BATIAI-2169: add sqs rw (#11)

* BATIAI-2169: Adding sqs option * Precommit * Changelog
CMS-Enterprise · Dec 5, 2023 · 115da20 · 115da20
1 parent 5a0ca3d
commit 115da20
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,2 @@
 .terraform.lock.hcl
-.terraform/
+.terraform/
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,3 +3,8 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+# 1.0.0
+
+* Striking 1.0.0 release
+* Adding sqs flag
diff --git a/README.md b/README.md
@@ -1,2 +1,2 @@
 # batcave-tf-irsa
-This repo is a Terraform module that contains the code to create IAM roles and policies for the implementation of [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) in Batcave clusters.
+This repo is a Terraform module that contains the code to create IAM roles and policies for the implementation of [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) in Batcave clusters.
diff --git a/policies.tf b/policies.tf
@@ -178,10 +178,50 @@ resource "aws_iam_role_policy_attachment" "secrets-manager" {
   role       = aws_iam_role.this[0].name
   policy_arn = aws_iam_policy.secrets-manager[0].arn
 }
+
+################################################################################
 # CloudWatch Policy for container insights
 ################################################################################
 resource "aws_iam_role_policy_attachment" "insights_policy" {
   count      = var.create_role && var.attach_insights_policy ? 1 : 0
   role       = aws_iam_role.this[0].name
   policy_arn = "arn:${local.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
 }
+
+################################################################################
+# SQS Policy
+################################################################################
+locals {
+  sqs_read_write_permissions = [
+    "sqs:GetQueueUrl",
+    "sqs:DeleteMessage",
+    "sqs:ReceiveMessage",
+    "sqs:SendMessage",
+    "sqs:GetQueueAttributes"
+  ]
+}
+data "aws_iam_policy_document" "sqs_read_write" {
+  count = var.create_role && length(var.sqs_read_write_arns) > 0 ? 1 : 0
+
+  statement {
+    sid       = "SQSReadWrite"
+    actions   = local.sqs_read_write_permissions
+    resources = var.sqs_read_write_arns
+  }
+}
+resource "aws_iam_policy" "sqs_read_write" {
+  count = var.create_role && length(var.sqs_read_write_arns) > 0 ? 1 : 0
+
+  name_prefix = "${var.policy_name_prefix}${var.app_name}-"
+  path        = var.role_path
+  description = "SQS Read/Write"
+  policy      = data.aws_iam_policy_document.sqs_read_write[0].json
+
+  tags = var.tags
+}
+resource "aws_iam_role_policy_attachment" "sqs_read_write" {
+  count = var.create_role && length(var.sqs_read_write_arns) > 0 ? 1 : 0
+
+  role       = aws_iam_role.this[0].name
+  policy_arn = aws_iam_policy.sqs_read_write[0].arn
+}
diff --git a/variables.tf b/variables.tf
@@ -163,3 +163,8 @@ variable "attach_insights_policy" {
   type        = bool
   default     = false
 }
+variable "sqs_read_write_arns" {
+  description = "List of SQS ARNs to allow read/write access to"
+  type        = list(string)
+  default     = []
+}