sst / ion

SST v3
https://sst.dev
MIT License

Wrong permissions attached to SQS queue subscribed to a SNS topic #590

Open felipemotarocha opened 3 months ago

felipemotarocha commented 3 months ago

I have a SQS queue that is subscribed to two different SNS topics. Here's a small sample of my code:

    const admissionFormSubmittedTopic = new sst.aws.SnsTopic(
      'AdmissionFormSubmitted'
    )
    admissionFormSubmittedTopic.subscribeQueue(
      queues.CreditAnalysisRequested.arn
    )
    admissionFormSubmittedTopic.subscribeQueue(
      queues.UpsertPatientOnCelcoinRequested.arn
    )
    admissionFormSubmittedTopic.subscribeQueue(
      queues.UpsertPatientOnCelcashRequested.arn
    )
    const guarantorAdmissionFormSubmittedTopic = new sst.aws.SnsTopic(
      'GuarantorAdmissionFormSubmitted'
    )
    guarantorAdmissionFormSubmittedTopic.subscribeQueue(
      queues.GuarantorCreditAnalysisRequested.arn
    )
    guarantorAdmissionFormSubmittedTopic.subscribeQueue(
      queues.UpsertPatientOnCelcoinRequested.arn
    )

The problem is that the permissions of the "UpsertPatientOnCelcashRequested" queue are wrong. Here's what I have on the AWS Console:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "sns.amazonaws.com"
          },
          "Action": "sqs:SendMessage",
          "Resource": "arn:aws:sqs:sa-east-1:476738463198:doutor-sim-prod-UpsertPatientOnCelcoinRequestedQueue",
          "Condition": {
            "ArnEquals": {
              "aws:SourceArn": "arn:aws:sns:sa-east-1:476738463198:doutor-sim-prod-GuarantorAdmissionFormSubmittedTopic"
            }
          }
        }
      ]
    }

So the messages that arrive on the "AdmissionFormSubmitted" topic are not being sent to this queue. This is currently breaking my app.

Can someone help me with this? Thanks.

jayair commented 3 months ago

I'm not following. How is UpsertPatientOnCelcashRequested created? And what permissions were you expecting it to have?

relsunkaev commented 1 week ago

I'm having a similar issue where it doesn't seem to be possible to subscribe a queue to multiple SNS topics. The deployment times out on creating the second subscriber policy.

fwang commented 6 days ago

Yeah, I see your error. It's caused by each subscribe() call trying to update the queue's policy.

Let me think about the fix.
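The following is an added example, not code from SST or from anyone in this thread: a check that compares an SQS queue policy with the SNS topics subscribed to the queue and lists the topics whose messages the policy would not admit, plus a single-statement policy that admits all of them. The function names and the ARNs are hypothetical, constructed values; only exact `ArnEquals` conditions on `aws:SourceArn` are read.

```typescript
// Added example (not SST code). Function names and ARNs are constructed.
type Statement = {
  Effect: string;
  Principal: { Service: string };
  Action: string | string[];
  Resource: string;
  Condition?: { ArnEquals?: { "aws:SourceArn"?: string | string[] } };
};
type Policy = { Version: string; Statement: Statement[] };

const asArray = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// Topic ARNs allowed to sqs:SendMessage to queueArn. Only exact ArnEquals
// conditions on aws:SourceArn are read; ArnLike and wildcards are ignored.
function allowedTopics(policy: Policy, queueArn: string): string[] {
  const out: string[] = [];
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow" || s.Resource !== queueArn) continue;
    if (s.Principal.Service !== "sns.amazonaws.com") continue;
    if (asArray(s.Action).indexOf("sqs:SendMessage") === -1) continue;
    out.push(...asArray(s.Condition?.ArnEquals?.["aws:SourceArn"]));
  }
  return out;
}

// Subscribed topics whose messages the queue policy would not admit.
function missingTopics(policy: Policy, queueArn: string, subscribed: string[]): string[] {
  const allowed = allowedTopics(policy, queueArn);
  return subscribed.filter(t => allowed.indexOf(t) === -1);
}

// One statement admitting every subscribed topic (condition values are ORed).
function mergedPolicy(queueArn: string, topicArns: string[]): Policy {
  const statement: Statement = {
    Effect: "Allow", Principal: { Service: "sns.amazonaws.com" },
    Action: "sqs:SendMessage", Resource: queueArn,
    Condition: { ArnEquals: { "aws:SourceArn": topicArns } },
  };
  return { Version: "2012-10-17", Statement: [statement] };
}

const QUEUE = "arn:aws:sqs:us-east-1:123456789012:example-queue";
const TOPIC_A = "arn:aws:sns:us-east-1:123456789012:example-topic-a";
const TOPIC_B = "arn:aws:sns:us-east-1:123456789012:example-topic-b";
// Same shape as the policy in the report: a single allowed source topic.
const observed = mergedPolicy(QUEUE, [TOPIC_B]);
console.log(missingTopics(observed, QUEUE, [TOPIC_A, TOPIC_B]));
```

Running the check against the output of `aws sqs get-queue-attributes` after each deploy would flag a queue whose policy lost a topic before messages start going missing.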