add policy to allow config to write to SNS

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v2.5.0
+    rev: v3.1.0
     hooks:
       - id: check-json
       - id: check-merge-conflict
@@ -12,17 +12,17 @@ repos:
       - id: trailing-whitespace
 
   - repo: git://github.com/igorshubovych/markdownlint-cli
-    rev: v0.22.0
+    rev: v0.23.1
     hooks:
       - id: markdownlint
 
   - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.30.0
+    rev: v1.31.0
     hooks:
       - id: terraform_docs
       - id: terraform_fmt
 
   - repo: git://github.com/golangci/golangci-lint
-    rev: v1.25.0
+    rev: v1.27.0
     hooks:
       - id: golangci-lint

examples/sns-topic/main.tf

@@ -1,10 +1,12 @@
+data "aws_partition" "current" {}
+
 #
 # AWS Config Logs Bucket
 #
 
 module "config_logs" {
   source  = "trussworks/logs/aws"
-  version = "~> 5"
+  version = "~> 8"
 
   s3_bucket_name     = var.config_logs_bucket
   region             = var.region
@@ -17,10 +19,31 @@ module "config_logs" {
 # SNS Topic
 #
 
+data "aws_iam_policy_document" "config" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [module.config.aws_config_role_arn]
+    }
+    actions   = ["SNS:Publish"]
+    resources = [aws_sns_topic.config.arn]
+  }
+}
+
 resource "aws_sns_topic" "config" {
   name = var.config_name
 }
 
+resource "aws_sns_topic_policy" "config" {
+  arn    = aws_sns_topic.config.arn
+  policy = data.aws_iam_policy_document.config.json
+}
+
+#
+# AWS Config
+#
+
 module "config" {
   source = "../../"