Эхлэл Бүгдийг харах Тусламж
Бүртгүүлэх Нэвтрэх
AFS
/
xdr-terraform-modules
2
0
Салаа 0
Файлууд Асуудлууд 0 Хуулах хүсэлтүүд 0 Мэдлэгийн сан
Мод: 5713a943b8
Салаанууд Тагууд
xdr-terraform-m...
/
base
/
customer_portal_lambda
/
sqs.tf

sqs.tf 2.9 KB
Түүх Анхны өгөгдөл

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788 
  1. 

  2. resource "aws_sqs_queue" "sqs_queue" {
    3. 

  3.   name                              = "portal-scheduler.fifo"
    4. 

  4.   visibility_timeout_seconds        = 900    # wait 15 minutes; this should always be equal or greater than the lambda timeout or we can get duplicate messages
    5. 

  5.   message_retention_seconds         = 604800 # Keep a message in the queue for 7 days
    6. 

  6.   receive_wait_time_seconds         = 0      # how long to wait for a message before returning
    7. 

  7.   redrive_policy                    = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.sqs_queue_dlq.arn}\",\"maxReceiveCount\":1}"
    8. 

  8.   fifo_queue                        = true
    9. 

  9.   content_based_deduplication       = true
    10. 

  10.   deduplication_scope               = "queue"
    11. 

  11.   fifo_throughput_limit             = "perQueue"
    12. 

  12.   tags                              = merge(local.standard_tags, var.tags)
    13. 

  13.   kms_master_key_id                 = aws_kms_key.sqs_key.id
    14. 

  14.   kms_data_key_reuse_period_seconds = 3600
    15. 

  15. }
    16. 

  16. 

  17. # Dead Letter queue
    18. 

  18. resource "aws_sqs_queue" "sqs_queue_dlq" {
    19. 

  19.   name                              = "portal-scheduler-dlq.fifo"
    20. 

  20.   fifo_queue                        = true
    21. 

  21.   tags                              = merge(local.standard_tags, var.tags)
    22. 

  22.   kms_master_key_id                 = aws_kms_key.sqs_key.id
    23. 

  23.   kms_data_key_reuse_period_seconds = 3600
    24. 

  24. }
    25. 

  25. 

  26. data "aws_iam_policy_document" "sqs_policy" {
    27. 

  27.   statement {
    28. 

  28.     effect = "Allow"
    29. 

  29. 

  30.     principals {
    31. 

  31.       identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
    32. 

  32.       type        = "AWS"
    33. 

  33.     }
    34. 

  34. 

  35.     actions = ["SQS:*"]
    36. 

  36. 

  37.     resources = [aws_sqs_queue.sqs_queue.arn]
    38. 

  38. 

  39.   }
    40. 

  40. }
    41. 

  41. 

  42. resource "aws_sqs_queue_policy" "sqs_policy_attach" {
    43. 

  43.   policy    = data.aws_iam_policy_document.sqs_policy.json
    44. 

  44.   queue_url = aws_sqs_queue.sqs_queue.id
    45. 

  45. }
    46. 

  46. 

  47. resource "aws_kms_key" "sqs_key" {
    48. 

  48.   description         = "Encryption of SQS queue for portal-scheduler"
    49. 

  49.   policy              = data.aws_iam_policy_document.sqs_kms_policy.json
    50. 

  50.   enable_key_rotation = true
    51. 

  51. }
    52. 

  52. 

  53. data "aws_iam_policy_document" "sqs_kms_policy" {
    54. 

  54. 	# checkov:skip=CKV_AWS_109: see tfsec aws-iam-no-policy-wildcard ignore comment
    55. 

  55. 	# checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment
    56. 

  56.   statement {
    57. 

  57.     sid    = "AllowServices"
    58. 

  58.     effect = "Allow"
    59. 

  59.     principals {
    60. 

  60.       identifiers = ["cloudwatch.amazonaws.com", "sqs.amazonaws.com", "lambda.amazonaws.com"]
    61. 

  61.       type        = "Service"
    62. 

  62.     }
    63. 

  63.     actions = [
    64. 

  64.       "kms:GenerateDataKey",
    65. 

  65.       "kms:Decrypt"
    66. 

  66.     ]
    67. 

  67.     # tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
    68. 

  68.     resources = ["*"]
    69. 

  69.   }
    70. 

  70.   # allow account to modify/manage key
    71. 

  71.   statement {
    72. 

  72.     sid    = "AllowThisAccount"
    73. 

  73.     effect = "Allow"
    74. 

  74.     principals {
    75. 

  75.       identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
    76. 

  76.       type        = "AWS"
    77. 

  77.     }
    78. 

  78.     actions = [
    79. 

  79.       "kms:*"
    80. 

  80.     ]
    81. 

  81.     resources = ["*"]
    82. 

  82.   }
    83. 

  83. }
    84. 

  84. 

  85. resource "aws_kms_alias" "sqs_key_alias" {
    86. 

  86.   name          = "alias/portal-scheduler-key"
    87. 

  87.   target_key_id = aws_kms_key.sqs_key.key_id
    88. 

  88. }
    89.