def register_destination_publish_permission(self, template):
template.add_resource(
sns.TopicPolicy(
utils.valid_cloudformation_name(
self.bucket_notification_configuration.name, self.id,
'permission'),
Topics=[self.get_destination_arn()],
PolicyDocument={
"Version":
"2008-10-17",
"Id":
"PublicationPolicy",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": ["sns:Publish"],
"Resource": self.get_destination_arn(),
"Condition": {
"ArnEquals": {
"aws:SourceArn":
self.bucket_notification_configuration.
get_bucket_arn()
}
}
}]
}))
def add_topic_policy(self, topic):
"""Adds a topic policy to a topic object that allows it to be notified by the AWS Budgets
service.
:param topic: a sns.Topic object
:return: the sns.TopicPolicy object
"""
return self.add_resource(
sns.TopicPolicy(
"{}Policy".format(topic.title),
PolicyDocument={
"Id":
"BudgetTopicPolicy",
"Version":
"2012-10-17",
"Statement": [{
"Sid": "AWSBudgets-sns-notification",
"Effect": "Allow",
"Principal": {
"Service": "budgets.amazonaws.com"
},
"Action": "SNS:Publish",
"Resource": Ref(topic),
}],
},
Topics=[Ref(topic)],
))
def public_topic(base_name: str) -> (sns.Topic, sns.TopicPolicy):
topic = sns.Topic(f"{base_name}Topic")
topic_policy = sns.TopicPolicy(
f"{base_name}TopicPolicy",
Topics=[topic.ref()],
PolicyDocument=dict(
Version="2008-10-17",
Statement=[_owner_policy(topic),
_public_broadcast(topic)]),
)
return topic, topic_policy
def _add_pipeline_notifications(self, pipeline):
subscriptions = self._create_sns_subscriptions()
topic = sns.Topic(
'AppPipelineDeployments',
DisplayName='AppPipelineDeployments',
Subscription=subscriptions,
)
self._t.add_resource(topic)
topic_policy = sns.TopicPolicy(
'AllowCloudWatchEventsPublish',
PolicyDocument=Policy(Version='2012-10-17',
Statement=[
Statement(
Sid='AllowCloudWatchEventsToPublish',
Effect=Allow,
Action=[_sns.Publish],
Principal=Principal(
'Service',
'events.amazonaws.com'),
Resource=[topic.Ref()],
)
]),
Topics=[topic.Ref()],
)
self._t.add_resource(topic_policy)
sns_target = [events.Target(Id='1', Arn=topic.Ref())]
cw_event = events.Rule(
'PipelineEvents',
Description='CloudWatch Events Rule for app pipeline.',
EventPattern={
"source": ["aws.codepipeline"],
"detail-type": [
'CodePipeline Action Execution State Change',
],
'detail': {
'type': {
# Notify when a deploy fails/succeeds
# or when an approval is needed.
# We could also add something when any
# part of the pipeline fails.
'category': ['Deploy', 'Approval'],
},
'pipeline': [pipeline.Ref()],
}
},
Targets=sns_target,
)
self._t.add_resource(cw_event)
return topic
def allow_publish_policy(
self,
service: str,
name_suffix: str,
condition: Optional[ConditionType] = None) -> sns.TopicPolicy:
"""Return a policy allowing a service to publish to the topic.
:param service: service allowed to publish
:param name_suffix: a suffix used in the object name
:param condition: condition to be able to publish
"""
return sns.TopicPolicy(
name_to_id(f"{self.name}Policy{name_suffix}"),
Topics=[self.ref],
PolicyDocument=PolicyDocument(statements=[
Allow(
action="sns:Publish",
resource=self.ref,
principal={"Service": f"{service}.amazonaws.com"},
condition=condition,
)
]).as_dict,
)
]))
event = t.add_resource(
events.Rule("EventsRule",
Condition="IsMaster",
EventPattern={"source": ["aws.guardduty"]},
State="ENABLED",
Targets=[events.Target(
Arn=Ref(snstopic),
Id="sns",
)]))
# Allow events to send notifications to SNS
t.add_resource(
sns.TopicPolicy(
"SNSTopicPolicy",
Condition="IsMaster",
PolicyDocument=aws.Policy(Statement=[
aws.Statement(
Effect=aws.Allow,
Action=[
aws.Action("sns", "Publish"),
],
Principal=aws.Principal("Service", "events.amazonaws.com"),
Resource=[Ref(snstopic)],
),
]),
Topics=[Ref(snstopic)]))
print(t.to_json())
from troposphere import sns, Ref
from stacks.main.resources.bucket_updates_topic import bucket_updates_topic
bucket_updates_topic_policy = sns.TopicPolicy(
"BucketUpdatesTopicPolicy",
PolicyDocument={
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"Service": "s3.amazonaws.com"},
"Action": "sns:Publish",
"Resource": "*",
}
],
},
Topics=[Ref(bucket_updates_topic)],
)
Sub('arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*'
)
])
])))
config_topic = template.add_resource(
sns.Topic('ConfigTopic',
TopicName=Sub('config-topic-${AWS::AccountId}'),
DisplayName='AWS Config Notification Topic'))
config_topic_policy = template.add_resource(
sns.TopicPolicy("ConfigTopicPolicy",
Topics=[Ref(config_topic)],
PolicyDocument=PolicyDocument(Statement=[
Statement(Sid='AWSConfigSNSPolicy',
Action=[awacs.sns.Publish],
Effect=Allow,
Resource=Ref(config_topic),
Principal=config_service_principal)
])))
email_notification = template.add_resource(
sns.SubscriptionResource('EmailNotification',
Endpoint=Ref(notification_email),
Protocol='email',
TopicArn=Ref(config_topic)))
config_recorder_role = template.add_resource(
iam.Role(
'ConfigRecorderRole',
AssumeRolePolicyDocument=PolicyDocument(Statement=[