feat: Add policy to allow writing to Anghammarad

docs/005-default-parameter-store-locations.md

@@ -3,13 +3,14 @@
 A number of constructs from the library define parameters to get configuration from Parameter Store. Each of these parameters configures a default path.
 The below table lists those paths, the parameter that sets them, the expected value type and which construct the parameter is defined within.
 
-| Path                                  | Parameter              | Type                         | Construct                  |
-| ------------------------------------- | ---------------------- | ---------------------------- | -------------------------- |
-| /account/vpc/primary/id               | VpcId                  | AWS::EC2::VPC::Id            | GuVpc.fromIdParameter      |
-| /account/vpc/primary/subnets/public   | PublicSubnets          | List\<AWS::EC2::Subnet::Id\> | GuVpc.subnetsFromParameter |
-| /account/vpc/primary/subnets/private  | PrivateSubnets         | List\<AWS::EC2::Subnet::Id\> | GuVpc.subnetsFromParameter |
-| /account/services/artifact.bucket     | DistributionBucketName | String                       | GuGetDistributablePolicy   |
-| /account/services/logging.stream.name | LoggingStreamName      | String                       | GuLogShippingPolicy        |
+| Path                                    | Parameter              | Type                         | Construct                  |
+| --------------------------------------- | ---------------------- | ---------------------------- | -------------------------- |
+| /account/vpc/primary/id                 | VpcId                  | AWS::EC2::VPC::Id            | GuVpc.fromIdParameter      |
+| /account/vpc/primary/subnets/public     | PublicSubnets          | List\<AWS::EC2::Subnet::Id\> | GuVpc.subnetsFromParameter |
+| /account/vpc/primary/subnets/private    | PrivateSubnets         | List\<AWS::EC2::Subnet::Id\> | GuVpc.subnetsFromParameter |
+| /account/services/artifact.bucket       | DistributionBucketName | String                       | GuGetDistributablePolicy   |
+| /account/services/logging.stream.name   | LoggingStreamName      | String                       | GuLogShippingPolicy        |
+| /account/services/anghammarad.topic.arn | AnghammaradSnsArn      | String                       | AnghammaradSenderPolicy    |
 
 
 ## Pattern-specific default Parameter Store locations

src/constructs/core/parameters/anghammarad.ts

@@ -0,0 +1,35 @@
+import { isSingletonPresentInStack } from "../../../utils/test";
+import type { GuStack } from "../stack";
+import { GuStringParameter } from "./base";
+
+/**
+ * Creates a CloudFormation parameter to a SSM Parameter Store item that holds the ARN of the Anghammarad SNS topic.
+ * This parameter is implemented as a singleton, meaning only one can ever be added to a stack and will be reused if necessary.
+ *
+ * @see https://github.com/guardian/anghammarad
+ */
+export class AnghammaradTopicParameter extends GuStringParameter {
+  private static instance: AnghammaradTopicParameter | undefined;
+
+  private constructor(scope: GuStack) {
+    super(scope, "AnghammaradSnsArn", {
+      fromSSM: true,
+      default: "/account/services/anghammarad.topic.arn",
+      description: "SSM parameter containing the ARN of the Anghammarad SNS topic",
+    });
+  }
+
+  /**
+   * Returns a pre-existing parameter in the stack.
+   * If no parameter exists, creates a new parameter.
+   *
+   * @param stack the stack to operate on
+   */
+  public static getInstance(stack: GuStack): AnghammaradTopicParameter {
+    if (!this.instance || !isSingletonPresentInStack(stack, this.instance)) {
+      this.instance = new AnghammaradTopicParameter(stack);
+    }
+
+    return this.instance;
+  }
+}

src/constructs/iam/policies/anghammarad.test.ts

@@ -0,0 +1,60 @@
+import "@aws-cdk/assert/jest";
+import { SynthUtils } from "@aws-cdk/assert/lib/synth-utils";
+import type { SynthedStack } from "../../../utils/test";
+import { attachPolicyToTestRole, simpleGuStackForTesting } from "../../../utils/test";
+import type { GuStack } from "../../core";
+import { AnghammaradTopicParameter } from "../../core/parameters/anghammarad";
+import { AnghammaradSenderPolicy } from "./anghammarad";
+
+describe("AnghammaradSenderPolicy", () => {
+  const getParams = (stack: GuStack) => {
+    const json = SynthUtils.toCloudFormation(stack) as SynthedStack;
+    return Object.keys(json.Parameters);
+  };
+
+  it("should add a parameter to the stack if it is not already defined", () => {
+    const stack = simpleGuStackForTesting();
+
+    // an empty stack should only have `Stage` which GuStack adds
+    expect(getParams(stack)).toEqual(["Stage"]);
+
+    // add the policy
+    attachPolicyToTestRole(stack, AnghammaradSenderPolicy.getInstance(stack));
+    expect(getParams(stack)).toEqual(["Stage", "AnghammaradSnsArn"]);
+  });
+
+  it("should not add a parameter to the stack if it already exists", () => {
+    const stack = simpleGuStackForTesting();
+
+    // an empty stack should only have `Stage` which GuStack adds
+    expect(getParams(stack)).toEqual(["Stage"]);
+
+    // explicitly add an AnghammaradTopicParameter
+    AnghammaradTopicParameter.getInstance(stack);
+    expect(getParams(stack)).toEqual(["Stage", "AnghammaradSnsArn"]);
+
+    // add the policy
+    attachPolicyToTestRole(stack, AnghammaradSenderPolicy.getInstance(stack));
+    expect(getParams(stack)).toEqual(["Stage", "AnghammaradSnsArn"]);
+  });
+
+  it("should define a policy that would allow writing to SNS", () => {
+    const stack = simpleGuStackForTesting();
+    attachPolicyToTestRole(stack, AnghammaradSenderPolicy.getInstance(stack));
+
+    expect(stack).toHaveResource("AWS::IAM::Policy", {
+      PolicyDocument: {
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Action: "sns:Publish",
+            Effect: "Allow",
+            Resource: {
+              Ref: "AnghammaradSnsArn",
+            },
+          },
+        ],
+      },
+    });
+  });
+});

src/constructs/iam/policies/anghammarad.ts

@@ -0,0 +1,32 @@
+import { isSingletonPresentInStack } from "../../../utils/test";
+import type { GuStack } from "../../core";
+import { AnghammaradTopicParameter } from "../../core/parameters/anghammarad";
+import { GuAllowPolicy } from "./base-policy";
+
+/**
+ * Creates an `AWS::IAM::Policy` to grant `sns:Publish` permission to the Anghammarad topic.
+ * An `AnghammaradSnsArn` parameter will be automatically added to the stack when needed.
+ *
+ * @see AnghammaradTopicParameter
+ * @see https://github.com/guardian/anghammarad
+ */
+export class AnghammaradSenderPolicy extends GuAllowPolicy {
+  private static instance: AnghammaradSenderPolicy | undefined;
+
+  private constructor(scope: GuStack) {
+    const anghammaradTopicParameter = AnghammaradTopicParameter.getInstance(scope);
+
+    super(scope, "GuSESSenderPolicy", {
+      actions: ["sns:Publish"],
+      resources: [anghammaradTopicParameter.valueAsString],
+    });
+  }
+
+  public static getInstance(stack: GuStack): AnghammaradSenderPolicy {
+    if (!this.instance || !isSingletonPresentInStack(stack, this.instance)) {
+      this.instance = new AnghammaradSenderPolicy(stack);
+    }
+
+    return this.instance;
+  }
+}