Aws_s3_bucket_notification fails with error InvalidArgument: Unable to validate the following destination configurations

I have the following script that creates an AWS SQS queue, S3 bucket and Event notification:

resource "aws_sqs_queue" "my_queue" {
  name                              = "my-queue"
  receive_wait_time_seconds         = 20
  kms_master_key_id                 = "alias/aws/sqs"
  kms_data_key_reuse_period_seconds = 300
}
resource "aws_sqs_queue_policy" "my_queue_policy" {
  queue_url = aws_sqs_queue.my_queue.id
  policy    = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "${aws_sqs_queue.my_queue.arn}",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111111111111"
        },
        "ArnLike": {
          "aws:SourceArn": "${aws_s3_bucket.my_bucket.arn}"
        }
      }
    }
  ]
}
POLICY
}


resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-bucket"
  grant {
    type        = "CanonicalUser"
    permissions = ["FULL_CONTROL"]
    id          = data.aws_canonical_user_id.current_user.id
  }
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}
resource "aws_s3_bucket_public_access_block" "my_bucket" {
  bucket                  = aws_s3_bucket.my_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
resource "aws_s3_bucket_notification" "my_bucket" {
  depends_on = [aws_sqs_queue.my_queue]

  bucket = aws_s3_bucket.my_bucket.id

  queue {
    id        = aws_sqs_queue.my_queue.id
    queue_arn = aws_sqs_queue.my_queue.arn
    events    = ["s3:ObjectCreated:*"]
  }
}

This worked perfectly fine the first time I ran it. Then I needed to change the name of my-queue. So I did, and then tried applying my changes again with Terraform. Now it can no longer create the aws_s3_bucket_notification resource. It fails with this:

Error: error putting S3 Bucket Notification Configuration: InvalidArgument: Unable to validate the following d
        status code: 400, request id: ABC...., host id: HGJHKASDGYH...

So then I completely deleted the resources above and re-ran it, and I still get the same error that the bucket notification cannot be validated.

Edit:

I managed to solve it. By removing encryption in the tf script I could again add the events. Then I could just add encryption back and rerun to enable encryption again.

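One way to keep the queue encrypted without hitting that validation error, as an added example that is not code from the original post: AWS documents that S3 must be granted kms:GenerateDataKey and kms:Decrypt on the queue's key, and the key policy of the AWS-managed alias/aws/sqs key cannot be edited to grant that, so a customer-managed key is used instead. It assumes the account and the my_bucket / my_queue_policy resources from the post and replaces the post's my_queue resource; the key name s3_events is made up.

```hcl
# Added example: customer-managed KMS key that the S3 service principal may use
# to encrypt notification messages. The aws_sqs_queue_policy from the post is
# reused unchanged; account id is read instead of being hard-coded.
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "s3_events" {
  description         = "CMK for the S3 event notification queue"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Keep the account able to administer the key (required so Terraform
        # does not create a key nobody can manage).
        Sid       = "AllowAccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Statement AWS documents for S3 event notifications to an SSE-KMS queue.
        Sid       = "AllowS3ToUseKeyForNotifications"
        Effect    = "Allow"
        Principal = { Service = "s3.amazonaws.com" }
        Action    = ["kms:GenerateDataKey", "kms:Decrypt"]
        Resource  = "*"
      }
    ]
  })
}

# Same queue as in the post, but encrypted with the customer-managed key
# rather than alias/aws/sqs.
resource "aws_sqs_queue" "my_queue" {
  name                              = "my-queue"
  receive_wait_time_seconds         = 20
  kms_master_key_id                 = aws_kms_key.s3_events.arn
  kms_data_key_reuse_period_seconds = 300
}

resource "aws_s3_bucket_notification" "my_bucket" {
  # Depend on the queue *policy* and the key, not only the queue: S3 checks at
  # apply time that it can SendMessage and use the key, so both must exist first.
  depends_on = [aws_sqs_queue_policy.my_queue_policy, aws_kms_key.s3_events]
  bucket     = aws_s3_bucket.my_bucket.id

  queue {
    queue_arn = aws_sqs_queue.my_queue.arn
    events    = ["s3:ObjectCreated:*"]
  }
}
```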

Spent a day trying to figure this out! Thanks for this post

I hit this one as well. Did you get to the root cause? Thank you!