From f49fe2b35a38ee66abc6315462ee08ebbeec9f8b Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Tue, 3 Jan 2023 09:33:50 -0500
Subject: [PATCH] feat!: Add support for creating an associated dead-letter queue and queue policies (#46)
Co-authored-by: Anton Babenko
Resolves undefined
---
 README.md | 217 +++++++++++++++++++----
 UPGRADE-4.0.md | 140 +++++++++++++++
 examples/README.md | 8 +
 examples/complete/README.md | 101 +++++++++--
 examples/complete/main.tf | 172 +++++++++++++-----
 examples/complete/outputs.tf | 324 +++++++++++++++++++++++++++++++++-
 examples/complete/versions.tf | 4 +-
 main.tf | 235 +++++++++++++++++++++---
 outputs.tf | 45 ++++-
 variables.tf | 224 ++++++++++++++++++-----
 versions.tf | 4 +-
 wrappers/main.tf | 58 ++++--
 12 files changed, 1338 insertions(+), 194 deletions(-)
 create mode 100644 UPGRADE-4.0.md
 create mode 100644 examples/README.md
diff --git a/README.md b/README.md
index c62c22d..de4d43f 100644
--- a/README.md
+++ b/README.md
@@ -2,17 +2,132 @@ Terraform module which creates SQS resources on AWS. +[![SWUbanner](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-direct.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md) + ## Usage +### FIFO Queue + +```hcl +module "sqs" { + source = "terraform-aws-modules/sqs/aws" + + name = "fifo" + + fifo_queue = true + + tags = { + Environment = "dev" + } +} +``` + +### Queue Encrypted w/ Customer Managed KMS Key + +```hcl +module "sqs" { + source = "terraform-aws-modules/sqs/aws" + + name = "cmk" + + kms_master_key_id = "0d1ba9e8-9421-498a-9c8a-01e9772b2924" + kms_data_key_reuse_period_seconds = 3600 + + tags = { + Environment = "dev" + } +} +``` + +### Queue w/ Dead Letter Queue + ```hcl -module "user_queue" { +module "sqs" { source = "terraform-aws-modules/sqs/aws" - version = "~> 2.0" - name = "user" + name = "example" + + create_dlq = true + redrive_policy = { + # default is 5 for this module + maxReceiveCount = 10 + } + + tags = { + Environment = "dev" + } +} +``` + +### Subscribe Queue to SNS Topic + +```hcl +module "sns" { + source = "terraform-aws-modules/sns/aws" + version = ">= 5.0" + + name = "pub-sub" + + topic_policy_statements = { + sqs = { + sid = "SQSSubscribe" + actions = [ + "sns:Subscribe", + "sns:Receive", + ] + + principals = [{ + type = "AWS" + identifiers = ["*"] + }] + + conditions = [{ + test = "StringLike" + variable = "sns:Endpoint" + values = [module.sqs.queue_arn] + }] + } + } + + subscriptions = { + sqs = { + protocol = "sqs" + endpoint = module.sqs.queue_arn + } + } + + tags = { + Environment = "dev" + } +} + +module "sqs" { + source = "terraform-aws-modules/sqs/aws" + + name = "pub-sub" + + create_queue_policy = true + queue_policy_statements = { + sns = { + sid = "SNSPublish" + actions = ["sqs:SendMessage"] + + principals = [ + { + type = "Service" + identifiers = ["sns.amazonaws.com"] + } + ] + + condition = { + test = "ArnEquals" + variable = "aws:SourceArn" + 
values = [module.sns.topic_arn] + } + } + } tags = { - Service = "user" Environment = "dev" } } @@ -20,19 +135,28 @@ module "user_queue" { ## Examples -- [SQS queues with server-side encryption (SSE) using KMS and without SSE](https://github.com/terraform-aws-modules/terraform-aws-sqs/tree/master/examples/complete) +- [Complete](https://github.com/terraform-aws-modules/terraform-aws-sqs/tree/master/examples/complete) -## Conditional creation +## Conditional Creation -Sometimes you need to have a way to create SQS queue conditionally but Terraform does not allow to use `count` inside `module` block, so the solution is to specify argument `create`. +The following values are provided to toggle on/off creation of the associated resources as desired: ```hcl -# This SQS queue will not be created -module "user_queue" { +module "sqs" { source = "terraform-aws-modules/sqs/aws" - version = "~> 2.0" + # Disable creation of all resources create = false + + # Enable creation of queue policy + create_queue_policy = true + + # Enable creation of dead letter queue + create_dlq = true + + # Enable creation of dead letter queue policy + create_dlq_queue_policy = true + # ... omitted } ``` @@ -42,14 +166,14 @@ module "user_queue" { | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.63 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.36 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.63 | +| [aws](#provider\_aws) | >= 4.36 | ## Modules 
@@ -59,40 +183,73 @@ No modules. | Name | Type | |------|------| +| [aws_sqs_queue.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | | [aws_sqs_queue.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | -| [aws_arn.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_sqs_queue_policy.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_redrive_allow_policy.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_redrive_allow_policy) | resource | +| [aws_sqs_queue_redrive_allow_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_redrive_allow_policy) | resource | +| [aws_sqs_queue_redrive_policy.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_redrive_policy) | resource | +| [aws_sqs_queue_redrive_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_redrive_policy) | resource | +| [aws_iam_policy_document.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [content\_based\_deduplication](#input\_content\_based\_deduplication) | Enables content-based deduplication for FIFO queues | `bool` | `false` | no | +| [content\_based\_deduplication](#input\_content\_based\_deduplication) | Enables 
content-based deduplication for FIFO queues | `bool` | `null` | no | | [create](#input\_create) | Whether to create SQS queue | `bool` | `true` | no | +| [create\_dlq](#input\_create\_dlq) | Determines whether to create SQS dead letter queue | `bool` | `false` | no | +| [create\_dlq\_queue\_policy](#input\_create\_dlq\_queue\_policy) | Whether to create SQS queue policy | `bool` | `false` | no | +| [create\_queue\_policy](#input\_create\_queue\_policy) | Whether to create SQS queue policy | `bool` | `false` | no | | [deduplication\_scope](#input\_deduplication\_scope) | Specifies whether message deduplication occurs at the message group or queue level | `string` | `null` | no | -| [delay\_seconds](#input\_delay\_seconds) | The time in seconds that the delivery of all messages in the queue will be delayed. An integer from 0 to 900 (15 minutes) | `number` | `0` | no | +| [delay\_seconds](#input\_delay\_seconds) | The time in seconds that the delivery of all messages in the queue will be delayed. An integer from 0 to 900 (15 minutes) | `number` | `null` | no | +| [dlq\_content\_based\_deduplication](#input\_dlq\_content\_based\_deduplication) | Enables content-based deduplication for FIFO queues | `bool` | `null` | no | +| [dlq\_deduplication\_scope](#input\_dlq\_deduplication\_scope) | Specifies whether message deduplication occurs at the message group or queue level | `string` | `null` | no | +| [dlq\_delay\_seconds](#input\_dlq\_delay\_seconds) | The time in seconds that the delivery of all messages in the queue will be delayed. An integer from 0 to 900 (15 minutes) | `number` | `null` | no | +| [dlq\_kms\_data\_key\_reuse\_period\_seconds](#input\_dlq\_kms\_data\_key\_reuse\_period\_seconds) | The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. 
An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours) | `number` | `null` | no | +| [dlq\_kms\_master\_key\_id](#input\_dlq\_kms\_master\_key\_id) | The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK | `string` | `null` | no | +| [dlq\_message\_retention\_seconds](#input\_dlq\_message\_retention\_seconds) | The number of seconds Amazon SQS retains a message. Integer representing seconds, from 60 (1 minute) to 1209600 (14 days) | `number` | `null` | no | +| [dlq\_name](#input\_dlq\_name) | This is the human-readable name of the queue. If omitted, Terraform will assign a random name | `string` | `null` | no | +| [dlq\_queue\_policy\_statements](#input\_dlq\_queue\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no | +| [dlq\_receive\_wait\_time\_seconds](#input\_dlq\_receive\_wait\_time\_seconds) | The time for which a ReceiveMessage call will wait for a message to arrive (long polling) before returning. An integer from 0 to 20 (seconds) | `number` | `null` | no | +| [dlq\_redrive\_allow\_policy](#input\_dlq\_redrive\_allow\_policy) | The JSON policy to set up the Dead Letter Queue redrive permission, see AWS docs. | `any` | `{}` | no | +| [dlq\_sqs\_managed\_sse\_enabled](#input\_dlq\_sqs\_managed\_sse\_enabled) | Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys | `bool` | `true` | no | +| [dlq\_tags](#input\_dlq\_tags) | A mapping of additional tags to assign to the dead letter queue | `map(string)` | `{}` | no | +| [dlq\_visibility\_timeout\_seconds](#input\_dlq\_visibility\_timeout\_seconds) | The visibility timeout for the queue. 
An integer from 0 to 43200 (12 hours) | `number` | `null` | no | | [fifo\_queue](#input\_fifo\_queue) | Boolean designating a FIFO queue | `bool` | `false` | no | | [fifo\_throughput\_limit](#input\_fifo\_throughput\_limit) | Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group | `string` | `null` | no | -| [kms\_data\_key\_reuse\_period\_seconds](#input\_kms\_data\_key\_reuse\_period\_seconds) | The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours) | `number` | `300` | no | +| [kms\_data\_key\_reuse\_period\_seconds](#input\_kms\_data\_key\_reuse\_period\_seconds) | The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours) | `number` | `null` | no | | [kms\_master\_key\_id](#input\_kms\_master\_key\_id) | The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK | `string` | `null` | no | -| [max\_message\_size](#input\_max\_message\_size) | The limit of how many bytes a message can contain before Amazon SQS rejects it. An integer from 1024 bytes (1 KiB) up to 262144 bytes (256 KiB) | `number` | `262144` | no | -| [message\_retention\_seconds](#input\_message\_retention\_seconds) | The number of seconds Amazon SQS retains a message. Integer representing seconds, from 60 (1 minute) to 1209600 (14 days) | `number` | `345600` | no | -| [name](#input\_name) | This is the human-readable name of the queue. If omitted, Terraform will assign a random name. | `string` | `null` | no | -| [name\_prefix](#input\_name\_prefix) | A unique name beginning with the specified prefix. 
| `string` | `null` | no | -| [policy](#input\_policy) | The JSON policy for the SQS queue | `string` | `""` | no | -| [receive\_wait\_time\_seconds](#input\_receive\_wait\_time\_seconds) | The time for which a ReceiveMessage call will wait for a message to arrive (long polling) before returning. An integer from 0 to 20 (seconds) | `number` | `0` | no | -| [redrive\_allow\_policy](#input\_redrive\_allow\_policy) | The JSON policy to set up the Dead Letter Queue redrive permission, see AWS docs. | `string` | `""` | no | -| [redrive\_policy](#input\_redrive\_policy) | The JSON policy to set up the Dead Letter Queue, see AWS docs. Note: when specifying maxReceiveCount, you must specify it as an integer (5), and not a string ("5") | `string` | `""` | no | -| [sqs\_managed\_sse\_enabled](#input\_sqs\_managed\_sse\_enabled) | Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys | `bool` | `false` | no | +| [max\_message\_size](#input\_max\_message\_size) | The limit of how many bytes a message can contain before Amazon SQS rejects it. An integer from 1024 bytes (1 KiB) up to 262144 bytes (256 KiB) | `number` | `null` | no | +| [message\_retention\_seconds](#input\_message\_retention\_seconds) | The number of seconds Amazon SQS retains a message. Integer representing seconds, from 60 (1 minute) to 1209600 (14 days) | `number` | `null` | no | +| [name](#input\_name) | This is the human-readable name of the queue. If omitted, Terraform will assign a random name | `string` | `null` | no | +| [override\_dlq\_queue\_policy\_documents](#input\_override\_dlq\_queue\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. 
In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no | +| [override\_queue\_policy\_documents](#input\_override\_queue\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no | +| [queue\_policy\_statements](#input\_queue\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no | +| [receive\_wait\_time\_seconds](#input\_receive\_wait\_time\_seconds) | The time for which a ReceiveMessage call will wait for a message to arrive (long polling) before returning. An integer from 0 to 20 (seconds) | `number` | `null` | no | +| [redrive\_allow\_policy](#input\_redrive\_allow\_policy) | The JSON policy to set up the Dead Letter Queue redrive permission, see AWS docs. | `any` | `{}` | no | +| [redrive\_policy](#input\_redrive\_policy) | The JSON policy to set up the Dead Letter Queue, see AWS docs. Note: when specifying maxReceiveCount, you must specify it as an integer (5), and not a string ("5") | `any` | `{}` | no | +| [source\_dlq\_queue\_policy\_documents](#input\_source\_dlq\_queue\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no | +| [source\_queue\_policy\_documents](#input\_source\_queue\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. 
Statements must have unique `sid`s | `list(string)` | `[]` | no | +| [sqs\_managed\_sse\_enabled](#input\_sqs\_managed\_sse\_enabled) | Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys | `bool` | `true` | no | | [tags](#input\_tags) | A mapping of tags to assign to all resources | `map(string)` | `{}` | no | -| [visibility\_timeout\_seconds](#input\_visibility\_timeout\_seconds) | The visibility timeout for the queue. An integer from 0 to 43200 (12 hours) | `number` | `30` | no | +| [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether `name` is used as a prefix | `bool` | `false` | no | +| [visibility\_timeout\_seconds](#input\_visibility\_timeout\_seconds) | The visibility timeout for the queue. An integer from 0 to 43200 (12 hours) | `number` | `null` | no | ## Outputs | Name | Description | |------|-------------| -| [sqs\_queue\_arn](#output\_sqs\_queue\_arn) | The ARN of the SQS queue | -| [sqs\_queue\_id](#output\_sqs\_queue\_id) | The URL for the created Amazon SQS queue | -| [sqs\_queue\_name](#output\_sqs\_queue\_name) | The name of the SQS queue | +| [dead\_letter\_queue\_arn](#output\_dead\_letter\_queue\_arn) | The ARN of the SQS queue | +| [dead\_letter\_queue\_id](#output\_dead\_letter\_queue\_id) | The URL for the created Amazon SQS queue | +| [dead\_letter\_queue\_name](#output\_dead\_letter\_queue\_name) | The name of the SQS queue | +| [dead\_letter\_queue\_url](#output\_dead\_letter\_queue\_url) | Same as `dead_letter_queue_id`: The URL for the created Amazon SQS queue | +| [queue\_arn](#output\_queue\_arn) | The ARN of the SQS queue | +| [queue\_id](#output\_queue\_id) | The URL for the created Amazon SQS queue | +| [queue\_name](#output\_queue\_name) | The name of the SQS queue | +| [queue\_url](#output\_queue\_url) | Same as `queue_id`: The URL for the created Amazon SQS queue | ## Authors diff --git a/UPGRADE-4.0.md b/UPGRADE-4.0.md new file mode 100644 index 0000000..2359ad9 
--- /dev/null
+++ b/UPGRADE-4.0.md
@@ -0,0 +1,140 @@ +# Upgrade from v3.x to v4.x + +If you have any questions regarding this upgrade process, please consult the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-sns/tree/master/examples/complete) directory: + +If you find a bug, please open an issue with supporting configuration to reproduce. + +## List of backwards incompatible changes + +- `var.redrive_policy`, and `var.redrive_allow_policy` data types have changed from `string` to `any` which is a map of values. The conversion from a map to a jsonencoded string is now handled by the module +- `var.name_prefix` has been replaced with `var.use_name_prefix` which is a boolean that will use `var.name` as a prefix +- `var.policy` has been removed; users can create a policy via the queue policy or dead-letter queue policy which by default uses the associated queue ARN as the `resource` (avoids the chicken vs the egg scenario) + +## Additional changes + +### Added + +- When creating a FIFO queue, the `.fifo` postfix will now be automatically added to the queue name +- Added support for creating: + - Queue policy + - Dead letter queue + - Dead letter queue policy +- Redrive and redrive allow policies have been converted to their separate resources to avoid lifecycle conflicts; now you can create both the source queue and dead-letter queue in the same `terraform apply` without conflict +- The queue data source previously used to extract the queue name has been replaced since this is natively supported in the current AWS provider queue resource + +### Modified + +- `visibility_timeout_seconds` default value has been changed from `30` to `null` +- `message_retention_seconds` default value has been changed from `345600` to `null` +- `max_message_size` default value has been changed from `262144` to `null` +- `delay_seconds` default value has been changed from `0` to `null` +- `receive_wait_time_seconds` default value has been changed from `0` to `null` +- `content_based_deduplication` 
default value has been changed from `false` to `null` +- `sqs_managed_sse_enabled` default value has been changed from `false` to `true` (matches current default behavior but value is needed for internal logic evaluation) +- `kms_data_key_reuse_period_seconds` default value has been changed from `300` to `null` + +### Variable and output changes + +1. Removed variables: + + - `name_prefix` has been replaced with `use_name_prefix` which is a boolean that will use `name` as a prefix + - `policy` has been removed; users can create a policy via the queue policy or dead-letter queue policy which by default uses the associated queue ARN as the `resource` (avoids the chicken vs the egg scenario) + +2. Renamed variables: + + - None + +3. Added variables: + + - `use_name_prefix` + - `create_queue_policy` + - `source_queue_policy_documents` + - `override_queue_policy_documents` + - `queue_policy_statements` + - `create_dlq` + - `dlq_content_based_deduplication` + - `dlq_deduplication_scope` + - `dlq_delay_seconds` + - `dlq_kms_data_key_reuse_period_seconds` + - `dlq_kms_master_key_id` + - `dlq_message_retention_seconds` + - `dlq_name` + - `dlq_receive_wait_time_seconds` + - `dlq_redrive_allow_policy` + - `dlq_sqs_managed_sse_enabled` + - `dlq_visibility_timeout_seconds` + - `dlq_tags` + - `create_dlq_queue_policy` + - `source_dlq_queue_policy_documents` + - `override_dlq_queue_policy_documents` + - `dlq_queue_policy_statements` + +4. Removed outputs: + + - None + +5. Renamed outputs: + + - All output names have had the `sqs_` prefix removed + +6. Added outputs: + + - `queue_url` + - `dead_letter_queue_id` + - `dead_letter_queue_arn` + - `dead_letter_queue_url` + - `dead_letter_queue_name` + +## Upgrade Migrations + +Note: Only the affected attributes are shown below for brevity. 
+ +### Before 3.x Example + +```hcl +module "sqs" { + source = "terraform-aws-modules/sqs/aws" + version = "~> 3.0" + + name_prefix = "example-" + + redrive_policy = jsonencoded({ + redrivePermission = "byQueue", + sourceQueueArns = [aws_sqs_queue.example.arn] + }) + redrive_allow_policy = jsonencoded({ + deadLetterTargetArn = aws_sqs_queue.example.arn + maxReceiveCount = 4 + }) + + policy = "..." +} +``` + +### After 4.x Example + +```hcl +module "sqs" { + source = "terraform-aws-modules/sns/aws" + version = "~> 4.0" + + name = "example" + use_name_prefix = true + + redrive_policy = { + redrivePermission = "byQueue", + sourceQueueArns = [aws_sqs_queue.example.arn] + } + redrive_allow_policy = { + deadLetterTargetArn = aws_sqs_queue.example.arn + maxReceiveCount = 4 + } + + # Can be used to utilize v3.x `var.policy` value without modification + # source_queue_policy_documents = ["..."] +} +``` + +### State Changes + +No state changes required. diff --git a/examples/README.md b/examples/README.md new file mode 100644 index 0000000..f417c0a --- /dev/null +++ b/examples/README.md @@ -0,0 +1,8 @@ +# Examples + +Please note - the examples provided serve two primary means: + +1. Show users working examples of the various ways in which the module can be configured and features supported +2. A means of testing/validating module changes + +Please do not mistake the examples provided as "best practices". It is up to users to consult the AWS service documentation for best practices, usage recommendations, etc. diff --git a/examples/complete/README.md b/examples/complete/README.md index e617da6..ca621a1 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -1,6 +1,14 @@ -# Complete SQS queues example - -Configuration in this directory creates 2 SQS queues - with server-side encryption (SSE) using specified KMS key and without SSE. +# Complete SQS Queue Example + +Configuration in this directory creates: +- Queue using module default settings +- FIFO (first-in, first-out) queue +- Unencrypted queue (encryption disabled) +- Queue encrypted with customer managed KMS key +- Queue encrypted with default SQS SSE (server-side encryption) w/ separate dead-letter queue + - Dead letter queue created in separate module definition +- Queue with dead-letter queue created in the same module defintion w/ queue policies for both the source queue and dead-letter queue +- Disabled queue (no resources created) ## Usage 
@@ -19,30 +27,33 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.63 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.36 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.63 | +| [aws](#provider\_aws) | >= 4.36 | ## Modules | Name | Source | Version | |------|--------|---------| -| [sqs\_dlq\_allow\_redrive\_policy](#module\_sqs\_dlq\_allow\_redrive\_policy) | ../../ | n/a | -| [users\_encrypted](#module\_users\_encrypted) | ../../ | n/a | -| [users\_encrypted\_with\_sse](#module\_users\_encrypted\_with\_sse) | ../../ | n/a | -| [users\_unencrypted](#module\_users\_unencrypted) | ../../ | n/a | +| [cmk\_encrypted\_sqs](#module\_cmk\_encrypted\_sqs) | ../../ | n/a | +| [default\_sqs](#module\_default\_sqs) | ../../ | n/a | +| [disabled\_sqs](#module\_disabled\_sqs) | ../../ | n/a | +| [fifo\_sqs](#module\_fifo\_sqs) | ../../ | n/a | +| [sqs\_with\_dlq](#module\_sqs\_with\_dlq) | ../../ | n/a | +| [sse\_encrypted\_dlq\_sqs](#module\_sse\_encrypted\_dlq\_sqs) | ../../ | n/a | +| [sse\_encrypted\_sqs](#module\_sse\_encrypted\_sqs) | ../../ | n/a | +| [unencrypted\_sqs](#module\_unencrypted\_sqs) | ../../ | n/a | ## Resources | Name | Type | |------|------| | [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_sqs_queue_policy.users_unencrypted_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | ## Inputs 
@@ -53,8 +64,68 @@ No inputs. | Name | Description | |------|-------------| -| [users\_encrypted\_sqs\_queue\_arn](#output\_users\_encrypted\_sqs\_queue\_arn) | The ARN of the SQS queue | -| [users\_encrypted\_sqs\_queue\_id](#output\_users\_encrypted\_sqs\_queue\_id) | The URL for the created Amazon SQS queue | -| [users\_unencrypted\_sqs\_queue\_arn](#output\_users\_unencrypted\_sqs\_queue\_arn) | The ARN of the SQS queue | -| [users\_unencrypted\_sqs\_queue\_id](#output\_users\_unencrypted\_sqs\_queue\_id) | The URL for the created Amazon SQS queue | +| [cmk\_encrypted\_sqs\_dlq\_arn](#output\_cmk\_encrypted\_sqs\_dlq\_arn) | The ARN of the SQS queue | +| [cmk\_encrypted\_sqs\_dlq\_id](#output\_cmk\_encrypted\_sqs\_dlq\_id) | The URL for the created Amazon SQS queue | +| [cmk\_encrypted\_sqs\_dlq\_name](#output\_cmk\_encrypted\_sqs\_dlq\_name) | The name of the SQS queue | +| [cmk\_encrypted\_sqs\_dlq\_url](#output\_cmk\_encrypted\_sqs\_dlq\_url) | Same as `dead_letter_queue_id`: The URL for the created Amazon SQS queue | +| [cmk\_encrypted\_sqs\_queue\_arn](#output\_cmk\_encrypted\_sqs\_queue\_arn) | The ARN of the SQS queue | +| [cmk\_encrypted\_sqs\_queue\_id](#output\_cmk\_encrypted\_sqs\_queue\_id) | The URL for the created Amazon SQS queue | +| [cmk\_encrypted\_sqs\_queue\_name](#output\_cmk\_encrypted\_sqs\_queue\_name) | The name of the SQS queue | +| [cmk\_encrypted\_sqs\_queue\_url](#output\_cmk\_encrypted\_sqs\_queue\_url) | Same as `queue_id`: The URL for the created Amazon SQS queue | +| [default\_sqs\_dlq\_arn](#output\_default\_sqs\_dlq\_arn) | The ARN of the SQS queue | +| [default\_sqs\_dlq\_id](#output\_default\_sqs\_dlq\_id) | The URL for the created Amazon SQS queue | +| [default\_sqs\_dlq\_name](#output\_default\_sqs\_dlq\_name) | The name of the SQS queue | +| [default\_sqs\_dlq\_url](#output\_default\_sqs\_dlq\_url) | Same as `dead_letter_queue_id`: The URL for the created Amazon SQS queue | +| 
[default\_sqs\_queue\_arn](#output\_default\_sqs\_queue\_arn) | The ARN of the SQS queue | +| [default\_sqs\_queue\_id](#output\_default\_sqs\_queue\_id) | The URL for the created Amazon SQS queue | +| [default\_sqs\_queue\_name](#output\_default\_sqs\_queue\_name) | The name of the SQS queue | +| [default\_sqs\_queue\_url](#output\_default\_sqs\_queue\_url) | Same as `queue_id`: The URL for the created Amazon SQS queue | +| [disabled\_sqs\_dlq\_arn](#output\_disabled\_sqs\_dlq\_arn) | The ARN of the SQS queue | +| [disabled\_sqs\_dlq\_id](#output\_disabled\_sqs\_dlq\_id) | The URL for the created Amazon SQS queue | +| [disabled\_sqs\_dlq\_name](#output\_disabled\_sqs\_dlq\_name) | The name of the SQS queue | +| [disabled\_sqs\_dlq\_url](#output\_disabled\_sqs\_dlq\_url) | Same as `dead_letter_queue_id`: The URL for the created Amazon SQS queue | +| [disabled\_sqs\_queue\_arn](#output\_disabled\_sqs\_queue\_arn) | The ARN of the SQS queue | +| [disabled\_sqs\_queue\_id](#output\_disabled\_sqs\_queue\_id) | The URL for the created Amazon SQS queue | +| [disabled\_sqs\_queue\_name](#output\_disabled\_sqs\_queue\_name) | The name of the SQS queue | +| [disabled\_sqs\_queue\_url](#output\_disabled\_sqs\_queue\_url) | Same as `queue_id`: The URL for the created Amazon SQS queue | +| [fifo\_sqs\_dlq\_arn](#output\_fifo\_sqs\_dlq\_arn) | The ARN of the SQS queue | +| [fifo\_sqs\_dlq\_id](#output\_fifo\_sqs\_dlq\_id) | The URL for the created Amazon SQS queue | +| [fifo\_sqs\_dlq\_name](#output\_fifo\_sqs\_dlq\_name) | The name of the SQS queue | +| [fifo\_sqs\_dlq\_url](#output\_fifo\_sqs\_dlq\_url) | Same as `dead_letter_queue_id`: The URL for the created Amazon SQS queue | +| [fifo\_sqs\_queue\_arn](#output\_fifo\_sqs\_queue\_arn) | The ARN of the SQS queue | +| [fifo\_sqs\_queue\_id](#output\_fifo\_sqs\_queue\_id) | The URL for the created Amazon SQS queue | +| [fifo\_sqs\_queue\_name](#output\_fifo\_sqs\_queue\_name) | The name of the SQS queue | +| 
[fifo\_sqs\_queue\_url](#output\_fifo\_sqs\_queue\_url) | Same as `queue_id`: The URL for the created Amazon SQS queue | +| [sqs\_with\_dlq\_dlq\_arn](#output\_sqs\_with\_dlq\_dlq\_arn) | The ARN of the SQS queue | +| [sqs\_with\_dlq\_dlq\_id](#output\_sqs\_with\_dlq\_dlq\_id) | The URL for the created Amazon SQS queue | +| [sqs\_with\_dlq\_dlq\_name](#output\_sqs\_with\_dlq\_dlq\_name) | The name of the SQS queue | +| [sqs\_with\_dlq\_dlq\_url](#output\_sqs\_with\_dlq\_dlq\_url) | Same as `dead_letter_queue_id`: The URL for the created Amazon SQS queue | +| [sqs\_with\_dlq\_queue\_arn](#output\_sqs\_with\_dlq\_queue\_arn) | The ARN of the SQS queue | +| [sqs\_with\_dlq\_queue\_id](#output\_sqs\_with\_dlq\_queue\_id) | The URL for the created Amazon SQS queue | +| [sqs\_with\_dlq\_queue\_name](#output\_sqs\_with\_dlq\_queue\_name) | The name of the SQS queue | +| [sqs\_with\_dlq\_queue\_url](#output\_sqs\_with\_dlq\_queue\_url) | Same as `queue_id`: The URL for the created Amazon SQS queue | +| [sse\_encrypted\_dlq\_sqs\_dlq\_arn](#output\_sse\_encrypted\_dlq\_sqs\_dlq\_arn) | The ARN of the SQS queue | +| [sse\_encrypted\_dlq\_sqs\_dlq\_id](#output\_sse\_encrypted\_dlq\_sqs\_dlq\_id) | The URL for the created Amazon SQS queue | +| [sse\_encrypted\_dlq\_sqs\_dlq\_name](#output\_sse\_encrypted\_dlq\_sqs\_dlq\_name) | The name of the SQS queue | +| [sse\_encrypted\_dlq\_sqs\_dlq\_url](#output\_sse\_encrypted\_dlq\_sqs\_dlq\_url) | Same as `dead_letter_queue_id`: The URL for the created Amazon SQS queue | +| [sse\_encrypted\_dlq\_sqs\_queue\_arn](#output\_sse\_encrypted\_dlq\_sqs\_queue\_arn) | The ARN of the SQS queue | +| [sse\_encrypted\_dlq\_sqs\_queue\_id](#output\_sse\_encrypted\_dlq\_sqs\_queue\_id) | The URL for the created Amazon SQS queue | +| [sse\_encrypted\_dlq\_sqs\_queue\_name](#output\_sse\_encrypted\_dlq\_sqs\_queue\_name) | The name of the SQS queue | +| [sse\_encrypted\_dlq\_sqs\_queue\_url](#output\_sse\_encrypted\_dlq\_sqs\_queue\_url) | Same as 
`queue_id`: The URL for the created Amazon SQS queue | +| [sse\_encrypted\_sqs\_dlq\_arn](#output\_sse\_encrypted\_sqs\_dlq\_arn) | The ARN of the SQS queue | +| [sse\_encrypted\_sqs\_dlq\_id](#output\_sse\_encrypted\_sqs\_dlq\_id) | The URL for the created Amazon SQS queue | +| [sse\_encrypted\_sqs\_dlq\_name](#output\_sse\_encrypted\_sqs\_dlq\_name) | The name of the SQS queue | +| [sse\_encrypted\_sqs\_dlq\_url](#output\_sse\_encrypted\_sqs\_dlq\_url) | Same as `dead_letter_queue_id`: The URL for the created Amazon SQS queue | +| [sse\_encrypted\_sqs\_queue\_arn](#output\_sse\_encrypted\_sqs\_queue\_arn) | The ARN of the SQS queue | +| [sse\_encrypted\_sqs\_queue\_id](#output\_sse\_encrypted\_sqs\_queue\_id) | The URL for the created Amazon SQS queue | +| [sse\_encrypted\_sqs\_queue\_name](#output\_sse\_encrypted\_sqs\_queue\_name) | The name of the SQS queue | +| [sse\_encrypted\_sqs\_queue\_url](#output\_sse\_encrypted\_sqs\_queue\_url) | Same as `queue_id`: The URL for the created Amazon SQS queue | +| [unencrypted\_sqs\_dlq\_arn](#output\_unencrypted\_sqs\_dlq\_arn) | The ARN of the SQS queue | +| [unencrypted\_sqs\_dlq\_id](#output\_unencrypted\_sqs\_dlq\_id) | The URL for the created Amazon SQS queue | +| [unencrypted\_sqs\_dlq\_name](#output\_unencrypted\_sqs\_dlq\_name) | The name of the SQS queue | +| [unencrypted\_sqs\_dlq\_url](#output\_unencrypted\_sqs\_dlq\_url) | Same as `dead_letter_queue_id`: The URL for the created Amazon SQS queue | +| [unencrypted\_sqs\_queue\_arn](#output\_unencrypted\_sqs\_queue\_arn) | The ARN of the SQS queue | +| [unencrypted\_sqs\_queue\_id](#output\_unencrypted\_sqs\_queue\_id) | The URL for the created Amazon SQS queue | +| [unencrypted\_sqs\_queue\_name](#output\_unencrypted\_sqs\_queue\_name) | The name of the SQS queue | +| [unencrypted\_sqs\_queue\_url](#output\_unencrypted\_sqs\_queue\_url) | Same as `queue_id`: The URL for the created Amazon SQS queue | 
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 83c4c84..2e38c07 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -1,81 +1,159 @@ provider "aws" { - region = "eu-west-1" + region = local.region } data "aws_caller_identity" "current" {} -resource "aws_kms_key" "this" {} +locals { + name = "ex-${basename(path.cwd)}" + region = "eu-west-1" -module "users_unencrypted" { + tags = { + Name = local.name + Example = "complete" + Repository = "github.com/terraform-aws-modules/terraform-aws-sqs" + } +} + +################################################################################ +# SQS Module +################################################################################ + +module "default_sqs" { source = "../../" - name = "users-unencrypted" + name = "${local.name}-default" - tags = { - Secure = "false" - } + tags = local.tags } -module "users_encrypted" { +module "fifo_sqs" { source = "../../" - name_prefix = "users-encrypted-" + # `.fifo` is automatically appended to the name + # This also means that `use_name_prefix` cannot be used on FIFO queues + name = local.name + fifo_queue = true - kms_master_key_id = aws_kms_key.this.id + tags = local.tags +} - tags = { - Secure = "true" - } +module "unencrypted_sqs" { + source = "../../" + + name = "${local.name}-unencrypted" + sqs_managed_sse_enabled = false + + tags = local.tags } -module "users_encrypted_with_sse" { +module "cmk_encrypted_sqs" { source = "../../" - name_prefix = "users-encrypted-sse-" + name = "${local.name}-cmk" + use_name_prefix = true + + kms_master_key_id = aws_kms_key.this.id + kms_data_key_reuse_period_seconds = 3600 + + tags = local.tags +} + +module "sse_encrypted_sqs" { + source = "../../" + name = "${local.name}-sse" sqs_managed_sse_enabled = true - tags = { - Secure = "true" + # Dead letter queue + redrive_policy = { + deadLetterTargetArn = module.sse_encrypted_dlq_sqs.queue_arn + maxReceiveCount = 10 } -} + tags = local.tags +} -module "sqs_dlq_allow_redrive_policy" { +module "sse_encrypted_dlq_sqs" { source = "../../" - name_prefix = "sqs-dlq-allow-redrive-policy-example" + # This is a separate 
queue used as a dead letter queue for the above example + # instead of the module creating both the queue and dead letter queue together - redrive_allow_policy = jsonencode({ - redrivePermission = "byQueue", - sourceQueueArns = [module.users_encrypted.sqs_queue_arn] - }) + name = "${local.name}-sse-dlq" + sqs_managed_sse_enabled = true - tags = { - Secure = "true" + # Dead letter queue + dlq_redrive_allow_policy = { + sourceQueueArns = [module.sse_encrypted_sqs.queue_arn] } + + tags = local.tags } -resource "aws_sqs_queue_policy" "users_unencrypted_policy" { - queue_url = module.users_unencrypted.sqs_queue_id - - policy = < 0 ? 1 : 0 + + queue_url = aws_sqs_queue.this[0].url + redrive_policy = jsonencode(var.redrive_policy) +} + +resource "aws_sqs_queue_redrive_policy" "dlq" { + count = var.create && var.create_dlq ? 1 : 0 + + queue_url = aws_sqs_queue.this[0].url + redrive_policy = jsonencode( + merge( + { + deadLetterTargetArn = aws_sqs_queue.dlq[0].arn + maxReceiveCount = 5 + }, + var.redrive_policy + ) + ) +} + +################################################################################ +# Dead Letter Queue +################################################################################ + +locals { + inter_dlq_name = try(coalesce(var.dlq_name, "${var.name}-dlq"), "") + dlq_name = var.fifo_queue ? "${trimsuffix(local.inter_dlq_name, ".fifo")}.fifo" : local.inter_dlq_name + + dlq_sqs_managed_sse_enabled = coalesce(var.dlq_sqs_managed_sse_enabled, var.sqs_managed_sse_enabled) +} + +resource "aws_sqs_queue" "dlq" { + count = var.create && var.create_dlq ? 
1 : 0 + + content_based_deduplication = try(coalesce(var.dlq_content_based_deduplication, var.content_based_deduplication), null) + deduplication_scope = try(coalesce(var.dlq_deduplication_scope, var.deduplication_scope), null) + delay_seconds = try(coalesce(var.dlq_delay_seconds, var.delay_seconds), null) + # If source queue is FIFO, DLQ must also be FIFO and vice versa + fifo_queue = var.fifo_queue + fifo_throughput_limit = var.fifo_throughput_limit + kms_data_key_reuse_period_seconds = try(coalesce(var.dlq_kms_data_key_reuse_period_seconds, var.kms_data_key_reuse_period_seconds), null) + kms_master_key_id = local.dlq_sqs_managed_sse_enabled ? null : try(coalesce(var.dlq_kms_master_key_id, var.kms_master_key_id), null) + max_message_size = var.max_message_size + message_retention_seconds = try(coalesce(var.dlq_message_retention_seconds, var.message_retention_seconds), null) + name = var.use_name_prefix ? null : local.dlq_name + name_prefix = var.use_name_prefix ? "${local.dlq_name}-" : null + receive_wait_time_seconds = try(coalesce(var.dlq_receive_wait_time_seconds, var.receive_wait_time_seconds), null) + sqs_managed_sse_enabled = local.dlq_sqs_managed_sse_enabled + visibility_timeout_seconds = try(coalesce(var.dlq_visibility_timeout_seconds, var.visibility_timeout_seconds), null) + + tags = merge(var.tags, var.dlq_tags) +} + +################################################################################ +# Queue Policy +################################################################################ + +data "aws_iam_policy_document" "dlq" { + count = var.create && var.create_dlq && var.create_dlq_queue_policy ? 
1 : 0 + + source_policy_documents = var.source_dlq_queue_policy_documents + override_policy_documents = var.override_dlq_queue_policy_documents + + dynamic "statement" { + for_each = var.dlq_queue_policy_statements + + content { + sid = try(statement.value.sid, null) + actions = try(statement.value.actions, null) + not_actions = try(statement.value.not_actions, null) + effect = try(statement.value.effect, null) + resources = try(statement.value.resources, [aws_sqs_queue.dlq[0].arn]) + not_resources = try(statement.value.not_resources, null) + + dynamic "principals" { + for_each = try(statement.value.principals, []) + + content { + type = principals.value.type + identifiers = principals.value.identifiers + } + } + + dynamic "not_principals" { + for_each = try(statement.value.not_principals, []) + + content { + type = not_principals.value.type + identifiers = not_principals.value.identifiers + } + } + + dynamic "condition" { + for_each = try(statement.value.conditions, []) + + content { + test = condition.value.test + values = condition.value.values + variable = condition.value.variable + } + } + } + } +} + +resource "aws_sqs_queue_policy" "dlq" { + count = var.create && var.create_dlq && var.create_dlq_queue_policy ? 1 : 0 + + queue_url = aws_sqs_queue.dlq[0].url + policy = data.aws_iam_policy_document.dlq[0].json +} + +################################################################################ +# Re-drive Allow Policy +################################################################################ + +resource "aws_sqs_queue_redrive_allow_policy" "this" { + count = var.create && !var.create_dlq && length(var.redrive_allow_policy) > 0 ? 1 : 0 + + queue_url = aws_sqs_queue.this[0].url + redrive_allow_policy = jsonencode(var.redrive_allow_policy) +} - arn = aws_sqs_queue.this[0].arn +resource "aws_sqs_queue_redrive_allow_policy" "dlq" { + count = var.create && var.create_dlq ? 
1 : 0
+ queue_url = aws_sqs_queue.dlq[0].url
+ redrive_allow_policy = jsonencode(merge(
+ {
+ redrivePermission = "byQueue",
+ sourceQueueArns = [aws_sqs_queue.this[0].arn]
+ },
+ var.dlq_redrive_allow_policy)
+ )
 }
diff --git a/outputs.tf b/outputs.tf
index 5c830b7..32a1a5e 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,14 +1,47 @@
-output "sqs_queue_id" {
+################################################################################
+# Queue
+################################################################################
+
+output "queue_id" {
 description = "The URL for the created Amazon SQS queue"
- value = try(aws_sqs_queue.this[0].id, "")
+ value = try(aws_sqs_queue.this[0].id, null)
 }
-output "sqs_queue_arn" {
+output "queue_arn" {
 description = "The ARN of the SQS queue"
- value = try(aws_sqs_queue.this[0].arn, "")
+ value = try(aws_sqs_queue.this[0].arn, null)
+}
+
+output "queue_url" {
+ description = "Same as `queue_id`: The URL for the created Amazon SQS queue"
+ value = try(aws_sqs_queue.this[0].url, null)
+}
+
+output "queue_name" {
+ description = "The name of the SQS queue"
+ value = try(aws_sqs_queue.this[0].name, null)
+}
+
+################################################################################
+# Dead Letter Queue
+################################################################################
+
+output "dead_letter_queue_id" {
+ description = "The URL for the created Amazon SQS queue"
+ value = try(aws_sqs_queue.dlq[0].id, null)
+}
+
+output "dead_letter_queue_arn" {
+ description = "The ARN of the SQS queue"
+ value = try(aws_sqs_queue.dlq[0].arn, null)
+}
+
+output "dead_letter_queue_url" {
+ description = "Same as `dead_letter_queue_id`: The URL for the created Amazon SQS queue"
+ value = try(aws_sqs_queue.dlq[0].url, null)
 }
-output "sqs_queue_name" {
+output "dead_letter_queue_name" {
 description = "The name of the SQS queue"
- value = try(data.aws_arn.this[0].resource, "")
+ value = try(aws_sqs_queue.dlq[0].name, null)
 }
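Review bot: The four new `dead_letter_queue_*` outputs reuse the main queue's descriptions verbatim, so `dead_letter_queue_id` is documented as "The URL for the created Amazon SQS queue" and `dead_letter_queue_arn` as "The ARN of the SQS queue", which makes the generated README table unable to tell the two queues apart. Every one of these outputs also resolves to `null` via `try(aws_sqs_queue.dlq[0]…, null)` when the DLQ is not created, and callers wiring the DLQ ARN into an IAM or redrive policy should be told that up front. Suggested: `description = "The URL for the created Amazon SQS dead letter queue (null when the DLQ is not created)"` and `description = "The ARN of the SQS dead letter queue (null when the DLQ is not created)"`, with the same wording for `dead_letter_queue_url` and `dead_letter_queue_name`.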
diff --git a/variables.tf b/variables.tf
index 27359d4..dd2a69a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -4,110 +4,246 @@ variable "create" { default = true } -variable "name" { - description = "This is the human-readable name of the queue. If omitted, Terraform will assign a random name." - type = string +################################################################################ +# Queue +################################################################################ + +variable "content_based_deduplication" { + description = "Enables content-based deduplication for FIFO queues" + type = bool default = null } -variable "name_prefix" { - description = "A unique name beginning with the specified prefix." +variable "deduplication_scope" { + description = "Specifies whether message deduplication occurs at the message group or queue level" type = string default = null } -variable "visibility_timeout_seconds" { - description = "The visibility timeout for the queue. An integer from 0 to 43200 (12 hours)" +variable "delay_seconds" { + description = "The time in seconds that the delivery of all messages in the queue will be delayed. An integer from 0 to 900 (15 minutes)" type = number - default = 30 + default = null } -variable "message_retention_seconds" { - description = "The number of seconds Amazon SQS retains a message. Integer representing seconds, from 60 (1 minute) to 1209600 (14 days)" +variable "fifo_queue" { + description = "Boolean designating a FIFO queue" + type = bool + default = false +} + +variable "fifo_throughput_limit" { + description = "Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group" + type = string + default = null +} + +variable "kms_data_key_reuse_period_seconds" { + description = "The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. 
An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours)" type = number - default = 345600 + default = null +} + +variable "kms_master_key_id" { + description = "The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK" + type = string + default = null } variable "max_message_size" { description = "The limit of how many bytes a message can contain before Amazon SQS rejects it. An integer from 1024 bytes (1 KiB) up to 262144 bytes (256 KiB)" type = number - default = 262144 + default = null } -variable "delay_seconds" { - description = "The time in seconds that the delivery of all messages in the queue will be delayed. An integer from 0 to 900 (15 minutes)" +variable "message_retention_seconds" { + description = "The number of seconds Amazon SQS retains a message. Integer representing seconds, from 60 (1 minute) to 1209600 (14 days)" type = number - default = 0 + default = null +} + +variable "name" { + description = "This is the human-readable name of the queue. If omitted, Terraform will assign a random name" + type = string + default = null +} + +variable "use_name_prefix" { + description = "Determines whether `name` is used as a prefix" + type = bool + default = false } variable "receive_wait_time_seconds" { description = "The time for which a ReceiveMessage call will wait for a message to arrive (long polling) before returning. An integer from 0 to 20 (seconds)" type = number - default = 0 + default = null } -variable "policy" { - description = "The JSON policy for the SQS queue" - type = string - default = "" +variable "redrive_allow_policy" { + description = "The JSON policy to set up the Dead Letter Queue redrive permission, see AWS docs." + type = any + default = {} } variable "redrive_policy" { description = "The JSON policy to set up the Dead Letter Queue, see AWS docs. 
Note: when specifying maxReceiveCount, you must specify it as an integer (5), and not a string (\"5\")" - type = string - default = "" + type = any + default = {} } -variable "redrive_allow_policy" { - description = "The JSON policy to set up the Dead Letter Queue redrive permission, see AWS docs." - type = string - default = "" +variable "sqs_managed_sse_enabled" { + description = "Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys" + type = bool + default = true } -variable "fifo_queue" { - description = "Boolean designating a FIFO queue" +variable "visibility_timeout_seconds" { + description = "The visibility timeout for the queue. An integer from 0 to 43200 (12 hours)" + type = number + default = null +} + +variable "tags" { + description = "A mapping of tags to assign to all resources" + type = map(string) + default = {} +} + +################################################################################ +# Queue Policy +################################################################################ + +variable "create_queue_policy" { + description = "Whether to create SQS queue policy" type = bool default = false } -variable "content_based_deduplication" { - description = "Enables content-based deduplication for FIFO queues" +variable "source_queue_policy_documents" { + description = "List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s" + type = list(string) + default = [] +} + +variable "override_queue_policy_documents" { + description = "List of IAM policy documents that are merged together into the exported document. 
In merging, statements with non-blank `sid`s will override statements with the same `sid`" + type = list(string) + default = [] +} + +variable "queue_policy_statements" { + description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage" + type = any + default = {} +} + +################################################################################ +# Dead Letter Queue +################################################################################ + +variable "create_dlq" { + description = "Determines whether to create SQS dead letter queue" type = bool default = false } -variable "kms_master_key_id" { - description = "The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK" +variable "dlq_content_based_deduplication" { + description = "Enables content-based deduplication for FIFO queues" + type = bool + default = null +} + +variable "dlq_deduplication_scope" { + description = "Specifies whether message deduplication occurs at the message group or queue level" type = string default = null } -variable "sqs_managed_sse_enabled" { - description = "Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys" - type = bool - default = false +variable "dlq_delay_seconds" { + description = "The time in seconds that the delivery of all messages in the queue will be delayed. An integer from 0 to 900 (15 minutes)" + type = number + default = null } -variable "kms_data_key_reuse_period_seconds" { +variable "dlq_kms_data_key_reuse_period_seconds" { description = "The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. 
An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours)" type = number - default = 300 + default = null } -variable "deduplication_scope" { - description = "Specifies whether message deduplication occurs at the message group or queue level" +variable "dlq_kms_master_key_id" { + description = "The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK" type = string default = null } -variable "fifo_throughput_limit" { - description = "Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group" +variable "dlq_message_retention_seconds" { + description = "The number of seconds Amazon SQS retains a message. Integer representing seconds, from 60 (1 minute) to 1209600 (14 days)" + type = number + default = null +} + +variable "dlq_name" { + description = "This is the human-readable name of the queue. If omitted, Terraform will assign a random name" type = string default = null } -variable "tags" { - description = "A mapping of tags to assign to all resources" +variable "dlq_receive_wait_time_seconds" { + description = "The time for which a ReceiveMessage call will wait for a message to arrive (long polling) before returning. An integer from 0 to 20 (seconds)" + type = number + default = null +} + +variable "dlq_redrive_allow_policy" { + description = "The JSON policy to set up the Dead Letter Queue redrive permission, see AWS docs." + type = any + default = {} +} + +variable "dlq_sqs_managed_sse_enabled" { + description = "Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys" + type = bool + default = true +} + +variable "dlq_visibility_timeout_seconds" { + description = "The visibility timeout for the queue. 
An integer from 0 to 43200 (12 hours)"
+ type = number
+ default = null
+}
+
+variable "dlq_tags" {
+ description = "A mapping of additional tags to assign to the dead letter queue"
 type = map(string)
 default = {}
 }
+
+################################################################################
+# Dead Letter Queue Policy
+################################################################################
+
+variable "create_dlq_queue_policy" {
+ description = "Whether to create SQS queue policy"
+ type = bool
+ default = false
+}
+
+variable "source_dlq_queue_policy_documents" {
+ description = "List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s"
+ type = list(string)
+ default = []
+}
+
+variable "override_dlq_queue_policy_documents" {
+ description = "List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid`"
+ type = list(string)
+ default = []
+}
+
+variable "dlq_queue_policy_statements" {
+ description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
+ type = any
+ default = {}
+}
diff --git a/versions.tf b/versions.tf
index 5a9fd0f..803290c 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,10 +1,10 @@
 terraform {
- required_version = ">= 0.13.1"
+ required_version = ">= 1.0"
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 3.63"
+ version = ">= 4.36"
 }
 }
 }
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 7111675..f6cd2b9 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
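Review bot: `dlq_sqs_managed_sse_enabled` defaults to `true`, which makes the fallback in main.tf's `local.dlq_sqs_managed_sse_enabled = coalesce(var.dlq_sqs_managed_sse_enabled, var.sqs_managed_sse_enabled)` unreachable, and because the DLQ resource sets `kms_master_key_id` to `null` whenever that local is true, a caller who passes `kms_master_key_id` together with `create_dlq = true` silently gets a dead letter queue encrypted with SQS-owned keys instead of their CMK — the messages that failed processing end up under a weaker key than the source queue with no plan-time signal. Changing this variable to `default = null` and `description = "Boolean to enable SSE of the dead letter queue with SQS-owned keys; when null, follows the source queue's setting"` lets the coalesce actually fall through; the main.tf local should then also treat a non-null `dlq_kms_master_key_id`/`kms_master_key_id` as disabling SQS-managed SSE, and I cannot confirm from the partly garbled main.tf hunk whether the source queue already does that. The same `true` default is hard-coded again in wrappers/main.tf and would need to change in step.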
@@ -3,23 +3,43 @@ module "wrapper" { for_each = var.items - create = try(each.value.create, var.defaults.create, true) - name = try(each.value.name, var.defaults.name, null) - name_prefix = try(each.value.name_prefix, var.defaults.name_prefix, null) - visibility_timeout_seconds = try(each.value.visibility_timeout_seconds, var.defaults.visibility_timeout_seconds, 30) - message_retention_seconds = try(each.value.message_retention_seconds, var.defaults.message_retention_seconds, 345600) - max_message_size = try(each.value.max_message_size, var.defaults.max_message_size, 262144) - delay_seconds = try(each.value.delay_seconds, var.defaults.delay_seconds, 0) - receive_wait_time_seconds = try(each.value.receive_wait_time_seconds, var.defaults.receive_wait_time_seconds, 0) - policy = try(each.value.policy, var.defaults.policy, "") - redrive_policy = try(each.value.redrive_policy, var.defaults.redrive_policy, "") - redrive_allow_policy = try(each.value.redrive_allow_policy, var.defaults.redrive_allow_policy, "") - fifo_queue = try(each.value.fifo_queue, var.defaults.fifo_queue, false) - content_based_deduplication = try(each.value.content_based_deduplication, var.defaults.content_based_deduplication, false) - kms_master_key_id = try(each.value.kms_master_key_id, var.defaults.kms_master_key_id, null) - sqs_managed_sse_enabled = try(each.value.sqs_managed_sse_enabled, var.defaults.sqs_managed_sse_enabled, false) - kms_data_key_reuse_period_seconds = try(each.value.kms_data_key_reuse_period_seconds, var.defaults.kms_data_key_reuse_period_seconds, 300) - deduplication_scope = try(each.value.deduplication_scope, var.defaults.deduplication_scope, null) - fifo_throughput_limit = try(each.value.fifo_throughput_limit, var.defaults.fifo_throughput_limit, null) - tags = try(each.value.tags, var.defaults.tags, {}) + create = try(each.value.create, var.defaults.create, true) + content_based_deduplication = try(each.value.content_based_deduplication, 
var.defaults.content_based_deduplication, null) + deduplication_scope = try(each.value.deduplication_scope, var.defaults.deduplication_scope, null) + delay_seconds = try(each.value.delay_seconds, var.defaults.delay_seconds, null) + fifo_queue = try(each.value.fifo_queue, var.defaults.fifo_queue, false) + fifo_throughput_limit = try(each.value.fifo_throughput_limit, var.defaults.fifo_throughput_limit, null) + kms_data_key_reuse_period_seconds = try(each.value.kms_data_key_reuse_period_seconds, var.defaults.kms_data_key_reuse_period_seconds, null) + kms_master_key_id = try(each.value.kms_master_key_id, var.defaults.kms_master_key_id, null) + max_message_size = try(each.value.max_message_size, var.defaults.max_message_size, null) + message_retention_seconds = try(each.value.message_retention_seconds, var.defaults.message_retention_seconds, null) + name = try(each.value.name, var.defaults.name, null) + use_name_prefix = try(each.value.use_name_prefix, var.defaults.use_name_prefix, false) + receive_wait_time_seconds = try(each.value.receive_wait_time_seconds, var.defaults.receive_wait_time_seconds, null) + redrive_allow_policy = try(each.value.redrive_allow_policy, var.defaults.redrive_allow_policy, {}) + redrive_policy = try(each.value.redrive_policy, var.defaults.redrive_policy, {}) + sqs_managed_sse_enabled = try(each.value.sqs_managed_sse_enabled, var.defaults.sqs_managed_sse_enabled, true) + visibility_timeout_seconds = try(each.value.visibility_timeout_seconds, var.defaults.visibility_timeout_seconds, null) + tags = try(each.value.tags, var.defaults.tags, {}) + create_queue_policy = try(each.value.create_queue_policy, var.defaults.create_queue_policy, false) + source_queue_policy_documents = try(each.value.source_queue_policy_documents, var.defaults.source_queue_policy_documents, []) + override_queue_policy_documents = try(each.value.override_queue_policy_documents, var.defaults.override_queue_policy_documents, []) + queue_policy_statements = 
try(each.value.queue_policy_statements, var.defaults.queue_policy_statements, {}) + create_dlq = try(each.value.create_dlq, var.defaults.create_dlq, false) + dlq_content_based_deduplication = try(each.value.dlq_content_based_deduplication, var.defaults.dlq_content_based_deduplication, null) + dlq_deduplication_scope = try(each.value.dlq_deduplication_scope, var.defaults.dlq_deduplication_scope, null) + dlq_delay_seconds = try(each.value.dlq_delay_seconds, var.defaults.dlq_delay_seconds, null) + dlq_kms_data_key_reuse_period_seconds = try(each.value.dlq_kms_data_key_reuse_period_seconds, var.defaults.dlq_kms_data_key_reuse_period_seconds, null) + dlq_kms_master_key_id = try(each.value.dlq_kms_master_key_id, var.defaults.dlq_kms_master_key_id, null) + dlq_message_retention_seconds = try(each.value.dlq_message_retention_seconds, var.defaults.dlq_message_retention_seconds, null) + dlq_name = try(each.value.dlq_name, var.defaults.dlq_name, null) + dlq_receive_wait_time_seconds = try(each.value.dlq_receive_wait_time_seconds, var.defaults.dlq_receive_wait_time_seconds, null) + dlq_redrive_allow_policy = try(each.value.dlq_redrive_allow_policy, var.defaults.dlq_redrive_allow_policy, {}) + dlq_sqs_managed_sse_enabled = try(each.value.dlq_sqs_managed_sse_enabled, var.defaults.dlq_sqs_managed_sse_enabled, true) + dlq_visibility_timeout_seconds = try(each.value.dlq_visibility_timeout_seconds, var.defaults.dlq_visibility_timeout_seconds, null) + dlq_tags = try(each.value.dlq_tags, var.defaults.dlq_tags, {}) + create_dlq_queue_policy = try(each.value.create_dlq_queue_policy, var.defaults.create_dlq_queue_policy, false) + source_dlq_queue_policy_documents = try(each.value.source_dlq_queue_policy_documents, var.defaults.source_dlq_queue_policy_documents, []) + override_dlq_queue_policy_documents = try(each.value.override_dlq_queue_policy_documents, var.defaults.override_dlq_queue_policy_documents, []) + dlq_queue_policy_statements = try(each.value.dlq_queue_policy_statements, 
var.defaults.dlq_queue_policy_statements, {}) }