
Send messages from multiple SNS topics to a single Amazon SQS

New to Terraform!

I am trying to send messages from two SNS topics, SNSA and SNSB, to an Amazon SQS queue. Everything is good when I do a plz plan locally, and "then" I try to deploy through Jenkins, which gives me an error saying:

Error: error creating SNS topic subscription: AuthorizationError: User: arn:aws:sts::325400131687:assumed-role/JENKINSDEPLOY/ is not authorized to perform: 
SNS:Subscribe on resource: arn:aws:sns:us-east-1:453101592424:snsb

The interesting thing here is that SNSA doesn't have this problem, and I get an output saying aws_sns_topic_subscription.snsa: Creation complete after 1s

I gave the same permissions to both SNS topics. My two cents is on the roles/perms, which I think I messed up, because when I try to re-order the SNS topics in my MsgPerm.yml (placing SNSB first, followed by SNSA), this time SNSB gets created and I get the same error for SNSA.

Any suggestions or comments related to this issue will be appreciated. Thanks!

My roles and permissions are set up as below:

MsgPerm.yml

---
statements:
  -
    effect: "Allow"
    actions:
      - "sqs:AddPermission"
      - "sqs:CreateQueue"
      - "sqs:DeleteQueue"
      - "sqs:Get*"
      - "sqs:List*"
      - "sqs:PurgeQueue"
      - "sqs:RemovePermission"
      - "sqs:SetQueueAttributes"
      - "sqs:TagQueue"
      - "sqs:UnTagQueue"
    resources:
      - !Sub "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:myproject*"
  -
    effect: "Allow"
    actions:
      - "sqs:SendMessage"
      - "sqs:SendMessageBatch"
      - "sqs:ReceiveMessage"
      - "sqs:DeleteMessage"
      - "sqs:DeleteMessageBatch"
      - "sqs:DeleteQueue"
      - "sqs:CreateQueue"
      - "sqs:AddPermission"
      - "sqs:PurgeQueue"
      - "sqs:RemovePermission"
      - "sqs:TagQueue"
      - "sqs:UntagQueue"
      - "sqs:Set*"
      - "sqs:Get*"
      - "sqs:List*"
    resources:
      - !Sub "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:myproject*"
      - "arn:aws:sns:us-east-1:453101592424:snsa"
      - "arn:aws:sns:us-east-1:453101592424:snsb"
  -
    effect: "Allow"
    actions:
      - "sns:CreateTopic"
      - "sns:DeleteTopic"
      - "sns:Subscribe"
      - "sns:Unsubscribe"
      - "sns:AddPermission"
      - "sns:RemovePermission"
      - "sns:Receive"
      - "sns:Publish"
      - "sns:TagResource"
      - "sns:UntagResource"
      - "sns:Set*"
      - "sns:Get*"
      - "sns:List*"
    resources:
      - !Sub "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:PREFIX*"
      - "arn:aws:sns:us-east-1:453101592424:snsa"
      - "arn:aws:sns:us-east-1:453101592424:snsb"

JENKINSDEPLOY.yml

---
managedPolicyArns:
  -
    name: Enterprise/GoldenVPCRequirements
    cignamanaged: true
  -
    name: AmazonAPIGatewayAdministrator
    awsmanaged: true
  -
    name: MsgPerm
    awsmanaged: false
  -
    name: SecurityPerm
    awsmanaged: false

federated: true

And finally my sns.tf file:

resource "aws_sns_topic_subscription" "snsa" {
  topic_arn = "arn:aws:sns:${var.datastore_account_region}:${var.datastore_account_id}:${var.sns_topic_snsa}"
  protocol  = "sqs"
  endpoint  = aws_sqs_queue.incoming.arn

  depends_on = [
    aws_sqs_queue.incoming
  ]
}


resource "aws_sns_topic_subscription" "snsb" {
  topic_arn = "arn:aws:sns:${var.datastore_account_region}:${var.datastore_account_id}:${var.sns_topic_snsb}"
  protocol  = "sqs"
  endpoint  = aws_sqs_queue.incoming.arn

  depends_on = [
    aws_sqs_queue.incoming
  ]
}

Your error message writes:

arn:aws:sns:us-east-1:453101592424:SNSB

but your policy uses (different case snsb ):

arn:aws:sns:us-east-1:453101592424:snsb

Topic names are case-sensitive.
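The case-sensitivity point made in the answer above can be checked offline. The following is an added example, not code from the original post or from the asker's repository: a deliberately simplified IAM identity-policy evaluator loaded with the sns statement from MsgPerm.yml, with the !Sub placeholders expanded using the two account IDs visible in the error message (an assumption about which account each policy variable resolves to). As IAM does, it compares action names case-insensitively and resource ARNs case-sensitively, and lets an explicit Deny win over any Allow; it ignores Condition blocks entirely. One caveat it also does not model: the topics here live in a different account (453101592424) from the JENKINSDEPLOY role (325400131687), and for a cross-account Subscribe the topic's own access policy in the owning account must permit the subscribing principal as well, so an identity policy that matches is necessary but not sufficient.

```python
import re

# Constructed stand-ins: the two account IDs and region as they appear in the post's
# error message and policy. Nothing here talks to AWS.
DEPLOY_ACCOUNT = "325400131687"  # account that owns the JENKINSDEPLOY role
TOPIC_ACCOUNT = "453101592424"   # account that owns the SNS topics
REGION = "us-east-1"

# The sns statement of MsgPerm.yml rendered to the JSON shape IAM stores, with the
# !Sub placeholders expanded for the deploying account (assumption).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic", "sns:DeleteTopic", "sns:Subscribe", "sns:Unsubscribe",
                "sns:AddPermission", "sns:RemovePermission", "sns:Receive", "sns:Publish",
                "sns:TagResource", "sns:UntagResource", "sns:Set*", "sns:Get*", "sns:List*",
            ],
            "Resource": [
                f"arn:aws:sns:{REGION}:{DEPLOY_ACCOUNT}:PREFIX*",
                f"arn:aws:sns:{REGION}:{TOPIC_ACCOUNT}:snsa",
                f"arn:aws:sns:{REGION}:{TOPIC_ACCOUNT}:snsb",
            ],
        }
    ],
}


def _as_list(value):
    """IAM allows a bare string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern: str, value: str, case_sensitive: bool) -> bool:
    """IAM-style wildcard match: '*' spans any run of characters (including ':' and '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    ) + "$"
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate identity-policy Allow/Deny statements for one action on one resource.
    Action names compare case-insensitively, resource ARNs case-sensitively; an explicit
    Deny wins over any Allow. Condition blocks and resource-based policies are out of scope."""
    allowed = False
    for statement in policy["Statement"]:
        action_hit = any(_iam_match(a, action, case_sensitive=False)
                         for a in _as_list(statement.get("Action", [])))
        resource_hit = any(_iam_match(r, resource, case_sensitive=True)
                           for r in _as_list(statement.get("Resource", [])))
        if action_hit and resource_hit:
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def case_only_mismatches(policy: dict, resource: str) -> list:
    """Resource patterns that would match the requested ARN if case were ignored but do not
    match as written: the diagnostic for the 'snsb' versus 'SNSB' situation in the answer."""
    hits = []
    for statement in policy["Statement"]:
        for pattern in _as_list(statement.get("Resource", [])):
            if (_iam_match(pattern, resource, case_sensitive=False)
                    and not _iam_match(pattern, resource, case_sensitive=True)):
                hits.append(pattern)
    return hits


if __name__ == "__main__":
    topic_b = f"arn:aws:sns:{REGION}:{TOPIC_ACCOUNT}:snsb"
    for arn in (topic_b, topic_b.replace("snsb", "SNSB")):
        verdict = "allowed" if is_allowed(POLICY, "SNS:Subscribe", arn) else "denied"
        print(f"SNS:Subscribe on {arn}: {verdict}")
        for pattern in case_only_mismatches(POLICY, arn):
            print(f"  note: {pattern} differs from the requested ARN only by case")
```

Running it shows `SNS:Subscribe` (upper-case service prefix, exactly as the error message spells it) allowed on `...:snsb` but denied on `...:SNSB`, with the diagnostic pointing at the policy entry that differs only by case. Before blaming the policy, compare the exact ARN in the AuthorizationError against the policy's Resource list character by character, and confirm the topic owner's access policy separately.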
