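# Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

###########################
# SQS Resources & modules #
###########################

# Partition of the current credentials ("aws", "aws-us-gov", "aws-cn"), used so the
# S3 source ARN below is not hard-coded to the commercial partition.
data "aws_partition" "current" {}

# Primary queue. Encrypted with the caller-supplied KMS key; messages that are
# received once without being deleted are moved to the DLQ (maxReceiveCount = 1).
resource "aws_sqs_queue" "sqs_queue" {
  name                       = var.sqs_queue_name
  visibility_timeout_seconds = var.visibility_timeout_seconds
  kms_master_key_id          = var.kms_key_arn

  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.dlq.arn
    maxReceiveCount     = 1
  })
}

# Dead-letter queue, encrypted with the same key as the primary queue.
resource "aws_sqs_queue" "dlq" {
  name                       = join("_", [var.sqs_queue_name, "dlq"])
  visibility_timeout_seconds = var.visibility_timeout_seconds
  kms_master_key_id          = var.kms_key_arn
}

# Resource policy of the primary queue: account principals + S3 notifications,
# plus the explicit non-TLS deny.
resource "aws_sqs_queue_policy" "sqs_queue_policy" {
  queue_url = aws_sqs_queue.sqs_queue.id
  policy    = data.aws_iam_policy_document.sqs_policy.json
}

data "aws_iam_policy_document" "sqs_policy" {
  source_policy_documents = [
    data.aws_iam_policy_document.allow_principal.json,
    data.aws_iam_policy_document.allow_s3.json,
    data.aws_iam_policy_document.deny_insecure_transport.json
  ]
}

# Explicit Deny of any SQS action over a non-TLS connection, on both queues.
# The `aws:SecureTransport = true` condition on the Allow statements alone does not
# enforce TLS: same-account principals can still be authorized by their identity
# policies without matching those statements. Only an explicit Deny is unconditional.
data "aws_iam_policy_document" "deny_insecure_transport" {
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    actions = ["sqs:*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    resources = [
      aws_sqs_queue.sqs_queue.arn,
      aws_sqs_queue.dlq.arn
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

# Allow principals of the owning account (root principal => delegated to IAM in
# that account) the basic produce/consume actions on the primary queue over TLS.
data "aws_iam_policy_document" "allow_principal" {
  statement {
    actions = [
      "sqs:SendMessage",
      "sqs:ReceiveMessage",
      "sqs:GetQueueAttributes",
      "sqs:DeleteMessage"
    ]

    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.current.account_id]
    }

    resources = [
      aws_sqs_queue.sqs_queue.arn
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["true"]
    }
  }
}

# Allow the S3 service to publish event notifications for local.bucket_name only.
# Both aws:SourceArn and aws:SourceAccount are pinned to guard against the
# confused-deputy case where another bucket (or account) targets this queue.
data "aws_iam_policy_document" "allow_s3" {
  statement {
    actions = [
      "sqs:SendMessage",
    ]

    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }

    resources = [
      aws_sqs_queue.sqs_queue.arn
    ]

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:${data.aws_partition.current.partition}:s3:*:*:${local.bucket_name}"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["true"]
    }
  }
}

# Allow principals of the owning account to send to the DLQ over TLS.
data "aws_iam_policy_document" "dlq_allow_principal" {
  statement {
    actions = [
      "sqs:SendMessage",
    ]

    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.current.account_id]
    }

    resources = [
      aws_sqs_queue.dlq.arn
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["true"]
    }
  }
}

# Combined DLQ policy: the account Allow plus the shared non-TLS Deny.
data "aws_iam_policy_document" "dlq_policy" {
  source_policy_documents = [
    data.aws_iam_policy_document.dlq_allow_principal.json,
    data.aws_iam_policy_document.deny_insecure_transport.json
  ]
}

resource "aws_sqs_queue_policy" "dlq_queue_policy" {
  queue_url = aws_sqs_queue.dlq.id
  policy    = data.aws_iam_policy_document.dlq_policy.json
}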