SNS event source with SqsSubscriptionObject overwrites existing queue policy

[ejafarli]

Description:
When configuring SAM with an SNS event source with SqsSubscriptionObject, sam deploy overwrites the existing policy attached to the queue.

https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-sns.html#sam-function-sns-sqssubscription

Steps to reproduce the issue:

1. Used the following template to create SAM app.
   snstemplate.yaml.zip

2. Check queue policy prior to deploy command

3. Check queue policy after sam deploy

Observed result:
Existing policy on the queue is replaced by a policy that grants SNS sendMessage permission to the queue.

Expected result:
Policy should be appended into existing policy statement.

[jfuss]

@hawflau Not sure if this is actually a bug. SAM will produce a new Sqs Policy resource, which doesn't know about any state a Queue has. SAM is stateless, so this is expected. This sounds like a feature request out to SQS to allow multiple Queue Policy Resources on the same queue. Otherwise this is expected behavior.

[ejafarli]

@hawflau Not sure if this is actually a bug. SAM will produce a new Sqs Policy resource, which doesn't know about any state a Queue has. SAM is stateless, so this is expected. This sounds like a feature request out to SQS to allow multiple Queue Policy Resources on the same queue. Otherwise this is expected behavior.

The feature isn't supported by SQS, but what we do on our EventBridge service in a similar situation is to grab the existing policy attached to the queue and then append the permission we want and use the combined policy so that original permission do not get overriden.