Terraform 覆盖资源中的 aws_iam_policy_document

Question

我有一个用于在 Terraform 中创建 SQS 队列的模块。

这是我的 main.tf 在 modules/sqs 下的样子：

data "aws_iam_policy_document" "my_policy" {
  statement {
    sid = ""
    effect  = "Allow"
    actions = ["sqs:SendMessage"]
    principals {
      type        = "Service"
      identifiers = ["sns.amazonaws.com"]
    }
    resources = ["arn:aws:sqs:us-west-2:123456:${var.sqs_queue_name}"]
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = ["${var.sns_arn}"]
    }

  }

  version = "2008-10-17"
}

resource "aws_sqs_queue" "my_queue" {
  name                      = var.sqs_queue_name
  receive_wait_time_seconds = var.receive_wait_time_seconds
  visibility_timeout_seconds = var.visibility_timeout_seconds
  message_retention_seconds = var.message_retention_seconds
  max_message_size = var.max_message_size
  delay_seconds = var.delay_seconds
  policy = data.aws_iam_policy_document.my_policy.json
}

在我的根 main.tf 我有这个。效果很好，我可以创建队列。

module "aws_sqs_my_queue" {
  source = "./modules/sqs"

  sqs_queue_name = "MyQueue"
  receive_wait_time_seconds = 20
  visibility_timeout_seconds = 60
  sns_arn = "${module.aws_sns_my_topic.sns_arn}"
}

现在我的问题是我必须为 aws_sqs_my_queue 设置死信队列，并且 DLQ 的访问策略与在我的数据源 my_policy 上设置的访问策略不同。如何设置另一个具有不同访问策略但使用 my_queue 资源创建 SQS 队列的队列。

我的 terraform 版本是 v0.12.0

Answer 1

通常，DLQ 的默认 SQS 策略就足够了：

data "aws_caller_identity" "current" {}

data "aws_region" "current" {}

resource "aws_sqs_queue" "dlq" {

  name = "my-dlq"

  policy = <<-EOL
  {
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
      {
        "Sid": "__owner_statement",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        },
        "Action": "SQS:*",
        "Resource": "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:my-dlq"
      }
    ]
  }
  EOL

}