[Bug] Unexpected triggering of GetSubscriptionAttributes after deleting an aws_sns_topic_subscription resource

[emansawalhaa]

Terraform Core Version

1.5.7

AWS Provider Version

5.57.0

Affected Resource(s)

Hi All,

We're encountering a strange issue with Terraform (TF). After deleting any aws_sns_topic_subscription, TF generates an error related to the subscription's deletion (Subscription does not exist). Specifically, we've observed that the GetSubscriptionAttributes operation is triggered on the deleted subscriptions after they are unsubscribed.

This behavior is quite annoying, as it appears in CloudTrail logs. While it doesn't significantly affect the deletion process (TF successfully executes the deletion), errors about non-existent subscriptions are generated.

Could someone clarify if this behavior is expected? Why is TF checking the attributes of a deleted subscription's ARN after it has been unsubscribed/deleted?

thanks,

Expected Behavior

GetSubscriptionAttributes should not be triggered after an aws_sns_topic_subscription is deleted.

Actual Behavior

After deleting an aws_sns_topic_subscription, we consistently observe a Subscription does not exist error in the Terraform (TF) logs.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_sqs_queue" "terraform_queue" {
  name                       = eman-queue"
  delay_seconds              = 0
  max_message_size           = 262144
  receive_wait_time_seconds  = 0
  visibility_timeout_seconds = 120
  message_retention_seconds  = 1209600
  fifo_queue                 = false
}

resource "aws_sns_topic_subscription" "this" {
  topic_arn = "arn:aws:sns:us-east-1:123456789101:eman-test-topic"
  protocol  = "sqs"
  endpoint  = aws_sqs_queue.terraform_queue.arn
}

Steps to Reproduce

1. Enable TF_LOG_PROVIDER to capture detailed logs.
2. Delete the aws_sns_topic_subscription resource using Terraform configuration.
3. Review the Terraform apply logs.
4. Observe the error message "Subscription does not exist" in the logs, which appears after the deletion of the resource.

Debug Output

After enabling debug mode (TF_LOG_PROVIDER), you can observe the error in the Terraform logs:

2024-07-11T14:10:57.891Z [DEBUG] provider.terraform-provider-aws_v5.57.0_x5: [DEBUG] Waiting for state to become: []
2024-07-11T14:10:57.892Z [DEBUG] provider.terraform-provider-aws_v5.57.0_x5: HTTP ............
2024-07-11T14:10:57.899Z [DEBUG] provider.terraform-provider-aws_v5.57.0_x5: HTTP Response Received: http.status_code=404  .........
 <Error>
    <Type>Sender</Type>
    <Code>NotFound</Code>
    <Message>Subscription does not exist</Message>
  </Error>
  <RequestId>xx0dedc6-xxxx-xxxx-a806-b2cf1axf1cxx</RequestId>
</ErrorResponse>
2024-07-11T14:10:57.899Z [DEBUG] provider.terraform-provider-aws_v5.57.0_x5: request failed ......, NotFound: Subscription does not exist: rpc.method=GetSubscriptionAttributes tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:45 a ........

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[acwwat]

@emansawalhaa For clarification, is it the correct interpretation that applying the Terraform configuration after removing the aws_sns_topic_subscription resource is successful (i.e. the subscription is deleted successfully), but you see an error in the log and CloudTrail for a failed call to the FindSubscriptionAttributesByARN API with a 404 response?

If so, this behavior is expected. During deletion, the Terraform resource code calls the Unsubscribe API which is asynchronous. It then needs to check for completion by polling for a a subscription attribute until the API returns a 404 indicating that the subscription is deleted. You can safely ignore the "error".

You may see similar pattern with other Terraform resources.