user6308605

Reputation: 731

Amazon SNS (Terraform) Invalid parameter: Policy statement action out of service scope

I want to create an IAM policy document and attach two values taken from the Snowflake error integration as a trust relationship in the policy, following Step 5 of this tutorial.

The idea is to add the SF_AWS_IAM_USER_ARN and SF_AWS_EXTERNAL_ID values returned by the Snowflake NOTIFICATION INTEGRATION to the policy.

The integration is successfully created.

This is part of my code:

resource "random_id" "random" {
  byte_length = 8
}
resource "aws_sns_topic" "my_sns_topic" {
  name = "${var.bucket_name}-errors-${random_id.random.id}"
}

data "aws_iam_policy_document" "snowflake_notification_error" {
  version = "2008-10-17"
  statement {
    sid = "__default_statement_ID"
    actions = [
      "SNS:GetTopicAttributes",
      "SNS:SetTopicAttributes",
      "SNS:AddPermission",
      "SNS:RemovePermission",
      "SNS:DeleteTopic",
      "SNS:Subscribe",
      "SNS:ListSubscriptionsByTopic",
      "SNS:Publish",
      "SNS:Receive",
    ]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    resources = [aws_sns_topic.my_sns_topic.arn]
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceOwner"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
  statement {
    sid = "allow_s3_notification"
    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }

    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.my_sns_topic.arn]
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [data.aws_s3_bucket.bucket.arn]
    }
  }
  statement {
    sid = "allow_snowflake_subscription"
    principals {
      type        = "AWS"
      identifiers = [snowflake_storage_integration.integration.storage_aws_iam_user_arn]
    }

    actions   = ["SNS:Subscribe"]
    resources = [aws_sns_topic.my_sns_topic.arn]
  }

# Error starts in this block I believe
# The JSON looks like the one shown in the tutorial.
  statement {
    sid = "allow_error_integration"

    principals {
      type        = "AWS"
      identifiers = [snowflake_notification_integration.error_integration.aws_sns_iam_user_arn]
    }
    actions = ["sts:AssumeRole"]
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [snowflake_notification_integration.error_integration.aws_sns_external_id]
    }
    resources = [aws_sns_topic.my_sns_topic.arn]
  }
}

# ERROR HERE
resource "aws_sns_topic_policy" "snowflake_s3_pipe_notification_error" {
  arn    = aws_sns_topic.my_sns_topic.arn
  policy = data.aws_iam_policy_document.snowflake_notification_error.json
}


The error is:

Error: InvalidParameter: Invalid parameter: Policy statement action out of service scope! status code: 400, request id: 5c75a285-294b-56b7-ad4d-f915d5e0b01b

  with module.datalake_dev["my-snowpipe"].module.s3_integration.aws_sns_topic_policy.snowflake_notification_error,
  on ../snowflake/s3_integration/s3_integration/error_integration.tf line 79, in resource "aws_sns_topic_policy" "snowflake_notification_error":
  79: resource "aws_sns_topic_policy" "snowflake_notification_error" {

Upvotes: 2

Views: 4998

Answers (1)

rjferguson

Reputation: 623

The action "SNS:Receive" is not allowed in the policy statement. All of the allowed actions are listed in the AWS documentation at https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-language-api-permissions-reference.html#sns-valid-policy-actions

Upvotes: 2
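A pre-apply check for the rendered policy, added here as an example (it is not code from the question, the answer, or the Snowflake tutorial). It reads the JSON that the aws_iam_policy_document data source renders (for instance printed with terraform console) and reports the one thing the SNS API rejects with "Policy statement action out of service scope": any action outside the sns: namespace, which is where the sts:AssumeRole statement in the question falls. It separately warns about sns: actions missing from the documented list the answer links to (SNS:Receive in the question's default statement) and about condition keys SNS never sees in a request (sts:ExternalId, which is only evaluated in an IAM role trust policy). The account ID, region, ARNs and external ID in the sample policy are made up, and the allowed-action set is transcribed from that AWS page and should be re-checked against it.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Actions the SNS topic policy language defines, transcribed from the AWS page
# linked in the answer. Assumption: re-check it, the list changes over time.
SNS_TOPIC_POLICY_ACTIONS = {
    "sns:addpermission", "sns:deletetopic", "sns:getdataprotectionpolicy",
    "sns:gettopicattributes", "sns:listsubscriptionsbytopic",
    "sns:listtagsforresource", "sns:publish", "sns:putdataprotectionpolicy",
    "sns:removepermission", "sns:settopicattributes", "sns:subscribe",
    "sns:tagresource", "sns:untagresource",
}

# Condition-key namespaces SNS evaluates in a topic policy: global aws:* keys
# and its own sns:* keys. Keys from other services are never in the request.
TOPIC_POLICY_CONDITION_NAMESPACES = {"aws", "sns"}


@dataclass(frozen=True)
class Finding:
    sid: str
    subject: str   # the offending action or condition key
    severity: str  # "error": the API rejects it; "warning": almost certainly wrong
    message: str


def _as_list(value) -> list:
    """IAM JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_sns_topic_policy(policy_json: str) -> list[Finding]:
    """Flag statements an SNS topic policy cannot carry.

    Service scope is decided by the action's namespace: an SNS resource policy
    may only grant sns: actions (case-insensitive, so "SNS:Publish" is fine).
    Anything else, such as sts:AssumeRole, is an error. Actions inside the
    namespace that the topic policy language does not list are warnings, as
    are condition keys from another service's namespace.
    """
    policy = json.loads(policy_json)
    findings: list[Finding] = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            service, sep, verb = action.partition(":")
            if not sep or service.lower() != "sns":
                hint = (" (it belongs in an IAM role's trust policy)"
                        if action.lower() == "sts:assumerole" else "")
                findings.append(Finding(sid, action, "error",
                    f"{action} is outside the sns: namespace; a topic policy "
                    f"cannot grant it{hint}"))
            elif verb != "*" and action.lower() not in SNS_TOPIC_POLICY_ACTIONS:
                findings.append(Finding(sid, action, "warning",
                    f"{action} is not in the documented SNS topic policy actions"))
        for operator, keys in (stmt.get("Condition") or {}).items():
            for key in keys:
                if key.partition(":")[0].lower() not in TOPIC_POLICY_CONDITION_NAMESPACES:
                    findings.append(Finding(sid, key, "warning",
                        f"{operator} on {key}: that key is never present in a "
                        f"request to SNS, so this statement can never match"))
    return findings


def has_blocking(findings: list[Finding]) -> bool:
    """True when the API would reject the policy outright."""
    return any(f.severity == "error" for f in findings)


# Constructed sample: the shape aws_iam_policy_document renders for the four
# statements in the question. Account IDs, region, ARNs and the external ID
# are made up.
_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:my-bucket-errors-EXAMPLE"
_SF_USER = "arn:aws:iam::111111111111:user/example-snowflake-user"
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["SNS:GetTopicAttributes", "SNS:SetTopicAttributes", "SNS:AddPermission",
                    "SNS:RemovePermission", "SNS:DeleteTopic", "SNS:Subscribe",
                    "SNS:ListSubscriptionsByTopic", "SNS:Publish", "SNS:Receive"],
         "Resource": _TOPIC_ARN,
         "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}},
        {"Sid": "allow_s3_notification", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"}, "Action": "SNS:Publish",
         "Resource": _TOPIC_ARN,
         "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::my-bucket"}}},
        {"Sid": "allow_snowflake_subscription", "Effect": "Allow",
         "Principal": {"AWS": _SF_USER}, "Action": "SNS:Subscribe", "Resource": _TOPIC_ARN},
        {"Sid": "allow_error_integration", "Effect": "Allow",
         "Principal": {"AWS": _SF_USER}, "Action": "sts:AssumeRole", "Resource": _TOPIC_ARN,
         "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE_EXTERNAL_ID"}}},
    ],
})

if __name__ == "__main__":
    results = lint_sns_topic_policy(SAMPLE_POLICY)
    for f in results:
        print(f"[{f.severity}] {f.sid}: {f.message}")
    raise SystemExit(1 if has_blocking(results) else 0)
```

Run on the sample it exits non-zero with one error (the sts:AssumeRole statement) and two warnings (SNS:Receive and the sts:ExternalId condition). The namespace check is the hard rule because it is exactly what "out of service scope" means; the allow-list comparison is kept as a warning so a stale transcription of the AWS page cannot block an apply that the API would accept.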
