I am trying to create a Cognito User Pool, and I want it to be able to publish to an SNS topic to send SMS messages. My main problem is that when I try to bind the resources in the SNS topic policy document, I get this error:
Error: creating Cognito User Pool (my-user-pool): InvalidSmsRoleAccessPolicyException: Role does not have permission to publish with SNS
I am not very familiar with AWS and Terraform, though, so I am providing my configuration in case I've missed anything else.
```hcl
resource "aws_cognito_user_pool" "my_user_pool" {
  name = "my-user-pool"

  password_policy {
    minimum_length                   = 8
    require_lowercase                = true
    require_uppercase                = true
    require_numbers                  = true
    require_symbols                  = false
    temporary_password_validity_days = 7
  }

  admin_create_user_config {
    allow_admin_create_user_only = true
  }

  auto_verified_attributes = ["phone_number"]
  mfa_configuration        = "OPTIONAL"

  software_token_mfa_configuration {
    enabled = true
  }

  sms_configuration {
    external_id    = local.cognito_my_sms_role_ext_id
    sns_caller_arn = aws_iam_role.my_cognito_sms_sender.arn
  }

  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_cognito_user_pool_client" "my_cognito_client" {
  name                    = "my-cognito-client"
  user_pool_id            = aws_cognito_user_pool.my_user_pool.id
  generate_secret         = false
  explicit_auth_flows     = ["ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
  enable_token_revocation = true
}

resource "aws_sns_topic" "my_update" {
  name              = "my_update"
  kms_master_key_id = "alias/aws/sns"
  delivery_policy   = file("sns_delivery_policy.json")
}

data "aws_iam_role" "my_service" {
  name = "my-service-eks-assume"
}

resource "aws_iam_role_policy_attachment" "my_cognito_user_access_attachment" {
  policy_arn = aws_iam_policy.my_cognito_access_policy.arn
  # "my_service" is the only aws_iam_role data source declared in this configuration
  role       = data.aws_iam_role.my_service.name
}

resource "aws_iam_policy" "my_cognito_access_policy" {
  name        = "my-cognito-access-policy"
  description = "Custom IAM policy for restricting Cognito actions"
  policy      = data.aws_iam_policy_document.my_cognito_access_policy_document.json
}

data "aws_iam_policy_document" "my_cognito_access_policy_document" {
  statement {
    actions = [
      "cognito-idp:AdminInitiateAuth",
      "cognito-idp:DescribeUserPoolClient",
      "cognito-idp:AdminUserGlobalSignOut",
      "cognito-idp:AdminCreateUser",
      "cognito-idp:AdminSetUserPassword",
      "cognito-idp:AdminUpdateUserAttributes",
      "cognito-idp:AdminGetUser",
      "cognito-idp:AdminDisableUser",
      "cognito-idp:AdminEnableUser",
      "cognito-idp:AdminDeleteUser",
      "cognito-idp:ListUsers",
      "cognito-idp:AdminSetUserMFAPreference",
    ]
    resources = ["arn:aws:cognito-idp:${var.aws_region}:${var.aws_account_id}:userpool/${aws_cognito_user_pool.my_user_pool.id}"]
  }
}

# Trust policy: lets the Cognito service assume the SMS sender role
data "aws_iam_policy_document" "my_cognito_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["cognito-idp.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "my_cognito_sms_sender" {
  name               = "my-cognito-sms-sender"
  description        = "Permissions to send SMS messages"
  assume_role_policy = data.aws_iam_policy_document.my_cognito_assume_role_policy.json
}

resource "aws_iam_policy" "my_sns_publish_policy" {
  name   = "my-cognito-sns-publish-policy"
  policy = data.aws_iam_policy_document.my_update_sns_topic_policy.json
  tags   = local.tags
}

resource "aws_iam_role_policy_attachment" "my_cognito_sns_publish_policy" {
  role       = aws_iam_role.my_cognito_sms_sender.name
  policy_arn = aws_iam_policy.my_sns_publish_policy.arn
}

data "aws_iam_policy_document" "my_update_sns_topic_policy" {
  statement {
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.my_update.arn]
    principals {
      type        = "AWS"
      identifiers = [aws_cognito_user_pool.my_user_pool.arn]
    }
  }
}
```
If I do this instead:
```hcl
data "aws_iam_policy_document" "my_update_sns_topic_policy" {
  statement {
    actions   = ["sns:Publish"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_cognito_user_pool.my_user_pool.arn]
    }
  }
}
```
I don't get an error, but I am required not to use "*" and to be more restrictive.
I have tried multiple configurations over the last couple of days, but it seems that it only works when using an asterisk in resources.
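As an added example (not code from the question, from Terraform or from AWS), here is a small Python check that tells an identity-based policy apart from a resource-based one before it is attached. The distinction matters for the configuration above: the document named `my_update_sns_topic_policy` carries a `principals` block but is rendered into an `aws_iam_policy` and attached to the IAM role. IAM identity-based policies (attached to a role, user or group) must not contain a `Principal` element and must name a `Resource`, while resource-based policies (such as an SNS topic policy) require a `Principal`. The policy documents, account id, region and ARNs below are constructed placeholders, and the linter also flags unscoped `"*"` resources and service-wide action wildcards.

```python
import json

# Constructed sample values (not from the question): placeholder account,
# region and ARNs standing in for the real ones Terraform would render.
ACCOUNT = "123456789012"
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT}:my_update"
POOL_ARN = f"arn:aws:cognito-idp:us-east-1:{ACCOUNT}:userpool/us-east-1_PLACEHOLDER"

# Rendered shape of a statement with a Principal, as it would look when the
# document is attached to the IAM role (identity-based).
ROLE_POLICY_WITH_PRINCIPAL = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sns:Publish"],
        "Resource": [TOPIC_ARN],
        "Principal": {"AWS": [POOL_ARN]},
    }],
})

# Same statement with the resource widened to "*".
ROLE_POLICY_WILDCARD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sns:Publish"],
        "Resource": ["*"],
        "Principal": {"AWS": [POOL_ARN]},
    }],
})

# A well-formed resource-based policy for the topic itself: the Principal is
# the service that publishes, and the Resource is the topic.
TOPIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCognitoPublish",
        "Effect": "Allow",
        "Principal": {"Service": "cognito-idp.amazonaws.com"},
        "Action": "sns:Publish",
        "Resource": TOPIC_ARN,
    }],
})


def _as_list(value):
    """IAM accepts a string or a list for most elements; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json, attached_to):
    """Return a list of findings for a rendered IAM policy document.

    attached_to: "identity" for a policy attached to an IAM role/user/group,
                 "resource" for a policy attached to a resource such as an SNS topic.
    """
    findings = []
    doc = json.loads(policy_json)
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{index}]")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        has_resource = "Resource" in stmt or "NotResource" in stmt

        if attached_to == "identity" and has_principal:
            findings.append(f"{sid}: identity-based policies must not carry a Principal element")
        if attached_to == "identity" and not has_resource:
            findings.append(f"{sid}: identity-based policies need a Resource element")
        if attached_to == "resource" and not has_principal:
            findings.append(f"{sid}: resource-based policies need a Principal element")

        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: Resource '*' is unscoped")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' is a service-wide wildcard")
    return findings


if __name__ == "__main__":
    for label, doc, kind in [
        ("role policy with Principal", ROLE_POLICY_WITH_PRINCIPAL, "identity"),
        ("role policy with Resource *", ROLE_POLICY_WILDCARD, "identity"),
        ("topic policy", TOPIC_POLICY, "resource"),
    ]:
        print(label, "->", lint_policy(doc, kind) or "no findings")
```

Run it against the JSON produced by `terraform show -json` or the `.json` attribute of an `aws_iam_policy_document` data source; the `attached_to` argument is what the caller has to get right, since the same document text is valid for a topic and invalid for a role.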