Auto-Healing SNS Subscriptions in AWS SAM: A Solution for Large Enterprises


In large organizations, maintaining SNS Topic subscriptions can be a headache. Accidental unsubscribes from group emails or manual deletions by team members can disrupt critical notifications. Today, we’ll tackle this problem head-on with a robust solution using AWS SAM (Serverless Application Model), Lambda functions, and automated drift detection.

The Challenge: Vanishing Subscriptions

If you’ve ever managed SNS Topics in a large-scale environment, you know the frustration: subscriptions mysteriously disappear, leading to missed alerts and communication breakdowns. This typically happens when:

  • Group Email Unsubscribes: Someone clicks the dreaded “unsubscribe” button in a group email.
  • Manual Deletions: Team members might remove subscriptions, intentionally or not, through the AWS console or CLI.

The Solution: Auto-Healing with AWS SAM

We’ll walk through a step-by-step solution that leverages the power of AWS SAM to create a self-correcting system:

Define the SNS Topic in SAM:

  • Use your SAM template to declare an SNS Topic with a clear, unique name.
  ErrorSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: "ErrorNotification-SNS"
      Tags:
        - Key: Publisher
          Value: AWS
        - Key: Department
          Value: IT
        - Key: CostCenter
          Value: "12345"
        - Key: Owner
          Value: "PBKN"
        - Key: Project
          Value: "LogSubGenApp"

Reference the SNS Topic in Lambda Environment Variables:

  • Make your Lambda function aware of the SNS Topic by referencing it in your Lambda’s environment variables.
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          PARAM1: VALUE
          JAVA_TOOL_OPTIONS: -XX:+TieredCompilation -XX:TieredStopAtLevel=1
          SNS_TOPIC_ARN: !Ref ErrorSNSTopic

Add “Emails” Subscription in SAM:

  • Ensure that the desired email addresses are automatically subscribed during deployment.
  ErrorSubscription1:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: email1@google.com
      Protocol: email
      TopicArn: !Ref 'ErrorSNSTopic'
  ErrorSubscription2:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: email2@yahoo.com
      Protocol: email
      TopicArn: !Ref 'ErrorSNSTopic'

Lambda Code: Drift Detection and Auto-Subscription

  • Use the AWS SDK in your Lambda function (its execution role needs sns:ListSubscriptionsByTopic, sns:Subscribe and sns:Publish on the topic) to:
    • Read the SNS Topic’s ARN from the SNS_TOPIC_ARN environment variable.
    • List the topic’s current subscriptions.
    • Compare the active list against your intended “Emails” list.
    • If any discrepancies are found, re-subscribe the missing emails.
    • Finally, publish your message to the SNS Topic.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import software.amazon.awssdk.services.sns.SnsClient;
import software.amazon.awssdk.services.sns.model.Subscription;

// Called from the Lambda handler with the error text to send
void notifyWithAutoHeal(String message) {
    try (SnsClient snsClient = SnsClient.create()) {
        String errorMsg = "Something unexpected happened! Go check your system " + message;
        errorMsg = errorMsg.concat(System.lineSeparator());
        errorMsg = errorMsg.concat("Go to https://ap-south-1.console.aws.amazon.com/console/home?region=ap-south-1#");
        String topicArn = System.getenv("SNS_TOPIC_ARN"); // SNS Topic created using SAM
        List<Subscription> currentSubscriptions = listSNSSubscriptions(snsClient, topicArn);
        List<String> currentSubscriptionsEmail = new ArrayList<>();
        for (Subscription subscription : currentSubscriptions) {
            if ("email".equals(subscription.protocol())) {
                currentSubscriptionsEmail.add(subscription.endpoint());
            }
        }
        // Must match the AWS::SNS::Subscription resources declared in the SAM template
        List<String> definedSubscriptions = Arrays.asList("email1@google.com", "email2@yahoo.com");
        for (String driftedEmail : definedSubscriptions) {
            if (!currentSubscriptionsEmail.contains(driftedEmail)) {
                subEmail(snsClient, topicArn, driftedEmail); // triggers a fresh confirmation email
            }
        }
        pubTopic(snsClient, errorMsg, topicArn);
    }
}

// Subscriptions of this topic only (one page of up to 100). Pending, unconfirmed
// subscriptions are returned too, so a re-subscribe is not repeated on every invocation.
List<Subscription> listSNSSubscriptions(SnsClient snsClient, String topicArn) {
    return snsClient.listSubscriptionsByTopic(r -> r.topicArn(topicArn)).subscriptions();
}
void subEmail(SnsClient snsClient, String topicArn, String email) {
    snsClient.subscribe(r -> r.protocol("email").endpoint(email).topicArn(topicArn));
}
void pubTopic(SnsClient snsClient, String message, String topicArn) {
    snsClient.publish(r -> r.message(message).topicArn(topicArn));
}
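The SAM function resource that ties the steps above together, as an added example rather than the project’s own template: it assumes the ErrorSNSTopic resource from this post, and the Handler and CodeUri values are placeholders. The Policies block scopes the execution role to exactly the three SNS calls the drift check makes, and only on this one topic.

```yaml
Resources:
  ErrorNotifierFunction:
    Type: AWS::Serverless::Function
    Properties:
      # Handler and CodeUri are placeholders; use the project's own values
      Handler: com.example.ErrorNotifier::handleRequest
      Runtime: java17
      CodeUri: ErrorNotifier/
      MemorySize: 512
      Timeout: 30
      Environment:
        Variables:
          # Same reference the post uses, so the function addresses the SAM-managed topic
          SNS_TOPIC_ARN: !Ref ErrorSNSTopic
      Policies:
        # Least privilege: list, re-subscribe and publish on ErrorSNSTopic, nothing else
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - sns:ListSubscriptionsByTopic
                - sns:Subscribe
                - sns:Publish
              Resource: !Ref ErrorSNSTopic
```

An email subscription the function re-creates stays in PendingConfirmation until the recipient clicks the confirmation link, so delivery is restored only after that step.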

Why This Approach is Essential

You might wonder, “Why not just rely on the SAM template?” Unfortunately, SAM (and AWS CloudFormation) can detect subscription drift but won’t correct it, even when you redeploy. Our Lambda function bridges this gap, actively ensuring the correct email addresses are always subscribed.

Get the Complete Solution

You can find the full source code for this project on GitHub: https://github.com/pbkn/LogSubGenApp

This source code is based on Error Notification – Logs Subscription Filter – AWS Log Subscription Filter: A Hands-On Guide with AWS SAM

Conclusion

Don’t let unreliable SNS subscriptions hinder your communication. Implement this auto-healing solution to streamline maintenance and guarantee your critical notifications reach the right people, every time.