feat: Add data protection policy support (#43)

Co-authored-by: magreenbaum <magreenbaum>

Author: magreenbaum

README.md

@@ -135,13 +135,13 @@ module "sns_topic" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.56 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.62 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.56 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.62 |
 
 ## Modules
 
@@ -152,6 +152,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_sns_topic.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
+| [aws_sns_topic_data_protection_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_data_protection_policy) | resource |
 | [aws_sns_topic_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -166,6 +167,7 @@ No modules.
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_subscription"></a> [create\_subscription](#input\_create\_subscription) | Determines whether an SNS subscription is created | `bool` | `true` | no |
 | <a name="input_create_topic_policy"></a> [create\_topic\_policy](#input\_create\_topic\_policy) | Determines whether an SNS topic policy is created | `bool` | `true` | no |
+| <a name="input_data_protection_policy"></a> [data\_protection\_policy](#input\_data\_protection\_policy) | A map of data protection policy statements | `string` | `null` | no |
 | <a name="input_delivery_policy"></a> [delivery\_policy](#input\_delivery\_policy) | The SNS delivery policy | `string` | `null` | no |
 | <a name="input_display_name"></a> [display\_name](#input\_display\_name) | The display name for the SNS topic | `string` | `null` | no |
 | <a name="input_enable_default_topic_policy"></a> [enable\_default\_topic\_policy](#input\_enable\_default\_topic\_policy) | Specifies whether to enable the default topic policy. Defaults to `true` | `bool` | `true` | no |

examples/complete/main.tf

@@ -25,6 +25,29 @@ module "default_sns" {
   name              = "${local.name}-default"
   signature_version = 2
 
+  data_protection_policy = jsonencode(
+    {
+      Description = "Deny Inbound Address"
+      Name        = "DenyInboundEmailAdressPolicy"
+      Statement = [
+        {
+          "DataDirection" = "Inbound"
+          "DataIdentifier" = [
+            "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
+          ]
+          "Operation" = {
+            "Deny" = {}
+          }
+          "Principal" = [
+            "*",
+          ]
+          "Sid" = "DenyInboundEmailAddress"
+        },
+      ]
+      Version = "2021-06-01"
+    }
+  )
+
   tags = local.tags
 }
 

main.tf

@@ -154,3 +154,14 @@ resource "aws_sns_topic_subscription" "this" {
   subscription_role_arn           = try(each.value.subscription_role_arn, null)
   topic_arn                       = aws_sns_topic.this[0].arn
 }
+
+################################################################################
+# Data Protection Policy
+################################################################################
+
+resource "aws_sns_topic_data_protection_policy" "this" {
+  count = var.create && var.data_protection_policy != null && !var.fifo_topic ? 1 : 0
+
+  arn    = aws_sns_topic.this[0].arn
+  policy = var.data_protection_policy
+}

variables.tf

@@ -177,3 +177,13 @@ variable "subscriptions" {
   type        = any
   default     = {}
 }
+
+################################################################################
+# Data Protection Policy
+################################################################################
+
+variable "data_protection_policy" {
+  description = "A map of data protection policy statements"
+  type        = string
+  default     = null
+}

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.56"
+      version = ">= 4.62"
     }
   }
 }

wrappers/main.tf

@@ -26,4 +26,5 @@ module "wrapper" {
   topic_policy_statements         = try(each.value.topic_policy_statements, var.defaults.topic_policy_statements, {})
   create_subscription             = try(each.value.create_subscription, var.defaults.create_subscription, true)
   subscriptions                   = try(each.value.subscriptions, var.defaults.subscriptions, {})
+  data_protection_policy          = try(each.value.data_protection_policy, var.defaults.data_protection_policy, null)
 }