PSA-compliant SNS topic module with mandatory encryption, secure access policies, and multi-protocol subscription support.
Full auto-generated documentation of inputs, outputs, and resources: TERRAFORM-DOCS.md
This module creates PSA-compliant Amazon SNS Topics with integrated encryption and restrictive access policies. It supports various subscription types including Lambda, SQS, Email, and HTTPS webhooks.
- Encryption by Default: Mandatory support for SSE-KMS using AWS managed or customer-managed keys.
- Secure Policies: Automatically generates an access policy that restricts publishing and management to the owning account.
- Subscription Management: Simplified bulk subscription for multiple protocols.
- Permission Automation: Automatically creates necessary Lambda and SQS permissions for SNS integration.
- FIFO Support: Full support for First-In-First-Out topics and deduplication.
```hcl
module "sns" {
  source       = "./terraform-aws-sns"
  project_name = "myapp"
  environment  = "prod"
  topic_name   = "system-alerts"
  display_name = "System Alerts"
}
```

```hcl
module "alerts" {
  source       = "./terraform-aws-sns"
  project_name = "security"
  environment  = "prod"

  sqs_subscriptions = [
    {
      queue_arn = "arn:aws:sqs:region:account:security-queue"
      protocol  = "sqs"
    }
  ]

  email_subscriptions = [
    {
      email_address = "admin@example.com"
      protocol      = "email"
    }
  ]
}
```

- Mandatory Encryption: Topics are encrypted at rest using KMS.
- Account Lockdown: The default policy prevents cross-account publishing unless explicitly configured.
- SSL Enforcement: Access policies include a `Deny` statement for all non-HTTPS requests to the SNS service.
- SourceAccount Validation: Policies use `aws:SourceAccount` conditions to prevent cross-service confused deputy attacks.
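As an added check that is not part of this module: a small linter for a rendered SNS topic policy, confirming that the `Deny` statement for non-TLS requests is present and that any wildcard or service principal is scoped by an `aws:SourceAccount`, `aws:SourceOwner` or `aws:SourceArn` condition. The sample policy, account ID and topic ARN are constructed for this example.

```python
import json

# Constructed sample topic policy (not the module's own rendered policy). The
# EventBridge Allow is deliberately left unscoped so the check has something to flag.
TOPIC_ARN = "arn:aws:sns:eu-central-1:111122223333:myapp-prod-system-alerts"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnerAccess", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:SetTopicAttributes"],
     "Resource": TOPIC_ARN,
     "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}},
    {"Sid": "AllowEventsPublish", "Effect": "Allow",
     "Principal": {"Service": "events.amazonaws.com"},
     "Action": "SNS:Publish", "Resource": TOPIC_ARN},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "SNS:*", "Resource": TOPIC_ARN,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# Condition keys that tie a service or wildcard principal back to a known caller.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourceowner", "aws:sourcearn"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _denies_plaintext(stmt):
    """True if the statement denies requests made without TLS (IAM keys are case-insensitive)."""
    if stmt.get("Effect") != "Deny":
        return False
    for operator, block in stmt.get("Condition", {}).items():
        for key, value in block.items():
            if operator.lower() == "bool" and key.lower() == "aws:securetransport":
                if "false" in [str(v).lower() for v in _as_list(value)]:
                    return True
    return False

def _principal_is_broad(principal):
    """A '*' or service principal can be satisfied by callers outside the account."""
    return principal == "*" or (isinstance(principal, dict) and
        ("Service" in principal or "*" in _as_list(principal.get("AWS", []))))

def check_sns_policy(policy):
    """Return human-readable findings for a policy (dict or JSON string); [] means both checks passed."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = _as_list(doc.get("Statement", []))
    findings = []
    if not any(_denies_plaintext(s) for s in stmts):
        findings.append("missing Deny statement for aws:SecureTransport=false")
    for s in stmts:
        if s.get("Effect") != "Allow" or not _principal_is_broad(s.get("Principal")):
            continue
        keys = {k.lower() for block in s.get("Condition", {}).values() for k in block}
        if not keys & SCOPING_KEYS:
            findings.append(f"{s.get('Sid', '<no Sid>')}: broad principal without a SourceAccount/SourceOwner/SourceArn condition")
    return findings
```

Run it against the output of `aws sns get-topic-attributes` (the `Policy` attribute) after `terraform apply` to confirm the rendered policy still carries both controls.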
This module implements the following PSA compliance features (referencing 01-Strukturierte_PSA_Anforderungen_Allgemein.pdf):
- Req 3.50-01 (Encryption): KMS encryption mandatory for message data at rest.
- Req 3.50-04 (Transport): SSL/TLS enforcement via service-linked policies.
- Req 3.69 (Access Control): Least-privilege IAM policies generated by default.
- Auditability: All topic management actions are traceable via CloudTrail (integrated by default).
- Check the SQS Queue policy (this module attempts to create it, but ensure no conflicts exist).
- Verify the SNS topic is correctly encrypted (SQS needs `kms:Decrypt` and `kms:GenerateDataKey` permissions if using a custom CMK).
- AWS SNS requires manual confirmation for email subscriptions. Check the recipient's inbox for the "AWS Notification - Subscription Confirmation" email.
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| terraform | >=1.3 |
| aws | ~> 5.0 |
| Name | Version |
|---|---|
| aws | ~> 5.0 |
No modules.
| Name | Type |
|---|---|
| aws_lambda_permission.sns_invoke | resource |
| aws_sns_topic.this | resource |
| aws_sns_topic_policy.this | resource |
| aws_sns_topic_subscription.application | resource |
| aws_sns_topic_subscription.email | resource |
| aws_sns_topic_subscription.http | resource |
| aws_sns_topic_subscription.lambda | resource |
| aws_sns_topic_subscription.sms | resource |
| aws_sns_topic_subscription.sqs | resource |
| aws_sqs_queue_policy.sns_access | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.default | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| application_subscriptions | List of application subscriptions | list(object({ | [] | no |
| content_based_deduplication | Enables content-based deduplication for FIFO topics | bool | false | no |
| create_lambda_permissions | Whether to create Lambda permissions for SNS to invoke the function | bool | true | no |
| create_sqs_permissions | Whether to create SQS queue policies for SNS to send messages | bool | true | no |
| delivery_policy | The SNS delivery policy | string | "" | no |
| display_name | The display name for the SNS topic | string | "" | no |
| email_subscriptions | List of email subscriptions | list(object({ | [] | no |
| environment | Environment (e.g., prod, dev, test) | string | n/a | yes |
| fifo_topic | Boolean indicating whether or not to create a FIFO (first-in-first-out) topic | bool | false | no |
| http_subscriptions | List of HTTP/HTTPS subscriptions | list(object({ | [] | no |
| kms_master_key_id | The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK | string | "alias/aws/sns" | no |
| lambda_subscriptions | List of Lambda subscriptions | list(object({ | [] | no |
| name_prefix | Prefix for resource names (if not provided, will use project-environment pattern) | string | "" | no |
| policy | The fully-formed AWS IAM policy setup for the SNS topic | string | "" | no |
| project_name | Name of the project | string | n/a | yes |
| sms_subscriptions | List of SMS subscriptions | list(object({ | [] | no |
| sqs_subscriptions | List of SQS subscriptions | list(object({ | [] | no |
| tags | Additional tags for all resources | map(string) | {} | no |
| topic_name | Name of the SNS topic (if empty, will use project-environment pattern) | string | "" | no |
| Name | Description |
|---|---|
| application_subscription_arns | ARNs of the application subscriptions |
| email_subscription_arns | ARNs of the email subscriptions |
| http_subscription_arns | ARNs of the HTTP/HTTPS subscriptions |
| lambda_subscription_arns | ARNs of the Lambda subscriptions |
| sms_subscription_arns | ARNs of the SMS subscriptions |
| sqs_subscription_arns | ARNs of the SQS subscriptions |
| topic_arn | The ARN of the SNS topic |
| topic_id | The ID of the SNS topic |
| topic_name | The name of the SNS topic |
| topic_owner | The AWS Account ID of the SNS topic owner |