Description
Hi, I was playing around with ElastiCache notifications to an SNS topic created with this module, but they were not arriving as expected. However, an SNS topic created by hand with the default policy worked. After a bit of digging, I found out that the default policy provided by SNS still has the AWS:SourceOwner key.
According to the AWS Documentation, the key is deprecated but some services are still using it and not the new AWS:SourceAccount key.
Rolling back the module version worked.
Versions
6.1.3
Reproduction Code
- Define an SNS topic with just the name and deploy it
- Link the topic to an ElastiCache replication group
- Create a log destination for the notification or a topic subscription
- Trigger an ElastiCache event, like test-failover
Expected behavior
The events should be sent to the log and/or the subscribers. Should be that way for all services that publish to SNS.
Actual behavior
The events are not being sent to the topic due to a mismatch between the condition keys with the default policy. The AWS-provided default policy works, however, but it won't work for new services that use AWS:SourceAccount.
Additional notes
I suggest creating a new default policy with two statements, one with AWS:SourceOwner, and the other one with AWS:SourceAccount to accommodate both situations.
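The two-statement policy suggested above could look like the following Terraform sketch. It is an added example, not part of the original issue and not the module's own code. The resource names and topic name are hypothetical, and the statements are narrowed to `sns:Publish` on the assumption that only service-to-topic publishing needs the resource policy.

```hcl
# Added example: resource names and the topic name are constructed.
data "aws_caller_identity" "current" {}

resource "aws_sns_topic" "events" {
  name = "example-elasticache-events"
}

locals {
  # The two condition keys named in the issue: the deprecated key that some
  # services still send, and its replacement.
  source_keys = {
    SourceOwner   = "AWS:SourceOwner"
    SourceAccount = "AWS:SourceAccount"
  }
}

data "aws_iam_policy_document" "topic" {
  # One Allow statement per key. Separate statements are ORed, so a request
  # carrying either key with this account ID is allowed. Putting both keys in
  # one condition block would AND them and reject requests that carry only one.
  dynamic "statement" {
    for_each = local.source_keys
    content {
      sid       = "AllowPublishBy${statement.key}"
      effect    = "Allow"
      actions   = ["sns:Publish"]
      resources = [aws_sns_topic.events.arn]

      principals {
        type        = "AWS"
        identifiers = ["*"]
      }

      # The wildcard principal is bounded to this account by the condition.
      condition {
        test     = "StringEquals"
        variable = statement.value
        values   = [data.aws_caller_identity.current.account_id]
      }
    }
  }
}

resource "aws_sns_topic_policy" "events" {
  arn    = aws_sns_topic.events.arn
  policy = data.aws_iam_policy_document.topic.json
}
```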