SNS Topic with Subscriptions
SNS standard/FIFO topic with encryption, delivery policies, and SQS/Lambda/email subscriptions.
Verification
Live-tested: really deployed, verified, idempotent and destroyed in a cloud sandbox.
Conformance
- Static validation (fmt · validate · tflint)
- Security scan clean (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live-tested — applied, verified, destroyed
Last verified 2026-06-11
Details
- Type: tf_module
- Provider / collection: hashicorp/aws
- Target clouds: aws
- Target OS: —
- Version: v1.0.0
- License: LicenseRef-IaCBazaar-Commercial
$49.00
one-time · perpetual license + 12 months of updates
Included in the builder+ subscription.
Documentation
aws-sns
SNS standard or FIFO topic, encrypted at rest by default, with a TLS-only
least-privilege topic policy and typed SQS / Lambda / HTTPS / email
subscriptions. Works with Terraform and OpenTofu (>= 1.6), AWS provider
>= 6.0, < 7.0. FIFO naming (.fifo suffix) is automatic, and message signing
defaults to SHA-256 (signature version 2).
Status: static-validated, live-test pending. Ships under live-test quarantine: validated with
tofu fmt, tofu validate, and tflint. A real apply → publish → destroy against an AWS account is pending a cloud sandbox. Live testing will restrict subscriptions to SQS/Lambda endpoints, which auto-confirm; email/SMS/HTTP confirmations cannot be completed in automation.
What you get:
- aws_sns_topic — standard or FIFO, always SSE-encrypted.
- aws_sns_topic_policy — a generated TLS-only, allow-listed policy (override with a full policy JSON string if you need to).
- aws_sns_topic_subscription — a typed map of subscriptions with filter policies and per-subscription redrive (DLQ) support.
Secure defaults
- Encryption at rest always on: defaults to the AWS-managed alias/aws/sns key; pass a CMK via kms_master_key_id for full key control.
- TLS-only topic policy: denies any sns:Publish / sns:Subscribe made over a non-TLS connection (aws:SecureTransport = false). The account owner keeps management rights; IAM publishers and AWS service publishers are allow-listed (services pinned to their aws:SourceArn), and cross-account subscribe is off unless you name accounts in subscriber_account_ids.
- SHA-256 signing (signature_version = 2) by default.
- Subscriptions support redrive to a DLQ so failed deliveries are not lost; use raw_message_delivery = true for SQS/HTTPS when you do not want the SNS envelope.
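To make the policy defaults concrete, here is an added Python sketch (not the module's own code) of a TLS-only, allow-listed topic policy assembled from the rules above, plus two checks a reviewer could run over a policy rendered in a plan. The statement layout, Sids and sample ARNs are assumptions.

```python
# Constructed sample identifiers (not from the page).
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:events"
ACCOUNT_ID = "123456789012"


def build_topic_policy(topic_arn, account_id, publisher_arns=(),
                       service_publishers=None, subscriber_account_ids=()):
    """Assemble the policy document as a dict (statement layout is assumed)."""
    statements = [
        # Account owner keeps management rights on the topic.
        {"Sid": "OwnerManage", "Effect": "Allow", "Action": ["sns:*"],
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"}, "Resource": topic_arn},
        # Explicit deny wins over every allow: no publish/subscribe without TLS.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": ["sns:Publish", "sns:Subscribe"], "Resource": topic_arn,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]
    if publisher_arns:  # IAM principals allow-listed to publish
        statements.append({"Sid": "IamPublishers", "Effect": "Allow", "Action": ["sns:Publish"],
                           "Principal": {"AWS": list(publisher_arns)}, "Resource": topic_arn})
    for name, spec in (service_publishers or {}).items():
        # Pin each service principal to its source resource (confused-deputy guard).
        statements.append({"Sid": f"ServicePublisher{name}", "Effect": "Allow",
                           "Action": ["sns:Publish"], "Resource": topic_arn,
                           "Principal": {"Service": spec["service"]},
                           "Condition": {"ArnEquals": {"aws:SourceArn": spec["source_arn"]}}})
    if subscriber_account_ids:  # cross-account subscribe is opt-in only
        statements.append({"Sid": "CrossAccountSubscribe", "Effect": "Allow",
                           "Action": ["sns:Subscribe"], "Resource": topic_arn,
                           "Principal": {"AWS": [f"arn:aws:iam::{a}:root"
                                                 for a in subscriber_account_ids]}})
    return {"Version": "2012-10-17", "Statement": statements}


def denies_insecure_transport(policy):
    """True if a Deny statement covers sns:Publish when aws:SecureTransport is false."""
    return any(s["Effect"] == "Deny" and "sns:Publish" in s["Action"]
               and s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
               for s in policy["Statement"])


def explicit_publishers(policy):
    """Principals with an explicit sns:Publish allow (the owner's sns:* is not counted)."""
    found = set()
    for s in policy["Statement"]:
        if s["Effect"] == "Allow" and "sns:Publish" in s["Action"]:
            for v in s["Principal"].values():
                found.update([v] if isinstance(v, str) else v)
    return found
```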
Usage
module "topic" {
  source = "./aws-sns"
  name   = "events"

  publisher_arns = [aws_iam_role.api.arn]
  service_publishers = {
    s3 = {
      service    = "s3.amazonaws.com"
      source_arn = aws_s3_bucket.uploads.arn
    }
  }

  subscriptions = {
    worker_queue = {
      protocol             = "sqs"
      endpoint             = aws_sqs_queue.worker.arn
      raw_message_delivery = true
      redrive_policy = jsonencode({
        deadLetterTargetArn = aws_sqs_queue.worker_dlq.arn
      })
    }
  }

  tags = { Environment = "prod" }
}
For FIFO: set fifo_topic = true — events becomes events.fifo automatically
(FIFO topics deliver only to SQS FIFO queues).
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
| name | string | — | Topic name; .fifo appended automatically for FIFO (required) |
| fifo_topic | bool | false | Create a FIFO topic |
| content_based_deduplication | bool | false | FIFO: dedupe on body hash |
| fifo_throughput_scope | string | "Topic" | Topic or MessageGroup (high-throughput FIFO) |
| display_name | string | null | From-name for email/SMS (≤100 chars) |
| kms_master_key_id | string | "alias/aws/sns" | SSE key; pass a CMK for full control |
| signature_version | number | 2 | 1 = SHA1, 2 = SHA256 |
| tracing_config | string | "PassThrough" | X-Ray mode (PassThrough/Active) |
| delivery_policy | string | null | JSON retry/throttle policy for HTTP/S |
| create_topic_policy | bool | true | Attach the TLS-only + allow-list policy |
| policy | string | null | Full JSON policy override |
| publisher_arns | list(string) | [] | IAM principals allowed to publish |
| service_publishers | map(object) | {} | {service, source_arn} AWS service publishers |
| subscriber_account_ids | list(string) | [] | External accounts allowed to subscribe |
| feedback_role_arns | map(object) | {} | Per-protocol delivery-status logging roles |
| success_feedback_sample_rate | number | 0 | % of successful deliveries to log |
| subscriptions | map(object) | {} | Typed subscriptions (see below) |
| tags | map(string) | {} | Tags for the topic |
Each subscriptions entry: { protocol, endpoint, raw_message_delivery, filter_policy, filter_policy_scope, redrive_policy, confirmation_timeout, subscription_role_arn }. protocol is one of sqs, lambda, https,
http, email, email-json, sms, firehose, application; firehose
requires subscription_role_arn.
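As an added example (not the module's own validation rules), this Python checker applies the subscription rules stated on this page, the protocol list, the firehose role requirement, the FIFO-to-SQS-FIFO constraint and the JSON redrive_policy shape from the usage block, to a constructed subscriptions map; the ARNs are made up.

```python
import json

PROTOCOLS = {"sqs", "lambda", "https", "http", "email", "email-json",
             "sms", "firehose", "application"}
FIELDS = {"protocol", "endpoint", "raw_message_delivery", "filter_policy",
          "filter_policy_scope", "redrive_policy", "confirmation_timeout",
          "subscription_role_arn"}


def validate_subscriptions(subscriptions, fifo_topic=False):
    """Return a list of problems (empty means the map is acceptable)."""
    problems = []
    for name, sub in subscriptions.items():
        unknown = sorted(set(sub) - FIELDS)
        if unknown:
            problems.append(f"{name}: unknown keys {unknown}")
        proto = sub.get("protocol")
        if proto not in PROTOCOLS:
            problems.append(f"{name}: unsupported protocol {proto!r}")
            continue
        endpoint = str(sub.get("endpoint") or "")
        if not endpoint:
            problems.append(f"{name}: endpoint is required")
        if proto == "firehose" and not sub.get("subscription_role_arn"):
            problems.append(f"{name}: firehose requires subscription_role_arn")
        if fifo_topic and proto != "sqs":
            problems.append(f"{name}: FIFO topics deliver only to SQS FIFO queues")
        elif fifo_topic and not endpoint.endswith(".fifo"):
            problems.append(f"{name}: FIFO topic needs a .fifo queue endpoint")
        # redrive_policy is a JSON string naming the DLQ, as in the usage block.
        redrive = sub.get("redrive_policy")
        if redrive is not None:
            try:
                if "deadLetterTargetArn" not in json.loads(redrive):
                    problems.append(f"{name}: redrive_policy lacks deadLetterTargetArn")
            except (TypeError, ValueError):
                problems.append(f"{name}: redrive_policy is not valid JSON")
    return problems


# Constructed sample: a FIFO topic with one good SQS subscription and two bad ones.
SAMPLE = {
    "worker_queue": {"protocol": "sqs",
                     "endpoint": "arn:aws:sqs:us-east-1:123456789012:worker.fifo",
                     "raw_message_delivery": True,
                     "redrive_policy": json.dumps({"deadLetterTargetArn":
                                                   "arn:aws:sqs:us-east-1:123456789012:worker-dlq.fifo"})},
    "notifier": {"protocol": "lambda", "endpoint": "arn:aws:lambda:us-east-1:123456789012:function:notify"},
    "archive": {"protocol": "firehose", "endpoint": "arn:aws:firehose:us-east-1:123456789012:deliverystream/archive"},
}
```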
Outputs
topic_arn, topic_id, topic_name, topic_owner, subscription_arns.
Provider pin
aws = {
  source  = "hashicorp/aws"
  version = ">= 6.0, < 7.0"
}
License
Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work
(not derived from a third-party module).