aws sns_topic resource policy self referencing issue #4157

Closed
wstaples opened this issue Dec 4, 2015 · 7 comments

Labels: bug, provider/aws, waiting-response (an issue/pull request is waiting for a response from the community)

Comments

wstaples commented Dec 4, 2015

I have an S3 bucket that I would like to subscribe to an SNS topic. However, the topic's policy needs the topic's ARN embedded in it. I don't have the ARN because the topic has not been created yet. Here is an example:

resource "aws_s3_bucket" "some_bucket" {
    bucket = "some_bucket"
    acl    = "private"
    region = "us-east-1"
}

# The "Resource" entry in the policy below must be the topic's own ARN,
# which is not known until the topic has been created. The SourceArn
# condition names the bucket declared above.
resource "aws_sns_topic" "some_topic" {
    name   = "some_topic"
    policy = <<EOF
{
    "Version": "2008-10-17",
    "Id": "example-ID",
    "Statement": [{
        "Sid": "example-statement-ID",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": [
            "SNS:Publish"
        ],
        "Resource": "arn:aws:sns:",
        "Condition": {
            "ArnLike": {
                "aws:SourceArn": "arn:aws:s3:*:*:some_bucket"
            }
        }
    }]
}
EOF
}

If you remove the "Resource" line from the policy, everything will be created fine; however, if you try to add an event to the S3 bucket, it will tell you S3 does not have permission to publish to that resource. If I add the "Resource" line back to the policy with a hardcoded ARN, everything works as expected.

I tried adding #{aws_sns_topic.some_topic.arn} to the "Resource" line in the policy, but it resulted in a "* Self reference:" error.

Should Terraform do this in multiple passes, or should an aws_sns_topic_policy resource be created?

Here is the AWS doc that shows an example policy with the ARN in it.
http://docs.aws.amazon.com/AmazonS3/latest/dev/ways-to-add-notification-config-to-bucket.html

gmiroshnykov commented

I'd like to add that ${self.arn} doesn't work either.

desmondmorris commented

+1 - Seeing the same issue here

radeksimko (Member) commented

This is similar to #5067 hence I think the short and long term solutions will be similar/same.

See #3267

mattupstate commented

FWIW, you can construct the ARN if you know the region and your AWS account ID, which you should ;-)

# Region and account ID are supplied as input variables.
variable "region" {}
variable "account_id" {}

# Minimal declaration of the bucket referenced in the SourceArn condition.
resource "aws_s3_bucket" "mybucket" {
  bucket = "mybucketname"
}

resource "aws_sns_topic" "mytopic" {
  name         = "mytopicname"
  display_name = "mytopicname"
  # The topic ARN is assembled from region, account ID and topic name,
  # so the policy never has to reference the topic resource itself.
  policy = <<EOF
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "SNS:Publish"
            ],
            "Resource": "arn:aws:sns:${var.region}:${var.account_id}:mytopicname",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "${aws_s3_bucket.mybucket.arn}"
                }
            }
        }
    ]
}
EOF
}

stack72 (Contributor) commented Sep 26, 2016

Hi @wstaples

Apologies for not getting back to you for so long on this issue. Recently, @radeksimko added a new resource to allow us to be better at doing this:

https://www.terraform.io/docs/providers/aws/r/sns_topic_policy.html

As you can see from the example, there is interpolation in there that allows us to reference the sns_topic name.

Does this help?

Paul

stack72 added the waiting-response label Sep 26, 2016
stack72 self-assigned this Sep 26, 2016
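The pattern stack72 points to, written out as an added example in current Terraform (0.12+) syntax; this is not code from the issue or from the Terraform AWS provider documentation. The topic is created without an inline policy, the policy document is built separately so it can reference the topic ARN without the topic depending on itself, and aws_sns_topic_policy attaches it. Compared with the policy in the original report, the principal is the S3 service rather than "AWS": "*", and an aws:SourceAccount condition sits alongside aws:SourceArn, because bucket names are global and a bucket of the same name can later be created in a different account. The bucket name, topic name, region and event filter are assumptions chosen for illustration.

```hcl
# Added example, not from the original issue. Names, region and the
# event filter are assumptions for illustration.

provider "aws" {
  region = "us-east-1"
}

# Account ID of the caller, used to pin the SourceAccount condition.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "events_bucket" {
  bucket = "events-bucket-example"
}

# The topic carries no inline policy, so its ARN is simply an output of
# this resource and nothing here has to know the ARN in advance.
resource "aws_sns_topic" "s3_events" {
  name = "s3-events"
}

# The policy is a separate data source. It may reference the topic ARN
# because the topic does not, in turn, depend on the policy.
data "aws_iam_policy_document" "s3_publish" {
  statement {
    sid     = "AllowS3Publish"
    effect  = "Allow"
    actions = ["SNS:Publish"]

    # Only the S3 service may publish, not an arbitrary AWS principal.
    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }

    resources = [aws_sns_topic.s3_events.arn]

    # Only notifications originating from this bucket ...
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.events_bucket.arn]
    }

    # ... and only while the bucket is owned by this account, so a bucket
    # of the same name re-created elsewhere cannot publish to the topic.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Attach the rendered policy to the topic by ARN.
resource "aws_sns_topic_policy" "s3_publish" {
  arn    = aws_sns_topic.s3_events.arn
  policy = data.aws_iam_policy_document.s3_publish.json
}

# S3 checks that it is allowed to publish to the topic when the
# notification configuration is written, so the policy must exist first.
resource "aws_s3_bucket_notification" "events" {
  bucket = aws_s3_bucket.events_bucket.id

  topic {
    topic_arn = aws_sns_topic.s3_events.arn
    events    = ["s3:ObjectCreated:*"]
  }

  depends_on = [aws_sns_topic_policy.s3_publish]
}
```

The depends_on on the notification is the part that is easy to miss: without it, Terraform may write the bucket notification before the topic policy exists, and S3 rejects the configuration with the same "does not have permission to publish" error the issue describes. After terraform apply, the attached policy can be read back with `aws sns get-topic-attributes --topic-arn <arn>` to confirm the Resource field contains the real topic ARN rather than a placeholder.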
mitchellh (Contributor) commented

Hello! I'm going through waiting-response labeled issues and closing issues that haven't been responded to with a meaningful response in at least 2+ weeks. If this is still an issue, please open a new issue so we can start anew. Feel free to reference this existing issue to make a link between the two. Thanks!

ghost commented Apr 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

ghost locked and limited conversation to collaborators Apr 19, 2020
8 participants