feat(sink): add AWS SNS sink for topic publishing

Adds a new SNS sink that publishes events to an Amazon SNS topic.

Features:
- Publishes events as JSON messages to configured topic ARN
- Supports custom endpoint URL for LocalStack testing
- Optional explicit credentials (falls back to default chain)
- WithoutSecrets config pattern for safe logging
- LocalStack container helper for integration tests

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: psteinroe

Cargo.lock

@@ -7,6 +7,9 @@ version = "0.1.0"
 default    = []
 test-utils = ["dep:ctor", "dep:testcontainers", "dep:testcontainers-modules"]
 
+# Sink features.
+sink-sns = ["dep:aws-sdk-sns", "dep:aws-config"]
+
 [dependencies]
 anyhow = { version = "1.0.98", default-features = false, features = ["std"] }
 chrono = { version = "0.4.41", default-features = false }
@@ -54,13 +57,18 @@ tikv-jemallocator = { version = "0.6.1", default-features = false, features = [
 ] }
 
 
+# Optional sink dependencies.
+aws-config  = { version = "1.6", optional = true, default-features = false, features = ["behavior-version-latest", "rt-tokio", "rustls"] }
+aws-sdk-sns = { version = "1.74", optional = true, default-features = false, features = ["behavior-version-latest", "rt-tokio", "rustls"] }
+
 ctor                   = { version = "0.4", optional = true }
 testcontainers         = { version = "0.23", optional = true, features = ["blocking"] }
-testcontainers-modules = { version = "0.11", optional = true, features = ["postgres", "blocking"] }
+testcontainers-modules = { version = "0.11", optional = true, features = ["postgres", "localstack", "blocking"] }
 
 [dev-dependencies]
-temp-env = "0.3"
-tempfile = "3.13"
+aws-sdk-sqs = { version = "1.74", default-features = false, features = ["behavior-version-latest", "rt-tokio", "rustls"] }
+temp-env    = "0.3"
+tempfile    = "3.13"
 
 [lints.clippy]
 fallible_impl_from        = "deny"

Cargo.toml

@@ -1,5 +1,8 @@
 use serde::Deserialize;
 
+#[cfg(feature = "sink-sns")]
+use crate::sink::sns::SnsSinkConfig;
+
 /// Sink destination configuration.
 ///
 /// Determines where replicated events are sent.
@@ -8,4 +11,8 @@ use serde::Deserialize;
 pub enum SinkConfig {
     /// In-memory sink for testing and development.
     Memory,
+
+    /// AWS SNS sink for topic publishing.
+    #[cfg(feature = "sink-sns")]
+    Sns(SnsSinkConfig),
 }

src/config/sink.rs

@@ -77,6 +77,19 @@ async fn run_pipeline(config: &PipelineConfig) -> EtlResult<()> {
     // Create sink based on configuration.
     let sink = match &config.sink {
         SinkConfig::Memory => AnySink::Memory(MemorySink::new()),
+
+        #[cfg(feature = "sink-sns")]
+        SinkConfig::Sns(cfg) => {
+            use crate::sink::sns::SnsSink;
+            let s = SnsSink::new(cfg.clone()).await.map_err(|e| {
+                etl::etl_error!(
+                    etl::error::ErrorKind::InvalidData,
+                    "Failed to create SNS sink",
+                    e.to_string()
+                )
+            })?;
+            AnySink::Sns(s)
+        }
     };
 
     // Create PgStream as an ETL destination
@@ -122,6 +135,13 @@ fn log_sink_config(config: &SinkConfig) {
         SinkConfig::Memory => {
             debug!("using memory sink");
         }
+
+        #[cfg(feature = "sink-sns")]
+        SinkConfig::Sns(cfg) => {
+            use crate::sink::sns::SnsSinkConfigWithoutSecrets;
+            let safe_cfg: SnsSinkConfigWithoutSecrets = cfg.into();
+            debug!(config = ?safe_cfg, "using sns sink");
+        }
     }
 }
 

src/core.rs

@@ -1,11 +1,17 @@
 mod base;
 pub mod memory;
 
+#[cfg(feature = "sink-sns")]
+pub mod sns;
+
 pub use base::Sink;
 
 use etl::error::EtlResult;
 use memory::MemorySink;
 
