
SNS topic subscription to SQS in different account is recreated with every apply #178

Closed
hashibot opened this issue Jun 13, 2017 · 3 comments
Labels
bug Addresses a defect in current functionality. service/sns Issues and PRs that pertain to the sns service.

Comments

@hashibot

This issue was originally opened by @e-gineer as hashicorp/terraform#6909. It was migrated here as part of the provider split. The original body of the issue is below.


When an SNS topic in AWS account 111111111111 is subscribed to publish messages to an SQS queue in a different AWS account 222222222222, the aws_sns_topic_subscription is successfully created but is not recorded in the terraform state so is continuously recreated on every subsequent terraform run.

Terraform Version

Terraform v0.6.16

Affected Resource(s)

  • aws_sns_topic_subscription

Terraform Configuration Files

```hcl
resource "aws_sns_topic" "user_updates" {
  name = "user-updates-topic"
}

resource "aws_sns_topic_subscription" "user_updates_sqs_target" {
  topic_arn = "${aws_sns_topic.user_updates.arn}"
  protocol  = "sqs"
  endpoint  = "arn:aws:sqs:us-east-1:222222222222:sqs-queue-in-another-account"
}
```

Debug Output

https://gist.github.com/e-gineer/c7141b4c30dc0db120f1e8b9701a684a

Expected Behavior

The SNS topic subscription should be created only once from SNS in account 1 to the SQS in account 2. Future terraform runs should not recreate it.

Actual Behavior

When an SNS topic in AWS account 111111111111 is subscribed to publish messages to an SQS queue in a different AWS account 222222222222, the aws_sns_topic_subscription is successfully created but is not recorded in the terraform state so is continuously recreated on every subsequent terraform run.

Steps to Reproduce

  1. Establish two separate AWS accounts.
  2. In account 2, setup an SQS queue which allows SNS in account 1 to publish to it. This requires an SQS policy to allow the cross-account subscribe - please see below.
  3. terraform apply
  4. Accept the subscribe request by using the link that appears in the queue messages list. This completes the setup between SNS and SQS. (We do this immediately & automatically in software.)
  5. terraform apply

Important Factoids

Allowing cross-account publishing from the SNS topic in account 1 to the queue in account 2 is important. The SQS queue requires a policy similar to:

```json
{
  "Version": "2012-10-17",
  "Id": "MyQueuePolicy",
  "Statement": [
    {
      "Sid": "Allow-Publishing-Of-Messages-for-Queue",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111111111111"
      },
      "Action": [
        "sqs:SendMessage"
      ],
      "Resource": [
        "arn:aws:sqs:us-east-1:222222222222:sqs-queue-in-another-account"
      ]
    }
  ]
}
```

(The Resource is the queue's own ARN, so its service segment is `sqs`, not `sns`; the original also carried a trailing comma that made the document invalid JSON.)

References
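The queue policy above grants `sqs:SendMessage` to the bare account principal `111111111111`, which is shorthand for that account's root and lets any IAM principal in the account that holds `sqs:SendMessage` write to the queue, not just the one SNS topic. A narrower policy grants the action to the SNS service principal only and pins it to the source topic ARN with an `aws:SourceArn` condition. The configuration below is an added example, not code from the issue or from the provider; it uses the current (0.12+) HCL syntax and the `aws_sqs_queue_policy` and `aws_iam_policy_document` resources rather than the hand-written JSON, and the provider aliases, region, account roles and names are placeholders. The subscription is still created from the topic account, so the confirmation step the reporter describes still applies.

```hcl
# Added example (not from the issue): cross-account SNS -> SQS delivery with a
# queue policy scoped to the SNS service principal and to one specific topic.
# Provider aliases, region and resource names are placeholders.

provider "aws" {
  alias  = "topic_account" # stands in for account 111111111111
  region = "us-east-1"
}

provider "aws" {
  alias  = "queue_account" # stands in for account 222222222222
  region = "us-east-1"
}

resource "aws_sns_topic" "user_updates" {
  provider = aws.topic_account
  name     = "user-updates-topic"
}

resource "aws_sqs_queue" "user_updates" {
  provider = aws.queue_account
  name     = "sqs-queue-in-another-account"
}

# Only the SNS service may call sqs:SendMessage, and only when the message
# originates from this one topic. The issue's policy instead trusts the whole
# publishing account.
data "aws_iam_policy_document" "allow_topic" {
  provider = aws.queue_account

  statement {
    sid       = "Allow-Publishing-Of-Messages-for-Queue"
    effect    = "Allow"
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.user_updates.arn]

    principals {
      type        = "Service"
      identifiers = ["sns.amazonaws.com"]
    }

    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_sns_topic.user_updates.arn]
    }
  }
}

resource "aws_sqs_queue_policy" "user_updates" {
  provider  = aws.queue_account
  queue_url = aws_sqs_queue.user_updates.id # the queue URL
  policy    = data.aws_iam_policy_document.allow_topic.json
}

# Created from the topic account, as in the issue. The policy must exist before
# SNS attempts delivery, hence the explicit dependency.
resource "aws_sns_topic_subscription" "user_updates_sqs_target" {
  provider  = aws.topic_account
  topic_arn = aws_sns_topic.user_updates.arn
  protocol  = "sqs"
  endpoint  = aws_sqs_queue.user_updates.arn

  depends_on = [aws_sqs_queue_policy.user_updates]
}
```

With this shape, rotating or deleting the topic invalidates the grant automatically, and a second topic in the publishing account cannot be pointed at the queue without the queue owner changing the policy.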

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@radeksimko radeksimko added the service/sns Issues and PRs that pertain to the sns service. label Jan 25, 2018
@brandonstevens (Contributor)

Looks like this was fixed by hashicorp/terraform#9842 based on the discussion on the original issue, hashicorp/terraform#6909.

@bflad (Contributor) commented Jun 22, 2018

@brandonstevens great catch! 💯 It certainly seems that way. If there is still a lingering code/documentation issue here, please create a new issue following the issue template. Thanks!

@bflad bflad closed this as completed Jun 22, 2018
@ghost commented Apr 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 5, 2020