feat: Creating SNS/SQS policies should be optional (terraform-aws-modules#54)

Author: bmurphey

README.md

@@ -84,14 +84,14 @@ module "s3_bucket" {
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.6, < 0.14 |
-| aws | >= 3.0, < 4.0 |
+| terraform | >= 0.12.6 |
+| aws | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 3.0, < 4.0 |
+| aws | >= 3.0 |
 
 ## Inputs
 

examples/notification/README.md

@@ -19,18 +19,18 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.6, < 0.14 |
-| aws | >= 3.0, < 4.0 |
-| null | ~> 2 |
-| random | ~> 2 |
+| terraform | >= 0.12.6 |
+| aws | >= 3.0 |
+| null | >= 2 |
+| random | >= 2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 3.0, < 4.0 |
-| null | ~> 2 |
-| random | ~> 2 |
+| aws | >= 3.0 |
+| null | >= 2 |
+| random | >= 2 |
 
 ## Inputs
 

examples/notification/main.tf

@@ -76,6 +76,26 @@ resource "aws_sqs_queue" "this" {
   name  = "${random_pet.this.id}-${count.index}"
 }
 
+# SQS policy created outside of the module
+data "aws_iam_policy_document" "sqs_external" {
+  statement {
+    effect  = "Allow"
+    actions = ["sqs:SendMessage"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["s3.amazonaws.com"]
+    }
+
+    resources = [aws_sqs_queue.this[0].arn]
+  }
+}
+
+resource "aws_sqs_queue_policy" "allow_external" {
+  queue_url = aws_sqs_queue.this[0].id
+  policy    = data.aws_iam_policy_document.sqs_external.json
+}
+
 module "all_notifications" {
   source = "../../modules/notification"
 
@@ -129,4 +149,6 @@ module "all_notifications" {
     }
   }
 
+  # Creation of policy is handled outside of the module
+  create_sqs_policy = false
 }

examples/notification/versions.tf

@@ -1,9 +1,9 @@
 terraform {
-  required_version = ">= 0.12.6, < 0.14"
+  required_version = ">= 0.12.6"
 
   required_providers {
-    aws    = ">= 3.0, < 4.0"
-    random = "~> 2"
-    null   = "~> 2"
+    aws    = ">= 3.0"
+    random = ">= 2"
+    null   = ">= 2"
   }
 }

examples/s3-replication/README.md

@@ -21,17 +21,17 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.6, < 0.14 |
-| aws | >= 3.0, < 4.0 |
-| random | ~> 2 |
+| terraform | >= 0.12.6 |
+| aws | >= 3.0 |
+| random | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 3.0, < 4.0 |
-| aws.replica | >= 3.0, < 4.0 |
-| random | ~> 2 |
+| aws | >= 3.0 |
+| aws.replica | >= 3.0 |
+| random | >= 2.0 |
 
 ## Inputs
 

examples/s3-replication/versions.tf

@@ -1,8 +1,8 @@
 terraform {
-  required_version = ">= 0.12.6, < 0.14"
+  required_version = ">= 0.12.6"
 
   required_providers {
-    aws    = ">= 3.0, < 4.0"
-    random = "~> 2"
+    aws    = ">= 3.0"
+    random = ">= 2.0"
   }
 }

modules/notification/README.md

@@ -7,15 +7,15 @@ Creates S3 bucket notification resource with all supported types of deliveries:
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.6, < 0.14 |
-| aws | >= 3.0, < 4.0 |
-| random | ~> 2 |
+| terraform | >= 0.12.6 |
+| aws | >= 3.0 |
+| random | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 3.0, < 4.0 |
+| aws | >= 3.0 |
 
