aws_s3_bucket_notification - lambda - append new instead of deleting all previous #501
Comments
hashibot
added
the
enhancement
|
so yeah. this is no bueno. the cause is that the notifications are a subresource of the bucket, right? and tf handles subresources of a resource as a single unit? |
|
Are there plans to circle back on the augment-vs-replace bucket notification model? I would think the fundamentals are there with the 'id' argument to transition to the former. Look at notifications setup for specific bucket, if new id...augment, if existing id...replace. Or has a deeper foundational architectural decision been made here that S3 buckets should not be shared across services? I can't imagine that the conclusion would be the datastore needing to know about every function making use of it to ensure those services are properly notified. It would be like a traditional database (e.g. mysql server) having to know of all of its consumers to ensure it can provide the data they need. Its an inversion of the client-server model. Just as scalability in compatibility testing between distributed application services warrants the use of consumer-driven contracts ... the consumer of an S3 bucket should define what it needs to successfully interact with the data. OUR SCENARIO: An application that uses domain-modeled lambdas that orchestrate an entire pipeline of input/output file processing to get raw data, clean/filter through NLP, and inevitably run through various stages of machine learning to generate insight. Each stage creates output artifacts which trigger the launch of the next lambda in the workflow. We want those artifacts in one place so that it is incredibly easy to access all the artifacts used in the journey and provide a quick mechanism to determine opportunities and gaps. |
|
Personally, I think there's a bigger issue (and potentially simpler solution) here - if terraform is to "support" AWS functionality, they simply need to mirror AWS support. That is, if AWS overrides it, they need to override it. In my opinion, having a split decision on "what functions and how" is much worse. Currently, AWS appends, and this is what terraform should do/support. |
|
+1 |
6 similar comments
|
+1 |
|
+1 |
|
+1 |
|
+1 |
|
+1 |
|
+1 |
|
Can we get an official statement from Hashicorp regarding the behavior of this resource? If the desire is to alter the behavior to support multiple notification 'attachments', I imagine there are those in the community (myself included) that wouldn't mind putting together a PR to make this work, with guidance from Hashicorp. In the project I'm working on, we're using SQS notifications where the same replace instead of add behavior is seen. We're trying to avoid bucket sprawl, but because of this behavior we're having to make an architectural decision that buckets:notifications need to be 1:1. This means we stand the chance of hitting the 100 bucket per account limit in AWS, as this is a design pattern we're likely to use in multiple projects (using S3 as a sort of drop box for batch file processing). |
|
@acobaugh I had a similar situation where I needed to send the s3 notification to multiple queues and ran up against this. I was able to work around it by sending the s3 notification to an SNS topic which was then configured to forward the notification into an arbitrary number of SQS queues. It's not as nice as just being able to attachment multiple notifications, but it works well and doesn't require 100 buckets. |
|
@bflad @jbardin @apparentlymart ^ ping -- it seems this very significant bug was accidentally classified as an "enhancement" and forgotten. The original was here: hashicorp/terraform#11536 This is pretty major functionality -- as of right now, Terraform has limited S3 notification to a single lambda function.
|
|
Hi all, This resource is exposing the functionality of the S3 PUT Bucket notification operation, which treats the entire notification set as a single object that must be replaced atomically. Because individual notification rules are not independently addressable, Terraform can't get any more granular than what it's already doing within the current design of the API. It would theoretically be possible to implement separate resource types like resource "aws_s3_bucket_notification_lambda_function" "example" {
bucket = "${var.LogBucket}"
id = "${var.customer}-LambdaFunction"
lambda_function_arn = "${aws_lambda_function.LambdaFunction.arn}"
events = ["s3:ObjectCreated:*"]
filter_suffix = "gz"
}Resource types like this would have to somehow avoid creating race conditions for other concurrent writers to the notification configuration for the same bucket, particularly if there were multiple resources of these types in the same configuration where Terraform itself might try to write them all concurrently. Since the underlying API provides no locking mechanism for this, it is not totally solvable. It may be partially solvable with certain caveats, but it would mean that these resources types would have quite complex implementations in relation to other resource types. I didn't originally set the labels here, but my guess is that the "enhancement" label here is representing that implementing management of individual rules in isolation from inside a single remote notification object would be additional functionality above what the underlying API provides and is thus an extension of the current behavior, not a fix for an implementation defect. |
|
Just throwing this out there that I'm experiencing pain around this same issue: resource "aws_s3_bucket_notification" "S3BucketNotification" {
bucket = "${data.aws_s3_bucket.S3Bucket.id}"
queue {
queue_arn = "${module.sqs.queue_arn}"
events = ["s3:ObjectCreated:*"]
filter_prefix = "${local.S3EventsPrefix}/"
filter_suffix = ".gz"
}
}Consider the above example, if I'm using multiple Terraform Workspaces to have staging, production, etc. environments operate on the same bucket, I'm going to overwrite every other notification set up for every other environment. This means if I apply any changes to staging, production is affected. So yeah, if this could be prioritized and a fix released, that would be absolutely fantastic. |
|
The problem is not with Hashicorp. The Problem is AWS and their poor API
for S3 events.
