pulumi-aws

email protocol for SNS topic subscriptions

Open brandonbloom opened this issue 7 years ago • 7 comments

Got this error: aws:sns/topicSubscription:TopicSubscription resource 'blah' has a problem: expected protocol to be one of [application http https lambda sms sqs], got email

Documentation suggests that email is a valid value: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-subscription.html

brandonbloom Jul 26 '18 18:07

Thanks for the report!

@lukehoban this appears to be a limitation of the underlying Terraform provider: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_sns_topic_subscription.go#L43-L55

pgavlin Jul 26 '18 19:07

Right - and the docs describe why:

Unsupported protocols include the following:

email -- delivery of message via SMTP
email-json -- delivery of JSON-encoded message via SMTP

These are unsupported because the endpoint needs to be authorized and does not generate an ARN until the target email address has been validated. This breaks the Terraform model and as a result are not currently supported.

This same reason would make it hard for Pulumi to support this in a simple way. In theory, a higher-level component could be designed which blocked the resource creation indefinitely waiting for manual approval (effectively polling internally for the approval validation to have succeeded). But this would be quite different than normal AWS resources, and may be unexpected as a default part of new aws.sns.TopicSubscription.

lukehoban Jul 26 '18 19:07

I'm struggling with a similar problem with certificates now too. The idiom there seems to be to create an aws:acm:CertificateValidation resource, which waits for validation to complete the create operation. Although, I haven't been able to get this to succeed yet (help with this would be appreciated!), but the approach seems sensible: Introduce an extra resource to act as an indirection. Its creation operation is just a wait/poll until the validation occurs, and then and only then does the ARN get returned.

brandonbloom Jul 27 '18 03:07

Going to close this out as the original issue is "by design" for now based on upstream providers, but has a workaround as described in pulumi/pulumi-aws#1868 if really needed. The aws:acm:CertificateValidation should definitely work (many users successfully using that) - so if there are issues with that one - we should open a new issue.

lukehoban Jan 23 '20 21:01

I've just published an article showing a dynamic provider which can wait, poll or as explained do nothing as (probably newish) AWS provides the ReturnSubscriptionArn option which as the name suggests just returns the ARN regardless of the confirmation state.

So if I'm not missing anything it might be possible for Pulumi to allow email & email-json in the aws.sns.TopicSubscription resource. At least for my use case it works totally fine so far.

Pinging you because it's closed @brandonbloom @pgavlin @lukehoban

CanRau Sep 12 '20 20:09
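
The "wait, poll or do nothing" options discussed in this thread, sketched as an added example (not code from the linked article, Pulumi, or the Terraform provider). `SnsLike`, `subscribeEmail` and the option names are hypothetical; `ReturnSubscriptionArn` and the `PendingConfirmation` attribute are the SNS API names.

```typescript
// Added example. SnsLike is a hypothetical minimal interface covering the two
// SNS API calls used here (Subscribe, GetSubscriptionAttributes); adapt a real
// AWS SDK client to it.
interface SnsLike {
  subscribe(p: { TopicArn: string; Protocol: string; Endpoint: string;
                 ReturnSubscriptionArn: boolean }): Promise<{ SubscriptionArn?: string }>;
  getSubscriptionAttributes(p: { SubscriptionArn: string }):
    Promise<{ Attributes?: Record<string, string> }>;
}

interface EmailSubscription { arn: string; confirmed: boolean; }

const sleep = (ms: number) => new Promise<void>((resolve) => setTimeout(resolve, ms));

// mode "none": return the ARN immediately, whatever the confirmation state.
// mode "poll": block until the recipient confirms, or fail after timeoutMs.
async function subscribeEmail(
  sns: SnsLike, topicArn: string, address: string, mode: "none" | "poll",
  opts = { intervalMs: 5000, timeoutMs: 300000 },
): Promise<EmailSubscription> {
  const res = await sns.subscribe({
    TopicArn: topicArn, Protocol: "email", Endpoint: address,
    ReturnSubscriptionArn: true, // without it an unconfirmed subscription yields no ARN
  });
  const arn = res.SubscriptionArn ?? "";
  if (!arn.startsWith("arn:")) {
    throw new Error(`Subscribe returned no ARN (got "${arn}")`);
  }
  const deadline = Date.now() + opts.timeoutMs;
  for (;;) {
    const { Attributes } = await sns.getSubscriptionAttributes({ SubscriptionArn: arn });
    // SNS reports the attribute as the string "true" or "false".
    const confirmed = Attributes?.PendingConfirmation === "false";
    if (confirmed || mode === "none") return { arn, confirmed };
    if (Date.now() >= deadline) {
      throw new Error(`${arn} still pending confirmation after ${opts.timeoutMs} ms`);
    }
    await sleep(opts.intervalMs);
  }
}
```

In "none" mode the caller gets `confirmed: false` for a fresh address; nothing is delivered to that endpoint until the recipient confirms, so the flag is worth exporting alongside the ARN.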

Thanks for the heads up @CanRau! Will add this to triage to take a look.

leezen Sep 12 '20 20:09

Hi,

is there a solution provided by Terraform on this?

imaginarynik Mar 29 '21 14:03