Terraform-provider-aws: aws_sns_topic_subscription doesn't support unconfirmed endpoints

Yes, please! 😁

FWIW, looks like this is a new-ish feature of the service, became available in the SDK in June 2018.

• https://github.com/aws/aws-sdk-go/blob/master/CHANGELOG.md#release-v11360-2018-06-01

Starting to look at this

It's not looking pretty - creation appears to work fine, but it all falls over in the destruction department. It is not possible (by any means, API or console) to delete a subscription before it is confirmed. This seems like a fundamentally pointless restriction and I have asked AWS why it is the case, but it seems to have been this way for a long time so I'm not expecting any changes any time soon.

It would be possible to simply accept this restriction and report the error to the user during destruction, but this would then mean that an infrastructure deployment would be impossible to destroy if it includes an unconfirmed subscription. Making the failure non-fatal would mean that destroying a subscription does not necessarily destroy that subscription (if it were unconfirmed when the destroy command was performed, then the recipient subsequently confirmed the subscription, then it would be active but untracked by terraform).

So I'm not entirely sure what to do about this now. The HTTP/S subscription presumably suffers from this same problem if I specify auto-accepts on a subscription that doesn't actually auto-accept. I might have to look into how that is handled.

@lxop any additional updates on this? It seems these are automatically deleted after 72 hours if not yet confirmed. This edge-case may be acceptable or perhaps a hard-fail option to hard-fail if cleanup is not possible.

resource "aws_sns_topic_subscription" "topic-subscription" {
  topic_arn       = "${aws_sns_topic.topic.arn}"
  protocol        = "email"
  endpoint        = "${var.email_address}"
  require_cleanup = true
}

@bryanlalexander no update yet - I haven't had much time to work on it. I was/am considering this approach, but I'm not sure about how good it is to introduce a failure-mode to the destroy operation. It would need to also have a way to change the requirement after removing the resource block, otherwise a user could find themself stuck unable to destroy their infrastructure because the resource block that is failing doesn't exist anymore.
In saying that, I suppose the user could simply re-add a resource block with the appropriate name, and update the requirement there.

@alex-aire I'm happy to invest the time, if we can come to an agreeable solution. @bflad do you have a preference for a path forward on this item?

Any progress on this? I would love to have this included.

Not sure if I'm having the same issue, or a slightly different one with the same potential solution. I'm registering a subscription with the pagerduty HTTPS API, the subscription auto confirms, and I can confirm that in the console, but every subsequent build fails with "Error: Protocol http/https is only supported for endpoints which auto confirms!"

I'm also having similar issues to @crobo1337 with similar messages, setting up pager duty subs.

@crobo1337 @sagagliardo Re the PagerDuty issues, there are 2 different URLs in the docs: https://events.pagerduty.com/x-ere/{INTEGRATION_KEY} in the text and https://events.pagerduty.com/integration/{INTEGRATION_KEY}/enqueue in the screenshots. Only the second one (/integration/{INTEGRATION_KEY}/enqueue) would work for me. Hope that helps.