I have the following script that creates an AWS SQS queue, an S3 bucket and an event notification:
# Needed by the grant block below; the original snippet referenced it without declaring it.
data "aws_canonical_user_id" "current_user" {}

resource "aws_sqs_queue" "my_queue" {
  name                              = "my-queue"
  receive_wait_time_seconds         = 20
  kms_master_key_id                 = "alias/aws/sqs"
  kms_data_key_reuse_period_seconds = 300
}

# Lets the S3 service principal send to the queue, but only for events raised
# by my-bucket in this account (SourceAccount + SourceArn conditions).
resource "aws_sqs_queue_policy" "my_queue_policy" {
  queue_url = aws_sqs_queue.my_queue.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "${aws_sqs_queue.my_queue.arn}",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111111111111"
        },
        "ArnLike": {
          "aws:SourceArn": "${aws_s3_bucket.my_bucket.arn}"
        }
      }
    }
  ]
}
POLICY
}

# Inline grant and server_side_encryption_configuration blocks are the
# AWS provider v3 form; provider v4 moved them to separate resources.
resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-bucket"

  grant {
    type        = "CanonicalUser"
    permissions = ["FULL_CONTROL"]
    id          = data.aws_canonical_user_id.current_user.id
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

resource "aws_s3_bucket_public_access_block" "my_bucket" {
  bucket                  = aws_s3_bucket.my_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# S3 validates the destination when the notification is put, so the queue
# policy must already be in place. Terraform cannot infer that from the
# queue ARN reference alone, hence the explicit dependency on the policy
# rather than on the queue (which is already implied by queue_arn).
resource "aws_s3_bucket_notification" "my_bucket" {
  depends_on = [aws_sqs_queue_policy.my_queue_policy]
  bucket     = aws_s3_bucket.my_bucket.id

  queue {
    id        = aws_sqs_queue.my_queue.id
    queue_arn = aws_sqs_queue.my_queue.arn
    events    = ["s3:ObjectCreated:*"]
  }
}
This worked perfectly fine the first time I ran it. Then I needed to change the name of my-queue. So I did, and then tried applying my changes again with Terraform. Now it can no longer create the aws_s3_bucket_notification resource. It fails with this:
Error: error putting S3 Bucket Notification Configuration: InvalidArgument: Unable to validate the following d
status code: 400, request id: ABC...., host id: HGJHKASDGYH...
So then I completely deleted the resources above and re-ran it, but I still get the same error that the bucket notification cannot be validated.
Edit:
I managed to solve it. By removing encryption from the tf script I could add the events again. Then I could just add encryption back and re-run to enable encryption again.
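The behaviour described above (notification validation fails while the queue is encrypted, succeeds once encryption is removed) matches a documented AWS limitation: S3 must call KMS to encrypt messages it sends to the queue, and the key policy of the AWS managed key alias/aws/sqs cannot be edited to allow the s3.amazonaws.com service principal to do that. The supported configuration is a customer managed KMS key whose key policy grants S3 kms:GenerateDataKey* and kms:Decrypt. The following is an added example, not code from the original post: it replaces only the aws_sqs_queue resource in the script above and adds the key; the queue policy, bucket, public access block and notification resources stay as posted. It assumes AWS provider v3.x (the same family as the posted script) and that the account running it is 111111111111, the account already hard-coded in the queue policy.

```hcl
# Added example (not from the original post). Assumes AWS provider v3.x and
# that the caller's account is the one referenced in the posted queue policy.
data "aws_caller_identity" "current" {}

# Key policy for the customer managed key. Unlike alias/aws/sqs, this policy
# is editable, which is what lets the S3 service principal use the key.
data "aws_iam_policy_document" "queue_key" {
  # Standard key-admin statement: the account root keeps full control of the
  # key so it can never become unmanageable.
  statement {
    sid       = "EnableRootAdmin"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Minimal grant S3 needs to encrypt notifications for an SSE-KMS queue.
  # Who may actually SendMessage is still scoped by the SQS queue policy
  # (aws:SourceAccount / aws:SourceArn) from the original script.
  statement {
    sid       = "AllowS3ToUseKeyForNotifications"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "queue" {
  description         = "CMK for my-queue; key policy allows s3.amazonaws.com to publish"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.queue_key.json
}

# Optional friendly alias; the queue references the key ARN directly below.
resource "aws_kms_alias" "queue" {
  name          = "alias/my-queue"
  target_key_id = aws_kms_key.queue.key_id
}

# Same queue as the original script, but encrypted with the CMK instead of
# the AWS managed key, so the notification validates with encryption on.
resource "aws_sqs_queue" "my_queue" {
  name                              = "my-queue"
  receive_wait_time_seconds         = 20
  kms_master_key_id                 = aws_kms_key.queue.arn
  kms_data_key_reuse_period_seconds = 300
}
```

With this in place the aws_s3_bucket_notification resource can be applied without first stripping encryption, and the queue is never left momentarily unencrypted during the workaround. If the key policy is later tightened, keep the s3.amazonaws.com statement intact: removing it reintroduces the validation failure, and renaming the queue forces a new notification put, which is exactly when the check runs.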