Terraform: sns topic subscription re-creating

Created on 13 Dec 2016 · 8 Comments · Source: hashicorp/terraform

Hi All,

I am creating sns topic and subscription (Email).

#

resource "aws_sns_topic" "sysnotify" {
  name = "sysnotifications"
}

resource "aws_sns_topic_subscription" "sysnotify" {
  topic_arn = "${aws_sns_topic.sys_beheer_notify.id}"
  protocol  = "Email"
  endpoint  = "${var.sysmailbox}"
}

#

This works fine and shoots a mail for subscription confirmation as well. But it always tries to re-create it with every terraform plan/apply.

Can anyone suggest?

Regards,
Sudhir

bug provideaws waiting-response

All 8 comments

Hi @sidhurana

Please can you post the output that shows it is recreating? This will help us.

Thanks

Paul

Hi @sidhurana,

Could you provide your whole configuration please? It seems that aws_sns_topic.sys_beheer_notify is missing in the one you provided.
Also, could you provide the output of the plan command after an apply?

From what I'm seeing, the issue comes from the protocol set to Email. The code validation is made on email and sms (lowercased), and not Email. As you pass it uppercased, it is "passing".
If you check the related documentation, you will have all the inputs you will need!

@stack72 I will improve the related ValidateFunc in order to check for lowercased protocols.

Thanks!

Thanks for your prompt reply.

After changing it to lower case (Email to email) I got the error below:

There are warnings and/or errors related to your configuration. Please
fix these before continuing.
Errors:

  • aws_sns_topic_subscription.sys_beheer_notification_subscription: Unsupported protocol (email) for SNS Topic
#

The CloudWatch alarm below is to check status and notify via email and restore as well.

resource "aws_cloudwatch_metric_alarm" "status_check" {
  alarm_name                = "${var.customer_name}-l01-Status-Check-Failed"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "2"
  metric_name               = "StatusCheckFailed"
  namespace                 = "AWS/EC2"
  statistic                 = "SampleCount"
  threshold                 = "2"
  period                    = "60"
  alarm_description         = "Status Check of Instance"
  insufficient_data_actions = []

  dimensions {
    InstanceId = "${aws_instance.aps-l01.id}"
  }

  alarm_actions = ["${aws_sns_topic.sys_beheer_notify.id}", "arn:aws:automate:eu-west-1:ec2:recover"]
}

#

It's creating the resource but not recording it in Terraform. So, with every run it shoots a mail to the mailbox. Seems something similar to #6909.

Path: changes

@sidhurana Terraform will not allow using email nor sms as per the documentation. As you probably read, it would technically be possible to do it, but unfortunately there is no way to detect the confirmation, except if we have a bigger timeout + a lot of retries, leaving time for the callee to confirm it... but it is kind of not testable, thus not very stable 😞

As stated in the TF documentation:

These are unsupported because the endpoint needs to be authorized and does not generate an ARN until the target email address has been validated. This breaks the Terraform model and as a result are not currently supported.

So for now, nothing better than doing it manually!

@Ninir : Thanks for your reply.

@sidhurana I know this issue is closed, but I found the following code works for me by using local provisioner:

resource "aws_sns_topic" "autoscaling" {
  name = "${var.asg_name}-autoscaling-topic"

  provisioner "local-exec" {
    command = "aws --profile ${var.aws_profile} sns subscribe --topic-arn ${self.arn} --protocol email --notification-endpoint ${var.slack_team_alerts_channel}"
  }
}

The AWS SNS confirmation will be sent to the email endpoint for manual approval.

@xueshanf Thank you for your hint. It helped a lot :-)

You might want to add "--region" to correctly handle different regions. Otherwise AWSCLI might throw an error (which is pretty misleading, since there is no hint as to a region mismatch):

(local-exec): An error occurred (InvalidParameter) when calling the Subscribe operation: Invalid parameter: TopicArn

so command would look like this:

command = "aws --profile ${var.aws_profile} sns subscribe --region ${var.aws_region} --topic-arn ${self.arn} --protocol email --notification-endpoint ${var.slack_team_alerts_channel}"
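
The two CLI calls discussed in this thread, combined into a helper script that a local-exec provisioner could call; this is an added example, not code posted by any participant. It reads the region from the topic ARN (avoiding the InvalidParameter region mismatch above) and skips the subscribe call when the address is already subscribed or pending, so repeated runs do not send another confirmation mail. Assumptions: the script name is hypothetical, and credentials come from the environment (for example AWS_PROFILE) rather than a --profile flag.

```shell
#!/bin/sh
# Added example (not from the thread): subscribe an e-mail endpoint only once,
# taking the region from the topic ARN. Meant to be called from local-exec.

# True only if $1 is a single line that fully matches the ERE in $2.
matches() {
  [ "$(printf '%s' "$1" | tr -d '\n')" = "$1" ] &&
    printf '%s\n' "$1" | grep -Eq "$2"
}

# Print the region field of an SNS topic ARN; fail on anything else.
topic_region() {
  matches "$1" '^arn:aws[a-z-]*:sns:[a-z0-9-]+:[0-9]{12}:[A-Za-z0-9_.-]+$' || return 1
  printf '%s\n' "$1" | cut -d: -f4
}

# Conservative address check (assumption: stricter than RFC 5322 on purpose),
# so the value is safe inside the JMESPath filter below.
valid_email() {
  matches "$1" '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

subscribe_email_once() {
  arn=$1
  email=$2
  region=$(topic_region "$arn") || { echo "not an SNS topic ARN: $arn" >&2; return 2; }
  valid_email "$email" || { echo "rejected endpoint: $email" >&2; return 2; }

  # Pending subscriptions are listed with SubscriptionArn "PendingConfirmation".
  existing=$(aws sns list-subscriptions-by-topic --region "$region" \
    --topic-arn "$arn" --output text \
    --query "Subscriptions[?Protocol=='email' && Endpoint=='$email'].SubscriptionArn") || return 1

  case "$existing" in
    '' | None)
      aws sns subscribe --region "$region" --topic-arn "$arn" \
        --protocol email --notification-endpoint "$email" ;;
    *)
      echo "already subscribed or pending: $existing" ;;
  esac
}

# Usage: sns_subscribe_once.sh <topic-arn> <email>
if [ "$#" -eq 2 ]; then
  subscribe_email_once "$1" "$2"
fi
```

Passing the ARN and address as separate quoted arguments, instead of interpolating them into one command string, keeps an unexpected value from being re-parsed by the shell.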

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
