Subscribe Firehose to SNS with Terraform

January 1, 0001

Further reading:

In sns/main.tf declare the subscription that delivers messages from the SNS topic to the Firehose delivery stream:

# Subscribe the Firehose delivery stream to the calamiteit-events topic.
# SNS assumes subscription_role_arn when it delivers to the stream, so that
# role's trust policy has to allow the sns.amazonaws.com service principal and
# its permissions policy has to allow firehose:PutRecord/PutRecordBatch.
resource "aws_sns_topic_subscription" "report_target" {
  protocol              = "firehose"
  topic_arn             = aws_sns_topic.subscription_calamiteit_events.arn
  endpoint              = var.aws_firehose_delivery_stream.arn
  subscription_role_arn = aws_iam_role.iam_for_sns_firehose.arn
}

The tricky part is subscription_role_arn. SNS assumes this role to deliver messages, so it needs two things: a trust policy that lets the sns.amazonaws.com service principal call sts:AssumeRole, and a permissions policy that allows writing to the Firehose delivery stream (preferably scoped to that one stream rather than every stream in every account).

In sns/main.tf create the IAM role described above. Note that managed_policy_arns refers to an aws_iam_policy resource that wraps the iam_policy_for_sns_firehose document from sns/policy.tf; that resource has to be declared as well:

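# Role that SNS assumes when delivering to Firehose; referenced by
# aws_sns_topic_subscription.report_target.subscription_role_arn.
resource "aws_iam_role" "iam_for_sns_firehose" {
  name               = "iam_role_${aws_sns_topic.subscription_calamiteit_events.name}"
  assume_role_policy = data.aws_iam_policy_document.iam_role_for_sns_firehose.json
  # managed_policy_arns is an exclusive list: policies attached out-of-band are
  # detached on the next apply. The argument is deprecated in recent AWS
  # provider v5 releases in favour of aws_iam_role_policy_attachment; switch if
  # the provider is upgraded.
  managed_policy_arns = [aws_iam_policy.iam_for_sns_firehose.arn]
}

# Customer-managed policy carrying the firehose:* permissions document from
# sns/policy.tf. The managed_policy_arns reference above does not resolve
# without this resource.
resource "aws_iam_policy" "iam_for_sns_firehose" {
  name   = "iam_policy_${aws_sns_topic.subscription_calamiteit_events.name}"
  policy = data.aws_iam_policy_document.iam_policy_for_sns_firehose.json
}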

In sns/policy.tf

# Trust policy for the SNS -> Firehose subscription role: only the SNS service
# principal may assume it. `effect` defaults to Allow; it is spelled out here
# to match the Firehose trust policy in firehose/policy.tf.
# NOTE(review): there is no aws:SourceArn / aws:SourceAccount condition. AWS's
# documented trust policy for Firehose subscriptions has none either, and
# whoever creates the subscription must hold iam:PassRole on this role, which
# is what gates its use; confirm SNS populates those condition keys before
# tightening this.
data "aws_iam_policy_document" "iam_role_for_sns_firehose" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["sns.amazonaws.com"]
    }
  }
}

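# Permissions the subscription role needs to deliver to Firehose. The action
# list is the one AWS documents for Firehose subscriptions. The original
# granted them on arn:aws:firehose:*:*:* — every delivery stream in every
# account and region — so a compromise of this role could write into
# unrelated streams. The resource-level actions are now scoped to the single
# target stream (the same value the subscription's endpoint uses).
data "aws_iam_policy_document" "iam_policy_for_sns_firehose" {
  statement {
    sid    = "DeliverToTargetStream"
    effect = "Allow"
    actions = [
      "firehose:DescribeDeliveryStream",
      "firehose:ListTagsForDeliveryStream",
      "firehose:PutRecord",
      "firehose:PutRecordBatch",
    ]
    resources = [var.aws_firehose_delivery_stream.arn]
  }

  # ListDeliveryStreams does not support resource-level permissions and would
  # be denied if it were listed against the stream ARN above, so it keeps "*".
  # It is read-only (stream names only) and is part of AWS's documented set.
  statement {
    sid       = "ListStreams"
    effect    = "Allow"
    actions   = ["firehose:ListDeliveryStreams"]
    resources = ["*"]
  }
}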

In firehose/main.tf we need the role that the Firehose delivery stream assumes to write to its extended S3 destination (the aws_kinesis_firehose_delivery_stream resource itself, and the S3 permissions attached to this role, are not shown here):

# Role assumed by the Firehose service on behalf of the delivery stream.
# Only the trust relationship is declared here; the permissions the stream
# needs on its S3 destination (and any KMS key / CloudWatch log group) are
# attached elsewhere.
resource "aws_iam_role" "firehose_extended_s3_configuration_role" {
  assume_role_policy = data.aws_iam_policy_document.iam_for_firehose_extended_s3_configuration_policy.json
  name               = "iam_for_csa_pdm_subscriptions_report_firehose_extended_s3"
}

# Expose the whole role object (arn, name, id, ...) so the calling module can
# wire it into the delivery stream's extended_s3_configuration.role_arn.
output "aws_firehose_delivery_stream_role" {
  description = "IAM role assumed by the Firehose delivery stream for its extended S3 destination."
  value       = aws_iam_role.firehose_extended_s3_configuration_role
}

In firehose/policy.tf

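# Account whose ID is pinned in the Firehose trust policy below.
data "aws_caller_identity" "firehose_role_trust" {}

# Trust policy for the Firehose delivery-stream role: only the Firehose service
# principal may assume it, and only with sts:ExternalId equal to this account's
# ID. That condition is the one AWS documents for Firehose roles; it means
# Firehose can assume the role only on behalf of delivery streams in this
# account and closes the cross-service confused-deputy path that an
# unconditional service-principal trust leaves open.
data "aws_iam_policy_document" "iam_for_firehose_extended_s3_configuration_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["firehose.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [data.aws_caller_identity.firehose_role_trust.account_id]
    }
  }
}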