Merge pull request #35 from NHSDigital/CCM-8237_resPolOverload

CCM-8237 resource policy overload

Author: aidenvaines-cgi

infrastructure/modules/sqs/data_iam_policy_document_sqs_queue.tf

@@ -20,35 +20,5 @@ data "aws_iam_policy_document" "sqs_queue" {
     }
   }
 
-  dynamic "statement" {
-    for_each = var.sns_source_arn != null ? [1] : []
-
-    content {
-      effect = "Allow"
-
-      principals {
-        type = "Service"
-        identifiers = [
-          "sns.amazonaws.com"
-        ]
-      }
-
-      actions = [
-        "sqs:SendMessage",
-        "sqs:SendMessageBatch",
-      ]
-
-      condition {
-        test     = "ArnEquals"
-        variable = "aws:SourceArn"
-        values = [
-          var.sns_source_arn
-        ]
-      }
-
-      resources = [
-        aws_sqs_queue.sqs_queue.arn,
-      ]
-    }
-  }
+  override_policy_documents = [var.sqs_policy_overload]
 }

infrastructure/modules/sqs/sqs_queue_policy.tf

@@ -2,3 +2,4 @@ resource "aws_sqs_queue_policy" "sqs_queue_policy" {
   queue_url = aws_sqs_queue.sqs_queue.id
   policy    = data.aws_iam_policy_document.sqs_queue.json
 }
+

infrastructure/modules/sqs/variables.tf

@@ -57,10 +57,10 @@ variable "sqs_kms_key_arn" {
   description = "ARN of the KMS key to encrypt SQS queue messages"
 }
 
-variable "sns_source_arn" {
+variable "sqs_policy_overload" {
   type        = string
-  description = "ARN of an sns resource allowed to send to this resource"
-  default     = null
+  description = "Optional additional policy to extend the SQS Resource Policy"
+  default     = ""
 }
 
 variable "allowed_arns" {