+#[cfg(feature = "sink-sns")]
+use sns::SnsSink;
+
 use crate::types::TriggeredEvent;
 
 /// Wrapper enum for all supported sink types.
@@ -16,6 +22,10 @@ use crate::types::TriggeredEvent;
 pub enum AnySink {
     /// In-memory sink for testing and development.
     Memory(MemorySink),
+
+    #[cfg(feature = "sink-sns")]
+    /// AWS SNS sink for topic publishing.
+    Sns(SnsSink),
 }
 
 impl Sink for AnySink {
@@ -26,6 +36,9 @@ impl Sink for AnySink {
     async fn publish_events(&self, events: Vec<TriggeredEvent>) -> EtlResult<()> {
         match self {
             AnySink::Memory(sink) => sink.publish_events(events).await,
+
+            #[cfg(feature = "sink-sns")]
+            AnySink::Sns(sink) => sink.publish_events(events).await,
         }
     }
 }

src/sink/mod.rs

@@ -0,0 +1,239 @@
+//! AWS SNS sink for publishing events to an Amazon SNS topic.
+//!
+//! Publishes each event as a JSON message to the configured topic ARN.
+//! The sink uses the AWS SDK for async message delivery.
+//!
+//! # Payload Extensions
+//!
+//! This sink does not require any specific payload extensions. However, you can
+//! use payload extensions to add SNS message attributes:
+//!
+//! ```sql
+//! payload_extensions = '[
+//!   {"key": "message_group_id", "value": "orders"},
+//!   {"key": "subject", "value": "New Order"}
+//! ]'
+//! ```
+
+use aws_sdk_sns::Client;
+use etl::error::EtlResult;
+use serde::{Deserialize, Serialize};
+use std::sync::Arc;
+use tracing::info;
+
+use crate::sink::Sink;
+use crate::types::TriggeredEvent;
+
+/// Configuration for the AWS SNS sink.
+///
+/// This intentionally does not implement [`Serialize`] to avoid accidentally
+/// leaking secrets (AWS credentials, endpoint URLs) in serialized forms.
+#[derive(Clone, Debug, Deserialize)]
+pub struct SnsSinkConfig {
+    /// SNS topic ARN to publish messages to.
+    pub topic_arn: String,
+
+    /// AWS region (e.g., "us-east-1").
+    pub region: String,
+
+    /// Optional custom endpoint URL for LocalStack testing.
+    #[serde(default)]
+    pub endpoint_url: Option<String>,
+
+    /// Optional AWS access key ID (uses default credentials chain if not set).
+    #[serde(default)]
+    pub access_key_id: Option<String>,
+
+    /// Optional AWS secret access key (uses default credentials chain if not set).
+    #[serde(default)]
+    pub secret_access_key: Option<String>,
+}
+
+/// Configuration for the AWS SNS sink without sensitive data.
+///
+/// Safe to serialize and log. Use this for debugging and metrics.
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct SnsSinkConfigWithoutSecrets {
+    /// SNS topic ARN to publish messages to.
+    pub topic_arn: String,
+
+    /// AWS region.
+    pub region: String,
+
+    /// Whether a custom endpoint is configured.
+    pub has_custom_endpoint: bool,
+
+    /// Whether explicit credentials are configured.
+    pub has_explicit_credentials: bool,
+}
+
+impl From<SnsSinkConfig> for SnsSinkConfigWithoutSecrets {
+    fn from(config: SnsSinkConfig) -> Self {
+        Self {
+            topic_arn: config.topic_arn,
+            region: config.region,
+            has_custom_endpoint: config.endpoint_url.is_some(),
+            has_explicit_credentials: config.access_key_id.is_some(),
+        }
+    }
+}
+
+impl From<&SnsSinkConfig> for SnsSinkConfigWithoutSecrets {
+    fn from(config: &SnsSinkConfig) -> Self {
+        Self {
+            topic_arn: config.topic_arn.clone(),
+            region: config.region.clone(),
+            has_custom_endpoint: config.endpoint_url.is_some(),
+            has_explicit_credentials: config.access_key_id.is_some(),
+        }
+    }
+}
+
+/// Sink that publishes events to an AWS SNS topic.
+///
+/// Each event is serialized as JSON and published to the configured topic.
+/// The sink uses the AWS SDK with automatic retry handling.
+#[derive(Clone)]
+pub struct SnsSink {
+    /// AWS SNS client.
+    client: Arc<Client>,
+
+    /// Topic ARN to publish messages to.
+    topic_arn: String,
+}
+
+impl SnsSink {
+    /// Creates a new SNS sink from configuration.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the AWS client cannot be configured.
