how to tie bucket names down to resources created calling a module


The below code works when I create the resources, but I would like to tie each SQS queue created to a different S3 bucket. For example, I want CloudTrail_SQS_Management_Event/CloudTrail_DLQ_Management_Event to use a bucket called "management_sqs_bucket" and CloudTrail_SQS_Data_Event/CloudTrail_DLQ_Data_Event to use a bucket called "data_sqs_bucket", and for the bucket names to be reflected accordingly in the queue policies.

SQS/variables.tf
variable "sqs_queue_name" {
  # Name given to the primary (non-dead-letter) queue this module creates.
  type        = string
  description = "The name of different SQS to be created"
}

variable "dead_queue_name" {
  # Name given to the dead-letter queue that the primary queue redrives into.
  type        = string
  description = "The name of different Dead Queues to be created"
}

variable "max_receive_count" {
  # Used as maxReceiveCount in the primary queue's redrive policy (main.tf):
  # how many receives a message may have before it is moved to the DLQ.
  type = number
}
SQS/iam.tf
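data "aws_iam_policy_document" "policy_document" {
  # Identity-policy document granting consumer access to the primary queue.
  # NOTE(review): nothing shown on this page attaches this document (via its
  # json attribute) to a role or policy, so it has no effect until referenced.
  statement {
    actions = [
      "sqs:DeleteMessage",
      "sqs:GetQueueUrl",
      "sqs:ReceiveMessage",
      "sqs:SendMessage",
      "sqs:SetQueueAttributes"
    ]
    effect = "Allow"
    # aws_sqs_queue.sqs is a single instance (no count/for_each in main.tf).
    # values() expects a map and returns attribute values, not queues, so the
    # original values(aws_sqs_queue.sqs)[*].arn does not evaluate; reference
    # the ARN directly instead.
    resources = [aws_sqs_queue.sqs.arn]
  }
} # the data block was left unclosed in the original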
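resource "aws_sqs_queue_policy" "Cloudtrail_SQS_Policy" {
  # Resource policy that lets S3 event notifications from the configured
  # bucket deliver to the primary queue.
  # The queue is declared as aws_sqs_queue.sqs in main.tf; the original
  # referenced aws_sqs_queue.CloudTrail_SQS, which this module does not define.
  queue_url = aws_sqs_queue.sqs.id

  # var.cloudtrail_event_log_bucket_name is not declared in the variables.tf
  # shown above; it must be declared there and passed in by the caller.
  # Least privilege: S3 only needs sqs:SendMessage from the S3 service
  # principal. The original granted "sqs:*" to Principal "*" (still gated by
  # aws:SourceArn), which is far broader than the bucket requires.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "sqspolicy",
  "Statement": [
    {
      "Sid": "AllowSQSInvocation",
      "Effect": "Allow",
      "Principal": {"Service": "s3.amazonaws.com"},
      "Action": "sqs:SendMessage",
      "Resource": "${aws_sqs_queue.sqs.arn}",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:s3:::${var.cloudtrail_event_log_bucket_name}"
        }
      }
    }
  ]
}
POLICY
}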

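resource "aws_sqs_queue_policy" "CloudTrail_SQS_DLQ" {
  # Resource policy on the dead-letter queue.
  # The DLQ is declared as aws_sqs_queue.dlq in main.tf; the original
  # referenced aws_sqs_queue.CloudTrail_SQS_DLQ, which this module does not
  # define.
  # NOTE(review): the DLQ is fed by the redrive policy on aws_sqs_queue.sqs;
  # this S3 grant presumably only matters if the bucket also notifies the DLQ
  # directly — confirm that is intended.
  queue_url = aws_sqs_queue.dlq.id

  # Same least-privilege narrowing as the primary queue policy: S3 service
  # principal and sqs:SendMessage only, instead of Principal "*" / "sqs:*".
  # NOTE(review): the Sid contains a space; some AWS services accept only
  # alphanumeric Sids — verify it is accepted before relying on it.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "sqspolicy",
  "Statement": [
    {
      "Sid": "DLQ Policy",
      "Effect": "Allow",
      "Principal": {"Service": "s3.amazonaws.com"},
      "Action": "sqs:SendMessage",
      "Resource": "${aws_sqs_queue.dlq.arn}",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:s3:::${var.cloudtrail_event_log_bucket_name}"
        }
      }
    }
  ]
}
POLICY
}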

SQS/main.tf
resource "aws_sqs_queue" "sqs" {
  # Primary queue. A message received more than var.max_receive_count times
  # without being deleted is moved to the dead-letter queue declared below.
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.dlq.arn
    maxReceiveCount     = var.max_receive_count
  })

  name = var.sqs_queue_name
}

resource "aws_sqs_queue" "dlq" {
  # Dead-letter target referenced by the redrive policy of aws_sqs_queue.sqs.
  name = var.dead_queue_name
}
SQS/output.tf
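output "sqs_queue_id" {
  # aws_sqs_queue.sqs is a single instance, so values(...)[*].id does not
  # evaluate (values() expects a map); expose the id attribute directly.
  value       = aws_sqs_queue.sqs.id
  description = "The URL for the created Amazon SQS queue."
}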

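output "sqs_queue_arn" {
  # Same fix as sqs_queue_id: a single instance has no values() to splat over.
  value       = aws_sqs_queue.sqs.arn
  description = "The ARN of the SQS queue."
}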
variable.tf
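variable "queue_names" {
  description = "One entry per queue/DLQ pair to create through the SQS module."
  # Declaring the element shape makes a missing or misspelled key fail at
  # plan time in the root module instead of inside the module call.
  type = list(object({
    sqs_name = string
    dlq_name = string
  }))
  default = [
    {
      sqs_name = "CloudTrail_SQS_Management_Event"
      dlq_name = "CloudTrail_DLQ_Management_Event"
    },
    {
      sqs_name = "CloudTrail_SQS_Data_Event"
      dlq_name = "CloudTrail_DLQ_Data_Event"
    }
  ]
}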
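module "sqs_queue" {
  source = "../SQS"

  # Key each instance by its queue name rather than by list position: the
  # original `for sqs, dlq in var.queue_names` iterates a list, so `sqs` is
  # the index and instances are addressed as "0"/"1", which would be renamed
  # (and recreated) if the list were reordered. Existing state keyed by index
  # must be moved with `terraform state mv` after this change.
  for_each = {
    for q in var.queue_names : q.sqs_name => q
  }

  sqs_queue_name  = each.value.sqs_name
  dead_queue_name = each.value.dlq_name
  # Not declared in the variable.tf shown above; it must exist in the root
  # module for this call to plan.
  max_receive_count = var.max_receive_count
}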

CodePudding user response:

From what I understand, this is what you want to do:

variables.tf:

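variable "queue_names" {
  description = "One entry per queue/DLQ pair, with the S3 bucket allowed to publish to it."
  # Declaring the element shape makes a missing bucket_name fail at plan time
  # instead of rendering an empty bucket ARN into the queue policy.
  type = list(object({
    sqs_name    = string
    dlq_name    = string
    bucket_name = string
  }))
  default = [
    {
      sqs_name    = "CloudTrail_SQS_Management_Event"
      dlq_name    = "CloudTrail_DLQ_Management_Event"
      bucket_name = "management_sqs_bucket"
    },
    {
      sqs_name    = "CloudTrail_SQS_Data_Event"
      dlq_name    = "CloudTrail_DLQ_Data_Event"
      bucket_name = "data_sqs_bucket"
    }
  ]
}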

main.tf:

module "my_sqs" {
  source = "./my_sqs"

  # One module instance per entry in var.queue_names, addressed by queue name.
  for_each = { for q in var.queue_names : q.sqs_name => q }

  # The bucket name flows into the module's queue policies as aws:SourceArn.
  cloudtrail_event_log_bucket_name = each.value.bucket_name
  sqs_queue_name                   = each.value.sqs_name
  dead_queue_name                  = each.value.dlq_name
  max_receive_count                = 4
}

Also, I see some code duplication in aws_sqs_queue_policy because you have both the SQS queue and the DLQ. This can be refactored to something like this:

iam.tf:

data "aws_iam_policy_document" "policy_document" {
  # Consumer-side permissions on the primary queue. Nothing on this page
  # attaches this document to a role or policy.
  statement {
    effect = "Allow"
    actions = [
      "sqs:DeleteMessage",
      "sqs:GetQueueUrl",
      "sqs:ReceiveMessage",
      "sqs:SendMessage",
      "sqs:SetQueueAttributes"
    ]
    # aws_sqs_queue.sqs is a single instance; the splat in the original wraps
    # it in a one-element list, which is spelled out explicitly here.
    resources = [aws_sqs_queue.sqs.arn]
  }
}

locals {
  # Both queues this module manages, in the order the policy resource indexes
  # them: 0 = primary queue, 1 = dead-letter queue.
  queue_data = [
    for q in [aws_sqs_queue.sqs, aws_sqs_queue.dlq] : {
      id  = q.id
      arn = q.arn
    }
  ]
}

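resource "aws_sqs_queue_policy" "sqs_policy" {
  # One policy per entry in local.queue_data (0 = primary queue, 1 = DLQ).
  # The original used length(aws_sqs_queue.sqs[*]), which is 1 for a single
  # instance, so the DLQ entry was never given a policy.
  # This can be achieved with for_each similar to what we have in main.tf, but I did not want to complicate it
  count = length(local.queue_data)

  queue_url = local.queue_data[count.index].id

  # Least privilege: S3 event notifications need only sqs:SendMessage from the
  # S3 service principal. The original granted "sqs:*" to Principal "*" (gated
  # only by aws:SourceArn), which is far broader than the bucket requires.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "sqspolicy",
  "Statement": [
    {
      "Sid": "AllowSQSInvocation",
      "Effect": "Allow",
      "Principal": {"Service": "s3.amazonaws.com"},
      "Action": "sqs:SendMessage",
      "Resource": "${local.queue_data[count.index].arn}",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:s3:::${var.cloudtrail_event_log_bucket_name}"
        }
      }
    }
  ]
}
POLICY
}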