diff --git a/terraform/main.tf b/terraform/main.tf
index db9985851..b310e575f 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -284,6 +284,20 @@ module "arpa_audit_report" {
 postgres_db_name = module.postgres.default_db_name
 }
+data "aws_iam_policy_document" "publish_to_arpa_audit_report_queue" {
+ statement {
+ sid = "AllowPublishToQueue"
+ actions = ["sqs:SendMessage"]
+ resources = [module.arpa_audit_report.sqs_queue_arn]
+ }
+}
+
+resource "aws_iam_role_policy" "api_task-publish_to_arpa_audit_report_queue" {
+ name_prefix = "send-arpa-audit-report-requests"
+ role = module.api.ecs_task_role_name
+ policy = data.aws_iam_policy_document.publish_to_arpa_audit_report_queue.json
+}
+
 module "postgres" {
 enabled = var.postgres_enabled
 source = "./modules/gost_postgres"
diff --git a/terraform/modules/gost_api/outputs.tf b/terraform/modules/gost_api/outputs.tf
index ec32ad586..2a289ac8d 100644
--- a/terraform/modules/gost_api/outputs.tf
+++ b/terraform/modules/gost_api/outputs.tf
@@ -24,6 +24,10 @@ output "ecs_service_arn" {
 value = join("", aws_ecs_service.default.*.id)
 }
+output "ecs_task_role_name" {
+ value = join("", aws_iam_role.task.*.name)
+}
+
 output "arpa_audit_reports_bucket_arn" {
 value = module.arpa_audit_reports_bucket.bucket_arn
 }
diff --git a/terraform/modules/sqs_consumer_task/README.md b/terraform/modules/sqs_consumer_task/README.md
index b08f7224c..0830ccd56 100644
--- a/terraform/modules/sqs_consumer_task/README.md
+++ b/terraform/modules/sqs_consumer_task/README.md
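Review bot: The new `aws_iam_role_policy` in the main.tf hunk has no `count` guard, while its `role` comes from the new `ecs_task_role_name` output in the outputs.tf hunk, which follows the same `join("", …*.name)` splat pattern as `ecs_service_arn` and so looks count-gated, yielding `""` when the task role is not created; `role = ""` (or `resources = [""]` if the arpa_audit_report module's queue is likewise absent) fails at apply rather than being skipped. If the api and arpa_audit_report modules are flag-gated the way `module "postgres"` is via `var.postgres_enabled`, gate both the data source and the policy on the same flags, e.g. `count = var.<api_enabled_flag> && var.<arpa_audit_report_enabled_flag> ? 1 : 0` (placeholder variable names), so a disabled stack does not produce a dangling inline policy. The grant itself is appropriately narrow (`sqs:SendMessage` on a single queue ARN); if the queue is encrypted with a customer-managed KMS key the task role will additionally need `kms:GenerateDataKey` on that key, which this hunk cannot show either way. In the outputs.tf hunk, a `description = "Name of the ECS task IAM role; empty when the role is not created"` on the new output would make the empty-string case visible to callers.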
@@ -67,6 +67,17 @@ This module configures the primary SQS queue policy to grant access for a publis
 the queue. If a DLQ is created, it may only receive messages from the primary queue (see above).
 The publisher is configured via the `sqs_publisher` input variable.
+**Note:** This module only configures the *SQS queue policy* to *accept* messages sent by
+a publisher principal; depending on how permissions are managed, additional permissions may
+need to be granted in order for the publisher to *send* messages to the module's SQS queue.
+In other words, even if an SQS queue policy states that messages may be accepted from a particular
+source, that source may not have permissions in its own right to send messages out to the queue
+in the first place. For example, in cases where an ECS task or Lambda function is acting as
+the publisher, the execution role of that task/function may also need to be updated to give
+permission for the task/function to perform `sqs:SendMessage` and/or `sqs:SendMessageBatch`
+actions, with the ARN of this module's SQS queue (which can be obtained via the `sqs_queue_arn`
+output) specified as a resource of that policy.
+
 ##### Examples
 - Allow a specific IAM role to publish messages:
@@ -124,6 +135,29 @@ The publisher is configured via the `sqs_publisher` input variable.
 }
 }
 ```
+- Attach a policy to a publisher's execution role that allows it to send messages to the queue.
+ - *Update the module source path, AWS account ID, and IAM role name according to your use-case!*
+ ```terraform
+ module "my_worker" {
+ source = "/path/to/sqs_consumer_task"
+ # ...
+ sqs_publisher = {
+ principal_type = "AWS"
+ principal_identifier = "arn:aws:iam::123456789876:role/my-publisher-role-name"
+ }
+ }
+ data "aws_iam_policy_document" "publish_to_my_worker_queue" {
+ statement {
+ sid = "AllowPublishToQueue"
+ actions = ["sqs:SendMessage", "sqs:SendMessageBatch"]
+ resources = [module.my_worker.sqs_queue_arn]
+ }
+ }
+ resource "aws_iam_role_policy" "my_publisher-publish_to_my_worker_queue" {
+ role = "my-publisher-role-name" # Must already exist
+ policy = data.aws_iam_policy_document.publish_to_my_worker_queue.json
+ }
+ ```
 ### ECS Workers