the policy evaluation.
-    // https://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage_SpecialInfo.html
-    assignSids: true,
-  });
+  public readonly document: PolicyDocument;
 
   constructor(scope: Construct, id: string, props: TopicPolicyProps) {
     super(scope, id);
 
+    this.document = props.policyDocument;
+
     new CfnTopicPolicy(this, 'Resource', {
-      policyDocument: this.document,
+      policyDocument: props.policyDocument,
       topics: props.topics.map(t => t.topicArn),
     });
   }

diff --git a/packages/@aws-cdk/aws-sns/lib/topic-base.ts b/packages/@aws-cdk/aws-sns/lib/topic-base.ts
@@ -96,7 +96,7 @@ export abstract class TopicBase extends Resource implements ITopic {
    */
   public addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult {
     if (!this.policy && this.autoCreatePolicy) {
-      this.policy = new TopicPolicy(this, 'Policy', { topics: [this] });
+      this.policy = new TopicPolicy(this, 'Policy', { topics: [this], policyDocument: new iam.PolicyDocument({ assignSids: true }) });
     }
 
     if (this.policy) {

diff --git a/packages/@aws-cdk/aws-sns/test/test.sns.ts b/packages/@aws-cdk/aws-sns/test/test.sns.ts
@@ -276,6 +276,51 @@ export = {
     test.done();
   },
 
+  'TopicPolicy can be created'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const topic = new sns.Topic(stack, 'MyTopic');
+    const ps = new iam.PolicyStatement({
+      actions: ['service:statement0'],
+      principals: [new iam.ArnPrincipal('arn')],
+    });
+
+    // WHEN
+    new sns.TopicPolicy(stack, 'topicpolicy', { topics: [topic], policyDocument: new iam.PolicyDocument({ assignSids: true, statements: [ps] }) });
+
+    // THEN
+    expect(stack).toMatch({
+      'Resources': {
+        'MyTopic86869434': {
+          'Type': 'AWS::SNS::Topic',
+        },
+        'topicpolicyF8CF12FD': {
+          'Type': 'AWS::SNS::TopicPolicy',
+          'Properties': {
+            'PolicyDocument': {
+              'Statement': [
+                {
+                  'Action': 'service:statement0',
+                  'Effect': 'Allow',
+                  'Principal': { 'AWS': 'arn' },
+                  'Sid': '0',
+                },
+              ],
+              'Version': '2012-10-17',
+            },
+            'Topics': [
+              {
+                'Ref': 'MyTopic86869434',
+              },
+            ],
+          },
+        },
+      },
+    });
+
+    test.done();
+  },
+
   'topic resource policy includes unique SIDs'(test: Test) {
     const stack = new cdk.Stack();