ACloudGuru / serverless-plugin-aws-alerts

A Serverless Framework plugin that creates CloudWatch alarms for functions.
MIT License

Topics have no permissions to invoke lambda #52

Open sylwit opened 6 years ago

sylwit commented 6 years ago

This is a Bug Report

Description

For bug reports:

If you want a notification to call a Lambda, the topic doesn't have permission to invoke it.

The topic should be able to invoke the Lambda defined in the notification.

custom:
    notifications:
      - protocol: email
        endpoint: notification@foo.org
      - protocol: lambda
        endpoint:
          Fn::Join:
            - ":"
            - - "arn:aws:lambda"
              - Ref: "AWS::Region"
              - Ref: "AWS::AccountId"
              - "function"
              - ${self:service}-${self:provider.stage}-snsToSlack

No error


Additional Data

Subscribing a Lambda to a topic isn't enough to make it invokable. The topic must also have permission to call the Lambda. Here are some readings that helped me to figure out the problem: https://iangilham.com/2016/03/22/Sns-trigger-lambda-via-cloudformation.html (Permission for the Topic to invoke the Lambda), https://aws.amazon.com/blogs/mobile/invoking-aws-lambda-functions-via-amazon-sns/ (Preparing the Lambda function for invocation).

I was going to make a PR; instead I ended up adding events to my Lambda like so:

  snsToSlack:
    handler: snsToSlack.handler
    runtime: nodejs6.10
    package:
      include:
        - snsToSlack.js
    events:
      - sns:
          topicName: ${self:custom.prefix}-alerts-ok
          arn:
            Fn::Join:
              - ":"
              - - "arn:aws:sns"
                - Ref: "AWS::Region"
                - Ref: "AWS::AccountId"
                - ${self:custom.prefix}-alerts-ok

      - sns:
          topicName: ${self:custom.prefix}-alerts-alarm
          arn:
            Fn::Join:
              - ":"
              - - "arn:aws:sns"
                - Ref: "AWS::Region"
                - Ref: "AWS::AccountId"
                - ${self:custom.prefix}-alerts-alarm

rodrigogs commented 3 years ago

Any way around this? I don't really want to plug my SNS topics into the Lambdas, because there are lots of them.

adikari commented 3 years ago

We need to update the plugin so that when there is a Lambda as protocol, the appropriate IAM permission is also added. Happy for someone to create a PR for this.

rodrigogs commented 3 years ago

I really need it, so I can put some effort into developing this feature. If anybody could help me figure out the best way, it would be great.