feat(sns): add signature version prop

packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns.js.snapshot/SNSInteg.template.json

@@ -110,6 +110,14 @@
      }
     ]
    }
+  },
+  "MyTopicSignatureVersionEDDB6A3B": {
+   "Type": "AWS::SNS::Topic",
+   "Properties": {
+    "DisplayName": "fooDisplayNameSignatureVersion",
+    "SignatureVersion": "2",
+    "TopicName": "fooTopicSignatureVersion"
+   }
   }
  },
  "Parameters": {

packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns.ts

@@ -40,6 +40,12 @@ class SNSInteg extends Stack {
       successFeedbackRole: feedbackRole,
       successFeedbackSampleRate: 50,
     });
+
+    new Topic(this, 'MyTopicSignatureVersion', {
+      topicName: 'fooTopicSignatureVersion',
+      displayName: 'fooDisplayNameSignatureVersion',
+      signatureVersion: '2',
+    });
   }
 }
 

packages/aws-cdk-lib/aws-sns/README.md

@@ -19,6 +19,19 @@ const topic = new sns.Topic(this, 'Topic', {
 });
 ```
 
+Add an SNS Topic to your stack with a specified signature version, which corresponds 
+to the hashing algorithm used while creating the signature of the notifications, 
+subscription confirmations, or unsubscribe confirmation messages sent by Amazon SNS.
+
+The default signature version is `1` (`SHA1`).
+SNS also supports signature version `2` (`SHA256`).
+
+```ts
+const topic = new sns.Topic(this, 'Topic', {
+  signatureVersion: '2',
+});
+```
+
 Note that FIFO topics require a topic name to be provided. The required `.fifo` suffix will be automatically generated and added to the topic name if it is not explicitly provided.
 
 ## Subscriptions

packages/aws-cdk-lib/aws-sns/lib/topic.ts

@@ -51,7 +51,7 @@ export interface TopicProps {
   /**
    * The list of delivery status logging configurations for the topic.
    *
-   * For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-topic-attributes.html.
+   * @see https://docs.aws.amazon.com/sns/latest/dg/sns-topic-attributes.html.
    *
    * @default None
    */
@@ -71,17 +71,27 @@ export interface TopicProps {
   /**
    * Adds a statement to enforce encryption of data in transit when publishing to the topic.
    *
-   * For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit.
+   * @see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit.
    *
    * @default false
    */
   readonly enforceSSL?: boolean;
+
+  /**
+   * The signature version corresponds to the hashing algorithm used while creating the signature of the notifications,
+   * subscription confirmations, or unsubscribe confirmation messages sent by Amazon SNS.
+   *
+   * @see https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html.
+   *
+   * @default 1
+   */
+  readonly signatureVersion?: string;
 }
 
 /**
  * A logging configuration for delivery status of messages sent from SNS topic to subscribed endpoints.
  *
- * For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-topic-attributes.html.
+ * @see https://docs.aws.amazon.com/sns/latest/dg/sns-topic-attributes.html.
  */
 export interface LoggingConfig {
   /**
@@ -207,7 +217,7 @@ export class Topic extends TopicBase {
     if (props.fifo && props.topicName && !props.topicName.endsWith('.fifo')) {
       cfnTopicName = this.physicalName + '.fifo';
     } else if (props.fifo && !props.topicName) {
-      // Max lenght allowed by CloudFormation is 256, we subtract 5 to allow for ".fifo" suffix
+      // Max length allowed by CloudFormation is 256, we subtract 5 to allow for ".fifo" suffix
       const prefixName = Names.uniqueResourceName(this, {
         maxLength: 256 - 5,
         separator: '-',
@@ -217,6 +227,15 @@ export class Topic extends TopicBase {
       cfnTopicName = this.physicalName;
     }
 
+    if (
+      props.signatureVersion &&
+      !Token.isUnresolved(props.signatureVersion) &&
+      props.signatureVersion !== '1' &&
+      props.signatureVersion !== '2'
+    ) {
+      throw new Error(`signatureVersion must be "1" or "2", received: "${props.signatureVersion}"`);
+    }
+
     const resource = new CfnTopic(this, 'Resource', {
       archivePolicy: props.messageRetentionPeriodInDays ? {
         MessageRetentionPeriod: props.messageRetentionPeriodInDays,
@@ -226,6 +245,7 @@ export class Topic extends TopicBase {
       kmsMasterKeyId: props.masterKey && props.masterKey.keyArn,
       contentBasedDeduplication: props.contentBasedDeduplication,
       fifoTopic: props.fifo,
+      signatureVersion: props.signatureVersion,
       deliveryStatusLogging: Lazy.any({ produce: () => this.renderLoggingConfigs() }, { omitEmptyArray: true }),
     });
 

packages/aws-cdk-lib/aws-sns/test/sns.test.ts

@@ -156,6 +156,26 @@ describe('Topic', () => {
       })).toThrow(/Content based deduplication can only be enabled for FIFO SNS topics./);
 
     });
+
+    test('specify signatureVersion', () => {
+      const stack = new cdk.Stack();
+
+      new sns.Topic(stack, 'MyTopic', {
+        signatureVersion: '2',
+      });
+
+      Template.fromStack(stack).hasResourceProperties('AWS::SNS::Topic', {
+        'SignatureVersion': '2',
+      });
+    });
+
+    test('throw with incorrect signatureVersion', () => {
+      const stack = new cdk.Stack();
+
+      expect(() => new sns.Topic(stack, 'MyTopic', {
+        signatureVersion: '3',
+      })).toThrow(/signatureVersion must be "1" or "2", received: "3"/);
+    });
   });
 
   test('can add a policy to the topic', () => {