I'm trying to set up an SNS topic with AWS CloudFormation. I'm able to get the topic and its SQS subscriptions up and running, but I couldn't find a way to specify the delivery status logging options (the ones that tell the topic to write its logs to CloudWatch).
The official SNS/Cloudformation docs say nothing about this capability.
I found here that apparently it's not implemented yet. Does anyone have up-to-date status about this?
Below is the template (fragment) I have:
SNSBouncesTopic:
  Type: AWS::SNS::Topic
  Properties:
    DisplayName: SNS-Bounces
    Subscription:
      - Endpoint: !GetAtt
          - SQSBouncesQueue
          - Arn
        Protocol: sqs
    TopicName: SNS-Bounces
The SQSBouncesQueue is another resource of the stack that handles the SNS messages.
In your CloudFormation template, if you simply reference your SNS topic, then you'll get the ARN. So you can use that as input to your nested CloudFormation template.
At the moment, CloudFormation does not support enabling SNS Delivery Status Logging.
You'll need to use either the console, SDK or CLI. If you still need to use the CloudFormation workflow, then review the following workaround:
This workaround involves using a Lambda-backed custom resource to enable SNS Delivery Status logging by adding the necessary attributes to the SNS Topic.
A custom resource essentially triggers a Lambda function when your CFN stack is created, updated, or deleted.
To set up the topic attributes, you would need the following:
a) An IAM role with the permissions for the SNS service to assume the role. It should include the following permissions (actions):
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "logs:PutMetricFilter"
- "logs:PutRetentionPolicy"
b) An SNS Topic
c) The custom resource that takes in the IAM Role ARN and the SNS Topic ARN and invokes a Lambda function that sets the topic attributes accordingly.
In the Lambda function, you will need to specify the SNS TopicArn and set the topic attributes using the set_topic_attributes() method. For the AttributeName, you will have to specify it as "LambdaSuccessFeedbackRoleArn" to set the attribute for a successful delivery and as "LambdaFailureFeedbackRoleArn" to set the attribute for a failed delivery.
Note:
The AttributeValue for both successful and failed would be the ARN of an IAM Role with access to modify the CloudWatch logs.
This function should be called twice, once to set the attribute for a successful delivery and another to set the attribute for a failed delivery.
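The custom-resource Lambda described in this answer, written out as an added example (my code, not the answerer's). It assumes the custom resource passes the properties TopicArn, FeedbackRoleArn, Protocol and SampleRate (names I chose), and it looks the attribute names up per delivery protocol, since SNS uses SQSSuccessFeedbackRoleArn etc. for an SQS subscription like the asker's and the Lambda* names quoted above only for Lambda subscriptions.

```python
import json
import urllib.request

# Constructed lookup of the documented SNS delivery-status attribute names per protocol.
PROTOCOL_ATTRIBUTES = {
    "sqs": ("SQSSuccessFeedbackRoleArn", "SQSFailureFeedbackRoleArn",
            "SQSSuccessFeedbackSampleRate"),
    "lambda": ("LambdaSuccessFeedbackRoleArn", "LambdaFailureFeedbackRoleArn",
               "LambdaSuccessFeedbackSampleRate"),
}

def build_attributes(protocol, role_arn, sample_rate="100"):
    """Return the AttributeName -> AttributeValue pairs for one protocol."""
    if protocol not in PROTOCOL_ATTRIBUTES:
        raise ValueError(f"unsupported protocol: {protocol}")
    success, failure, rate = PROTOCOL_ATTRIBUTES[protocol]
    return {success: role_arn, failure: role_arn, rate: str(sample_rate)}

def apply_attributes(sns, topic_arn, attributes):
    # SetTopicAttributes takes a single attribute per call, hence the loop.
    for name, value in attributes.items():
        sns.set_topic_attributes(TopicArn=topic_arn, AttributeName=name, AttributeValue=value)
    return len(attributes)

def send_response(event, context, status, reason=""):
    """PUT the outcome to the pre-signed URL CloudFormation placed in the event."""
    body = json.dumps({
        "Status": status, "Reason": reason or "see Lambda log stream",
        "PhysicalResourceId": event.get("PhysicalResourceId", context.log_stream_name),
        "StackId": event["StackId"], "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"]}).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req).read()

def handler(event, context, sns=None):
    """Lambda entry point; `sns` is injectable so the logic can be exercised offline."""
    p = event["ResourceProperties"]  # TopicArn, FeedbackRoleArn, Protocol, SampleRate (assumed names)
    try:
        if event["RequestType"] in ("Create", "Update"):  # Delete leaves the topic untouched
            if sns is None:
                import boto3  # lazy import: the module loads without boto3 installed
                sns = boto3.client("sns")
            attrs = build_attributes(p.get("Protocol", "sqs"), p["FeedbackRoleArn"], p.get("SampleRate", "100"))
            apply_attributes(sns, p["TopicArn"], attrs)
        send_response(event, context, "SUCCESS")
    except Exception as exc:  # always respond, or the stack waits for the custom-resource timeout
        send_response(event, context, "FAILED", str(exc))
```

The FeedbackRoleArn value is the role from step a), and the sample rate is the percentage of successful deliveries SNS logs (failures are always logged).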