
(aws-sns): addSubscription() doesn't lead to working subscription


To subscribe an SNS to an SQS, you can write something like

myTopic.addSubscription(new SqsSubscription(mySqs));

and then your messages will disappear.

Reproduction Steps

import { Topic } from '@aws-cdk/aws-sns';
import { SqsSubscription } from '@aws-cdk/aws-sns-subscriptions';
import { Queue } from '@aws-cdk/aws-sqs';

const mySqs = new Queue(this, 'MyQ');
const myTopic = new Topic(this, 'MyTopic');
myTopic.addSubscription(new SqsSubscription(mySqs));

What did you expect to happen?

Everything necessary to get the SNS publishing messages into the SQS should be handled. Or at least tell me what I need to do in addition to get it working.

What actually happened?

Messages disappeared into the void.

Environment

  • CDK CLI Version: 1.78.0
  • Framework Version: 1.78.0
  • Node.js Version: v14.3.0
  • OS : MacOS and CircleCI docker runners
  • Language (Version): TypeScript (4.1.3)

Other

For it to actually work, you need

  • a CMK used by the SNS (and maybe also the SQS, not sure)
  • a policy on the CMK (details below)
  • a policy on the SQS (details below)

I’m not sure of the Right Way for cdk to do this. Ideally,

  • calling new SqsSubscription(mySqs) would validate that the SQS has a policy that looks reasonable and has a CMK
  • calling mySns.addSubscription() would validate that the SNS involved has a CMK and that it has a reasonable policy

Working code snippet for The Next Person:

import * as iam from '@aws-cdk/aws-iam';
import * as kms from '@aws-cdk/aws-kms';
import * as sns from '@aws-cdk/aws-sns';
import * as subs from '@aws-cdk/aws-sns-subscriptions';
import * as sqs from '@aws-cdk/aws-sqs';

// `mySnsName` and `props.env` (account/region) are assumed to be defined by the surrounding Stack.
const key = new kms.Key(this, 'Key');
key.addToResourcePolicy(
  new iam.PolicyStatement({
    sid: 'Allow SNS to use this key',
    effect: iam.Effect.ALLOW,
    principals: [new iam.ServicePrincipal('sns.amazonaws.com')],
    actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
    resources: ['*'],
  }),
);

// The queue must use this CMK (QueueEncryption.KMS), not the AWS-managed key.
const mySqs = new sqs.Queue(this, 'MyQ', {
  encryption: sqs.QueueEncryption.KMS,
  encryptionMasterKey: key,
});
mySqs.addToResourcePolicy(
  new iam.PolicyStatement({
    sid: 'allow sqs actions',
    effect: iam.Effect.ALLOW,
    principals: [new iam.AccountRootPrincipal()],
    actions: ['sqs:*'],
    resources: ['*'],
  }),
);
const allowSns = new iam.PolicyStatement({
  sid: 'allow publishing from the sns',
  effect: iam.Effect.ALLOW,
  principals: [new iam.ServicePrincipal('sns.amazonaws.com')],
  actions: ['sqs:SendMessage'],
  resources: ['*'],
});
allowSns.addCondition('ArnLike', {
  // Annoyingly, you can't just ref the ARN. Chicken & egg.
  // Or at least I don't know how to get around the issue without resorting to L1 stuff.
  'aws:SourceArn': `arn:aws:sns:${props.env.region}:${props.env.account}:${mySnsName}`,
});
mySqs.addToResourcePolicy(allowSns);

const myTopic = new sns.Topic(this, 'MyTopic', {
  topicName: mySnsName,
  masterKey: key,
});
myTopic.addSubscription(new subs.SqsSubscription(mySqs));

This is a 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 6
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

2 reactions
ahammond commented, Oct 20, 2021

@ayozemr you must use a CMK and not sqs.QueueEncryption.KMS_MANAGED for this. Otherwise you can’t grant the SNS permissions necessary to publish to your queue. And yes, that’s kind of the point of this bug. At the very least, IMHO, cdk should throw an error if you try to .addSubscription() to an encrypted queue without having the CMK, etc. set up.
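Both the issue body (a queue policy plus a CMK policy for SNS) and the comment above (KMS_MANAGED leaves nothing to grant against) ask for a check that CDK does not perform. The following is an added example, not code from the issue or from the CDK project: a stand-alone lint over the CloudFormation JSON that `cdk synth` emits, with no CDK dependency. For every `AWS::SNS::Subscription` with protocol `sqs` it checks that a queue policy lets `sns.amazonaws.com` call `sqs:SendMessage`, that the grant carries an `aws:SourceArn` condition naming the topic (one step further than the posts, which only cover the key), and, when the queue is encrypted, that `KmsMasterKeyId` points at an `AWS::KMS::Key` in the template whose policy allows SNS `kms:Decrypt` and `kms:GenerateDataKey`. The two sample templates are constructed by hand to resemble the issue's broken and working setups; the logical ids and `lintSamples` helper are assumptions for the example.

```typescript
// Stand-alone lint over a synthesized CloudFormation template (the JSON from `cdk synth`).
// Assumes standard resource types and Ref / Fn::GetAtt intrinsics; no CDK import needed.
type Json = any;
interface Finding { resource: string; problem: string; }
const SNS_SERVICE = 'sns.amazonaws.com';

// Resolve a plain string, {Ref: X} or {"Fn::GetAtt": [X, ...]} to the logical id X.
function logicalId(v: Json): string | undefined {
  if (typeof v === 'string') return v;
  if (v && typeof v === 'object') {
    if (typeof v.Ref === 'string') return v.Ref;
    const getAtt = v['Fn::GetAtt'];
    if (Array.isArray(getAtt) && typeof getAtt[0] === 'string') return getAtt[0];
  }
  return undefined;
}

// IAM policy fields may be a scalar or a list; normalize to a list.
function asList(v: Json): Json[] {
  return v === undefined || v === null ? [] : Array.isArray(v) ? v : [v];
}

// IAM action matching is case-insensitive and '*' is a wildcard (e.g. kms:GenerateDataKey*).
function actionMatches(pattern: string, action: string): boolean {
  const parts = pattern.toLowerCase().split('*').map(p => p.replace(/[^a-z0-9:]/g, c => '\\' + c));
  return new RegExp('^' + parts.join('.*') + '$').test(action.toLowerCase());
}

// True when an Allow statement grants `action` to the given service principal.
function allowsService(stmt: Json, service: string, action: string): boolean {
  if (!stmt || stmt.Effect !== 'Allow') return false;
  if (!asList(stmt.Principal && stmt.Principal.Service).includes(service)) return false;
  return asList(stmt.Action).some((a: Json) => typeof a === 'string' && actionMatches(a, action));
}

// True when the statement is confined to one topic through an aws:SourceArn condition.
function scopedToTopic(stmt: Json, topicId: string | undefined): boolean {
  const cond = stmt.Condition || {};
  for (const op of ['ArnEquals', 'ArnLike']) {
    const value = cond[op] && cond[op]['aws:SourceArn'];
    if (value === undefined) continue;
    // A literal ARN string cannot be tied back to a logical id, so it is accepted as-is.
    return typeof value === 'string' || topicId === undefined || logicalId(value) === topicId;
  }
  return false;
}

function checkSnsToSqs(template: Json): Finding[] {
  const resources: Json = (template && template.Resources) || {};
  const ofType = (t: string): [string, Json][] =>
    Object.keys(resources).map(id => [id, resources[id]] as [string, Json]).filter(([, r]) => r && r.Type === t);
  const findings: Finding[] = [];
  for (const [subId, sub] of ofType('AWS::SNS::Subscription')) {
    const props = sub.Properties || {};
    if (props.Protocol !== 'sqs') continue;
    const queueId = logicalId(props.Endpoint);
    const topicId = logicalId(props.TopicArn);
    if (!queueId || !resources[queueId]) {
      findings.push({ resource: subId, problem: 'sqs endpoint is not a queue defined in this template' });
      continue;
    }
    // 1. A queue policy must let SNS deliver, and only from this topic.
    let statements: Json[] = [];
    for (const [, pol] of ofType('AWS::SQS::QueuePolicy')) {
      const p = pol.Properties || {};
      if (asList(p.Queues).map(logicalId).includes(queueId)) {
        statements = statements.concat(asList(p.PolicyDocument && p.PolicyDocument.Statement));
      }
    }
    const sendGrants = statements.filter(s => allowsService(s, SNS_SERVICE, 'sqs:SendMessage'));
    if (sendGrants.length === 0) {
      findings.push({ resource: queueId, problem: `no queue policy allows ${SNS_SERVICE} sqs:SendMessage` });
    } else if (!sendGrants.some(s => scopedToTopic(s, topicId))) {
      findings.push({ resource: queueId, problem: 'sqs:SendMessage grant to SNS lacks an aws:SourceArn condition naming the topic' });
    }
    // 2. An encrypted queue needs a CMK whose key policy lets SNS use it. The AWS-managed
    //    alias/aws/sqs key (KMS_MANAGED) has no policy you can edit, hence the trap in the comments.
    const keyRef = (resources[queueId].Properties || {}).KmsMasterKeyId;
    if (keyRef === undefined) continue;
    const keyId = logicalId(keyRef);
    if (!keyId || !resources[keyId] || resources[keyId].Type !== 'AWS::KMS::Key') {
      findings.push({ resource: queueId, problem: `KmsMasterKeyId ${JSON.stringify(keyRef)} is not a CMK in this template, so SNS cannot be granted kms:Decrypt/kms:GenerateDataKey on it` });
      continue;
    }
    const keyPolicy = resources[keyId].Properties && resources[keyId].Properties.KeyPolicy;
    for (const action of ['kms:Decrypt', 'kms:GenerateDataKey']) {
      if (!asList(keyPolicy && keyPolicy.Statement).some(s => allowsService(s, SNS_SERVICE, action))) {
        findings.push({ resource: keyId, problem: `key policy does not allow ${SNS_SERVICE} ${action}` });
      }
    }
  }
  return findings;
}

// Constructed sample templates (hand-written, not real synth output) shaped like the issue's two setups.
const brokenTemplate: Json = { Resources: {
  MyQ: { Type: 'AWS::SQS::Queue', Properties: { KmsMasterKeyId: 'alias/aws/sqs' } },
  MyTopic: { Type: 'AWS::SNS::Topic' },
  Sub: { Type: 'AWS::SNS::Subscription', Properties: { Protocol: 'sqs', TopicArn: { Ref: 'MyTopic' }, Endpoint: { 'Fn::GetAtt': ['MyQ', 'Arn'] } } },
} };
const workingTemplate: Json = { Resources: {
  Key: { Type: 'AWS::KMS::Key', Properties: { KeyPolicy: { Statement: [
    { Effect: 'Allow', Principal: { Service: SNS_SERVICE }, Action: ['kms:Decrypt', 'kms:GenerateDataKey*'], Resource: '*' } ] } } },
  MyQ: { Type: 'AWS::SQS::Queue', Properties: { KmsMasterKeyId: { 'Fn::GetAtt': ['Key', 'Arn'] } } },
  MyQPolicy: { Type: 'AWS::SQS::QueuePolicy', Properties: { Queues: [{ Ref: 'MyQ' }], PolicyDocument: { Statement: [
    { Effect: 'Allow', Principal: { Service: SNS_SERVICE }, Action: 'sqs:SendMessage', Resource: { 'Fn::GetAtt': ['MyQ', 'Arn'] },
      Condition: { ArnEquals: { 'aws:SourceArn': { Ref: 'MyTopic' } } } } ] } } },
  MyTopic: { Type: 'AWS::SNS::Topic', Properties: { KmsMasterKeyId: { 'Fn::GetAtt': ['Key', 'Arn'] } } },
  Sub: { Type: 'AWS::SNS::Subscription', Properties: { Protocol: 'sqs', TopicArn: { Ref: 'MyTopic' }, Endpoint: { 'Fn::GetAtt': ['MyQ', 'Arn'] } } },
} };

// Run the lint over both samples: the broken one yields two findings, the working one none.
function lintSamples(): { broken: Finding[]; working: Finding[] } {
  return { broken: checkSnsToSqs(brokenTemplate), working: checkSnsToSqs(workingTemplate) };
}
```

In practice you would feed `checkSnsToSqs` the parsed `cdk.out/<stack>.template.json` in CI and fail the pipeline on any finding, which turns the "messages disappeared into the void" symptom into a build-time error before anything is deployed. Resolving intrinsics only as far as the logical id keeps the check independent of account and region, and is enough because both `Ref` on a topic and `Fn::GetAtt ... Arn` on a queue resolve to ARNs at deploy time.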

1 reaction
ayozemr commented, Oct 27, 2021

@ahammond thanks for the info, will modify code with that in mind

And yes, throwing an error would help a lot to know what’s the problem. Because you end up in a situation where events don’t reach SQS with no info why.

Thanks again
