githubwebhooks: allow infosec-prod account to access unfiltered GitHub stream

indygreg · indygreg · commit f652f8dd8e3f · 2017-12-20T14:48:15.000-08:00
This was requested by @gene1wood so infosec can monitor GitHub activity.
diff --git a/githubwebhooks/iam-roles.tf b/githubwebhooks/iam-roles.tf
@@ -146,3 +146,22 @@ resource "aws_iam_role_policy" "lambda_github_webhooks_pulse" {
     role = "${aws_iam_role.lambda_github_webhooks_pulse.id}"
     policy = "${data.aws_iam_policy_document.lambda_github_webhooks_pulse.json}"
 }
+
+data "aws_iam_policy_document" "sns_webhooks_all" {
+    # Grant access to infosec-prod account.
+    statement = {
+        sid = "github_webhooks_all_infosec_subscribe"
+        effect = "Allow"
+        actions = [
+            "SNS:ListSubscriptionsByTopic",
+            "SNS:Subscribe",
+        ]
+        resources = [
+            "${aws_sns_topic.webhooks_all.arn}",
+        ]
+        principals {
+            type = "AWS"
+            identifiers = ["371522382791"]
+        }
+    }
+}
diff --git a/githubwebhooks/sns.tf b/githubwebhooks/sns.tf
@@ -2,6 +2,11 @@ resource "aws_sns_topic" "webhooks_all" {
     name = "github-webhooks-all"
 }
 
+resource "aws_sns_topic_policy" "webhooks_all" {
+    arn = "${aws_sns_topic.webhooks_all.arn}"
+    policy = "${data.aws_iam_policy_document.sns_webhooks_all.json}"
+}
+
 resource "aws_sns_topic" "webhooks_public" {
     name = "github-webhooks-public"
 }

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,11 @@ resource "aws_sns_topic" "webhooks_all" {`
`2`	`2`	`name = "github-webhooks-all"`
`3`	`3`	`}`
`4`	`4`
	`5`	`+resource "aws_sns_topic_policy" "webhooks_all" {`
	`6`	`+ arn = "${aws_sns_topic.webhooks_all.arn}"`
	`7`	`+ policy = "${data.aws_iam_policy_document.sns_webhooks_all.json}"`
	`8`	`+}`
	`9`	`+`
`5`	`10`	`resource "aws_sns_topic" "webhooks_public" {`
`6`	`11`	`name = "github-webhooks-public"`
`7`	`12`	`}`