private createClusterEventNotifications()

in packages/constructs/L3/analytics/datawarehouse-l3-construct/lib/datawarehouse-l3-construct.ts [303:408]


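  /**
   * Creates the SNS topic that receives Redshift event notifications, attaches
   * the topic policy (TLS-only access plus the service publish grant), subscribes
   * the configured e-mail recipients, and registers two Redshift event
   * subscriptions that publish to the topic: one for the cluster itself and one
   * for its scheduled actions.
   *
   * @param clusterName        Name of the Redshift cluster; also used as the
   *                           cluster event-subscription name and its source id.
   * @param scheduledActions   Scheduled actions whose events are delivered to the
   *                           same topic (their names become the source ids).
   * @param eventNotifications Severity / event-category filters and an optional
   *                           list of e-mail addresses to subscribe.
   */
  private createClusterEventNotifications(
    clusterName: string,
    scheduledActions: CfnScheduledAction[],
    eventNotifications: EventNotificationsProps,
  ) {
    const topic = new Topic(this.scope, 'cluster-events-sns-topic', {
      topicName: this.props.naming.resourceName('cluster-events'),
    });

    // Deny every listed topic operation to any principal whose request did not
    // arrive over TLS. Inside a topic policy `resources: ['*']` resolves to this
    // topic only, so the wildcard does not widen the statement's reach.
    const enforceSslStatement = new PolicyStatement({
      sid: 'EnforceSSL',
      effect: Effect.DENY,
      actions: [
        'sns:Publish',
        'sns:RemovePermission',
        'sns:SetTopicAttributes',
        'sns:DeleteTopic',
        'sns:ListSubscriptionsByTopic',
        'sns:GetTopicAttributes',
        'sns:Receive',
        'sns:AddPermission',
        'sns:Subscribe',
      ],
      resources: ['*'],
      conditions: {
        Bool: {
          'aws:SecureTransport': 'false',
        },
      },
    });
    enforceSslStatement.addAnyPrincipal();
    topic.addToResourcePolicy(enforceSslStatement);

    // The topic is deliberately left without a customer-managed KMS key: the
    // Redshift event-subscription integration cannot publish to an encrypted
    // topic, so the encryption rules are suppressed with that justification.
    // Consequence for operators: event payloads delivered through this topic
    // are not protected by a CMK, so keep the subscription purely operational.
    MdaaNagSuppressions.addCodeResourceSuppressions(
      topic,
      [
        {
          id: 'AwsSolutions-SNS2',
          reason: 'Redshift event subscriptions do not currently support an encrypted SNS topic.',
        },
        {
          id: 'NIST.800.53.R5-SNSEncryptedKMS',
          reason: 'Redshift event subscriptions do not currently support an encrypted SNS topic.',
        },
        {
          id: 'HIPAA.Security-SNSEncryptedKMS',
          reason: 'Redshift event subscriptions do not currently support an encrypted SNS topic.',
        },
        {
          id: 'PCI.DSS.321-SNSEncryptedKMS',
          reason: 'Redshift event subscriptions do not currently support an encrypted SNS topic.',
        },
      ],
      true,
    );

    // Allow Redshift events to be published to the topic. This mirrors the SNS
    // default topic policy: any principal, gated by `AWS:SourceOwner`, which is
    // only populated on requests an AWS service makes on behalf of an account.
    // Direct IAM callers therefore never match this statement.
    // NOTE(review): the condition does not single out Redshift — any AWS service
    // acting for this account matches — and event delivery only needs
    // `SNS:Publish`. The management actions (SetTopicAttributes, AddPermission,
    // RemovePermission, DeleteTopic, Subscribe) are broader than least privilege
    // requires; confirm against the Redshift event-subscription requirements
    // before tightening, since the service may rely on the default-policy shape.
    const publishPolicyStatement = new PolicyStatement({
      sid: 'Publish Policy',
      effect: Effect.ALLOW,
      actions: [
        'SNS:GetTopicAttributes',
        'SNS:SetTopicAttributes',
        'SNS:AddPermission',
        'SNS:RemovePermission',
        'SNS:DeleteTopic',
        'SNS:Subscribe',
        'SNS:ListSubscriptionsByTopic',
        'SNS:Publish',
      ],
      resources: [topic.topicArn],
      conditions: {
        StringEquals: {
          'AWS:SourceOwner': this.account,
        },
      },
    });
    publishPolicyStatement.addAnyPrincipal();
    topic.addToResourcePolicy(publishPolicyStatement);

    // Subscribe each configured e-mail address. Entries are trimmed, blank
    // entries dropped (an empty endpoint would only fail at deploy time), and
    // duplicates collapsed so the same address is not subscribed twice, which
    // would otherwise collide on the subscription construct id.
    const recipients = [
      ...new Set(
        (eventNotifications.email ?? []).map(address => address.trim()).filter(address => address.length > 0),
      ),
    ];
    recipients.forEach(address => {
      topic.addSubscription(new EmailSubscription(address));
    });

    // Cluster-level events, filtered by the configured severity / categories.
    const clusterEventNotificationSubProps: CfnEventSubscriptionProps = {
      subscriptionName: clusterName,
      sourceType: 'cluster',
      sourceIds: [clusterName],
      severity: eventNotifications.severity,
      eventCategories: eventNotifications.eventCategories,
      snsTopicArn: topic.topicArn,
    };

    new CfnEventSubscription(this.scope, `cluster-event-notifications-sub`, clusterEventNotificationSubProps);

    // Scheduled-action events for every scheduled action passed in.
    // NOTE(review): with an empty `scheduledActions` list this yields an empty
    // `sourceIds`; verify how Redshift treats an empty source-id list for this
    // source type (it may widen the subscription beyond this cluster's actions).
    const actionEventNotificationSubProps: CfnEventSubscriptionProps = {
      subscriptionName: `${clusterName}-scheduled-actions`,
      sourceType: 'scheduled-action',
      sourceIds: scheduledActions.map(action => action.scheduledActionName),
      severity: eventNotifications.severity,
      eventCategories: eventNotifications.eventCategories,
      snsTopicArn: topic.topicArn,
    };

    new CfnEventSubscription(this.scope, `scheduled-action-event-notifications-sub`, actionEventNotificationSubProps);
  }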