github.com/nov1n/terraform@v0.7.9-0.20161103151050-bf6852f38e28/website/source/docs/providers/aws/r/sns_topic_subscription.html.markdown

---
layout: "aws"
page_title: "AWS: sns_topic_subscription"
sidebar_current: "docs-aws-resource-sns-topic-subscription"
description: |-
  Provides a resource for subscribing to SNS topics.
---

# aws\_sns\_topic\_subscription

Provides a resource for subscribing to SNS topics. Requires that an SNS topic exist for the subscription to attach to.
This resource allows you to automatically place messages sent to SNS topics in SQS queues, send them as HTTP(S) POST requests
to a given endpoint, send SMS messages, or notify devices / applications. The most likely use case for Terraform users will
probably be SQS queues.

~> **NOTE:** If the SNS topic and SQS queue are in different AWS regions, it is important to place the `aws_sns_topic_subscription` into the Terraform configuration of the region with the SQS queue. If `aws_sns_topic_subscription` is placed in the Terraform configuration of the region with the SNS topic, Terraform will fail to create the subscription.

~> **NOTE:** If the SNS topic and SQS queue are in different AWS accounts, it is important to place the `aws_sns_topic_subscription` into the Terraform configuration of the account with the SQS queue. If `aws_sns_topic_subscription` is placed in the Terraform configuration of the account with the SNS topic, Terraform creates the subscription but does not keep state and tries to re-create the subscription at every apply.

~> **NOTE:** If the SNS topic and SQS queue are in different AWS accounts and different AWS regions, it is important to recognize that the subscription needs to be initiated from the account with the SQS queue but in the region of the SNS topic.
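
The three placement rules above can be checked before `terraform apply`. The following Python check is an added example, not part of the Terraform documentation or provider; the function names (`parse_arn`, `expected_placement`, `check_placement`) are hypothetical, and the sample ARNs are constructed from the variables used in this page's cross-account example.

```python
from typing import List, NamedTuple


class Arn(NamedTuple):
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    # Layout: arn:partition:service:region:account-id:resource
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    return Arn(parts[2], parts[3], parts[4], parts[5])


def expected_placement(topic_arn: str, queue_arn: str):
    """Return the (account, region) the subscription must be created from."""
    topic, queue = parse_arn(topic_arn), parse_arn(queue_arn)
    if topic.service != "sns" or queue.service != "sqs":
        raise ValueError("expected an SNS topic ARN and an SQS queue ARN")
    cross_account = topic.account != queue.account
    cross_region = topic.region != queue.region
    # Third NOTE: both differ -> SQS account, but the SNS topic's region.
    # First and second NOTE: otherwise the SQS queue's region and account.
    region = topic.region if (cross_account and cross_region) else queue.region
    return queue.account, region


def check_placement(topic_arn, queue_arn, provider_account, provider_region) -> List[str]:
    """List the NOTE rules violated by the provider used for the subscription."""
    account, region = expected_placement(topic_arn, queue_arn)
    problems = []
    if provider_account != account:
        problems.append("subscribe from the SQS account %s, not %s" % (account, provider_account))
    if provider_region != region:
        problems.append("subscribe in region %s, not %s" % (region, provider_region))
    return problems


# Constructed sample input, taken from the variables in the cross-account example.
TOPIC = "arn:aws:sns:us-west-1:111111111111:example-sns-topic"
QUEUE = "arn:aws:sqs:us-east-1:222222222222:example-sqs-queue"

if __name__ == "__main__":
    print(check_placement(TOPIC, QUEUE, "222222222222", "us-west-1"))  # like the sns2sqs provider
    print(check_placement(TOPIC, QUEUE, "111111111111", "us-west-1"))  # like the sns provider
```
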

## Example Usage

You can directly supply the topic ARN by hand in the `topic_arn` property, along with the queue ARN:

```
resource "aws_sns_topic_subscription" "user_updates_sqs_target" {
  topic_arn = "arn:aws:sns:us-west-2:432981146916:user-updates-topic"
  protocol  = "sqs"
  endpoint  = "arn:aws:sqs:us-west-2:432981146916:terraform-queue-too"
}
```

Alternatively you can use the ARN properties of a managed SNS topic and SQS queue:

```
resource "aws_sns_topic" "user_updates" {
  name = "user-updates-topic"
}

resource "aws_sqs_queue" "user_updates_queue" {
  name = "user-updates-queue"
}

resource "aws_sns_topic_subscription" "user_updates_sqs_target" {
  topic_arn = "${aws_sns_topic.user_updates.arn}"
  protocol  = "sqs"
  endpoint  = "${aws_sqs_queue.user_updates_queue.arn}"
}
```

You can subscribe SNS topics to SQS queues in different Amazon accounts and regions:

```
/*
#
# Variables
#
*/
variable "sns" {
  default = {
    account-id   = "111111111111"
    role-name    = "service/service-hashicorp-terraform"
    name         = "example-sns-topic"
    display_name = "example"
    region       = "us-west-1"
  }
}

variable "sqs" {
  default = {
    account-id = "222222222222"
    role-name  = "service/service-hashicorp-terraform"
    name       = "example-sqs-queue"
    region     = "us-east-1"
  }
}

data "aws_iam_policy_document" "sns-topic-policy" {
  policy_id = "__default_policy_ID"

  statement {
    actions = [
      "SNS:Subscribe",
      "SNS:SetTopicAttributes",
      "SNS:RemovePermission",
      "SNS:Receive",
      "SNS:Publish",
      "SNS:ListSubscriptionsByTopic",
      "SNS:GetTopicAttributes",
      "SNS:DeleteTopic",
      "SNS:AddPermission",
    ]

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceOwner"

      values = [
        "${var.sns["account-id"]}",
      ]
    }

    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    resources = [
      "arn:aws:sns:${var.sns["region"]}:${var.sns["account-id"]}:${var.sns["name"]}",
    ]

    sid = "__default_statement_ID"
  }

  statement {
    actions = [
      "SNS:Subscribe",
      "SNS:Receive",
    ]

    condition {
      test     = "StringLike"
      variable = "SNS:Endpoint"

      values = [
        "arn:aws:sqs:${var.sqs["region"]}:${var.sqs["account-id"]}:${var.sqs["name"]}",
      ]
    }

    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    resources = [
      "arn:aws:sns:${var.sns["region"]}:${var.sns["account-id"]}:${var.sns["name"]}",
    ]

    sid = "__console_sub_0"
  }
}

data "aws_iam_policy_document" "sqs-queue-policy" {
  policy_id = "arn:aws:sqs:${var.sqs["region"]}:${var.sqs["account-id"]}:${var.sqs["name"]}/SQSDefaultPolicy"

  statement {
    sid    = "example-sns-topic"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = [
      "SQS:SendMessage",
    ]

    resources = [
      "arn:aws:sqs:${var.sqs["region"]}:${var.sqs["account-id"]}:${var.sqs["name"]}",
    ]

    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"

      values = [
        "arn:aws:sns:${var.sns["region"]}:${var.sns["account-id"]}:${var.sns["name"]}",
      ]
    }
  }
}

# provider to manage SNS topics
provider "aws" {
  alias  = "sns"
  region = "${var.sns["region"]}"

  assume_role {
    role_arn     = "arn:aws:iam::${var.sns["account-id"]}:role/${var.sns["role-name"]}"
    session_name = "sns-${var.sns["region"]}"
  }
}

# provider to manage SQS queues
provider "aws" {
  alias  = "sqs"
  region = "${var.sqs["region"]}"

  assume_role {
    role_arn     = "arn:aws:iam::${var.sqs["account-id"]}:role/${var.sqs["role-name"]}"
    session_name = "sqs-${var.sqs["region"]}"
  }
}

# provider to subscribe SQS to SNS (using the SQS account but the SNS region)
provider "aws" {
  alias  = "sns2sqs"
  region = "${var.sns["region"]}"

  assume_role {
    role_arn     = "arn:aws:iam::${var.sqs["account-id"]}:role/${var.sqs["role-name"]}"
    session_name = "sns2sqs-${var.sns["region"]}"
  }
}

resource "aws_sns_topic" "sns-topic" {
  provider     = "aws.sns"
  name         = "${var.sns["name"]}"
  display_name = "${var.sns["display_name"]}"
  policy       = "${data.aws_iam_policy_document.sns-topic-policy.json}"
}

resource "aws_sqs_queue" "sqs-queue" {
  provider = "aws.sqs"
  name     = "${var.sqs["name"]}"
  policy   = "${data.aws_iam_policy_document.sqs-queue-policy.json}"
}

resource "aws_sns_topic_subscription" "sns-topic" {
  provider  = "aws.sns2sqs"
  topic_arn = "${aws_sns_topic.sns-topic.arn}"
  protocol  = "sqs"
  endpoint  = "${aws_sqs_queue.sqs-queue.arn}"
}
```

## Argument Reference

The following arguments are supported:

* `topic_arn` - (Required) The ARN of the SNS topic to subscribe to
* `protocol` - (Required) The protocol to use. The possible values for this are: `sqs`, `lambda`, `application`. (`http` and `https` are partially supported, see below.) (`email` and `sms` are options but unsupported, see below.)
* `endpoint` - (Required) The endpoint to send data to; the contents vary with the protocol (see below for more information).
* `endpoint_auto_confirms` - (Optional) Boolean indicating whether the endpoint is capable of [auto confirming subscription](http://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.html#SendMessageToHttp.prepare) e.g., PagerDuty (default is false)
* `confirmation_timeout_in_minutes` - (Optional) Integer indicating the number of minutes to wait in retrying mode for fetching the subscription ARN before marking it as a failure. Only applicable for the http and https protocols (default is 1 minute).
* `raw_message_delivery` - (Optional) Boolean indicating whether or not to enable raw message delivery (the original message is directly passed, not wrapped in JSON with the original message in the message property).

### Protocols supported

Supported SNS protocols include:

* `lambda` -- delivery of JSON-encoded message to a lambda function
* `sqs` -- delivery of JSON-encoded message to an Amazon SQS queue
* `application` -- delivery of JSON-encoded message to an EndpointArn for a mobile app and device

Partially supported SNS protocols include:

* `http` -- delivery of JSON-encoded messages via HTTP. Supported only for endpoints that auto-confirm the subscription.
* `https` -- delivery of JSON-encoded messages via HTTPS. Supported only for endpoints that auto-confirm the subscription.

Unsupported protocols include the following:

* `email` -- delivery of message via SMTP
* `email-json` -- delivery of JSON-encoded message via SMTP
* `sms` -- delivery of text message

These are unsupported because the endpoint needs to be authorized and does not
generate an ARN until the target email address has been validated. This breaks
the Terraform model, and as a result they are not currently supported.

### Specifying endpoints

Endpoints have different format requirements according to the protocol that is chosen.

* SQS endpoints come in the form of the SQS queue's ARN (not the URL of the queue), e.g. `arn:aws:sqs:us-west-2:432981146916:terraform-queue-too`
* Application endpoints are also the endpoint ARN for the mobile app and device.


## Attributes Reference

The following attributes are exported:

* `id` - The ARN of the subscription
* `topic_arn` - The ARN of the topic the subscription belongs to
* `protocol` - The protocol being used
* `endpoint` - The full endpoint to send data to (SQS ARN, HTTP(S) URL, Application ARN, SMS number, etc.)
* `arn` - The ARN of the subscription stored as a more user-friendly property


## Import

SNS Topic Subscriptions can be imported using the `subscription arn`, e.g.

```
$ terraform import aws_sns_topic_subscription.user_updates_sqs_target arn:aws:sns:us-west-2:0123456789012:my-topic:8a21d249-4329-4871-acc6-7be709c6ea7f
```
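
The `sqs-queue-policy` in the cross-account example allows `SQS:SendMessage` to the `*` principal, so its `aws:SourceArn` condition is the only thing in that statement restricting who can write to the queue. The following Python check is an added example, not code from the Terraform project; it flags queue policies where that condition is missing or names a different topic. `open_send_statements` and `sample_policy` are hypothetical names, and the sample policy JSON is constructed on the assumption that the policy document renders to the usual IAM JSON shape.

```python
import json

TOPIC_ARN = "arn:aws:sns:us-west-1:111111111111:example-sns-topic"
QUEUE_ARN = "arn:aws:sqs:us-east-1:222222222222:example-sqs-queue"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean "anyone".
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"


def _source_arns(statement):
    # Values of aws:SourceArn under ArnEquals/ArnLike; the key name is matched
    # case-insensitively (this page writes both "AWS:" and "aws:" prefixes).
    arns = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator in ("ArnEquals", "ArnLike"):
            arns += [a for k, v in keys.items() if k.lower() == "aws:sourcearn"
                     for a in _as_list(v)]
    return arns


def open_send_statements(policy_json, topic_arn):
    """Sids of Allow statements that let any principal send to the queue
    without pinning aws:SourceArn to exactly topic_arn."""
    findings = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        sends = any(a in ("sqs:sendmessage", "sqs:*", "*") for a in actions)
        if st.get("Effect") == "Allow" and sends and _wildcard_principal(st.get("Principal")):
            if _source_arns(st) != [topic_arn]:
                findings.append(st.get("Sid", "<no Sid>"))
    return findings


def sample_policy(with_condition):
    # Constructed sample: assumed JSON rendering of the page's sqs-queue-policy.
    st = {"Sid": "example-sns-topic", "Effect": "Allow", "Principal": {"AWS": "*"},
          "Action": "SQS:SendMessage", "Resource": QUEUE_ARN}
    if with_condition:
        st["Condition"] = {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}}
    return json.dumps({"Version": "2012-10-17", "Statement": [st]})
```

An `ArnLike` condition with a wildcard value is reported as well, because the comparison requires the exact topic ARN.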