fix(schedules): Add policy to sns topics to allow eventbridge trigger

jyecusch · jyecusch · commit a434f7295ebd · 2021-10-27T19:53:41.000+11:00
diff --git a/packages/plugins/aws/src/resources/schedule.test.ts b/packages/plugins/aws/src/resources/schedule.test.ts
@@ -1,3 +1,16 @@
+// Copyright 2021, Nitric Technologies Pty Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 import { cronToAwsCron } from './schedule';
 
 describe('Cron Expression Conversion', () => {
@@ -78,7 +91,7 @@ describe('Cron Expression Conversion', () => {
 		describe('When converting the expression', () => {
 			let awsExpValues: string[] = [];
 			beforeAll(() => {
-				// Expected result = '0/1 * ? * 1 *'
+				// Expected result = '0/1 * ? * 2-4 *'
 				awsExpValues = cronToAwsCron(exp).split(' ');
 			});
 
diff --git a/packages/plugins/aws/src/resources/schedule.ts b/packages/plugins/aws/src/resources/schedule.ts
@@ -137,6 +137,35 @@ export class NitricScheduleEventBridge extends pulumi.ComponentResource {
 				},
 				defaultResourceOptions,
 			);
+
+			const snsTopicSchedulePolicy = topic.sns.arn.apply((arn) =>
+				aws.iam.getPolicyDocument({
+					// TODO: According to the docs, 'conditions' are not supported for a policy involving EventBridge
+					// See: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-sns-permissions
+					//  "You can't use of Condition blocks in Amazon SNS topic policies for EventBridge."
+					// This means any EventBridge rule will be able to publish to this topic.
+					policyId: '__default_policy_ID',
+					statements: [
+						{
+							sid: '__default_statement_ID',
+							effect: 'Allow',
+							actions: ['SNS:Publish'],
+							principals: [
+								{
+									type: 'Service',
+									identifiers: ['events.amazonaws.com'],
+								},
+							],
+							resources: [arn],
+						},
+					],
+				}),
+			);
+
+			new aws.sns.TopicPolicy(`${schedule.name}Target${topic.name}Policy`, {
+				arn: topic.sns.arn,
+				policy: snsTopicSchedulePolicy.apply((snsTopicPolicy) => snsTopicPolicy.json),
+			});
 		}
 
 		this.registerOutputs({
