feat: sns, sqs, dlq for Subscriptions (#554)

awslabs · Feb 4, 2022 · fcf6197 · fcf6197
1 parent bf36605
commit fcf6197
Show file tree

Hide file tree

Showing 2 changed files with 100 additions and 0 deletions.
diff --git a/cloudformation/subscriptions.yaml b/cloudformation/subscriptions.yaml
@@ -0,0 +1,99 @@
+#
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+#
+
+Resources:
+  SubscriptionsKey:
+    Type: 'AWS::KMS::Key'
+    Properties:
+      Description: Encryption key for rest hook queue that can be used by SNS
+      EnableKeyRotation: true
+      KeyPolicy:
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: 'sns.amazonaws.com'
+            Action:
+              - 'kms:Decrypt'
+              - 'kms:GenerateDataKey*'
+            Resource: '*'
+          - Sid: Allow administration of the key
+            Effect: Allow
+            Principal:
+              AWS: !Join ['', ['arn:aws:iam::', !Ref AWS::AccountId, ':root']]
+            Action:
+              - 'kms:*'
+            Resource: '*'
+
+  RestHookQueue:
+    Type: AWS::SQS::Queue
+    Properties:
+      KmsMasterKeyId: !Ref SubscriptionsKey
+      RedrivePolicy:
+        deadLetterTargetArn: !GetAtt RestHookDLQ.Arn
+        maxReceiveCount: 3
+
+  RestHookDLQ:
+    Type: AWS::SQS::Queue
+    Properties:
+      MessageRetentionPeriod: 1209600 # 14 days in seconds
+      KmsMasterKeyId: 'alias/aws/sqs'
+
+  RestHookQueuePolicy:
+    Type: AWS::SQS::QueuePolicy
+    Properties:
+      Queues: [!Ref RestHookQueue]
+      PolicyDocument:
+        Statement:
+          - Effect: Deny
+            Action:
+              - SQS:*
+            Resource:
+              - !GetAtt RestHookQueue.Arn
+            Principal: '*'
+            Condition:
+              Bool:
+                'aws:SecureTransport': false
+          - Effect: Allow
+            Action:
+              - SQS:SendMessage
+            Resource:
+              - !GetAtt RestHookQueue.Arn
+            Principal:
+              Service: 'sns.amazonaws.com'
+            Condition:
+              ArnEquals:
+                aws:SourceArn: !Ref SubscriptionsTopic
+
+  RestHookDLQPolicy:
+    Type: AWS::SQS::QueuePolicy
+    Properties:
+      Queues: [!Ref RestHookDLQ]
+      PolicyDocument:
+        Statement:
+          - Effect: Deny
+            Action:
+              - SQS:*
+            Resource:
+              - !GetAtt RestHookDLQ.Arn
+            Principal: '*'
+            Condition:
+              Bool:
+                'aws:SecureTransport': false
+
+  SubscriptionsTopic:
+    Type: AWS::SNS::Topic
+    Properties:
+      TopicName: 'SubscriptionsTopic'
+      KmsMasterKeyId: !Ref SubscriptionsKey
+
+  RestHookSubscription:
+    Type: 'AWS::SNS::Subscription'
+    Properties:
+      TopicArn: !Ref SubscriptionsTopic
+      Endpoint: !GetAtt RestHookQueue.Arn
+      Protocol: sqs
+      FilterPolicy:
+        channelType:
+          - 'rest-hook'
diff --git a/serverless.yaml b/serverless.yaml
@@ -862,6 +862,7 @@ resources:
   - ${file(cloudformation/elasticsearch.yaml)}
   - ${file(cloudformation/cognito.yaml)}
   - ${file(cloudformation/bulkExport.yaml)}
+  - ${file(cloudformation/subscriptions.yaml)}
   - Outputs:
       UserPoolId:
         Description: User pool id for the provisioning users.