This is a huge design bug of AWS.
…On Sat, Jan 19, 2019 at 1:26 AM David Lewis ***@***.***> wrote:
Just throwing this out there that I'm experiencing pain around this same
issue:
resource "aws_s3_bucket_notification" "S3BucketNotification" {
bucket = "${data.aws_s3_bucket.S3Bucket.id}"
queue {
queue_arn = "${module.sqs.queue_arn}"
events = ["s3:ObjectCreated:*"]
filter_prefix = "${local.S3EventsPrefix}/"
filter_suffix = ".gz"
}
}
Consider the above example, if I'm using multiple Terraform Workspaces to
have staging, production, etc. environments operate on the same bucket, I'm
going to overwrite every other notification set up for every other
environment. This means if I apply any changes to staging, production is
affected. So yeah, if this could be prioritized and a fix released, that
would be absolutely fantastic.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#501 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AB-znxjPve9oGIIuu4fJ_VJuXoYj1_wMks5vElgVgaJpZM4N49yk>
.
--
Regards,
Ofer Eliassaf
|
|
It looks like it's possible to get and put a bucket's notification configuration, so no, not a limitation on AWS's side. It should be possible to put a configuration rule and store the Relevant docs: |
|
Biggest issue seems to be that you can not have two rules with overlapping prefixes. So even if you could define multiple separate rules for one bucket, you could not define two Lambdas to be triggered for same prefix.
|
|
I am getting the same issue. Are there any workarounds? |
|
@ethicalmohit I've stopped managing these with Terraform. Best workaround I've come across so far :). |
I think the design flaw mentioned here is the lack of granularity of the AWS service. Yes, you can put/set, and maybe it isn't a big deal in this specific scenario, as contention is unlikely, but seems like this could represent a TOCTOU bug. If two teams were managing these things with terraform, the concern may be that |
|
Any update on this? |
|
It's really a very dangerous function. When you apply a new rule on an existing s3 bucket, all existing rules will be deleted without any prompt warning and can't be rolled back. |
|
The problem is not in Terraform.
It's an aws API bug.
The workaround i found is a dispatcher mechanism in which, a single lambda
is registered, and when it is called, it send a SNS notification with the
path. All the multiple lambdas I have listen to this SNS topic and are
triggered.
This works great and highly reccomended.
בתאריך יום ה׳, 30 באפר׳ 2020, 18:10, מאת Bryan Yang <
[email protected]>:
… It's really a very dangerous function. When you apply a new rule on an
existing s3 bucket, all existing rules will be deleted without any prompt
warning and can't be rolled back.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#501 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAP3HHYYOWLDYXH6OVLLVZLRPGIFNANCNFSM4DPD3SSA>
.
