fix: SNS policy to match attach update

lacework · Mar 24, 2023 · 4d33c67 · 4d33c67
1 parent 101cbcd
commit 4d33c67
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 3 deletions.
diff --git a/examples/existing-cloudtrail-without-sns-topic/README.md b/examples/existing-cloudtrail-without-sns-topic/README.md
@@ -7,12 +7,15 @@ the example named [existing-cloudtrail](https://registry.terraform.io/modules/la
 
 **IMPORTANT:** The new SNS topic must be created in the same region as the existing CloudTrail.
 
+**IMPORTANT:** The existing `cloudtrail_name` is required for the SNS Topic policy.
+
 ## Inputs
 
 | Name                      | Description                                               | Type     |
 | ------------------------- | --------------------------------------------------------- | -------- |
 | `use_existing_cloudtrail` | Set this to `true` to use an existing CloudTrail.         | `bool`   |
 | `bucket_arn`              | The S3 bucket ARN configured in the existing CloudTrail.  | `string` |
+| `cloudtrail_name`         | The name of the existing CloudTrail                       | `string` |
 
 **IMPORTANT:** This example does not modify your CloudTrail, therefore, you must enable
 SNS delivery notifications manually and point to the generated SNS topic.
@@ -41,6 +44,7 @@ module "lacework_cloudtrail" {
 
   use_existing_cloudtrail = true
   bucket_arn              = "bucket ARN from existing cloudtrail"
+  cloudtrail_name         = "lacework-cloudtrail"
 }
 ```
 

diff --git a/examples/existing-cloudtrail-without-sns-topic/main.tf b/examples/existing-cloudtrail-without-sns-topic/main.tf
@@ -9,6 +9,7 @@ module "aws_cloudtrail" {
 
   # Use an existing CloudTrail
   use_existing_cloudtrail = true
-  bucket_arn              = "arn:aws:s3:::lacework-ct-bucket-8805c0bf"
-  bucket_name             = "lacework-ct-bucket-8805c0bf"
+  bucket_arn              = "arn:aws:s3:::lacework-ct-bucket-4d857633"
+  bucket_name             = "lacework-ct-bucket-4d857633"
+  cloudtrail_name         = "lacework-cloudtrail"
 }
diff --git a/main.tf b/main.tf
@@ -358,9 +358,17 @@ data "aws_iam_policy_document" "sns_topic_policy" {
     for_each = !var.use_s3_bucket_notification ? [1] : []
     content {
       actions   = ["SNS:Publish"]
-      sid       = "AWSCloudTrailSNSPolicy20131101"
+      sid       = "AWSCloudTrailSNSPolicy20150319"
       resources = [local.sns_topic_arn]
 
+      effect = "Allow"
+
+      condition {
+        test = "StringEquals"
+        variable = "AWS:SourceArn"
+        values = ["arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"]
+      }
+
       principals {
         type        = "Service"
         identifiers = ["cloudtrail.amazonaws.com"]