New to Terraform!
I am trying to send messages from two SNS topics, SNSA and SNSB, to an Amazon SQS queue. Everything is good when I do a plz plan locally, and "then" I try to deploy through JENKINS, which gives me an error saying:
Error: error creating SNS topic subscription: AuthorizationError: User: arn:aws:sts::325400131687:assumed-role/JENKINSDEPLOY/ is not authorized to perform:
SNS:Subscribe on resource: arn:aws:sns:us-east-1:453101592424:snsb
The interesting thing here is that SNSA doesn't have this problem, and I get an output saying aws_sns_topic_subscription.snsa: Creation complete after 1s.
I gave the same permissions to both SNS topics. My two cents is on the Roles/Perms, which I think I messed up!! Because when I try to re-order the SNS topics in my MsgPerm.yml (placing SNSB first, followed by SNSA), this time SNSB gets created and I get the same error for SNSA.
Any suggestions or comments related to this issue will be appreciated, thanks.
My roles and permissions are set up as below:
MsgPerm.yml
---
statements:
  -
    effect: "Allow"
    actions:
      - "sqs:AddPermission"
      - "sqs:CreateQueue"
      - "sqs:DeleteQueue"
      - "sqs:Get*"
      - "sqs:List*"
      - "sqs:PurgeQueue"
      - "sqs:RemovePermission"
      - "sqs:SetQueueAttributes"
      - "sqs:TagQueue"
      - "sqs:UnTagQueue"
    resources:
      - !Sub "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:myproject*"
  -
    effect: "Allow"
    actions:
      - "sqs:SendMessage"
      - "sqs:SendMessageBatch"
      - "sqs:ReceiveMessage"
      - "sqs:DeleteMessage"
      - "sqs:DeleteMessageBatch"
      - "sqs:DeleteQueue"
      - "sqs:CreateQueue"
      - "sqs:AddPermission"
      - "sqs:PurgeQueue"
      - "sqs:RemovePermission"
      - "sqs:TagQueue"
      - "sqs:UntagQueue"
      - "sqs:Set*"
      - "sqs:Get*"
      - "sqs:List*"
    resources:
      - !Sub "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:myproject*"
      - "arn:aws:sns:us-east-1:453101592424:snsa"
      - "arn:aws:sns:us-east-1:453101592424:snsb"
  -
    effect: "Allow"
    actions:
      - "sns:CreateTopic"
      - "sns:DeleteTopic"
      - "sns:Subscribe"
      - "sns:Unsubscribe"
      - "sns:AddPermission"
      - "sns:RemovePermission"
      - "sns:Receive"
      - "sns:Publish"
      - "sns:TagResource"
      - "sns:UntagResource"
      - "sns:Set*"
      - "sns:Get*"
      - "sns:List*"
    resources:
      - !Sub "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:PREFIX*"
      - "arn:aws:sns:us-east-1:453101592424:snsa"
      - "arn:aws:sns:us-east-1:453101592424:snsb"
JENKINSDEPLOY.yml
---
managedPolicyArns:
  -
    name: Enterprise/GoldenVPCRequirements
    cignamanaged: true
  -
    name: AmazonAPIGatewayAdministrator
    awsmanaged: true
  -
    name: MsgPerm
    awsmanaged: false
  -
    name: SecurityPerm
    awsmanaged: false
federated: true
and finally my sns.tf file:
resource "aws_sns_topic_subscription" "snsa" {
  topic_arn  = "arn:aws:sns:${var.datastore_account_region}:${var.datastore_account_id}:${var.sns_topic_snsa}"
  protocol   = "sqs"
  endpoint   = aws_sqs_queue.incoming.arn
  depends_on = [
    aws_sqs_queue.incoming
  ]
}

resource "aws_sns_topic_subscription" "snsb" {
  topic_arn  = "arn:aws:sns:${var.datastore_account_region}:${var.datastore_account_id}:${var.sns_topic_snsb}"
  protocol   = "sqs"
  endpoint   = aws_sqs_queue.incoming.arn
  depends_on = [
    aws_sqs_queue.incoming
  ]
}
Your error message writes:
arn:aws:sns:us-east-1:453101592424:SNSB
but your policy uses (different case, snsb):
arn:aws:sns:us-east-1:453101592424:snsb
Topic names are case sensitive.
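Added example (not from the question or the answer): a small offline checker that reproduces the matching rule the answer relies on. IAM compares Action names case-insensitively, so the `SNS:Subscribe` in the error is fine, but Resource ARNs are compared case-sensitively, so `snsb` in the policy never covers `SNSB`. The statement below is constructed from the SNS block of MsgPerm.yml; it assumes the `!Sub` line resolves to region us-east-1 and the deploying account 325400131687.

```python
import re

# Constructed from the SNS statement in MsgPerm.yml (subset of actions).
# Assumption: !Sub "${AWS::Region}" / "${AWS::AccountId}" -> us-east-1 / 325400131687.
SNS_STATEMENT = {
    "actions": ["sns:CreateTopic", "sns:Subscribe", "sns:Set*", "sns:Get*", "sns:List*"],
    "resources": [
        "arn:aws:sns:us-east-1:325400131687:PREFIX*",
        "arn:aws:sns:us-east-1:453101592424:snsa",
        "arn:aws:sns:us-east-1:453101592424:snsb",
    ],
}


def _glob_to_regex(pattern, ignore_case):
    """IAM policy globbing: '*' matches any run, '?' matches one character."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^" + "".join(parts) + "$", flags)


def action_allowed(statement, action):
    """Action names are case-insensitive: 'SNS:Subscribe' equals 'sns:subscribe'."""
    return any(_glob_to_regex(p, True).match(action) for p in statement["actions"])


def matching_resources(statement, arn):
    """Resource ARNs are case-sensitive; return every pattern that covers `arn`."""
    return [p for p in statement["resources"] if _glob_to_regex(p, False).match(arn)]


def explain(statement, action, arn):
    """Explain, for one Allow statement, why a request would or would not match it."""
    if not action_allowed(statement, action):
        return f"DENY: no Action pattern covers {action}"
    hits = matching_resources(statement, arn)
    if not hits:
        return f"DENY: no Resource pattern covers {arn} (case-sensitive compare)"
    return f"ALLOW: {action} on {arn} via {hits[0]}"


if __name__ == "__main__":
    base = "arn:aws:sns:us-east-1:453101592424:"
    for topic in ("snsb", "SNSB"):
        print(explain(SNS_STATEMENT, "SNS:Subscribe", base + topic))
```

This models only the Action/Resource matching of one statement; a real decision also depends on explicit denies, conditions, and, since the topics live in account 453101592424 while the role is in 325400131687, on the topic's own access policy granting sns:Subscribe to the subscribing account.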