|
|
@bryanyang0528 Yes - exactly the reason I first created this issue 3+ years ago. But I believe somewhere a while back (can't keep track at this point since this ticket has been moved/re-opened 4-5x) it was mentioned that the problem is the Amazon API available for lambda? That said, I really think this is something that should be brought up and fixed (be it Amazon or TF) quickly. |
|
@ventz I'm not sure if terraform could refer to this project serverless-plugin-existing-s3? This serverless plugin will fetch all existing rules, add a new rule, and deploy them together for implementing this function. |
|
@bryanyang0528 That would be fantastic! |
|
Hi folks 👋 The core of this
The current maintainers are still very hesitant to implement a custom solution of individual notification management since this would be extremely prone to S3 eventual consistency behaviors and unable to handle race conditions across Terraform AWS Provider instances. Our best recommendation would still be to reach out to the S3 service team about this particular API via AWS Support cases or discussions with your Technical Account Manager, should you have one. However, I did want to mention here the feature request for Terraform and Terraform AWS Provider to give an error message for conflicting resources in configurations, which falls under the provider-wide enhancement proposal of #14394. By adding this link here it will add a reference to that issue so we can include it as a use case when thinking about the implementation details about that particular enhancement. Please feel free to 👍 and provide feedback about that enhancement there. |
|
We solved this issue by using a null resource which calls a python script with the necessary arguments. The script pulls the existing notifications into memory, adds the new one and uploads them all again to s3. The reason we needed this is because we use both Serverless and Terraform and needed a way to handle bucket notifications across stacks. |
Hi @harrydaniels-IW, that's the best idea I've heard yet. Are you willing to share that script with us? |
|
boto3 Best case scenario, my company moves all of our bucket notification rules to terraform. Otherwise I will continue to manage my bucket notifications via boto3 + some custom logic (rather than terraform). Not ideal, but it works. |
|
I made a Terraform module to manage S3 notifications to Lambda without deleting existing ones. It's still in alpha, but it's works on my own infrastructure. |
|
+1! My team (data engineering) is working out a POC for moving everything over to terraform but this is a huge issue for us since we have a ton of different s3 triggers from our main bucket. Is this fix currently in the pipeline? |
If you can do this via Python why can't Terraform do it? People are blaming the AWS API but surely you're consuming the python boto3 sdk? |
|
I also ran into an issue here! Hoping Hashicorp can sort out an official solution soon. Considering this idea:
And considering @Blaked84 has already done some of the work:
I forked the above repo and implemented something similar using a bash script as Ruby isn't a possibility in my team's current setup. Available here if it helps save anyone some work: https://github.com/walter9388/s3_bucket_notification_lambda |
|
+1 also running into this issue. |
|
For additional context, This deploys a custom resource lambda under the hood, code for this pattern uses boto3 for API calls (custom lambda code). |
Summary: Pull Request resolved: #2360 For the terraform resource aws_s3_bucket_notification, there is an issue that two or more separate aws_s3_bucket_notification statements would only use the last one applied, which means the last one would override whatever bucket notifications set by previous aws_s3_bucket_notification. (hashicorp/terraform-provider-aws#501) So refactoring the code to put the aws_s3_bucket_notification as a separate folder so that it could apply all notification settings. Reviewed By: joe1234wu Differential Revision: D51150073 Privacy Context Container: L1199492 fbshipit-source-id: b6acd23e66578c47990d6229722ae9fd1e72b774
Since bucket notifications can only be managed once, if an implementer wants additional notifications on the bucket, they must be managed outside this module. If you give this variable as `true`, you *must* add a bucket notification to the lambda given in outputs as `scan_lambda_function_arn`. See [this issue (#510) on the provider](hashicorp/terraform-provider-aws#501 (comment)) for more details on the topic. This patch does not include updated README.md because I see that terraform_docs is not included in the pre-commit configuration, so I assume it is done by your pipeline.
|
+1 please fix |
* MC-39238: Implement IMU parsing * MC-39238: consume IMU metadata * MC-39838: fix pre commit rules * MC-39238: consume IMU metadata tests * MC-39294: Selector on dev crashing due to invalid json (hashicorp#499) * MC-39294 filter chunk messages from video ingestion Co-authored-by: Afonso Sousa <[email protected]> * MC-39239 send message to mdfp for imu ingestion * MC-39238: Fix SDR not sending messages to MDFParser --------- Co-authored-by: Rogerio Peixoto <[email protected]> Co-authored-by: Afonso Sousa <[email protected]> Co-authored-by: Afonso Sousa <[email protected]>
|
Any update on this? We too have a shared bucket used and managed by multiple teams and terraform project (by design). We too want to have the ability to append our lambda notification without removing other's. |
and others
This issue was originally opened by @ventz as hashicorp/terraform#11536. It was migrated here as part of the provider split. The original body of the issue is below.
Terraform Version
Terraform v0.8.5
Affected Resource(s)
If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.
Terraform Configuration Files
Debug Output
N/A
Panic Output
N/A
Expected Behavior
It should appends the added lambda functions to the existing S3 Event notification set - in this case, the existing set of lambda functions.
Actual Behavior
It deletes all existing lambda functions, and adds the new one. It seems to treat the item as a single value, instead of a list which contains multiple items.
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
terraform apply -parallelism=1
Important Factoids
N/A - full access, admin account.
References
Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:
I found this which seems semi-related: hashicorp/terraform#6934
However, that's more about the end-user creating multiple functions/resources as events.
The text was updated successfully, but these errors were encountered: