From a931fa13478a53951f87013ad9adb7473443f325 Mon Sep 17 00:00:00 2001
From: Ivan Chekaldin
Date: Fri, 19 Aug 2022 11:00:42 -0400
Subject: [PATCH 1/3] Fix permission issue when SNS subscription target is in a different AWS account
---
 plugins/modules/sns_topic.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/plugins/modules/sns_topic.py b/plugins/modules/sns_topic.py
index 7bf643cb96e..a6c6b3a014f 100644
--- a/plugins/modules/sns_topic.py
+++ b/plugins/modules/sns_topic.py
@@ -523,13 +523,16 @@ def _set_topic_subs_attributes(self):
 # subscription isn't defined in desired, skipping
 continue
 
+ raw_message = self.desired_subscription_attributes[sub_key].get('RawMessageDelivery')
+ if raw_message is None:
+ continue
+
 try:
 sub_current_attributes = self.connection.get_subscription_attributes(SubscriptionArn=sub_arn)['Attributes']
 except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
 self.module.fail_json_aws(e, "Couldn't get subscription attributes for subscription %s" % sub_arn)
 
- raw_message = self.desired_subscription_attributes[sub_key].get('RawMessageDelivery')
- if raw_message is not None and 'RawMessageDelivery' in sub_current_attributes:
+ if 'RawMessageDelivery' in sub_current_attributes:
 if sub_current_attributes['RawMessageDelivery'].lower() != raw_message.lower():
 changed = True
 if not self.check_mode:
From e04c146f2bfa4864dfdf68ee6c3c9cc6d97350d9 Mon Sep 17 00:00:00 2001
From: Ivan Chekaldin
Date: Tue, 30 Aug 2022 15:11:14 -0400
Subject: [PATCH 2/3] Check any attributes instead of just RawMessageDelivery
---
 plugins/modules/sns_topic.py | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/plugins/modules/sns_topic.py b/plugins/modules/sns_topic.py
index a6c6b3a014f..4ce9ba88a18 100644
--- a/plugins/modules/sns_topic.py
+++ b/plugins/modules/sns_topic.py
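Review bot: The new `if 'RawMessageDelivery' in sub_current_attributes:` guard leads straight into `raw_message.lower()` on the following line, which assumes the desired value is already a string; if the attribute can reach this code as a YAML boolean (a dict-typed option would pass `true` through unchanged), the comparison raises AttributeError instead of reporting a mismatch. Comparing `str(raw_message).lower()` with the current value would be robust either way, and the same comparison is kept as context in the second patch of this series. `_set_topic_subs_attributes` starts before this hunk and continues after it.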
@@ -519,20 +519,17 @@ def _set_topic_subs_attributes(self):
 for sub in list_topic_subscriptions(self.connection, self.module, self.topic_arn):
 sub_key = (sub['Protocol'], sub['Endpoint'])
 sub_arn = sub['SubscriptionArn']
- if sub_key not in self.desired_subscription_attributes:
+ if sub_key not in self.desired_subscription_attributes or not self.desired_subscription_attributes[sub_key]:
 # subscription isn't defined in desired, skipping
 continue
 
- raw_message = self.desired_subscription_attributes[sub_key].get('RawMessageDelivery')
- if raw_message is None:
- continue
-
 try:
 sub_current_attributes = self.connection.get_subscription_attributes(SubscriptionArn=sub_arn)['Attributes']
 except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
 self.module.fail_json_aws(e, "Couldn't get subscription attributes for subscription %s" % sub_arn)
 
- if 'RawMessageDelivery' in sub_current_attributes:
+ raw_message = self.desired_subscription_attributes[sub_key].get('RawMessageDelivery')
+ if raw_message is not None and 'RawMessageDelivery' in sub_current_attributes:
 if sub_current_attributes['RawMessageDelivery'].lower() != raw_message.lower():
 changed = True
 if not self.check_mode:
From be763fb9a866693d1794f73ee916e47a5fe85ac5 Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Fri, 3 Feb 2023 14:18:10 +0100
Subject: [PATCH 3/3] minor tweaks
---
 changelogs/fragments/sns_topic-cross-account.yml | 2 ++
 plugins/modules/sns_topic.py | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/sns_topic-cross-account.yml
diff --git a/changelogs/fragments/sns_topic-cross-account.yml b/changelogs/fragments/sns_topic-cross-account.yml
new file mode 100644
index 00000000000..968811b7693
--- /dev/null
+++ b/changelogs/fragments/sns_topic-cross-account.yml
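Review bot: `sub_arn = sub['SubscriptionArn']` is handed to `get_subscription_attributes` without checking for unconfirmed subscriptions, for which the list call returns the placeholder string `PendingConfirmation` rather than an ARN, so the request fails and `fail_json_aws` aborts the whole run even though the caller only wanted to set attributes on confirmed endpoints. A guard such as `if sub_arn == 'PendingConfirmation': continue` (or a `self.module.warn(...)` before skipping) ahead of the `try:` would keep the module usable while a subscriber has not yet confirmed; the same applies to the final form of this loop in the third patch. Separately, when attributes are requested for a subscription owned by another account, the `fail_json_aws` message gives no hint that the failure is a cross-account permission problem, so an operator may widen an IAM policy instead of adjusting the playbook; including `sub.get('Owner')` in that message would make the cause visible. The loop body continues past the end of this hunk.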
@@ -0,0 +1,2 @@
+bugfixes:
+- sns_topic - avoid fetching attributes from subscribers when not setting them, this can cause permissions issues (https://github.com/ansible-collections/community.aws/pull/1418).
diff --git a/plugins/modules/sns_topic.py b/plugins/modules/sns_topic.py
index 4ce9ba88a18..bcaf44a8840 100644
--- a/plugins/modules/sns_topic.py
+++ b/plugins/modules/sns_topic.py
@@ -519,8 +519,8 @@ def _set_topic_subs_attributes(self):
 for sub in list_topic_subscriptions(self.connection, self.module, self.topic_arn):
 sub_key = (sub['Protocol'], sub['Endpoint'])
 sub_arn = sub['SubscriptionArn']
- if sub_key not in self.desired_subscription_attributes or not self.desired_subscription_attributes[sub_key]:
- # subscription isn't defined in desired, skipping
+ if not self.desired_subscription_attributes.get(sub_key):
+ # subscription attributes aren't defined in desired, skipping
 continue
 
 try:
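Review bot: The rewritten comment on the skip branch says what is skipped but not why it matters, while the changelog fragment in this same patch explains that the point is to avoid calling GetSubscriptionAttributes on subscribers the caller may not be allowed to read; that reasoning belongs next to the code so a later edit does not reintroduce the call. Suggest `# no attributes requested for this subscription: skip it so we never call GetSubscriptionAttributes on an endpoint we may lack permission to read (e.g. a cross-account subscriber)`. The switch to `.get(sub_key)` also makes an explicitly empty attributes dict behave like an absent one, which matches the intent but is worth a word in the comment. The enclosing `for` body continues past the `try:` that ends this hunk.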