Open ghost opened 5 years ago
I think this is Terraform issue .
I think this refers to subscriptions to a SNS topic. If terraform is used to create SQS subscriptions to a topic, terraform tries to recreate the subscription every time an apply is done. This okay, when we do an apply for the first time, but it is strange that terraform tries to create subscriptions even for subsequent applies.
I ran into this issue as well. The aws_sns_topic_subscription
resource gets flagged for recreation on every terraform plan
. I checked the tfstate file and saw that the entire resource doesn't show up, this certainly explains why it tries to recreate it every time. I am however unsure as to why the created resource never gets stored in the statefile.
I dove a little bit into the code of the provider and found my error, in my case I had protocol
set to "HTTPS"
instead of "https"
. The provider does a check to see if protocol
contains the string "http"
(lowercase) to see if it should wait for the confirmation_timeout_in_minutes
period for the subscription to finish (and there to be an ARN). Since http
isn't in HTTPS
it was never getting there and there was no arn to save in the state file.
Since HTTPS seems to work in the aws api it might be worth improving that contains check to handle that case instead of silently half-succeeding
I dove a little bit into the code of the provider and found my error, in my case I had
protocol
set to"HTTPS"
instead of"https"
. The provider does a check to see ifprotocol
contains the string"http"
(lowercase) to see if it should wait for theconfirmation_timeout_in_minutes
period for the subscription to finish (and there to be an ARN). Sincehttp
isn't inHTTPS
it was never getting there and there was no arn to save in the state file.Since HTTPS seems to work in the aws api it might be worth improving that contains check to handle that case instead of silently half-succeeding
Thank you @gwkunze ! This fixed it for me
I have the same issue on Terraform v0.11.14 when trying to subscribe SNS to SQS :(
And yes, I'm using lowercase sqs
as Protocol.
This happens on latest v0.12.19 as well with sqs and lamba protocols
+ confirmation_timeout_in_minutes = 1
endpoint = "arn:aws:sqs:us-east-1:XXXXXX:XXXXX"
+ endpoint_auto_confirms = false
+ confirmation_timeout_in_minutes = 1
endpoint = "arn:aws:lambda:us-east-1:XXXXX:function:XXXXX"
+ endpoint_auto_confirms = false
any updates?
any updates?
Any updates on this? Thanks.
I'm also interested in the outcome of this issue because all our team members are currently swamped by a flow of ongoing subscription emails....
Was anyone else able to resolve? I'm also running into this issue with an sns subscriptions. Every time we try to deploy, it requires us to re-subscribe to the sns topic. My protocol is already lower case "https".
Was anyone else able to resolve? I'm also running into this issue with an sns subscriptions. Every time we try to deploy, it requires us to re-subscribe to the sns topic. My protocol is already lower case "https".
@thestrongdev I found a workaround but it's extremely clumsy. I basically use the null_resource
of terraform where I call a python script to check if the user is already subscribed. It's triggered when the list of users to subscribe to the topic changes so that a user can also be removed from subscriptions if it's removed from the list.
P.S.: we use 'email' as protocol.
resource "null_resource" "update_sns_subscriptions" {
triggers = {
email_list_sha = sha256(jsonencode(var.users))
}
depends_on = [aws_sns_topic.key_age_monitoring]
provisioner "local-exec" {
command = <<-EOT
pip install boto3
/usr/bin/python3 ${path.module}/sns_subscribe.py --users '${jsonencode(var.users)}' --topic-arn ${aws_sns_topic.key_age_monitoring.arn}
EOT
}
}
this triggers the script
#!/usr/bin/env python3
import argparse
import json
import os
import boto3
STAGE = os.getenv("STAGE")
AWS_REGION = os.getenv("REGION")
AWS_ACCOUNT_NUMBER = os.getenv("AWS_ACCOUNT_NUMBER")
SNS_CLIENT = boto3.client("sns", region_name=AWS_REGION)
def get_subscriptions(topic_arn: str) -> list[dict[str, str]]:
return SNS_CLIENT.list_subscriptions_by_topic(TopicArn=topic_arn)["Subscriptions"]
def subscribe(email: str, topic_arn: str) -> None:
filter_policy = {"email": [email]}
SNS_CLIENT.subscribe(
TopicArn=topic_arn,
Protocol="email",
Endpoint=email,
Attributes={"FilterPolicy": json.dumps(filter_policy)},
)
def unsubscribe(subscriptions_arn: str) -> None:
SNS_CLIENT.unsubscribe(SubscriptionArn=subscriptions_arn)
def main() -> None:
parser = argparse.ArgumentParser(
description="Take user emails and the key monitoring SNS topic ARN as arguments."
)
parser.add_argument("--users", type=str, help="user emails")
parser.add_argument("--topic-arn", type=str, help="SNS key monitoring topic ARN")
args = parser.parse_args()
users = json.loads(args.users)
topic_arn = args.topic_arn
subscriptions = get_subscriptions(topic_arn)
subscription_arn_by_email: dict[str, str] = {}
if subscriptions:
subscription_arn_by_email = {
subscription["Endpoint"]: subscription["SubscriptionArn"]
for subscription in subscriptions
}
for user in users:
if user not in subscription_arn_by_email.keys():
subscribe(user, topic_arn)
for subscribed_email in subscription_arn_by_email.keys():
if (subscribed_email not in users) and (
subscription_arn_by_email[subscribed_email] != "PendingConfirmation"
):
subscriptions_arn = subscription_arn_by_email[subscribed_email]
unsubscribe(subscriptions_arn)
if __name__ == "__main__":
main()
Was experiencing this same issue when subscribing to SQS in another AWS Account.
Example:
resource "aws_sns_topic_subscription" "subscription" {
count = var.create_subscription == true ? 1 : 0
topic_arn = aws_sns_topic.topic[0].arn
protocol = "sqs"
endpoint = "arn:aws:sqs:${local.region}:${var.cross_account_aws_account_id}:Queue-Name"
raw_message_delivery = true
}
Was able to overcome this by polling the endpoint queue before terraform apply and hitting the SubscribeURL
in browser whilst apply is ongoing. Appreciate is not a concrete solution but stopped us having the re-create subscription issue 🤞
This issue was originally opened by @ap8475 as hashicorp/terraform#19593. It was migrated here as a result of the provider split. The original body of the issue is below.
Terraform Version
Terraform Configuration Files
lambda_function.tf
SNS.tf
terraform.tfvar
Debug Output
Whenever I am creating new Lambda , its always creating new subscription , does not keep state and tries to re-create the subscription at every apply .
Crash Output
N/A
Expected Behavior
Can we prevent it to creation of new subscription if old subscription are already there . Issue : we have 20 clients and we have created subscription for them but whenever we are doing our production deployment each time client getting confirmation mail for subscription . Ho we can prevent for reconfirmation if already they confirmed .
Actual Behavior
N/A
Steps to Reproduce
N/A
Additional Context
References
N/A