diff --git a/terraform/iam.tf b/terraform/iam.tf index b281deb7..fc4083de 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -106,3 +106,42 @@ resource "aws_iam_role_policy_attachment" "sre_bot_bucket" { role = aws_iam_role.sre-bot.name policy_arn = aws_iam_policy.sre_bot_bucket.arn } + +# Create an IAM role and policy to allow the SRE Bot to access the SQS queue +resource "aws_iam_role" "sre_bot_sqs_access_role" { + name = "sre_bot_sqs_access_role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + Service = "ecs-tasks.amazonaws.com", + }, + Action = "sts:AssumeRole", + }, + ], + }) +} + +# Create an IAM policy to allow the SRE Bot to access the SQS queue via the role +resource "aws_iam_role_policy" "sre_bot_sqs_access_policy" { + name = "sre_bot_sqs_access_policy" + role = aws_iam_role.sre_bot_sqs_access_role.id + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = [ + "sqs:SendMessage", + "sqs:ReceiveMessage", + "sqs:DeleteMessage", + ], + Resource = aws_sqs_queue.sre_bot_fifo_queue.arn, + }, + ], + }) +} diff --git a/terraform/sqs.tf b/terraform/sqs.tf new file mode 100644 index 00000000..1b6f7879 --- /dev/null +++ b/terraform/sqs.tf @@ -0,0 +1,22 @@ +# Create a FIFO SQS queue for the SRE Bot +resource "aws_sqs_queue" "sre_bot_fifo_queue" { + name = "sre-bot-fifo-queue.fifo" + fifo_queue = true # Make sure that it is FIFO queue + content_based_deduplication = true # Enable content-based deduplication + delay_seconds = 0 # Specify delay time for messages + visibility_timeout_seconds = 30 # Specify the visibility timeout + + depends_on = [aws_sqs_queue.sre_bot_dead_letter_queue] + + # Specify dead-letter queue (DLQ) settings + redrive_policy = jsonencode({ + deadLetterTargetArn = aws_sqs_queue.sre_bot_dead_letter_queue.arn + maxReceiveCount = 5 # Number of times a message is delivered before sending to DLQ + }) +} + +# Dead-letter queue resource, which is used to store messages that cannot be processed +resource "aws_sqs_queue" "sre_bot_dead_letter_queue" { + name = "sre-bot-dead-letter-queue.fifo" + fifo_queue = true +}