sqs_fair_queueing/module_sqs_fair_queueing/lambda.tf

locals {
  # By default, We allow lambda to run 5 seconds less than the visibility timeout, unless
  # the visiblity timeout is > 300 (5 minutes)
  lambda_timeout = (var.source_sqs.visibility_timeout_seconds > 300 ? 300 : (var.source_sqs.visibility_timeout_seconds - 5))
}

resource "aws_lambda_event_source_mapping" "sqs_fair_queue" {
  event_source_arn                   = var.source_sqs.arn
  function_name                      = aws_lambda_function.sqs_fair_queue.arn
  batch_size                         = 100
  maximum_batching_window_in_seconds = 30 # How long to wait to gather a batch, max: 300
}

# To install prereqs:
#   pip install --target ./scripts jsonpath-ng
data "archive_file" "sqs_fair_queue" {
  type        = "zip"
  source_dir  = "${path.module}/scripts/"
  output_path = "${path.module}/tmp/sqs_fair_queue.zip"
}


resource "aws_lambda_function" "sqs_fair_queue" {
  filename      = data.archive_file.sqs_fair_queue.output_path
  function_name = "sqs_fair_queue_${var.sqs_prefix}"
  role          = aws_iam_role.sqs_fair_queue.arn
  handler       = "sqs_fair_queue.lambda_handler"
  timeout       = local.lambda_timeout
  # NOTE: If it can't handle the batch in the time alloted, there is a chance for duplicates.

  source_code_hash = data.archive_file.sqs_fair_queue.output_base64sha256

  runtime = "python3.9"

  environment {
    variables = {
      #"SOURCE_SQS_ARN" = var.source_sqs.arn # Not needed?
      "SOURCE_SQS_URL" = var.source_sqs.url
      "SQS_PREFIX"     = var.sqs_prefix
      "NUM_QUEUES"     = var.num_queues
      "HASH_JSONPATH"  = var.hash_jsonpath
      "DEBUG"          = var.debug
      "BOTODEBUG"      = var.botodebug
    }
  }

  # tfsec recommends tracing as a best practice
  tracing_config {
    mode = "Active"
  }

  tags = var.tags
}

resource "aws_lambda_permission" "sqs_fair_queue" {
  statement_id  = "AllowExecutionFromSQS"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.sqs_fair_queue.function_name
  principal     = "sqs.amazonaws.com"
  source_arn    = var.source_sqs.arn
}

data "aws_iam_policy_document" "sqs_fair_queue" {
  statement {
    sid       = "SQSIngest"
    effect    = "Allow"
    resources = [var.source_sqs.arn]
    # tfsec:ignore:aws-iam-no-policy-wildcards Wildcards are fine and useful
    actions = ["sqs:*"] # TODO: Nail down
    # Probably:
    #   "sqs:ReceiveMessage",
    #   "sqs:SendMessage",
    #   "sqs:GetQueueAttributes"
    #   "sqs:GetQueueUrl"
  }

  statement {
    sid       = "SQSPut"
    effect    = "Allow"
    resources = tolist(aws_sqs_queue.queue[*].arn)
    # tfsec:ignore:aws-iam-no-policy-wildcards Wildcards are fine and useful
    actions = ["sqs:*"] # TODO: Nail down
  }
}

resource "aws_iam_policy" "sqs_fair_queue" {
  name        = "sqs_fair_queue_${var.sqs_prefix}"
  path        = "/sqs_fair_queue/"
  description = "SQS Fair Queueing Lambda Policy"
  policy      = data.aws_iam_policy_document.sqs_fair_queue.json
  tags        = var.tags
}

data "aws_iam_policy_document" "lambda_trust" {
  statement {
    sid     = ""
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "sqs_fair_queue" {
  name               = "sqs_fair_queue_${var.sqs_prefix}"
  path               = "/sqs_fair_queue/"
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
  tags               = var.tags
}

resource "aws_iam_role_policy_attachment" "sqs_fair_queue" {
  role       = aws_iam_role.sqs_fair_queue.name
  policy_arn = aws_iam_policy.sqs_fair_queue.arn
}

resource "aws_iam_role_policy_attachment" "aws_managed_lambda" {
  role       = aws_iam_role.sqs_fair_queue.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}