CCM-12995: Adding sns topic policy for sub

Author: sidnhs

infrastructure/terraform/modules/eventsub/sns_topic_policy.tf

@@ -0,0 +1,77 @@
+resource "aws_sns_topic" "main" {
+  name = "my-topic-with-policy"
+}
+
+resource "aws_sns_topic_policy" "main" {
+  arn = aws_sns_topic.main.arn
+
+  policy = data.aws_iam_policy_document.sns_topic_policy.json
+}
+
+data "aws_iam_policy_document" "sns_topic_policy" {
+  policy_id = "__default_policy_ID"
+
+  statement {
+    actions = [
+      "SNS:Subscribe",
+      "SNS:SetTopicAttributes",
+      "SNS:RemovePermission",
+      "SNS:Receive",
+      "SNS:Publish",
+      "SNS:ListSubscriptionsByTopic",
+      "SNS:GetTopicAttributes",
+      "SNS:DeleteTopic",
+      "SNS:AddPermission",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceOwner"
+
+      values = [
+        var.aws_account_id,
+      ]
+    }
+
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    resources = [
+      aws_sns_topic.test.arn,
+    ]
+
+    sid = "AllowAllSNSActionsFromAccount"
+  }
+
+  statement {
+    actions = [
+      "SNS:Publish",
+    ]
+
+    condition {
+      test     = "ArnLike"
+      variable = "AWS:SourceArn"
+
+      values = [
+        "arn:aws:sns:${var.region}:${var.shared_infra_account_id}:nhs-*-core-to-supplier-events",
+      ]
+    }
+
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    resources = [
+      aws_sns_topic.test.arn,
+    ]
+
+    sid = "AllowAllSNSActionsFromSharedAccount"
+  }
+}

infrastructure/terraform/modules/eventsub/variables.tf

@@ -108,3 +108,9 @@ variable "force_destroy" {
   description = "When enabled will force destroy event-cache S3 bucket"
   default     = false
 }
+
+variable "shared_infra_account_id" {
+  type        = string
+  description = "The AWS Account ID of the shared infrastructure account"
+  default     = "000000000000"
+}