I'm currently building out Terraform code that allows S3 buckets to send notifications to an SNS topic once an object has been created.
Here's a code snippet:
// Creates SNS topic
resource "aws_sns_topic" "topic" {
  name = "topic-name"
}

// Creates policy that allows the S3 bucket to publish to the topic
data "aws_iam_policy_document" "iam_policy" {
  statement {
    effect = "Allow"
    actions = [
      "SNS:Publish"
    ]
    resources = [
      aws_sns_topic.topic.arn
    ]
  }
}

resource "aws_sns_topic_policy" "topic_policy" {
  arn    = aws_sns_topic.topic.arn
  policy = data.aws_iam_policy_document.iam_policy.json
}

// Sends alerts to the SNS topic when an object is created in the S3 bucket
resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.s3-bucket.id
  topic {
    topic_arn = aws_sns_topic.topic.arn
    events    = ["s3:ObjectCreated:*"]
  }
}
The Terraform code creates all of the infrastructure, but when it's time to create the policy I receive this error.
aws_sns_topic_policy.topic_policy: Creating...
aws_sns_topic_policy.topic_policy: Still creating... [10s elapsed]
aws_sns_topic_policy.topic_policy: Still creating... [20s elapsed]
aws_sns_topic_policy.topic_policy: Still creating... [30s elapsed]
aws_sns_topic_policy.topic_policy: Still creating... [40s elapsed]
aws_sns_topic_policy.topic_policy: Still creating... [50s elapsed]
aws_sns_topic_policy.topic_policy: Still creating... [1m0s elapsed]
aws_sns_topic_policy.topic_policy: Still creating... [1m10s elapsed]
aws_sns_topic_policy.topic_policy: Still creating... [1m20s elapsed]
aws_sns_topic_policy.topic_policy: Still creating... [1m30s elapsed]
aws_sns_topic_policy.topic_policy: Still creating... [1m40s elapsed]
aws_sns_topic_policy.topic_policy: Still creating... [1m50s elapsed]
│ Error: setting SNS Topic (arn:aws:sns:<REGION>:<ACCOUNTID>:topic-name) attribute (Policy): InvalidParameter: Invalid parameter: Policy Error: null
│ status code: 400, request id:
│
│ on sns.tf line 19, in resource "aws_sns_topic_policy" "topic_policy":
│ 19: resource "aws_sns_topic_policy" "topic_policy" {
│
╵
╷
│ Error: putting S3 Bucket Notification Configuration: InvalidArgument: Unable to validate the following destination configurations
│ status code: 400, request id: , host id:
│
│ on sns.tf line 26, in resource "aws_s3_bucket_notification" "bucket_notification":
│ 26: resource "aws_s3_bucket_notification" "bucket_notification" {
I've tried using this format of the SNS topic policy, with the same error.
// Creates SNS topic
resource "aws_sns_topic" "topic" {
  name   = "topic-name"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "${aws_sns_topic.topic.arn}",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:::${aws_s3_bucket.s3-bucket.id}"
        }
      }
    }
  ]
}
POLICY
}

// Sends alerts to the SNS topic when an object is created in the S3 bucket
resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.s3-bucket.id
  topic {
    topic_arn = aws_sns_topic.topic.arn
    events    = ["s3:ObjectCreated:*"]
  }
}
I managed to get it to work with the following policy doc:
data "aws_iam_policy_document" "iam_policy" {
  statement {
    effect    = "Allow"
    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.topic.arn]
    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }
  }
}
All I added was the principals section, that is all.
Full code here:
https://github.com/heldersepu/hs-scripts/blob/master/TerraForm/sns/main.tf
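The working policy above grants SNS:Publish to the entire s3.amazonaws.com service principal, so any bucket in any AWS account that learns the topic ARN could publish to it. Below is an added example (mine, not code from the question, the answer or the linked repository) that scopes the grant to the one bucket and its owning account with aws:SourceArn and aws:SourceAccount conditions, and orders the notification resource after the policy so S3's destination validation does not run before the policy is attached; it assumes the bucket resource is named aws_s3_bucket.s3-bucket as in the question.

```hcl
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "topic_policy_scoped" {
  statement {
    sid       = "AllowThisBucketToPublish"
    effect    = "Allow"
    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.topic.arn]

    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }

    # Only this bucket may publish, not every bucket that knows the topic ARN.
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.s3-bucket.arn] # assumed bucket resource name, as in the question
    }

    # Also pin the account that owns the bucket (confused-deputy guard).
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_sns_topic_policy" "topic_policy" {
  arn    = aws_sns_topic.topic.arn
  policy = data.aws_iam_policy_document.topic_policy_scoped.json
}

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.s3-bucket.id

  topic {
    topic_arn = aws_sns_topic.topic.arn
    events    = ["s3:ObjectCreated:*"]
  }

  # S3 test-publishes to the topic when the notification is configured. If the
  # topic policy is not attached yet, that test fails with "Unable to validate
  # the following destination configurations", so force the ordering here.
  depends_on = [aws_sns_topic_policy.topic_policy]
}
```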