From 546b05973f90eacf708c05f66e50d042c80423df Mon Sep 17 00:00:00 2001 From: Samuel Williams Date: Mon, 25 Nov 2024 14:05:42 +0000 Subject: [PATCH] Add explicit policy for writing to notification queue So that we can lock down read/writes on these queues. https://mhclgdigital.atlassian.net/browse/FSPT-110 --- .../addons/notification-queue-policy.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 copilot/fsd-authenticator/addons/notification-queue-policy.yml diff --git a/copilot/fsd-authenticator/addons/notification-queue-policy.yml b/copilot/fsd-authenticator/addons/notification-queue-policy.yml new file mode 100644 index 00000000..b609e782 --- /dev/null +++ b/copilot/fsd-authenticator/addons/notification-queue-policy.yml @@ -0,0 +1,29 @@ +Parameters: + App: + Type: String + Description: Your application's name. + Env: + Type: String + Description: The environment name your service, job, or workflow is being deployed to. + Name: + Type: String + Description: The name of the service, job, or workflow being deployed. + +Resources: + NotificationQueuePolicy: + Type: AWS::IAM::ManagedPolicy + Properties: + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: NotificationQueuePolicy + Effect: Allow + Action: + - sqs:SendMessage + Resource: + - Fn::ImportValue: !Sub ${App}-${Env}-NotificationQueueArn + +Outputs: + NotificationQueuePolicyArn: + Description: "The ARN of the ManagedPolicy to attach to the task role." + Value: !Ref NotificationQueuePolicy
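Review bot: The statement grants only `sqs:SendMessage` on the imported queue ARN, which is the right least-privilege shape for a producer, but whether the "lock down" in the commit message actually holds depends on two things this template cannot show: the queue's own resource policy in the exporting stack, and, if the queue is encrypted with a customer-managed KMS key rather than SQS-managed SSE, a matching `kms:GenerateDataKey`/`kms:Decrypt` grant on that key, without which every send fails with a KMS access-denied error. If the service resolves the queue by name instead of receiving its URL through an environment variable, `sqs:GetQueueUrl` on the same resource would also be needed. I would record the intent above the statement so a later maintainer does not widen it: `# Producer-only: the task may enqueue but never receive/delete; consume rights belong in the consumer's addon.` The `Name` parameter is declared but never referenced, which CloudFormation tolerates but is worth a one-line comment if it is kept only to satisfy the Copilot addon parameter contract.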