[NRL-1158] Switch sns config for backups to match AWS examples

mattdean3-nhs · mattdean3-nhs · commit 15e1880f009f · 2025-08-21T10:19:22.000+01:00
diff --git a/terraform/account-wide-infrastructure/modules/backup-source/sns.tf b/terraform/account-wide-infrastructure/modules/backup-source/sns.tf
@@ -1,7 +1,6 @@
 resource "aws_sns_topic" "backup" {
   name              = "${local.resource_name_prefix}-notifications"
   kms_master_key_id = var.bootstrap_kms_key_arn
-  policy            = data.aws_iam_policy_document.allow_backup_to_sns.json
 }
 
 data "aws_iam_policy_document" "allow_backup_to_sns" {
@@ -19,12 +18,25 @@ data "aws_iam_policy_document" "allow_backup_to_sns" {
       identifiers = ["backup.amazonaws.com"]
     }
 
-    resources = ["*"]
+    resources = [
+      aws_sns_topic.backup.arn
+    ]
 
     sid = "allow_backup"
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = ["${data.aws_caller_identity.current.account_id}"]
+    }
   }
 }
 
+resource "aws_sns_topic_policy" "backup_sns_policy" {
+  arn    = aws_sns_topic.backup.arn
+  policy = data.aws_iam_policy_document.allow_backup_to_sns.json
+}
+
 resource "aws_sns_topic_subscription" "aws_backup_notifications_email_target" {
   count         = length(var.notification_target_email_addresses)
   topic_arn     = aws_sns_topic.backup.arn
