# SNS topic that fans out account-level alerts (intended for email delivery).
# NOTE(review): no kms_master_key_id is set, so the topic has no server-side
# encryption with a customer-managed key; confirm whether at-rest encryption is
# required here before adding one, since publishers (e.g. CloudWatch alarms in
# the responsible accounts) would also need access in the key policy.
resource "aws_sns_topic" "account-alerts" {
  name = "account-alerts"

  # Module-wide standard tags first; caller-supplied var.tags win on conflict.
  tags = merge(var.standard_tags, var.tags)
}

# Resource policy for the topic: only the root principal of each responsible
# account for the current environment may publish. No other SNS action is
# granted to those accounts.
data "aws_iam_policy_document" "account-alerts" {
  statement {
    sid    = "AllowAllAccountsToPublish"
    effect = "Allow"

    actions = [
      "SNS:Publish",
    ]

    resources = [
      aws_sns_topic.account-alerts.arn,
    ]

    # One "<account>:root" ARN per responsible account; var.aws_partition keeps
    # the ARNs valid outside the standard "aws" partition.
    principals {
      type = "AWS"
      identifiers = [
        for account_id in var.responsible_accounts[var.environment] :
        "arn:${var.aws_partition}:iam::${account_id}:root"
      ]
    }
  }
}

# Attach the policy document above to the topic.
resource "aws_sns_topic_policy" "account-alerts" {
  arn    = aws_sns_topic.account-alerts.arn
  policy = data.aws_iam_policy_document.account-alerts.json
}

# Email subscriptions are not declared here: the original author noted that
# Terraform did not support email destinations. NOTE(review): verify against
# the aws provider version in use before relying on manually created subscriptions.