mirror of
synced 2025-02-20 11:48:24 -06:00
This commit adds support for new helper function which is used to normalise and validate JSON string. Signed-off-by: Krzysztof Wilczynski <krzysztof.wilczynski@linux.com>
179 lines
4.7 KiB
179 lines
4.7 KiB
package aws
import (
func resourceAwsSnsTopicPolicy() *schema.Resource {
return &schema.Resource{
Create: resourceAwsSnsTopicPolicyUpsert,
Read: resourceAwsSnsTopicPolicyRead,
Update: resourceAwsSnsTopicPolicyUpsert,
Delete: resourceAwsSnsTopicPolicyDelete,
Schema: map[string]*schema.Schema{
"arn": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
"policy": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateJsonString,
DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs,
func resourceAwsSnsTopicPolicyUpsert(d *schema.ResourceData, meta interface{}) error {
arn := d.Get("arn").(string)
req := sns.SetTopicAttributesInput{
TopicArn: aws.String(arn),
AttributeName: aws.String("Policy"),
AttributeValue: aws.String(d.Get("policy").(string)),
// Retry the update in the event of an eventually consistent style of
// error, where say an IAM resource is successfully created but not
// actually available. See https://github.com/hashicorp/terraform/issues/3660
log.Printf("[DEBUG] Updating SNS Topic Policy: %s", req)
stateConf := &resource.StateChangeConf{
Pending: []string{"retrying"},
Target: []string{"success"},
Refresh: resourceAwsSNSUpdateRefreshFunc(meta, req),
Timeout: 3 * time.Minute,
MinTimeout: 3 * time.Second,
_, err := stateConf.WaitForState()
if err != nil {
return err
return resourceAwsSnsTopicPolicyRead(d, meta)
func resourceAwsSnsTopicPolicyRead(d *schema.ResourceData, meta interface{}) error {
snsconn := meta.(*AWSClient).snsconn
attributeOutput, err := snsconn.GetTopicAttributes(&sns.GetTopicAttributesInput{
TopicArn: aws.String(d.Id()),
if err != nil {
if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NotFound" {
log.Printf("[WARN] SNS Topic (%s) not found, error code (404)", d.Id())
return nil
return err
if attributeOutput.Attributes == nil {
log.Printf("[WARN] SNS Topic (%q) attributes not found (nil)", d.Id())
return nil
attrmap := attributeOutput.Attributes
policy, ok := attrmap["Policy"]
if !ok {
log.Printf("[WARN] SNS Topic (%q) policy not found in attributes", d.Id())
return nil
d.Set("policy", policy)
return nil
func resourceAwsSnsTopicPolicyDelete(d *schema.ResourceData, meta interface{}) error {
accountId, err := getAccountIdFromSnsTopicArn(d.Id())
if err != nil {
return err
req := sns.SetTopicAttributesInput{
TopicArn: aws.String(d.Id()),
AttributeName: aws.String("Policy"),
// It is impossible to delete a policy or set to empty
// (confirmed by AWS Support representative)
// so we instead set it back to the default one
AttributeValue: aws.String(buildDefaultSnsTopicPolicy(d.Id(), accountId)),
// Retry the update in the event of an eventually consistent style of
// error, where say an IAM resource is successfully created but not
// actually available. See https://github.com/hashicorp/terraform/issues/3660
log.Printf("[DEBUG] Resetting SNS Topic Policy to default: %s", req)
stateConf := &resource.StateChangeConf{
Pending: []string{"retrying"},
Target: []string{"success"},
Refresh: resourceAwsSNSUpdateRefreshFunc(meta, req),
Timeout: 3 * time.Minute,
MinTimeout: 3 * time.Second,
_, err = stateConf.WaitForState()
if err != nil {
return err
return nil
func getAccountIdFromSnsTopicArn(arn string) (string, error) {
// arn:aws:sns:us-west-2:123456789012:test-new
re := regexp.MustCompile("^arn:aws:sns:[^:]+:([0-9]{12}):.+")
matches := re.FindStringSubmatch(arn)
if len(matches) != 2 {
return "", fmt.Errorf("Unable to get account ID from ARN (%q)", arn)
return matches[1], nil
func buildDefaultSnsTopicPolicy(topicArn, accountId string) string {
return fmt.Sprintf(`{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
"Action": [
"Resource": "%s",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "%s"
}`, topicArn, accountId)