Merge pull request #24 from terraform-modules/feature-sqs

enable sqs code
terraform-modules · Mar 28, 2022 · dbd4d53 · dbd4d53
2 parents 9b8f0aa + 58e365f
commit dbd4d53
Show file tree

Hide file tree

Showing 5 changed files with 132 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -71,3 +71,5 @@
 * 0.2.3 -- 2022-03-28
   - code 0.2.2 fixes for json.loads and API limits (#20, #22)
 
+* 0.2.4 -- 2022-03-28
+  - add code to enable sqs
diff --git a/README.md b/README.md
@@ -116,11 +116,18 @@ No modules.
 | [aws_lambda_permission.allow_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_sns_topic.topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_policy.topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
+| [aws_sns_topic_subscription.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sqs_queue.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue.queue_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue_policy.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| [aws_sqs_queue_policy.queue_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy.lambda_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.queue_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.queue_sqs_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
@@ -134,7 +141,7 @@ No modules.
 | <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
 | <a name="input_dynamodb_table_name"></a> [dynamodb\_table\_name](#input\_dynamodb\_table\_name) | Different DynamoDB table name to override default of var.name | `string` | `null` | no |
 | <a name="input_enable_sns"></a> [enable\_sns](#input\_enable\_sns) | Enable use of SNS for reporting errors | `bool` | `false` | no |
-| <a name="input_enable_sqs"></a> [enable\_sqs](#input\_enable\_sqs) | Enable use of SQS for SNS to send errors | `bool` | `false` | no |
+| <a name="input_enable_sqs"></a> [enable\_sqs](#input\_enable\_sqs) | Enable use of SQS for SNS to send errors. Requires the use of enable\_sns as well | `bool` | `false` | no |
 | <a name="input_lambda_environment_variables"></a> [lambda\_environment\_variables](#input\_lambda\_environment\_variables) | Map of lambda environment variables and values | `map(string)` | <pre>{<br>  "DNS_RR_TimeToLive": 60,<br>  "DynamoDBName": null,<br>  "HeritageIdentifier": "dynr53",<br>  "HeritageTXTRecordPrefix": "_txt",<br>  "MaxApiRetry": 10,<br>  "SleepTime": 60,<br>  "SnsEnable": false,<br>  "SnsTopicArn": "",<br>  "TagKeyCname": "boc:dns:cname",<br>  "TagKeyHostName": "boc:dns:name",<br>  "TagKeyZone": "boc:dns:zone"<br>}</pre> | no |
 | <a name="input_lambda_environment_variables_override"></a> [lambda\_environment\_variables\_override](#input\_lambda\_environment\_variables\_override) | Map of lambda environment variables and values to override from the defaults | `map(string)` | `{}` | no |
 | <a name="input_lambda_name"></a> [lambda\_name](#input\_lambda\_name) | Different Lambda name to override default of var.name | `string` | `null` | no |

diff --git a/sqs.tf b/sqs.tf
@@ -0,0 +1,120 @@
+locals {
+  sqs_name   = var.sqs_queue_name != null ? var.sqs_queue_name : local.name
+  enable_sqs = var.enable_sns && var.enable_sqs
+}
+
+resource "aws_sqs_queue" "queue_deadletter" {
+  count = var.create && local.enable_sqs ? 1 : 0
+  # delay=0 retention=4d max=256k visibility=1h
+  name                       = format("%v-deadletter", local.sqs_name)
+  delay_seconds              = 0
+  max_message_size           = 262144
+  message_retention_seconds  = 345600
+  receive_wait_time_seconds  = 15
+  visibility_timeout_seconds = 3600
+
+  kms_master_key_id                 = "alias/aws/sqs"
+  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    { "Name" = format("%v-deadletter", local.sqs_name) },
+  )
+
+  lifecycle {
+    ignore_changes = [tags["boc:tf_module_version"]]
+  }
+}
+
+resource "aws_sqs_queue_policy" "queue_deadletter" {
+  count     = var.create && local.enable_sqs ? 1 : 0
+  queue_url = aws_sqs_queue.queue_deadletter[0].id
+  policy    = data.aws_iam_policy_document.queue_sqs_deadletter[0].json
+}
+
+data "aws_iam_policy_document" "queue_sqs_deadletter" {
+  count = var.create && local.enable_sqs ? 1 : 0
+  statement {
+    sid       = "AllowSQSReceiveMessage"
+    effect    = "Allow"
+    actions   = ["SQS:ReceiveMessage"]
+    resources = [aws_sqs_queue.queue_deadletter[0].arn]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_sqs_queue.queue[0].arn]
+    }
+  }
+}
+
+resource "aws_sqs_queue" "queue" {
+  count = var.create && local.enable_sqs ? 1 : 0
+  # delay=0 retention=7d max=256k visibity=2h
+  name                       = local.sqs_name
+  delay_seconds              = 0
+  max_message_size           = 262144
+  message_retention_seconds  = 604800
+  receive_wait_time_seconds  = 0
+  visibility_timeout_seconds = 600
+
+  redrive_policy = <<EOP
+{
+  "deadLetterTargetArn":"${aws_sqs_queue.queue_deadletter[0].arn}",
+  "maxReceiveCount":100
+}
+EOP
+
+  kms_master_key_id                 = "alias/aws/sqs"
+  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    { "Name" = local.sqs_name },
+  )
+
+  lifecycle {
+    ignore_changes = [tags["boc:tf_module_version"]]
+  }
+}
+
+resource "aws_sqs_queue_policy" "queue" {
+  count     = var.create && local.enable_sqs ? 1 : 0
+  queue_url = aws_sqs_queue.queue[0].id
+  policy    = data.aws_iam_policy_document.queue_sqs[0].json
+}
+
+data "aws_iam_policy_document" "queue_sqs" {
+  count = var.create && local.enable_sqs ? 1 : 0
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["SQS:SendMessage"]
+    resources = [aws_sqs_queue.queue[0].arn]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_sns_topic.topic[0].arn]
+    }
+  }
+}
+
+resource "aws_sns_topic_subscription" "queue" {
+  count     = var.create && local.enable_sqs ? 1 : 0
+  protocol  = "sqs"
+  topic_arn = aws_sns_topic.topic[0].arn
+  endpoint  = aws_sqs_queue.queue[0].arn
+}
diff --git a/variables.tf b/variables.tf
@@ -59,7 +59,7 @@ variable "enable_sns" {
 }
 
 variable "enable_sqs" {
-  description = "Enable use of SQS for SNS to send errors"
+  description = "Enable use of SQS for SNS to send errors. Requires the use of enable_sns as well"
   type        = bool
   default     = false
 }
diff --git a/version.tf b/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "0.2.3"
+  _module_version = "0.2.4"
 }