Introduction
Many users leverage Amazon S3 Event Notifications to gain insight into actions taken against a specific S3 bucket (e.g., s3:ObjectRemoved:*). There are many permissions involved in the setup of this feature, which can make troubleshooting difficult for users.
Problem
When attempting to create the aws_s3_bucket_notification
resource using Terraform, you encounter the following error:
Error: putting S3 Bucket Notification Configuration: InvalidArgument: Unable to validate the following destination configurations
Cause
The IAM-style access policy attached to the SNS topic does not allow the Amazon S3 service to publish to it, so S3 cannot validate the topic as a notification destination.
Solution
Use the AWS CLI tool to verify whether you can successfully perform the same API requests that Terraform is executing by replicating them manually:

- Execute

  $ touch createtopic.sh

  to create a new file.

- Paste the following content into createtopic.sh and change the values in angle brackets. The script creates the bucket and the topic, then attaches the topic access policy from policy.json (created in the next steps) to the topic.

  #!/bin/sh
  aws s3api create-bucket --bucket <value> --region <value>
  # Outside us-east-1, create-bucket also requires: --create-bucket-configuration LocationConstraint=<region>
  aws sns create-topic --name foobarbaz --region <value>
  aws sns set-topic-attributes --topic-arn arn:aws:sns:<region>:<aws-account-id>:foobarbaz --attribute-name Policy --attribute-value file://policy.json --region <value>

- Execute

  $ chmod a+rx createtopic.sh

- Execute

  $ touch policy.json

- Paste the following content into policy.json and change necessary values. This is the SNS topic access policy: it grants the Amazon S3 service principal permission to publish to the topic, restricted to events originating from your bucket.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowS3ToPublish",
        "Effect": "Allow",
        "Principal": { "Service": "s3.amazonaws.com" },
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:<region>:<aws-account-id>:foobarbaz",
        "Condition": {
          "ArnLike": { "aws:SourceArn": "arn:aws:s3:::<bucket-name>" }
        }
      }
    ]
  }

- Create another file

  $ touch putnotification.sh

- Paste the following content into putnotification.sh and change necessary values.

  #!/bin/sh
  aws s3api put-bucket-notification-configuration --bucket <value> --notification-configuration file://notification.json --region <value>

- Execute

  $ chmod a+rx putnotification.sh

- Execute

  $ touch notification.json

- Paste the following content into notification.json and change necessary values.

  {
    "TopicConfigurations": [
      {
        "TopicArn": "arn:aws:sns:<region>:<aws-account-id>:foobarbaz",
        "Events": [
          "s3:ObjectCreated:*"
        ]
      }
    ]
  }

- Execute the first script you created, then confirm the TopicArn in the output:

  $ ./createtopic.sh

- Execute the second script you created:

  $ ./putnotification.sh
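The following Python example is added here and is not part of the original article or of HashiCorp's tooling. It builds the two JSON documents used in the steps above and performs an offline check of whether a topic access policy admits the S3 service principal, which is the condition behind the InvalidArgument error. The topic ARN, the account id 123456789012 and the bucket names are constructed placeholders, and DEFAULT_TOPIC_POLICY is a constructed sample modelled on the policy SNS attaches to a newly created topic. To run the check against a real topic, fetch its attributes with `aws sns get-topic-attributes --topic-arn <arn>` and pass the Policy attribute string to topic_policy_allows_s3_publish.

```python
"""Offline preflight check for the S3 -> SNS notification setup: builds the two JSON
documents and evaluates whether a topic access policy lets S3 publish to the topic.
Standard library only; no AWS API calls are made."""
import json
from fnmatch import fnmatchcase

S3_SERVICE_PRINCIPAL = "s3.amazonaws.com"
# Condition operators under which an aws:SourceArn pattern can be evaluated with a glob.
SOURCE_ARN_OPERATORS = {"ArnLike", "ArnEquals", "StringLike", "StringEquals"}


def build_topic_policy(topic_arn: str, bucket_name: str) -> dict:
    """SNS topic access policy allowing one S3 bucket to publish to topic_arn
    (the document that createtopic.sh sets as the topic's Policy attribute)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3ToPublish",
            "Effect": "Allow",
            "Principal": {"Service": S3_SERVICE_PRINCIPAL},
            "Action": "SNS:Publish",
            "Resource": topic_arn,
            # Pin the grant to this bucket so buckets in other accounts cannot use the topic.
            "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket_name}"}},
        }],
    }


def build_notification_config(topic_arn: str, events=("s3:ObjectCreated:*",)) -> dict:
    """Bucket notification configuration (the body of notification.json)."""
    return {"TopicConfigurations": [{"TopicArn": topic_arn, "Events": list(events)}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_covers_s3(principal) -> bool:
    """Anonymous principals or an explicit S3 service principal cover the S3 service."""
    if principal == "*" or principal == {"AWS": "*"}:
        return True
    if isinstance(principal, dict):
        return S3_SERVICE_PRINCIPAL in _as_list(principal.get("Service", []))
    return False


def topic_policy_allows_s3_publish(policy, topic_arn: str, bucket_name: str) -> bool:
    """True if an Allow statement lets S3 publish events from bucket_name to topic_arn.

    Conservative simplification of IAM evaluation: only aws:SourceArn conditions are
    understood, a statement carrying any other condition key is not counted, and an
    explicit Deny elsewhere in the policy is not modelled."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_covers_s3(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase("sns:publish", a) for a in actions):
            continue
        if not any(fnmatchcase(topic_arn, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        satisfied = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                if key.lower() != "aws:sourcearn" or operator not in SOURCE_ARN_OPERATORS:
                    satisfied = False  # unknown condition: cannot confirm it holds for S3
                elif not any(fnmatchcase(bucket_arn, p) for p in _as_list(expected)):
                    satisfied = False  # the SourceArn condition names a different bucket
        if satisfied:
            return True
    return False


# Constructed sample modelled on the policy SNS attaches to a new topic: it only admits
# callers from the topic owner's account (AWS:SourceOwner), which the S3 service is not.
DEFAULT_TOPIC_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
        "Resource": "arn:aws:sns:us-east-2:123456789012:foobarbaz",
        "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}},
    }],
}

if __name__ == "__main__":
    topic = "arn:aws:sns:us-east-2:123456789012:foobarbaz"  # placeholder account id
    fixed = build_topic_policy(topic, "my-bucket")
    for label, pol in (("default", DEFAULT_TOPIC_POLICY), ("fixed", fixed)):
        print(f"{label} policy lets S3 publish:", topic_policy_allows_s3_publish(pol, topic, "my-bucket"))
    print(json.dumps(build_notification_config(topic), indent=2))
```

Running it prints False for the default-style policy and True for the policy built by build_topic_policy, which matches the Outcome section: if the CLI also fails, the topic policy is what needs fixing.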
Outcome
- If you receive an error from AWS that is similar to the one you encountered within Terraform, then you've confirmed that you'll need to address the permissions set within your IAM policy.
- If you are able to successfully create an S3 bucket notification configuration through the use of the AWS CLI tool, then please reach out to HashiCorp Support for more assistance. Please inform the engineer that you followed the steps within this article and provide the URL.