Adding SNS topic allow to SQS policy

HamiltonHord · HamiltonHord · commit fcc7abeab68d · 2024-01-31T14:28:25.000-08:00
diff --git a/autotagging.tf b/autotagging.tf
@@ -17,7 +17,7 @@ resource "aws_lambda_function" "auto_tagging" {
 
   environment {
     variables = {
-      UNWRAP_SNS_ENVELOPE     = var.sns_topic_arn == "" ? false : true
+      UNWRAP_SNS_ENVELOPE = var.sns_topic_arn == "" ? false : true
     }
   }
 
@@ -37,7 +37,7 @@ resource "aws_sqs_queue" "auto_tagging" {
   count = var.enable_auto_tagging == true ? 1 : 0
 
   name                       = "${var.sqs_queue_name}-auto_tagging"
-  policy                     = data.aws_iam_policy_document.auto_tagging_sqs[0].json
+  policy                     = var.sns_topic_arn == "" ? data.aws_iam_policy_document.auto_tagging_sqs[0].json : data.aws_iam_policy_document.auto_tagging_sns[0].json
   visibility_timeout_seconds = var.sqs_visibility_timeout_seconds
   delay_seconds              = var.sqs_delay_seconds
 
@@ -98,6 +98,26 @@ data "aws_iam_policy_document" "auto_tagging_sqs" {
   }
 }
 
+data "aws_iam_policy_document" "auto_tagging_sns" {
+  count = var.sns_topic_arn == "" ? 0 : 1
+
+  statement {
+    effect = "Allow"
+    principals {
+      type        = ""
+      identifiers = [""]
+    }
+    actions   = ["sqs:SendMessage"]
+    resources = ["arn:aws:sqs:*:*:${var.sqs_queue_name}-auto_tagging", ]
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [var.sns_topic_arn]
+    }
+  }
+
+}
+
 data "aws_iam_policy_document" "auto_tagging_sqs_dl" {
   count = var.enable_auto_tagging == true ? 1 : 0
 
diff --git a/main.tf b/main.tf
@@ -170,7 +170,7 @@ resource "aws_lambda_event_source_mapping" "this_lambda_events" {
 resource "aws_sqs_queue" "this_sqs" {
   count                      = local.enable_group_events ? 0 : 1
   name                       = var.sqs_queue_name
-  policy                     = data.aws_iam_policy_document.this_sqs_queue_policy_data.json
+  policy                     = var.sns_topic_arn == "" ? data.aws_iam_policy_document.this_sqs_queue_policy_data.json : data.aws_iam_policy_document.this_sns_to_sqs[0].json
   visibility_timeout_seconds = var.sqs_visibility_timeout_seconds
   delay_seconds              = var.sqs_delay_seconds
   redrive_policy = jsonencode({
@@ -312,6 +312,27 @@ data "aws_iam_policy_document" "this_sqs_queue_policy_data" {
   }
 }
 
+data "aws_iam_policy_document" "this_sns_to_sqs" {
+  count = var.sns_topic_arn == "" ? 0 : 1
+
+  statement {
+    effect = "Allow"
+    principals {
+      type        = ""
+      identifiers = [""]
+    }
+    actions   = ["sqs:SendMessage"]
+    resources = local.enable_group_events ? ["arn:aws:sqs:*:*:${var.sqs_group_queue_name}", "arn:aws:sqs:*:*:${var.sqs_fifo_queue_name}.fifo"] : ["arn:aws:sqs:*:*:${var.sqs_queue_name}"]
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [var.sns_topic_arn]
+    }
+  }
+
+}
+
+
 data "aws_iam_policy_document" "this_dead_letter_queue_policy" {
   statement {
     sid    = "DLQSendMessages"
