
Conversation

pahud
Contributor

@pahud pahud commented Sep 12, 2025

Issue # (if applicable)

Closes #34136.

Reason for this change

The SNS Topic L2 construct was missing support for the DataProtectionPolicy property that is available in the underlying CloudFormation resource (AWS::SNS::Topic). Users currently need to use escape hatches or create custom constructs to add data protection policies to SNS topics, which reduces the value proposition of using L2 constructs and creates additional complexity for teams implementing data protection requirements.

Description of changes

Added native DataProtectionPolicy support to the SNS Topic L2 construct following the established aws-logs DataProtectionPolicy pattern with SNS-specific enhancements:

  • Interface-based design: IDataProtectionPolicy interface for extensibility and custom implementations
  • DataProtectionPolicy class: Main implementation with constructor validation and CloudFormation binding
  • Enhanced type safety: Static type checking methods and symbol-based runtime identification
  • Extended TopicProps interface: Added optional dataProtectionPolicy property to enable policy configuration
  • Comprehensive DataIdentifier support: 90+ managed data identifiers plus support for custom regex-based identifiers
  • SNS-specific policy structure: Includes DataDirection, Principal, and SampleRate fields required by SNS
  • Full JSII compatibility: All APIs use JSII-compatible types for cross-language support
  • Optimized CloudFormation integration: Uses static ARN format to avoid CloudFormation intrinsic functions

Key implementation improvements over aws-logs pattern:

  • Interface-based design for better extensibility
  • Enhanced validation with detailed error messages
  • SNS-specific policy statement structure
  • Modern S3 interface usage (IBucket vs IBucketRef)
  • Static ARN generation for better CloudFormation performance

Testing:

  • Unit tests: Added 12+ comprehensive tests covering DataProtectionPolicy functionality, Topic integration, validation, custom identifiers, error handling, and edge cases
  • Integration tests: Created new integration test integ.sns-data-protection-policy.ts with CloudFormation template validation
  • Pattern consistency: Verified implementation follows and improves upon aws-logs DataProtectionPolicy pattern

Description of how you validated changes

  • Unit tests: Added 12+ comprehensive tests covering all DataProtectionPolicy functionality including validation, custom identifiers, error handling, type checking, and CloudFormation generation. All existing SNS tests pass with no regressions.
  • Integration tests: Created comprehensive integration test with multiple policy configurations to verify proper CloudFormation template generation and AWS::SNS::Topic resource configuration.
  • Build validation: Full TypeScript compilation, linting, and aws-cdk-lib build passes successfully.
  • Pattern consistency: Verified implementation follows established aws-logs DataProtectionPolicy pattern while adding appropriate SNS-specific enhancements.
  • AWS documentation compliance: Verified generated policies match AWS SNS data protection policy documentation exactly.
  • JSII compatibility: Confirmed all public APIs are JSII-compatible for cross-language support.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
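The PR description names the statement fields an SNS data protection policy needs (DataDirection, Principal, SampleRate), the static managed-identifier ARN format, and custom regex identifiers, but the construct code itself is not shown here. The following is an added example, not code from this PR or from aws-cdk: a dependency-free TypeScript model that validates a policy at synthesis time and renders the SNS policy JSON document. The JSON field names follow the SNS data protection policy format; the TypeScript types, the validation rules, the CloudWatch Logs findings destination, and the sample identifiers and log group name are this example's own assumptions, and the CDK-level construct API (constructor shape, property names) is not asserted.

```typescript
// Added example (not aws-cdk code): model, validate and render an Amazon SNS
// data protection policy document.

type DataDirection = 'Inbound' | 'Outbound';

// Managed identifiers use a fixed ARN with no account or region component,
// so they can be emitted as plain strings rather than CloudFormation intrinsics.
const MANAGED_ARN_PREFIX = 'arn:aws:dataprotection::aws:data-identifier/';

function managedDataIdentifier(name: string): string {
  return `${MANAGED_ARN_PREFIX}${name}`;
}

interface CustomDataIdentifier { name: string; regex: string; }

type Operation =
  | { kind: 'Audit'; sampleRate: number; findingsLogGroup: string } // assumed: CloudWatch Logs destination
  | { kind: 'Deny' }
  | { kind: 'Deidentify' };

interface PolicyStatement {
  sid: string;
  dataDirection: DataDirection;
  principals?: string[];      // defaults to ['*']
  dataIdentifiers: string[];  // managed ARNs or declared custom identifier names
  operation: Operation;
}

interface PolicyInput {
  name: string;
  description?: string;
  customDataIdentifiers?: CustomDataIdentifier[];
  statements: PolicyStatement[];
}

interface PolicyDocument {
  Name: string;
  Description?: string;
  Version: string;
  Configuration?: { CustomDataIdentifier: { Name: string; Regex: string }[] };
  Statement: {
    Sid: string; DataDirection: DataDirection; Principal: string[];
    DataIdentifier: string[]; Operation: Record<string, unknown>;
  }[];
}

// Synthesis-time validation: collect every problem instead of stopping at the
// first, so a misconfigured policy is reported in one pass. Rules are this
// example's own checks.
function validatePolicy(p: PolicyInput): string[] {
  const errors: string[] = [];
  const customNames = new Set<string>();
  for (const c of p.customDataIdentifiers ?? []) {
    if (customNames.has(c.name)) errors.push(`duplicate custom identifier '${c.name}'`);
    customNames.add(c.name);
    // Rough syntax check only: the service's regex dialect is not JavaScript's.
    try { new RegExp(c.regex); } catch { errors.push(`custom identifier '${c.name}' has an invalid regex`); }
  }
  if (p.statements.length === 0) errors.push('policy needs at least one statement');
  for (const s of p.statements) {
    if (s.dataIdentifiers.length === 0) errors.push(`statement '${s.sid}': no data identifiers`);
    for (const id of s.dataIdentifiers) {
      if (!id.startsWith(MANAGED_ARN_PREFIX) && !customNames.has(id)) {
        errors.push(`statement '${s.sid}': unknown data identifier '${id}'`);
      }
    }
    if (s.operation.kind === 'Audit') {
      const r = s.operation.sampleRate;
      if (!Number.isInteger(r) || r < 0 || r > 99) {
        errors.push(`statement '${s.sid}': SampleRate must be an integer from 0 to 99`);
      }
    }
  }
  return errors;
}

function renderOperation(op: Operation): Record<string, unknown> {
  switch (op.kind) {
    case 'Audit':
      return { Audit: { SampleRate: String(op.sampleRate),
        FindingsDestination: { CloudWatchLogs: { LogGroup: op.findingsLogGroup } } } };
    case 'Deny':
      return { Deny: {} };
    case 'Deidentify':
      return { Deidentify: { MaskConfig: {} } };
  }
}

// Render the document in the shape SNS expects; throws if validation fails.
function renderPolicy(p: PolicyInput): PolicyDocument {
  const errors = validatePolicy(p);
  if (errors.length > 0) throw new Error(`invalid data protection policy: ${errors.join('; ')}`);
  const doc: PolicyDocument = {
    Name: p.name,
    Version: '2021-06-01',
    Statement: p.statements.map((s) => ({
      Sid: s.sid,
      DataDirection: s.dataDirection,
      Principal: s.principals ?? ['*'],
      DataIdentifier: s.dataIdentifiers,
      Operation: renderOperation(s.operation),
    })),
  };
  if (p.description !== undefined) doc.Description = p.description;
  if (p.customDataIdentifiers && p.customDataIdentifiers.length > 0) {
    doc.Configuration = {
      CustomDataIdentifier: p.customDataIdentifiers.map((c) => ({ Name: c.name, Regex: c.regex })),
    };
  }
  return doc;
}

// Constructed sample: audit inbound credit card numbers, deny outbound messages
// that contain a custom employee-ID pattern. All values are illustrative.
const samplePolicy: PolicyInput = {
  name: 'example-topic-policy',
  description: 'Constructed example for illustration',
  customDataIdentifiers: [{ name: 'EmployeeId', regex: 'EMP-[0-9]{6}' }],
  statements: [
    { sid: 'audit-credit-cards', dataDirection: 'Inbound',
      dataIdentifiers: [managedDataIdentifier('CreditCardNumber')],
      operation: { kind: 'Audit', sampleRate: 99, findingsLogGroup: '/aws/vendedlogs/example' } },
    { sid: 'deny-employee-ids', dataDirection: 'Outbound',
      dataIdentifiers: ['EmployeeId'], operation: { kind: 'Deny' } },
  ],
};

console.log(JSON.stringify(renderPolicy(samplePolicy), null, 2));
```

Validating before rendering is the point of doing this in an L2 construct rather than an escape hatch: an unknown identifier name, an undeclared custom identifier, or an out-of-range SampleRate is caught at `cdk synth` with a message naming the statement, instead of surfacing as a CloudFormation deployment failure.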

@github-actions github-actions bot added feature-request A feature should be added or improved. p2 labels Sep 12, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team September 12, 2025 14:56
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Sep 12, 2025
@pahud pahud marked this pull request as ready for review September 12, 2025 16:26
@pahud pahud marked this pull request as draft September 12, 2025 16:26
@pahud pahud marked this pull request as ready for review September 12, 2025 17:52
@pahud pahud marked this pull request as draft September 12, 2025 18:46
@pahud pahud marked this pull request as ready for review September 15, 2025 13:05
@pahud pahud marked this pull request as draft September 16, 2025 01:35
Development

Successfully merging this pull request may close these issues.

@aws-cdk/sns: Topic missing DataProtectionPolicy