
awscc_sns_topic_policy - resource creation failing

Open alex-torres1980 opened this issue 1 year ago • 2 comments

Terraform CLI and Terraform AWS Cloud Control Provider Version

Admin:~/environment/us-east-1 $ terraform -v
Terraform v1.4.6
on linux_amd64
  • provider registry.terraform.io/hashicorp/aws v5.13.0
  • provider registry.terraform.io/hashicorp/awscc v0.58.0

Your version of Terraform is out of date! The latest version
is 1.5.5. You can update by downloading from https://www.terraform.io/downloads.html
Admin:~/environment/us-east-1 $

Affected Resource(s)

  • awscc_sns_topic_policy

Terraform Configuration Files

Below is the code I am running (using terraform apply). In the first resource I am using the regular aws resource to create my topic, and I want to associate a policy with the created topic.

# adding SNS resource with policy using aws resource
resource "aws_sns_topic" "test" {
  name = "my-topic-with-policy-awscc"
}

resource "awscc_sns_topic_policy" "awspolicy" {
  topics          = [aws_sns_topic.test.arn]
  policy_document = <<EOF
{
  "Version": "2012-10-17",
  "id": "xx-yy-zz",
  "Statement": [
    {
      "Sid": "step1",
      "Effect": "Allow",
      "Principal": { "AWS": [ "*" ] },
      "Action": [
        "SNS:Subscribe",
        "SNS:SetTopicAttributes",
        "SNS:RemovePermission"
      ],
      "Resource": "${aws_sns_topic.test.arn}"
    }
  ]
}
EOF
}

Debug Output

N/A

Expected Behavior

The topic is created and the policy is associated with the new topic using the awscc_sns_topic_policy resource.

Actual Behavior

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform planned the following actions, but then encountered a problem:

  # aws_sns_topic.test will be created
  + resource "aws_sns_topic" "test" {
      + arn                         = (known after apply)
      + content_based_deduplication = false
      + fifo_topic                  = false
      + id                          = (known after apply)
      + name                        = "my-topic-with-policy-awscc"
      + name_prefix                 = (known after apply)
      + owner                       = (known after apply)
      + policy                      = (known after apply)
      + signature_version           = (known after apply)
      + tags_all                    = (known after apply)
      + tracing_config              = (known after apply)
    }

  # awscc_sns_topic_policy.awspolicy will be created
  + resource "awscc_sns_topic_policy" "awspolicy" {
      + id              = (known after apply)
      + policy_document = (known after apply)
      + topics          = [
          + (known after apply),
        ]
    }

Plan: 2 to add, 0 to change, 0 to destroy.
╷
│ Error: Terraform Resource Identifier Not Found
│
│ Terraform resource primary identifier not found in State. This is typically an error with the Terraform provider implementation.
│ Original Error: 1 error occurred:
│ * An unexpected error was encountered trying to build a value. This is always an error in the provider. Please report the following to the provider developer:
│
│ Received null value, however the target type cannot handle null values. Use the corresponding types package type, a pointer type or a custom type that handles null values.
│
│ Path: id
│ Target Type: string
│ Suggested types Type: basetypes.StringValue
│ Suggested Pointer Type: *string

Steps to Reproduce

Create a .tf file, run terraform init and then terraform apply.

Important Factoids

I am running from a Cloud9 environment. FYI, I was able to create the topic and associate the policy using the original aws resource (aws_sns_topic_policy).

alex-torres1980, Aug 22 '23 00:08

Upstream issue on the CCAPI side, where the READ operation is not supported.

Sample test:

aws cloudcontrol create-resource \
  --type-name AWS::SNS::TopicPolicy \
  --desired-state file://desired.json

aws cloudcontrol get-resource-request-status --request-token $TOKEN

aws cloudcontrol get-resource --type-name AWS::SNS::TopicPolicy --identifier arn:aws:sns:us-east-1:204034886740:mytopic | jq ".ResourceDescription.Properties | fromjson"

Error:

An error occurred (InvalidRequestException) when calling the GetResource operation: AWS::SNS::TopicPolicy Handler returned status FAILED: Read operation is not supported. (HandlerErrorCode: InvalidRequest, RequestToken: e1dbe9f8-59a4-4c82-be7d-cf158f8a30b6)

wellsiau-aws, Aug 22 '23 03:08

This resource does not have a read handler on CCAPI, which can be confirmed from the handler permissions below:

{
  "typeName" : "AWS::SNS::TopicPolicy",
  "description" : "Schema for AWS::SNS::TopicPolicy",
  "sourceUrl" : "https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-sns.git",
  . . . 
  "handlers" : {
    "create" : {
      "permissions" : [ "sns:SetTopicAttributes" ]
    },
    "update" : {
      "permissions" : [ "sns:SetTopicAttributes" ]
    },
    "read" : {
      "permissions" : [ ]
    },
    "delete" : {
      "permissions" : [ "sns:SetTopicAttributes" ]
    },
    "list" : {
      "permissions" : [ ]
    }
  }
}

wellsiau-aws, Aug 28 '23 16:08

As an alternative to AWS::SNS::TopicPolicy, we introduced AWS::SNS::TopicInlinePolicy, which can be attached to a single SNS topic. As such, the resource AWS::SNS::TopicPolicy is not provisionable from the AWSCC perspective.

I would recommend suppressing resources that do not have a read or list handler.

wellsiau-aws, Apr 09 '24 22:04
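The two comments above (the schema excerpt showing empty read/list permissions, and the recommendation to suppress such resources) can be turned into a simple pre-check. The following is an added example, not code from the awscc provider or from anyone in the thread: it reads a CloudFormation resource type schema (the JSON document you get in the `Schema` field of `aws cloudformation describe-type --type RESOURCE --type-name <name>`, or from a saved file) and reports which handlers the type effectively lacks, using the thread's reading that a handler declared with an empty permissions list is as good as absent. The schema strings are constructed for the example; the permission names on the AWS::SNS::Topic counter-example are illustrative.

```python
import json

# Constructed excerpt of the AWS::SNS::TopicPolicy schema quoted in the thread:
# only typeName and handlers are kept, the other fields are omitted.
TOPIC_POLICY_SCHEMA = json.dumps({
    "typeName": "AWS::SNS::TopicPolicy",
    "handlers": {
        "create": {"permissions": ["sns:SetTopicAttributes"]},
        "update": {"permissions": ["sns:SetTopicAttributes"]},
        "read":   {"permissions": []},
        "delete": {"permissions": ["sns:SetTopicAttributes"]},
        "list":   {"permissions": []},
    },
})

# Constructed counter-example: a type whose read and list handlers do declare
# permissions (illustrative permission names, not copied from the AWS schema).
TOPIC_SCHEMA = json.dumps({
    "typeName": "AWS::SNS::Topic",
    "handlers": {
        "create": {"permissions": ["sns:CreateTopic"]},
        "read":   {"permissions": ["sns:GetTopicAttributes"]},
        "update": {"permissions": ["sns:SetTopicAttributes"]},
        "delete": {"permissions": ["sns:DeleteTopic"]},
        "list":   {"permissions": ["sns:ListTopics"]},
    },
})

HANDLERS = ("create", "read", "update", "delete", "list")


def missing_handlers(schema_json: str) -> list:
    """Handlers the type does not effectively implement.

    Following the thread: a handler that is absent from the schema, or is
    declared with an empty permissions list, is treated as missing."""
    handlers = json.loads(schema_json).get("handlers", {})
    return [h for h in HANDLERS if not handlers.get(h, {}).get("permissions")]


def should_suppress(schema_json: str) -> bool:
    """True when the provider could not refresh (no read) or enumerate (no list)."""
    return bool(set(missing_handlers(schema_json)) & {"read", "list"})


def report(schema_json: str) -> str:
    name = json.loads(schema_json)["typeName"]
    missing = missing_handlers(schema_json)
    verdict = "suppress" if should_suppress(schema_json) else "ok"
    return f"{name}: missing={missing or 'none'} -> {verdict}"


if __name__ == "__main__":
    for schema in (TOPIC_POLICY_SCHEMA, TOPIC_SCHEMA):
        print(report(schema))
```

Run against the real `Schema` string from describe-type, a "suppress" verdict for a type tells you in advance that awscc will hit the same "Resource Identifier Not Found" path after a successful create, since there is no read to populate state.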

Closing this, in favor of tracking #1533 for resource suppression.

wellsiau-aws, Apr 09 '24 23:04