I'm trying to subscribe my SQS queue in account A to an SNS topic in account B, but the SQS-to-SNS subscription fails on `terraform apply` after 2 minutes because it is not able to auto-confirm the subscription.
plan:
aws_sns_topic_subscription.storetime_offset_sqs_queue: Still creating... [2m0s elapsed]
╷
│ Error: waiting for SNS Topic Subscription (arn:aws:sns:eu-west-1:473655411111:store-eta-published:9b9de7b2-c240-46f2-a345-45431a123994) confirmation: timeout while waiting for state to become 'false' (last state: 'true', timeout: 2m0s)
│
│ with aws_sns_topic_subscription.store_eta_published_sqs_queue,
│ on store-eta-published-sqs.tf line 92, in resource "aws_sns_topic_subscription" "store_eta_published_sqs_queue":
│ 92: resource "aws_sns_topic_subscription" "store_eta_published_sqs_queue" {
│
╵
╷
│ Error: waiting for SNS Topic Subscription (arn:aws:sns:eu-west-1:473655411111:store-time-offset-changed:ba4e0185-9697-499b-9710-c154c2e22545) confirmation: timeout while waiting for state to become 'false' (last state: 'true', timeout: 2m0s)
│
│ with aws_sns_topic_subscription.storetime_offset_sqs_queue,
│ on storetime-offset-sqs.tf line 92, in resource "aws_sns_topic_subscription" "storetime_offset_sqs_queue":
│ 92: resource "aws_sns_topic_subscription" "storetime_offset_sqs_queue" {
│
╵
Exited with code exit status 1
SNS topic policy:
resource "aws_sns_topic_policy" "cross_account_policy" {
count = length(local.topic_names)
arn = aws_sns_topic.sns_topics.*.arn[count.index]
policy = <<EOF
{
"Version": "2008-10-17",
"Id": "maverick_cross_account_subscription_policy",
"Statement": [
{
"Effect":"Allow",
"Principal":{
"AWS":"392607711111"
},
"Action":"sns:subscribe",
"Resource":"${aws_sns_topic.sns_topics.*.arn[count.index]}"
}
]
}
EOF
}
SQS queue policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "topic-subscription-arn:arn:aws:sns:eu-west-1:473655411111:store-time-offset-changed",
"Effect": "Allow",
"Principal": "*",
"Action": "sqs:SendMessage",
"Resource": "dplus-storetime-offset-queue",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:sns:eu-west-1:473655411111:store-time-offset-changed"
}
}
}
]
}
SQS subscription:
resource "aws_sns_topic_subscription" "store_eta_published_sqs_queue" {
provider = aws.reactor-eu-west-1
topic_arn = local.store_eta_published_topic_arn
protocol = "sqs"
endpoint = aws_sqs_queue.store_eta_published_sqs_queue.arn
}
SQS queues:
resource "aws_sqs_queue" "store_eta_published_sqs_queue" {
name = local.store_eta_published_queue_name
delay_seconds = 0
fifo_queue = false
content_based_deduplication = false
visibility_timeout_seconds = 60
receive_wait_time_seconds = 0
redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.store_eta_published_sqs_queue_dead_letter.arn}\",\"maxReceiveCount\":${local.queue_retry_count}}"
depends_on = [aws_sqs_queue.store_eta_published_sqs_queue_dead_letter]
message_retention_seconds = 345600 # SQS default
}
resource "aws_sqs_queue" "store_eta_published_sqs_queue_dead_letter" {
name = "${local.store_eta_published_queue_name}-dead-letter"
fifo_queue = false
policy = ""
}
data "aws_iam_policy_document" "store_eta_published_sqs_queue" {
statement {
sid = "topic-subscription-arn:${local.store_eta_published_topic_arn}"
effect = "Allow"
principals {
type = "AWS"
identifiers = ["473655411111"]
}
actions = ["sqs:SendMessage"]
resources = [aws_sqs_queue.store_eta_published_sqs_queue.name]
}
}
resource "aws_sqs_queue_policy" "store_eta_published_sqs_queue" {
queue_url = aws_sqs_queue.store_eta_published_sqs_queue.id
policy = data.aws_iam_policy_document.store_eta_published_sqs_queue.json
}
Provider setup:
provider "aws" {
alias = "reactor-eu-west-1"
region = "eu-west-1"
access_key = data.aws_secretsmanager_secret_version.current-reactor-access-key.secret_string
secret_key = data.aws_secretsmanager_secret_version.current-reactor-secret-key.secret_string
}