From 6c50b37f663ad50806fbdea23a86fc9d7305df71 Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 6 Sep 2023 09:41:49 -0400
Subject: [PATCH] fix

---
 cloudtrail/s3.tf | 8 +++---
 cloudtrail/sns.s3.tf | 58 ++++++++++++++++++++++++++------------------
 2 files changed, 38 insertions(+), 28 deletions(-)

diff --git a/cloudtrail/s3.tf b/cloudtrail/s3.tf
index 35bb3c9..d4c1459 100644
--- a/cloudtrail/s3.tf
+++ b/cloudtrail/s3.tf
@@ -110,9 +110,9 @@ resource "aws_s3_bucket_notification" "this" {
 bucket = aws_s3_bucket.this.id
 topic {
- topic_arn = try(aws_sns_topic.cloudtrail_s3[0].arn, null)
- events = ["s3:ObjectCreated:*"]
- # filter_suffix = ".log"
+ topic_arn = try(aws_sns_topic.cloudtrail_s3[0].arn, null)
+ events = ["s3:ObjectCreated:*"]
+ filter_prefix = "cloudtrail/"
+ # filter_suffix = ".json.gz"
 }
 }
-
diff --git a/cloudtrail/sns.s3.tf b/cloudtrail/sns.s3.tf
index 9369edb..c2be174 100644
--- a/cloudtrail/sns.s3.tf
+++ b/cloudtrail/sns.s3.tf
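Review bot: `filter_prefix = "cloudtrail/"` hard-codes the key prefix the notification listens on, but nothing in this hunk ties it to the prefix the trail actually writes under (CloudTrail delivers beneath `<s3_key_prefix>/AWSLogs/...`), and a mismatch does not fail — it silently produces no events; the trail definition is outside the hunk, so confirm both sides use the same prefix, ideally from one shared local. The `try(aws_sns_topic.cloudtrail_s3[0].arn, null)` carried over from the old lines also means that when `var.enable_s3_sns` is false the `topic` block stays in place with a null `topic_arn`, which the provider treats as the required argument missing; making the block itself conditional avoids that. `aws_s3_bucket_notification.this` starts before the hunk.
```terraform
  dynamic "topic" {
    for_each = var.enable_s3_sns ? [1] : []
    content {
      topic_arn     = aws_sns_topic.cloudtrail_s3[0].arn
      events        = ["s3:ObjectCreated:*"]
      filter_prefix = "cloudtrail/"
    }
  }
```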
@@ -18,39 +18,49 @@ resource "aws_sns_topic_policy" "cloudtrail_s3" {
 data "aws_iam_policy_document" "cloudtrail_s3_topic" {
 policy_id = format("%v_s3_topic", local.s3_name)
+ ## statement {
+ ## sid = "CloudtrailS3SNSPermissions"
+ ## effect = "Allow"
+ ## principals {
+ ## type = "AWS"
+ ## identifiers = ["*"]
+ ## }
+ ## actions = [
+ ## "sns:Subscribe",
+ ## "sns:SetTopicAttributes",
+ ## "sns:RemovePermission",
+ ## "sns:Receive",
+ ## "sns:Publish",
+ ## "sns:ListSubscriptionsByTopic",
+ ## "sns:GetTopicAttributes",
+ ## "sns:DeleteTopic",
+ ## "sns:AddPermission",
+ ## ]
+ ## condition {
+ ## test = "StringEquals"
+ ## variable = "AWS:SourceOwner"
+ ## values = [local.account_id]
+ ## }
+ ## resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
+ ## }
 statement {
- sid = "CloudtrailS3SNSPermissions"
+ sid = "CloudTrailSNSS3Policy"
 effect = "Allow"
 principals {
- type = "AWS"
- identifiers = ["*"]
+ type = "Service"
+ identifiers = ["s3.amazonaws.com"]
 }
- actions = [
- "sns:Subscribe",
- "sns:SetTopicAttributes",
- "sns:RemovePermission",
- "sns:Receive",
- "sns:Publish",
- "sns:ListSubscriptionsByTopic",
- "sns:GetTopicAttributes",
- "sns:DeleteTopic",
- "sns:AddPermission",
- ]
+ actions = ["sns:Publish"]
+ resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
 condition {
 test = "StringEquals"
 variable = "AWS:SourceOwner"
 values = [local.account_id]
 }
- resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
- }
- statement {
- sid = "CloudTrailSNSPolicy"
- effect = "Allow"
- principals {
- type = "Service"
- identifiers = ["cloudtrail.amazonaws.com"]
+ condition {
+ test = "ArnLike"
+ variable = "AWS:SourceArn"
+ values = [aws_s3_bucket.this.arn]
 }
- actions = ["sns:Publish"]
- resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
 }
 }
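Review bot: The removed `CloudTrailSNSPolicy` statement (principal `cloudtrail.amazonaws.com`, `sns:Publish`) is not re-added anywhere in this hunk, so if the trail's `sns_topic_name` points at `cloudtrail_s3`, CloudTrail's own delivery notifications lose their publish grant; the trail resource is outside the hunk, so either confirm this topic is only the S3 event target or restore that statement next to the new S3 one. Scoping the S3 service principal with `AWS:SourceOwner` plus `AWS:SourceArn` on `aws_s3_bucket.this.arn` is the right replacement for the old `identifiers = ["*"]` statement, but that old statement should be deleted rather than kept as twenty-five `##` lines — git history preserves it, and a later uncomment would reintroduce a wildcard principal, gated only by `AWS:SourceOwner`, holding `sns:AddPermission` and `sns:DeleteTopic`. `resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]` renders a policy with an empty `Resource` whenever SNS is disabled; presumably the `aws_sns_topic_policy` that consumes this document is itself count-gated, in which case the ternary can go, otherwise the data source should be gated the same way. The data block closes inside the hunk.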