A blog about nothing

A collection of useless things that may turn out to be useful

21/02/2020 – AWS SNS – Lambda Notification not working when created from CloudFormation

Posted by Diego on February 21, 2020


Objective: create an SNS topic subscription to a Lambda function (when something publishes to the topic, we want a Lambda function to run).

If we do it manually through the console, it works just fine.

After creating the subscription, AWS will automatically add a trigger to the Lambda function, which allows the topic to invoke the Lambda.

Here, for example, on the “LambdaTest” topic, I created a subscription to the “test” Lambda, and this is what I see on the Lambda:

Problem: that will not happen if we create the topic + subscription using CloudFormation, because AWS won’t create the trigger we see on the left.

“Common sense” would say that you can create the Lambda and the topic in CloudFormation (something like this):

and that AWS will create the trigger automatically as well (like it does from the console), but that is not the case.

You need to create the trigger yourself as well, which kind of creates a “chicken and egg” situation: the topic needs to point to the Lambda (as a subscription), and the Lambda needs a trigger (EventSource) that points to the topic.

Fortunately (or not, who knows?), from CloudFormation you can create an SNS subscription to a Lambda that doesn’t yet exist (only the console enforces an existing Lambda, by throwing a “ResourceNotFoundException” error message).

Alternatively, you can add an “AWS::Lambda::Permission” to your function, which allows the SNS topic to call the Lambda function. These are called “resource-based policies” and enable you to grant usage permission to other accounts on a per-resource basis. You also use a resource-based policy to allow an AWS service to invoke your function.
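A complete template that wires the three pieces together (topic, subscription, and the Lambda permission that the console would otherwise add for you), as an added example and not the template from the post; the topic and function names follow the post, while the IAM role and the tiny handler are assumptions of mine:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  LambdaTestTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: LambdaTest

  TestFunctionRole:            # minimal execution role (assumed, not from the post)
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  TestFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: test
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt TestFunctionRole.Arn
      Code:
        ZipFile: |
          def handler(event, context):
              # each SNS delivery arrives as one or more records
              for record in event["Records"]:
                  print(record["Sns"]["Message"])

  TopicSubscription:           # topic -> lambda (the "subscription" side)
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref LambdaTestTopic        # Ref of a topic returns its ARN
      Protocol: lambda
      Endpoint: !GetAtt TestFunction.Arn

  TopicInvokePermission:       # lambda -> topic (the "trigger" side CloudFormation won't add)
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref TestFunction
      Action: lambda:InvokeFunction
      Principal: sns.amazonaws.com
      # Scope the grant to this one topic; without SourceArn, any SNS topic
      # (including one in another account) could invoke the function.
      SourceArn: !Ref LambdaTestTopic
```

Deploying this with `aws cloudformation deploy` and then publishing to the topic should show the message in the function's CloudWatch logs; if the permission block is left out, the subscription is created but every delivery fails silently on the Lambda side.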
