From de21c4bdda68d6c9f1c14c7d4d0d8604b06929a6 Mon Sep 17 00:00:00 2001
From: Ivan Chekaldin <39010411+ichekaldin@users.noreply.github.com>
Date: Fri, 3 Feb 2023 08:36:28 -0500
Subject: [PATCH] sns_topic - Fix Permission Issue for Cross Account Subscriptions (#1418)
sns_topic - Fix Permission Issue for Cross Account Subscriptions SUMMARY sns_topic currently fails with the following error if it has any cross account subscriptions: Couldn't get subscription attributes for subscription arn:aws:sns:us-east-1:123412341234:my-sns-topic-name:555950dc-7c5f-416c-8f8e-e8f38eabfa54: An error occurred (AuthorizationError) when calling the GetSubscriptionAttributes operation: Not authorized to access this subscription This happens, for example, when a Lambda function in account A is subscribed to an SNS topic in account B, as described here. I believe this was caused by #640. I am not sure how to write a test for this specific situation as it would require multiple AWS accounts. ISSUE TYPE Bugfix Pull Request COMPONENT NAME sns_topic ADDITIONAL INFORMATION - community.aws.sns_topic: name: my-sns-topic-in-account-123412341234 subscriptions: - endpoint: "arn:aws:lambda:us-east-1:567856785678:function:my-lambda-function-in-account-567856785678" protocol: lambda state: present
Reviewed-by: Mark Chappell
---
 changelogs/fragments/sns_topic-cross-account.yml | 2 ++
 plugins/modules/sns_topic.py | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/sns_topic-cross-account.yml
diff --git a/changelogs/fragments/sns_topic-cross-account.yml b/changelogs/fragments/sns_topic-cross-account.yml
new file mode 100644
index 00000000000..968811b7693
--- /dev/null
+++ b/changelogs/fragments/sns_topic-cross-account.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- sns_topic - avoid fetching attributes from subscribers when not setting them, this can cause permissions issues (https://github.com/ansible-collections/community.aws/pull/1418).
diff --git a/plugins/modules/sns_topic.py b/plugins/modules/sns_topic.py
index 7bf643cb96e..bcaf44a8840 100644
--- a/plugins/modules/sns_topic.py
+++ b/plugins/modules/sns_topic.py
@@ -519,8 +519,8 @@ def _set_topic_subs_attributes(self):
 for sub in list_topic_subscriptions(self.connection, self.module, self.topic_arn):
 sub_key = (sub['Protocol'], sub['Endpoint'])
 sub_arn = sub['SubscriptionArn']
- if sub_key not in self.desired_subscription_attributes:
- # subscription isn't defined in desired, skipping
+ if not self.desired_subscription_attributes.get(sub_key):
+ # subscription attributes aren't defined in desired, skipping
 continue
 try: