Terraform: overriding the aws_iam_policy_document used in a resource

Time: 2021-02-01 20:01:49

Tags: terraform

I have a module for creating SQS queues in Terraform.

This is what my main.tf under modules/sqs looks like:

data "aws_iam_policy_document" "my_policy" {
  statement {
    sid     = ""
    effect  = "Allow"
    actions = ["sqs:SendMessage"]

    principals {
      type        = "Service"
      identifiers = ["sns.amazonaws.com"]
    }

    resources = ["arn:aws:sqs:us-west-2:123456:${var.sqs_queue_name}"]

    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [var.sns_arn]
    }
  }

  version = "2008-10-17"
}

resource "aws_sqs_queue" "my_queue" {
  name                       = var.sqs_queue_name
  receive_wait_time_seconds  = var.receive_wait_time_seconds
  visibility_timeout_seconds = var.visibility_timeout_seconds
  message_retention_seconds  = var.message_retention_seconds
  max_message_size           = var.max_message_size
  delay_seconds              = var.delay_seconds
  policy                     = data.aws_iam_policy_document.my_policy.json
}

And I have this in my root main.tf, which works fine; I can create the queue.

module "aws_sqs_my_queue" {
  source = "./modules/sqs"

  sqs_queue_name             = "MyQueue"
  receive_wait_time_seconds  = 20
  visibility_timeout_seconds = 60
  sns_arn                    = module.aws_sns_my_topic.sns_arn
}

Now my problem is that I have to set up a dead-letter queue for aws_sqs_my_queue, and the DLQ's access policy is different from the one set on my data source my_policy. How can I create another SQS queue that has a different access policy but is still created with the my_queue resource?

My Terraform version is v0.12.0.

1 answer:

Answer 0 (score: 0)

Usually the default SQS policy is enough for a DLQ:

data "aws_caller_identity" "current" {}

data "aws_region" "current" {}

resource "aws_sqs_queue" "dlq" {
  name = "my-dlq"

  policy = <<-EOL
  {
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
      {
        "Sid": "__owner_statement",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        },
        "Action": "SQS:*",
        "Resource": "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:my-dlq"
      }
    ]
  }
  EOL
}
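One way to give the DLQ its own policy while still creating it through the same module, as an added example that is not part of the question or the answer above: the module gets an optional policy_override (and a redrive_policy) variable, and the root module passes in an owner-only policy document scoped to the DLQ's own ARN, so the SNS SendMessage grant from my_policy is never attached to the DLQ. The variable names, the queue_arn output, the MyQueue-dlq name and the maxReceiveCount of 5 are assumptions.

```hcl
# modules/sqs/variables.tf, assumed additions (hypothetical names)
variable "policy_override" { # JSON; null = keep the module's SNS SendMessage policy
  type    = string
  default = null
}
variable "redrive_policy" { # JSON; null = no DLQ attached
  type    = string
  default = null
}

# modules/sqs/main.tf: the queue with the two new arguments (others unchanged) and an assumed output
resource "aws_sqs_queue" "my_queue" {
  name           = var.sqs_queue_name
  policy         = var.policy_override != null ? var.policy_override : data.aws_iam_policy_document.my_policy.json
  redrive_policy = var.redrive_policy
}
output "queue_arn" { value = aws_sqs_queue.my_queue.arn }

# root main.tf
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
# Owner-only policy for the DLQ: scoped to the DLQ's own ARN, no SNS principal
data "aws_iam_policy_document" "dlq_owner" {
  statement {
    effect    = "Allow"
    actions   = ["sqs:*"]
    resources = ["arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:MyQueue-dlq"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
}

module "aws_sqs_my_queue_dlq" {
  source          = "./modules/sqs"
  sqs_queue_name  = "MyQueue-dlq"
  sns_arn         = module.aws_sns_my_topic.sns_arn # still required by the module's data source, not granted on the DLQ
  policy_override = data.aws_iam_policy_document.dlq_owner.json
}

module "aws_sqs_my_queue" {
  source         = "./modules/sqs"
  sqs_queue_name = "MyQueue"
  sns_arn        = module.aws_sns_my_topic.sns_arn
  redrive_policy = jsonencode({
    deadLetterTargetArn = module.aws_sqs_my_queue_dlq.queue_arn
    maxReceiveCount     = 5
  })
}
```

After `terraform apply`, compare the two queues' policies in the console or with `aws sqs get-queue-attributes --attribute-names Policy`: the main queue should show the sns.amazonaws.com principal, the DLQ only the account root.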
