fix(sns): topic policy is not created even if enforceSSL enabled (#31569

) ### Issue # (if applicable) Closes #31558. ### Reason for this change  SNS topic policy is not created even if `enforceSSL` is enabled, until calling `addToResourcePolicy` method. But, originally, the policy should be created without calling the `addToResourcePolicy` method. ### Description of changes  The topic policy is created first if the `enforceSSL` is enabled. ### Description of how you validated changes  Unit and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* Co-authored-by: GZ <[email protected]>
aws · Jan 31, 2025 · b3975c5 · b3975c5
1 parent 330a919
commit b3975c5
Show file tree

Hide file tree

Showing 11 changed files with 233 additions and 62 deletions.
diff --git a/...s-topic-policy.js.snapshot/SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.assets.json b/...s-topic-policy.js.snapshot/SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.assets.json
diff --git a/...nteg/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyStack.assets.json b/...nteg/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyStack.assets.json
diff --git a/...eg/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyStack.template.json b/...eg/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyStack.template.json
@@ -59,6 +59,20 @@
    "Properties": {
     "PolicyDocument": {
      "Statement": [
+      {
+       "Action": "sns:Publish",
+       "Condition": {
+        "Bool": {
+         "aws:SecureTransport": "false"
+        }
+       },
+       "Effect": "Deny",
+       "Principal": "*",
+       "Resource": {
+        "Ref": "TopicAddPolicy7DB03706"
+       },
+       "Sid": "AllowPublishThroughSSLOnly"
+      },
       {
        "Action": "sns:Publish",
        "Effect": "Allow",
@@ -68,8 +82,26 @@
        "Resource": {
         "Ref": "TopicAddPolicy7DB03706"
        },
-       "Sid": "0"
-      },
+       "Sid": "1"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "Topics": [
+     {
+      "Ref": "TopicAddPolicy7DB03706"
+     }
+    ]
+   }
+  },
+  "TopicWithSSLC879A4EA": {
+   "Type": "AWS::SNS::Topic"
+  },
+  "TopicWithSSLPolicy3E7ECD75": {
+   "Type": "AWS::SNS::TopicPolicy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
       {
        "Action": "sns:Publish",
        "Condition": {
@@ -80,7 +112,7 @@
        "Effect": "Deny",
        "Principal": "*",
        "Resource": {
-        "Ref": "TopicAddPolicy7DB03706"
+        "Ref": "TopicWithSSLC879A4EA"
        },
        "Sid": "AllowPublishThroughSSLOnly"
       }
@@ -89,7 +121,7 @@
     },
     "Topics": [
      {
-      "Ref": "TopicAddPolicy7DB03706"
+      "Ref": "TopicWithSSLC879A4EA"
      }
     ]
    }

diff --git a/...-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/cdk.out b/...-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/cdk.out
diff --git a/...k-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/integ.json b/...k-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/integ.json
diff --git a/...esting/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/manifest.json b/...esting/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/manifest.json
diff --git a/...dk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/tree.json b/...dk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/tree.json