I am trying to create a Cognito User Pool and I want it to be able to publish to an SNS topic to send SMS messages. My main problem is that when I am trying to bound the resources on the SNS topic policy document I am getting this error:
Error: creating Cognito User Pool (my-user-pool): InvalidSmsRoleAccessPolicyException: Role does not have permission to publish with SNS
I am not very familiar with AWS and Terraform though so I am providing my configuration in case I’ve missed anything else.
resource "aws_cognito_user_pool" "my_user_pool" {
  name = "my-user-pool"

  password_policy {
    minimum_length                   = 8
    require_lowercase                = true
    require_uppercase                = true
    require_numbers                  = true
    require_symbols                  = false
    temporary_password_validity_days = 7
  }

  admin_create_user_config {
    allow_admin_create_user_only = true
  }

  auto_verified_attributes = ["phone_number"]
  mfa_configuration        = "OPTIONAL"

  software_token_mfa_configuration {
    enabled = true
  }

  # Role that Cognito assumes to send SMS through SNS
  sms_configuration {
    external_id    = local.cognito_my_sms_role_ext_id
    sns_caller_arn = aws_iam_role.my_cognito_sms_sender.arn
  }

  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_cognito_user_pool_client" "my_cognito_client" {
  name                    = "my-cognito-client"
  user_pool_id            = aws_cognito_user_pool.my_user_pool.id
  generate_secret         = false
  explicit_auth_flows     = ["ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
  enable_token_revocation = true
}

resource "aws_sns_topic" "my_update" {
  name              = "my_update"
  kms_master_key_id = "alias/aws/sns"
  delivery_policy   = file("sns_delivery_policy.json")
}

# Existing role used by the service that calls the Cognito admin APIs
data "aws_iam_role" "my_service" {
  name = "my-service-eks-assume"
}

resource "aws_iam_role_policy_attachment" "my_cognito_user_access_attachment" {
  policy_arn = aws_iam_policy.my_cognito_access_policy.arn
  # Was data.aws_iam_role.my_credentials_manager, which no data source declares
  role       = data.aws_iam_role.my_service.name
}

resource "aws_iam_policy" "my_cognito_access_policy" {
  name        = "my-cognito-access-policy"
  description = "Custom IAM policy for restricting Cognito actions"
  policy      = data.aws_iam_policy_document.my_cognito_access_policy_document.json
}

data "aws_iam_policy_document" "my_cognito_access_policy_document" {
  statement {
    actions = [
      "cognito-idp:AdminInitiateAuth",
      "cognito-idp:DescribeUserPoolClient",
      "cognito-idp:AdminUserGlobalSignOut",
      "cognito-idp:AdminCreateUser",
      "cognito-idp:AdminSetUserPassword",
      "cognito-idp:AdminUpdateUserAttributes",
      "cognito-idp:DescribeUserPoolClient",
      "cognito-idp:AdminGetUser",
      "cognito-idp:AdminDisableUser",
      "cognito-idp:AdminEnableUser",
      "cognito-idp:AdminDeleteUser",
      "cognito-idp:ListUsers",
      "cognito-idp:AdminSetUserMFAPreference",
    ]
    resources = ["arn:aws:cognito-idp:${var.aws_region}:${var.aws_account_id}:userpool/${aws_cognito_user_pool.my_user_pool.id}"]
  }
}

# Trust policy: lets the Cognito service assume the SMS sender role
data "aws_iam_policy_document" "my_cognito_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["cognito-idp.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "my_cognito_sms_sender" {
  name               = "my-cognito-sms-sender"
  description        = "Permissions to send SMS messages"
  assume_role_policy = data.aws_iam_policy_document.my_cognito_assume_role_policy.json
}

resource "aws_iam_policy" "my_sns_publish_policy" {
  name   = "my-cognito-sns-publish-policy"
  policy = data.aws_iam_policy_document.my_update_sns_topic_policy.json
  tags   = local.tags
}

resource "aws_iam_role_policy_attachment" "my_cognito_sns_publish_policy" {
  role       = aws_iam_role.my_cognito_sms_sender.name
  policy_arn = aws_iam_policy.my_sns_publish_policy.arn
}

# Policy document attached to the SMS sender role above
data "aws_iam_policy_document" "my_update_sns_topic_policy" {
  statement {
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.my_update.arn]
    principals {
      type        = "AWS"
      identifiers = [aws_cognito_user_pool.my_user_pool.arn]
    }
  }
}
If I do this instead:
data "aws_iam_policy_document" "my_update_sns_topic_policy" {
  statement {
    actions   = ["sns:Publish"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_cognito_user_pool.my_user_pool.arn]
    }
  }
}
I don’t get an error, but it is a requirement not to use “*” and to be more restrictive.
I have tried multiple configurations over the last couple of days, but it seems that it only works using an asterisk in resources.
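An added example (not the question author's configuration) of how the Cognito SMS sender role is usually wired up, reusing the question's names and its local.cognito_my_sms_role_ext_id: Cognito delivers SMS by calling sns:Publish with a phone number rather than a topic, so the permission has no topic ARN to scope to, and the tightening comes instead from the sts:ExternalId condition on the trust policy (which the question's trust policy lacks) and from creating the permission before the pool validates it.

```hcl
data "aws_iam_policy_document" "cognito_sms_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["cognito-idp.amazonaws.com"]
    }
    # Only a caller presenting this ExternalId may assume the role; it
    # must equal sms_configuration.external_id on the pool below.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [local.cognito_my_sms_role_ext_id]
    }
  }
}

resource "aws_iam_role" "my_cognito_sms_sender" {
  name               = "my-cognito-sms-sender"
  assume_role_policy = data.aws_iam_policy_document.cognito_sms_assume_role.json
}

# Identity policy for the role: no principals block. Cognito publishes to
# phone numbers, not to a topic, so there is no topic ARN to restrict to;
# the grant is kept narrow by allowing only the single sns:Publish action.
data "aws_iam_policy_document" "cognito_sms_publish" {
  statement {
    actions   = ["sns:Publish"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "cognito_sms_publish" {
  name   = "cognito-sms-publish"
  role   = aws_iam_role.my_cognito_sms_sender.id
  policy = data.aws_iam_policy_document.cognito_sms_publish.json
}

resource "aws_cognito_user_pool" "my_user_pool" {
  name = "my-user-pool"
  sms_configuration {
    external_id    = local.cognito_my_sms_role_ext_id
    sns_caller_arn = aws_iam_role.my_cognito_sms_sender.arn
  }

  # Cognito checks the role's SNS permission when the pool is created, and
  # the ARN reference above only orders the role itself, not its policy.
  depends_on = [aws_iam_role_policy.cognito_sms_publish]
}
```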