Pavel.Solovyenko

Reputation: 66

AWS S3 events handling with SNS using terraform

Trying to set up an AWS S3 event rule, but events aren't being caught. Possibly I'm missing something in the event pattern or the SNS IAM policy. To test it I'm creating an email subscription using the AWS console, because Terraform doesn't support SNS email subscriptions at this moment in time. Has anybody had the same issues?

Event rule declaration:

resource "aws_cloudwatch_event_rule" "this" {
  name        = "some-rule"
  is_enabled  = true
  description = "some-rule"

  event_pattern = <<PATTERN
{
  "source": [
    "aws.s3"
  ],
  "detail-type": [
   "Events S3"
  ],
  "detail": {
    "eventSource": [
      "s3.amazonaws.com"
    ],
    "eventName": [
      "CopyObject",
      "CompleteMultipartUpload",
      "PutObject"
    ],
    "requestParameters": {
      "bucketName": [
          "${local.bucket_name}"
      ]
    }
  }
}
PATTERN
}

SNS topic declaration:

resource "aws_cloudwatch_event_target" "this" {
  rule      = aws_cloudwatch_event_rule.this.name
  target_id = null
  arn       = aws_sns_topic.topic.arn
}



resource "aws_sns_topic" "topic" {
  name = "some-topic"
  kms_master_key_id = data.aws_kms_key.common_key.key_id
  policy = <<-POLICY
  {
      "Version":"2012-10-17",
      "Statement":[{
          "Effect": "Allow",
          "Principal": {"Service":"s3.amazonaws.com"},
          "Action": "SNS:Publish",
          "Resource":  "arn:aws:sns:${var.aws_region}:${data.aws_caller_identity.current.account_id}:some-topic",
          "Condition":{
              "ArnLike":{"aws:SourceArn":"${aws_s3_bucket.artifact-store.arn}"}
          }
      }]
  }
  POLICY
}

What is interesting is that an alternative approach is working:

resource "aws_s3_bucket_notification" "s3_notif" {
  bucket = aws_s3_bucket.artifact-store.id
  topic {
    topic_arn = aws_sns_topic.topic.arn
    events = [
      "s3:ObjectCreated:*",
    ]
  }
}

Upvotes: 0

Views: 1545

Answers (1)

Pavel.Solovyenko

Reputation: 66

RCA: I forgot to add CloudWatch permissions to be able to publish SNS messages:

# A topic has a single policy: two aws_sns_topic_policy resources on one ARN (and the inline
# policy argument on aws_sns_topic) overwrite each other, so both grants go in one document.
resource "aws_sns_topic_policy" "default" {
  arn    = aws_sns_topic.topic.arn
  policy = data.aws_iam_policy_document.sns_topic_policy.json
}

data "aws_iam_policy_document" "sns_topic_policy" {
  # Merge in the S3 publish statement (sns_topic_policy_s3 is defined elsewhere in the module).
  source_policy_documents = [data.aws_iam_policy_document.sns_topic_policy_s3[0].json]

  # Grant CloudWatch Events (EventBridge) permission to publish to the topic.
  statement {
    sid       = "AllowCloudWatchEvents"
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.topic.arn]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

Terraform: CloudWatch Event that notifies SNS

Upvotes: 1
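As an added check that is not part of the question or answer, the following Python script reads an SNS topic policy document and reports which service principals the rule-to-topic setup needs but the policy does not allow to call sns:Publish, so the missing events.amazonaws.com grant from the RCA shows up without creating a test subscription. The topic ARN, account id and both policy documents are constructed samples modelled on the question; Condition blocks are not evaluated.

```python
import fnmatch
import json

# Constructed samples (not from the question): a topic ARN and two topic policies.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:some-topic"
S3_STATEMENT = {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "SNS:Publish", "Resource": TOPIC_ARN}
CW_STATEMENT = {"Sid": "AllowCloudWatchEvents", "Effect": "Allow",
                "Principal": {"Service": ["events.amazonaws.com"]},
                "Action": ["sns:Publish"], "Resource": TOPIC_ARN}
# The policy as in the question (S3 only) and the policy after the RCA fix.
BEFORE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [S3_STATEMENT]})
AFTER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [S3_STATEMENT, CW_STATEMENT]})


def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _services(principal):
    """Service principals named by a statement ('*' matches every caller)."""
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []


def service_can_publish(policy_json, service, topic_arn):
    """True if an Allow statement grants sns:Publish on topic_arn to the service
    principal and no Deny statement revokes it. Condition blocks are ignored."""
    allowed = False
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", "*"))
        principals = _services(st.get("Principal", {}))
        if not any(fnmatch.fnmatchcase("sns:publish", a) for a in actions):
            continue  # statement is about other actions
        if not any(fnmatch.fnmatchcase(topic_arn, r) for r in resources):
            continue  # statement covers a different resource
        if service not in principals and "*" not in principals:
            continue  # statement does not name this service principal
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def missing_publishers(policy_json, topic_arn,
                       required=("s3.amazonaws.com", "events.amazonaws.com")):
    """Services the rule-to-topic setup needs but the topic policy does not let publish."""
    return [s for s in required if not service_can_publish(policy_json, s, topic_arn)]
```

Run `missing_publishers` against the output of `aws sns get-topic-attributes` (the `Policy` attribute) to confirm the EventBridge grant is in place before wiring up the rule target.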