+    pub async fn new(
+        config: SnsSinkConfig,
+    ) -> Result<Self, Box<dyn std::error::Error + Send + Sync>> {
+        let region = aws_sdk_sns::config::Region::new(config.region);
+
+        let mut sdk_config_loader = aws_config::defaults(aws_config::BehaviorVersion::latest())
+            .region(region);
+
+        // Configure custom endpoint if provided (for LocalStack).
+        if let Some(endpoint) = &config.endpoint_url {
+            sdk_config_loader = sdk_config_loader.endpoint_url(endpoint);
+        }
+
+        // Configure explicit credentials if provided.
+        if let (Some(access_key), Some(secret_key)) =
+            (&config.access_key_id, &config.secret_access_key)
+        {
+            sdk_config_loader = sdk_config_loader.credentials_provider(
+                aws_sdk_sns::config::Credentials::new(
+                    access_key.clone(),
+                    secret_key.clone(),
+                    None,
+                    None,
+                    "pgstream",
+                ),
+            );
+        }
+
+        let sdk_config = sdk_config_loader.load().await;
+        let client = Client::new(&sdk_config);
+
+        Ok(Self {
+            client: Arc::new(client),
+            topic_arn: config.topic_arn,
+        })
+    }
+}
+
+impl Sink for SnsSink {
+    fn name() -> &'static str {
+        "sns"
+    }
+
+    async fn publish_events(&self, events: Vec<TriggeredEvent>) -> EtlResult<()> {
+        if events.is_empty() {
+            return Ok(());
+        }
+
+        info!(
+            "publishing {} events to SNS topic '{}'",
+            events.len(),
+            self.topic_arn
+        );
+
+        for event in &events {
+            // Build JSON object manually since TriggeredEvent doesn't implement Serialize.
+            let mut json_obj = serde_json::json!({
+                "id": event.id.id,
+                "created_at": event.id.created_at.to_rfc3339_opts(chrono::SecondsFormat::Millis, true),
+                "payload": event.payload,
+                "stream_id": format!("{:?}", event.stream_id),
+            });
+
+            // Add optional fields.
+            if let Some(ref metadata) = event.metadata {
+                json_obj["metadata"] = metadata.clone();
+            }
+            if let Some(lsn) = event.lsn {
+                json_obj["lsn"] = serde_json::json!(lsn.to_string());
+            }
+
+            let message = serde_json::to_string(&json_obj).map_err(|e| {
+                etl::etl_error!(
+                    etl::error::ErrorKind::InvalidData,
+                    "Failed to serialize event to JSON",
+                    e.to_string()
+                )
+            })?;
+
+            // Publish message to SNS topic.
+            self.client
+                .publish()
+                .topic_arn(&self.topic_arn)
+                .message(&message)
+                .send()
+                .await
+                .map_err(|e| {
+                    etl::etl_error!(
+                        etl::error::ErrorKind::InvalidData,
+                        "Failed to publish message to SNS",
+                        e.to_string()
+                    )
+                })?;
+        }
+
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_sink_name() {
+        assert_eq!(SnsSink::name(), "sns");
+    }
+
+    #[test]
+    fn test_config_without_secrets() {
+        let config = SnsSinkConfig {
+            topic_arn: "arn:aws:sns:us-east-1:123456789:my-topic".to_string(),
+            region: "us-east-1".to_string(),
+            endpoint_url: Some("http://localhost:4566".to_string()),
+            access_key_id: Some("AKIAIOSFODNN7EXAMPLE".to_string()),
+            secret_access_key: Some("secret".to_string()),
+        };
+
+        let without_secrets: SnsSinkConfigWithoutSecrets = (&config).into();
+
+        assert_eq!(
+            without_secrets.topic_arn,
+            "arn:aws:sns:us-east-1:123456789:my-topic"
+        );
+        assert_eq!(without_secrets.region, "us-east-1");
+        assert!(without_secrets.has_custom_endpoint);
+        assert!(without_secrets.has_explicit_credentials);
+    }
+}