diff --git a/CHANGELOG.md b/CHANGELOG.md
index 135cd3b..8393157 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -71,3 +71,5 @@
 * 0.2.3 -- 2022-03-28
  - code 0.2.2 fixes for json.loads and API limits (#20, #22)
+* 0.2.4 -- 2022-03-28
+ - add code to enable sqs
diff --git a/README.md b/README.md
index 93e1627..5d82a6f 100644
--- a/README.md
+++ b/README.md
@@ -116,11 +116,18 @@ No modules.
 | [aws_lambda_permission.allow_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_sns_topic.topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_policy.topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
+| [aws_sns_topic_subscription.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sqs_queue.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue.queue_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue_policy.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| [aws_sqs_queue_policy.queue_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy.lambda_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.queue_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.queue_sqs_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
@@ -134,7 +141,7 @@ No modules.
 | [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
 | [dynamodb\_table\_name](#input\_dynamodb\_table\_name) | Different DynamoDB table name to override default of var.name | `string` | `null` | no |
 | [enable\_sns](#input\_enable\_sns) | Enable use of SNS for reporting errors | `bool` | `false` | no |
-| [enable\_sqs](#input\_enable\_sqs) | Enable use of SQS for SNS to send errors | `bool` | `false` | no |
+| [enable\_sqs](#input\_enable\_sqs) | Enable use of SQS for SNS to send errors. Requires the use of enable\_sns as well | `bool` | `false` | no |
 | [lambda\_environment\_variables](#input\_lambda\_environment\_variables) | Map of lambda environment variables and values | `map(string)` |
{
"DNS_RR_TimeToLive": 60,
"DynamoDBName": null,
"HeritageIdentifier": "dynr53",
"HeritageTXTRecordPrefix": "_txt",
"MaxApiRetry": 10,
"SleepTime": 60,
"SnsEnable": false,
"SnsTopicArn": "",
"TagKeyCname": "boc:dns:cname",
"TagKeyHostName": "boc:dns:name",
"TagKeyZone": "boc:dns:zone"
} | no |
| [lambda\_environment\_variables\_override](#input\_lambda\_environment\_variables\_override) | Map of lambda environment variables and values to override from the defaults | `map(string)` | `{}` | no |
| [lambda\_name](#input\_lambda\_name) | Different Lambda name to override default of var.name | `string` | `null` | no |
diff --git a/sqs.tf b/sqs.tf
index e69de29..8f18e3d 100644
--- a/sqs.tf
+++ b/sqs.tf
@@ -0,0 +1,120 @@
+locals {
+ sqs_name = var.sqs_queue_name != null ? var.sqs_queue_name : local.name
+ enable_sqs = var.enable_sns && var.enable_sqs
+}
+
+resource "aws_sqs_queue" "queue_deadletter" {
+ count = var.create && local.enable_sqs ? 1 : 0
+ # delay=0 retention=4d max=256k visibility=1h
+ name = format("%v-deadletter", local.sqs_name)
+ delay_seconds = 0
+ max_message_size = 262144
+ message_retention_seconds = 345600
+ receive_wait_time_seconds = 15
+ visibility_timeout_seconds = 3600
+
+ kms_master_key_id = "alias/aws/sqs"
+ kms_data_key_reuse_period_seconds = 300
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ { "Name" = format("%v-deadletter", local.sqs_name) },
+ )
+
+ lifecycle {
+ ignore_changes = [tags["boc:tf_module_version"]]
+ }
+}
+
+resource "aws_sqs_queue_policy" "queue_deadletter" {
+ count = var.create && local.enable_sqs ? 1 : 0
+ queue_url = aws_sqs_queue.queue_deadletter[0].id
+ policy = data.aws_iam_policy_document.queue_sqs_deadletter[0].json
+}
+
+data "aws_iam_policy_document" "queue_sqs_deadletter" {
+ count = var.create && local.enable_sqs ? 1 : 0
+ statement {
+ sid = "AllowSQSReceiveMessage"
+ effect = "Allow"
+ actions = ["SQS:ReceiveMessage"]
+ resources = [aws_sqs_queue.queue_deadletter[0].arn]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [aws_sqs_queue.queue[0].arn]
+ }
+ }
+}
+
+resource "aws_sqs_queue" "queue" {
+ count = var.create && local.enable_sqs ? 1 : 0
+ # delay=0 retention=7d max=256k visibity=2h
+ name = local.sqs_name
+ delay_seconds = 0
+ max_message_size = 262144
+ message_retention_seconds = 604800
+ receive_wait_time_seconds = 0
+ visibility_timeout_seconds = 600
+
+ redrive_policy = <