Add support for Amazon SNS server-side encryption #6502

Merged
merged 1 commit into from
Nov 19, 2018
5 changes: 5 additions & 0 deletions aws/resource_aws_sns_topic.go
Expand Up @@ -24,6 +24,7 @@ var SNSAttributeMap = map[string]string{
"http_failure_feedback_role_arn": "HTTPFailureFeedbackRoleArn",
"http_success_feedback_role_arn": "HTTPSuccessFeedbackRoleArn",
"http_success_feedback_sample_rate": "HTTPSuccessFeedbackSampleRate",
"kms_master_key_id": "KmsMasterKeyId",
"lambda_failure_feedback_role_arn": "LambdaFailureFeedbackRoleArn",
"lambda_success_feedback_role_arn": "LambdaSuccessFeedbackRoleArn",
"lambda_success_feedback_sample_rate": "LambdaSuccessFeedbackSampleRate",
Expand Down Expand Up @@ -109,6 +110,10 @@ func resourceAwsSnsTopic() *schema.Resource {
Type: schema.TypeString,
Optional: true,
},
"kms_master_key_id": {
Type: schema.TypeString,
Optional: true,
},
"lambda_success_feedback_role_arn": {
Type: schema.TypeString,
Optional: true,
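Review bot: `kms_master_key_id` is declared with only Type and Optional, so any string is passed through to the SNS API and a mistyped key reference is reported at apply time rather than at plan time. A ValidateFunc covering the accepted forms (key ID, alias, ARN) would surface the error earlier.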
38 changes: 38 additions & 0 deletions aws/resource_aws_sns_topic_test.go
Expand Up @@ -227,6 +227,35 @@ func TestAccAWSSNSTopic_deliveryStatus(t *testing.T) {
})
}

func TestAccAWSSNSTopic_encryption(t *testing.T) {
attributes := make(map[string]string)

rName := acctest.RandString(10)

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
IDRefreshName: "aws_sns_topic.test_topic",
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSSNSTopicDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSSNSTopicConfig_withEncryption(rName),
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSSNSTopicExists("aws_sns_topic.test_topic", attributes),
resource.TestCheckResourceAttr("aws_sns_topic.test_topic", "kms_master_key_id", "alias/aws/sns"),
),
},
{
Config: testAccAWSSNSTopicConfig_withName(rName),
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSSNSTopicExists("aws_sns_topic.test_topic", attributes),
resource.TestCheckResourceAttr("aws_sns_topic.test_topic", "kms_master_key_id", ""),
),
},
},
})
}

func testAccCheckAWSNSTopicHasPolicy(n string, expectedPolicyText string) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[n]
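Review bot: In TestAccAWSSNSTopic_encryption both steps verify `kms_master_key_id` only through resource.TestCheckResourceAttr, which reads Terraform state; the `attributes` map handed to testAccCheckAWSSNSTopicExists is never examined afterwards. If that helper fills the map from the SNS API, add a check on its KmsMasterKeyId entry in each step so the test confirms the topic itself carries the key in step one and no longer carries it in step two.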
Expand Down Expand Up @@ -593,3 +622,12 @@ EOF
}
`, r, r, r)
}

func testAccAWSSNSTopicConfig_withEncryption(r string) string {
return fmt.Sprintf(`
resource "aws_sns_topic" "test_topic" {
name = "terraform-test-topic-%s"
kms_master_key_id = "alias/aws/sns"
}
`, r)
}
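Review bot: The only encryption fixture sets `kms_master_key_id = "alias/aws/sns"`, the AWS-managed key, while the documentation in this PR also advertises a custom CMK. A second config that creates a key in the same fixture and references it from the topic would exercise that path, and the ARN form mentioned in review as well.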
10 changes: 10 additions & 0 deletions website/docs/r/sns_topic.html.markdown
Expand Up @@ -45,6 +45,15 @@ EOF
}
```

## Example with Server-side encryption (SSE)

```hcl
resource "aws_sns_topic" "user_updates" {
name = "user-updates-topic"
kms_master_key_id = "alias/aws/sns"
}
```

## Message Delivery Status Arguments

The `<endpoint>_success_feedback_role_arn` and `<endpoint>_failure_feedback_role_arn` arguments are used to give Amazon SNS write access to use CloudWatch Logs on your behalf. The `<endpoint>_success_feedback_sample_rate` argument is for specifying the sample rate percentage (0-100) of successfully delivered messages. After you configure the `<endpoint>_failure_feedback_role_arn` argument, then all failed message deliveries generate CloudWatch Logs.
Expand All @@ -64,6 +73,7 @@ The following arguments are supported:
* `http_success_feedback_role_arn` - (Optional) The IAM role permitted to receive success feedback for this topic
* `http_success_feedback_sample_rate` - (Optional) Percentage of success to sample
* `http_failure_feedback_role_arn` - (Optional) IAM role for failure feedback
* `kms_master_key_id` - (Optional) The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK. For more information, see [Key Terms](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms)
Contributor

Nit: We should probably note this as ID or ARN, as both are allowed.

* `lambda_success_feedback_role_arn` - (Optional) The IAM role permitted to receive success feedback for this topic
* `lambda_success_feedback_sample_rate` - (Optional) Percentage of success to sample
* `lambda_failure_feedback_role_arn` - (Optional) IAM role for failure feedback
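Review bot: The `kms_master_key_id` description does not say what omitting or removing the argument does. The schema hunk makes it Optional with no default, and the acceptance test expects the attribute to return to an empty string once it is dropped from the config, so the docs should state that the topic has no key configured unless this argument is set and that removing it clears the key. The example and the test also pass an alias (`alias/aws/sns`), so "ID" could be widened to name the alias form alongside the ARN form raised in the comment above.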