| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120 |
- locals {
- # By default, We allow lambda to run 5 seconds less than the visibility timeout, unless
- # the visiblity timeout is > 300 (5 minutes)
- lambda_timeout = (var.source_sqs.visibility_timeout_seconds > 300 ? 300 : (var.source_sqs.visibility_timeout_seconds - 5))
- }
- resource "aws_lambda_event_source_mapping" "sqs_fair_queue" {
- event_source_arn = var.source_sqs.arn
- function_name = aws_lambda_function.sqs_fair_queue.arn
- batch_size = 100
- maximum_batching_window_in_seconds = 30 # How long to wait to gather a batch, max: 300
- }
- # To install prereqs:
- # pip install --target ./scripts jsonpath-ng
- data "archive_file" "sqs_fair_queue" {
- type = "zip"
- source_dir = "${path.module}/scripts/"
- output_path = "${path.module}/tmp/sqs_fair_queue.zip"
- }
- resource "aws_lambda_function" "sqs_fair_queue" {
- filename = data.archive_file.sqs_fair_queue.output_path
- function_name = "sqs_fair_queue_${var.sqs_prefix}"
- role = aws_iam_role.sqs_fair_queue.arn
- handler = "sqs_fair_queue.lambda_handler"
- timeout = local.lambda_timeout
- # NOTE: If it can't handle the batch in the time alloted, there is a chance for duplicates.
- source_code_hash = data.archive_file.sqs_fair_queue.output_base64sha256
- runtime = "python3.9"
- environment {
- variables = {
- #"SOURCE_SQS_ARN" = var.source_sqs.arn # Not needed?
- "SOURCE_SQS_URL" = var.source_sqs.url
- "SQS_PREFIX" = var.sqs_prefix
- "NUM_QUEUES" = var.num_queues
- "HASH_JSONPATH" = var.hash_jsonpath
- }
- }
- # tfsec recommends tracing as a best practice
- tracing_config {
- mode = "Active"
- }
- tags = var.tags
- }
- resource "aws_lambda_permission" "sqs_fair_queue" {
- statement_id = "AllowExecutionFromSQS"
- action = "lambda:InvokeFunction"
- function_name = aws_lambda_function.sqs_fair_queue.function_name
- principal = "sqs.amazonaws.com"
- source_arn = var.source_sqs.arn
- }
- data "aws_iam_policy_document" "sqs_fair_queue" {
- statement {
- sid = "SQSIngest"
- effect = "Allow"
- resources = [var.source_sqs.arn]
- # tfsec:ignore:aws-iam-no-policy-wildcards Wildcards are fine and useful
- actions = ["sqs:*"] # TODO: Nail down
- # Probably:
- # "sqs:ReceiveMessage",
- # "sqs:SendMessage",
- # "sqs:GetQueueAttributes"
- # "sqs:GetQueueUrl"
- }
- statement {
- sid = "SQSPut"
- effect = "Allow"
- resources = tolist(aws_sqs_queue.queue[*].arn)
- # tfsec:ignore:aws-iam-no-policy-wildcards Wildcards are fine and useful
- actions = ["sqs:*"] # TODO: Nail down
- }
- }
- resource "aws_iam_policy" "sqs_fair_queue" {
- name = "sqs_fair_queue_${var.sqs_prefix}"
- path = "/sqs_fair_queue/"
- description = "SQS Fair Queueing Lambda Policy"
- policy = data.aws_iam_policy_document.sqs_fair_queue.json
- tags = var.tags
- }
- data "aws_iam_policy_document" "lambda_trust" {
- statement {
- sid = ""
- effect = "Allow"
- actions = ["sts:AssumeRole"]
- principals {
- type = "Service"
- identifiers = ["lambda.amazonaws.com"]
- }
- }
- }
- resource "aws_iam_role" "sqs_fair_queue" {
- name = "sqs_fair_queue_${var.sqs_prefix}"
- path = "/sqs_fair_queue/"
- assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
- tags = var.tags
- }
- resource "aws_iam_role_policy_attachment" "sqs_fair_queue" {
- role = aws_iam_role.sqs_fair_queue.name
- policy_arn = aws_iam_policy.sqs_fair_queue.arn
- }
- resource "aws_iam_role_policy_attachment" "aws_managed_lambda" {
- role = aws_iam_role.sqs_fair_queue.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
- }
|