 ## Inputs
 
@@ -24,6 +24,8 @@ Creates S3 bucket notification resource with all supported types of deliveries:
 | bucket | Name of S3 bucket to use | `string` | `""` | no |
 | bucket\_arn | ARN of S3 bucket to use in policies | `string` | `null` | no |
 | create | Whether to create this resource or not? | `bool` | `true` | no |
+| create\_sns\_policy | Whether to create a policy for SNS permissions or not? | `bool` | `true` | no |
+| create\_sqs\_policy | Whether to create a policy for SQS permissions or not? | `bool` | `true` | no |
 | lambda\_notifications | Map of S3 bucket notifications to Lambda function | `any` | `{}` | no |
 | sns\_notifications | Map of S3 bucket notifications to SNS topic | `any` | `{}` | no |
 | sqs\_notifications | Map of S3 bucket notifications to SQS queue | `any` | `{}` | no |

modules/notification/main.tf

@@ -74,7 +74,7 @@ data "aws_arn" "queue" {
 }
 
 data "aws_iam_policy_document" "sqs" {
-  for_each = var.sqs_notifications
+  for_each = var.create_sqs_policy ? var.sqs_notifications : tomap({})
 
   statement {
     sid = "AllowSQSS3BucketNotification"
@@ -101,15 +101,15 @@ data "aws_iam_policy_document" "sqs" {
 }
 
 resource "aws_sqs_queue_policy" "allow" {
-  for_each = var.sqs_notifications
+  for_each = var.create_sqs_policy ? var.sqs_notifications : tomap({})
 
   queue_url = lookup(each.value, "queue_id", lookup(local.queue_ids, each.key, null))
   policy    = data.aws_iam_policy_document.sqs[each.key].json
 }
 
 # SNS Topic
 data "aws_iam_policy_document" "sns" {
-  for_each = var.sns_notifications
+  for_each = var.create_sns_policy ? var.sns_notifications : tomap({})
 
   statement {
     sid = "AllowSNSS3BucketNotification"
@@ -136,7 +136,7 @@ data "aws_iam_policy_document" "sns" {
 }
 
 resource "aws_sns_topic_policy" "allow" {
-  for_each = var.sns_notifications
+  for_each = var.create_sns_policy ? var.sns_notifications : tomap({})
 
   arn    = each.value.topic_arn
   policy = data.aws_iam_policy_document.sns[each.key].json

modules/notification/variables.tf

@@ -4,6 +4,18 @@ variable "create" {
   default     = true
 }
 
+variable "create_sns_policy" {
+  description = "Whether to create a policy for SNS permissions or not?"
+  type        = bool
+  default     = true
+}
+
+variable "create_sqs_policy" {
+  description = "Whether to create a policy for SQS permissions or not?"
+  type        = bool
+  default     = true
+}
+
 variable "bucket" {
   description = "Name of S3 bucket to use"
   type        = string
@@ -18,18 +30,18 @@ variable "bucket_arn" {
 
 variable "lambda_notifications" {
   description = "Map of S3 bucket notifications to Lambda function"
-  type        = any # map(map(any)) is better, but Terraform 0.12.25 panics
+  type        = any
   default     = {}
 }
 
 variable "sqs_notifications" {
   description = "Map of S3 bucket notifications to SQS queue"
-  type        = any # map(map(any)) is better, but Terraform 0.12.25 panics
+  type        = any
   default     = {}
 }
 
 variable "sns_notifications" {
   description = "Map of S3 bucket notifications to SNS topic"
-  type        = any # map(map(any)) is better, but Terraform 0.12.25 panics
+  type        = any
   default     = {}
 }

modules/notification/versions.tf

@@ -1,8 +1,8 @@
 terraform {
-  required_version = ">= 0.12.6, < 0.14"
+  required_version = ">= 0.12.6"
 
   required_providers {
-    aws    = ">= 3.0, < 4.0"
-    random = "~> 2"
+    aws    = ">= 3.0"
+    random = ">= 2.0"
   }
 }

versions.tf

@@ -1,7 +1,7 @@
 terraform {
-  required_version = ">= 0.12.6, < 0.14"
+  required_version = ">= 0.12.6"
 
   required_providers {
-    aws = ">= 3.0, < 4.0"
+    aws = ">= 3.0"
   }
 }