Problem
When you attempt to create an aws_s3_bucket_notification resource using Terraform, you encounter the following error:
Error: putting S3 Bucket Notification Configuration: InvalidArgument: Unable to validate the following destination configurations
Prerequisites
- The AWS Command Line Interface (CLI) is installed and configured.
Cause
This error typically occurs when the IAM policy associated with your credentials does not grant the necessary permissions for the Amazon S3 service to publish events to the Amazon SNS topic.
Solution
To isolate the issue, use the AWS CLI to manually perform the same API requests that Terraform executes. This helps confirm whether the problem is with the IAM permissions rather than the Terraform configuration.
Procedure
- Create a policy file named policy.json. This file defines the SNS topic access policy that grants the S3 bucket permission to publish notifications to the SNS topic; it is the document that createtopic.sh attaches to the topic. Replace the placeholder values for your environment.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "s3.amazonaws.com" },
          "Action": "SNS:Publish",
          "Resource": "arn:aws:sns:<region>:<aws-account-id>:foobarbaz",
          "Condition": {
            "ArnLike": { "aws:SourceArn": "arn:aws:s3:::<bucket-name>" }
          }
        }
      ]
    }

- Create a shell script named createtopic.sh. This script creates the S3 bucket and the SNS topic, then attaches the policy from policy.json to the topic. Replace the placeholder values for your environment.

    #!/bin/sh
    aws s3api create-bucket --bucket <value> --region <value>
    aws sns create-topic --name foobarbaz --region <value>
    aws sns set-topic-attributes --topic-arn arn:aws:sns:<region>:<aws-account-id>:foobarbaz --attribute-name Policy --attribute-value file://policy.json --region <value>

  Outside us-east-1, create-bucket also requires --create-bucket-configuration LocationConstraint=<region>.

- Create a notification configuration file named notification.json. This file specifies the event types and the destination SNS topic. Replace the placeholder values for your environment.

    {
      "TopicConfigurations": [
        {
          "TopicArn": "arn:aws:sns:us-east-2:<aws-account-id>:foobarbaz",
          "Events": [ "s3:ObjectCreated:*" ]
        }
      ]
    }

- Create a second shell script named putnotification.sh. This script applies the notification configuration to the S3 bucket. Replace the placeholder values for your environment.

    #!/bin/sh
    aws s3api put-bucket-notification-configuration --bucket <value> --notification-configuration file://notification.json --region <value>

- Make both scripts executable.

    $ chmod a+rx createtopic.sh
    $ chmod a+rx putnotification.sh

- Execute the scripts sequentially to test the permissions.

    ## First, create the topic and set its attributes
    $ ./createtopic.sh
    ## Note the TopicArn from the output, then apply the notification configuration
    $ ./putnotification.sh
Outcome
- If you receive an error from the AWS CLI similar to the one from Terraform, you have confirmed that the issue is with the permissions in your IAM policy. You must update the policy to allow the required actions.
- If you can create the S3 bucket notification configuration successfully with the AWS CLI but not with Terraform, this may indicate an issue with the provider or your configuration. Review your Terraform configuration for any discrepancies with the manual steps.
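Before re-running the scripts, the access policy that createtopic.sh attaches to the topic can be checked offline for the grant S3 needs. The Python below is an added example, not the article's or the Terraform AWS provider's code; the topic and bucket ARNs and the sample policy are constructed placeholders, and the matcher evaluates only Allow statements.

```python
"""Offline check of an SNS access policy: may Amazon S3 publish to the topic?
Added example for this article, not HashiCorp's or AWS's code; ARNs are
constructed. Only Allow statements are evaluated (explicit Deny is ignored)."""
import fnmatch
import json

TOPIC_ARN = "arn:aws:sns:us-east-2:111122223333:foobarbaz"
BUCKET_ARN = "arn:aws:s3:::example-bucket"

# Constructed sample: the policy shape S3 needs, scoped to one source bucket.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "SNS:Publish", "Resource": TOPIC_ARN,
    "Condition": {"ArnLike": {"aws:SourceArn": BUCKET_ARN}}}]})


def _as_list(value):
    """IAM accepts a string or a list in Action, Resource and Service."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _matches(value, patterns):
    """IAM wildcard match ('*' and '?'); ARNs compare case-sensitively."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def s3_publish_allowed(policy_doc, topic_arn=TOPIC_ARN, bucket_arn=BUCKET_ARN):
    """Return (allowed, scoped): allowed if an Allow statement lets the S3 service
    principal call SNS:Publish on topic_arn for events from bucket_arn; scoped if
    it also pins aws:SourceArn to the bucket, so other buckets cannot reuse it."""
    for stmt in _as_list(json.loads(policy_doc).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal != "*" and "s3.amazonaws.com" not in services:
            continue
        if not _matches("sns:publish", [a.lower() for a in _as_list(stmt.get("Action"))]):
            continue
        if not _matches(topic_arn, _as_list(stmt.get("Resource"))):
            continue
        sources = _as_list(stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn"))
        if sources and not _matches(bucket_arn, sources):
            continue  # statement grants a different bucket, not ours
        return True, bool(sources)
    return False, False


if __name__ == "__main__":
    print(s3_publish_allowed(SCOPED_POLICY))  # (True, True)
```

A result of (True, False) means S3 can publish but the topic accepts events from any bucket, which is the case to tighten with an aws:SourceArn condition.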
Additional Information
- For more details on the required permissions, refer to the AWS documentation on S3 Event Notifications.
- For configuration details on the Terraform resource, see the aws_s3_bucket_notification documentation.