I have an s3 bucket that I would like to subscribe to an SNS topic. However the topics policy needs the topics arn embedded in it. I don't have the arn because the topic has not been created yet. Here is an example:
resource "aws_s3_bucket" "some_bucket" {
  bucket = "some_bucket"
  acl    = "private"
  region = "us-east-1"
}

resource "aws_sns_topic" "some_topic" {
  name   = "some_topic"
  policy = <<EOF
{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [{
    "Sid": "example-statement-ID",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": [
      "SNS:Publish"
    ],
    "Resource": "arn:aws:sns:",   (this line must actually be the arn)
    "Condition": {
      "ArnLike": {
        "aws:SourceArn": "arn:aws:s3:*:*:bucket_name"
      }
    }
  }]
}
EOF
}
If you remove the "Resource" line from the policy, everything will be created fine; however, if you try to add an event to the S3 bucket, it will tell you S3 does not have permission to publish to that resource. If I add the "Resource" line back to the policy with a hardcoded ARN, everything works as expected.
I tried adding #{aws_sns_topic.some_topic.arn} to the "Resource" line in the policy, but it resulted in a "* Self reference:" error.
Should Terraform do this in multiple passes, or should an aws_sns_topic_policy resource be created?
Here is the aws doc that shows an example policy with the arn in it.
http://docs.aws.amazon.com/AmazonS3/latest/dev/ways-to-add-notification-config-to-bucket.html
I'd like to add that ${self.arn} doesn't work either.
+1 - Seeing the same issue here
This is similar to https://github.com/hashicorp/terraform/issues/5067 hence I think the short and long term solutions will be similar/same.
FWIW, you can construct the ARN if you know the region and your AWS account ID, which you should ;-)
resource "aws_sns_topic" "mytopic" {
  name         = "mytopicname"
  display_name = "mytopicname"
  policy       = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:${var.region}:${var.account_id}:mytopicname",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "${aws_s3_bucket.mybucket.arn}"
        }
      }
    }
  ]
}
EOF
}
Hi @wstaples
Apologies for not getting back to you for so long for this issue. Recently, @radeksimko added a new resource to allow us to be better at doing this:
https://www.terraform.io/docs/providers/aws/r/sns_topic_policy.html
As you can see from the example, there is interpolation in there that allows us to reference the sns_topic name.
Does this help?
Paul
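An added example (not from this thread or the Terraform project) of the aws_sns_topic_policy approach: the policy is attached as a separate resource, so it can interpolate the topic ARN instead of self-referencing, and it restricts publishing to the S3 service principal from this one bucket and this account rather than "AWS": "*". The bucket name and the account_id variable are placeholders.

```hcl
# Added example, not the thread's code. Placeholders: bucket name, account_id.
variable "account_id" {}

resource "aws_s3_bucket" "some_bucket" {
  bucket = "some-bucket-name"
  acl    = "private"
}

resource "aws_sns_topic" "some_topic" {
  name = "some_topic"
}

# Attached after the topic exists, so ${aws_sns_topic.some_topic.arn} is known.
resource "aws_sns_topic_policy" "some_topic" {
  arn = "${aws_sns_topic.some_topic.arn}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3PublishFromThisBucket",
      "Effect": "Allow",
      "Principal": { "Service": "s3.amazonaws.com" },
      "Action": "SNS:Publish",
      "Resource": "${aws_sns_topic.some_topic.arn}",
      "Condition": {
        "ArnLike":      { "aws:SourceArn": "${aws_s3_bucket.some_bucket.arn}" },
        "StringEquals": { "aws:SourceAccount": "${var.account_id}" }
      }
    }
  ]
}
EOF
}

# The notification is created only after the policy is in place, otherwise S3
# rejects the subscription with the "does not have permission" error above.
resource "aws_s3_bucket_notification" "some_bucket" {
  bucket = "${aws_s3_bucket.some_bucket.id}"

  topic {
    topic_arn = "${aws_sns_topic.some_topic.arn}"
    events    = ["s3:ObjectCreated:*"]
  }

  depends_on = ["aws_sns_topic_policy.some_topic"]
}
```

The aws:SourceArn and aws:SourceAccount conditions together stop another account's bucket from publishing to the topic through the S3 service principal.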
Hello! I'm going through waiting-response labeled issues and closing issues that haven't been responded to with a meaningful response in at least 2+ weeks. If this is still an issue, please open a new issue so we can start anew. Feel free to reference this existing issue to make a link between the two. Thanks!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.