CCM-8237 sqs resource policy overlaod

Author: aidenvaines-cgi

infrastructure/modules/sqs/data_iam_policy_document_sqs_queue.tf

@@ -19,36 +19,4 @@ data "aws_iam_policy_document" "sqs_queue" {
       identifiers = [var.aws_account_id]
     }
   }
-
-  dynamic "statement" {
-    for_each = var.sns_source_arn != null ? [1] : []
-
-    content {
-      effect = "Allow"
-
-      principals {
-        type = "Service"
-        identifiers = [
-          "sns.amazonaws.com"
-        ]
-      }
-
-      actions = [
-        "sqs:SendMessage",
-        "sqs:SendMessageBatch",
-      ]
-
-      condition {
-        test     = "ArnEquals"
-        variable = "aws:SourceArn"
-        values = [
-          var.sns_source_arn
-        ]
-      }
-
-      resources = [
-        aws_sqs_queue.sqs_queue.arn,
-      ]
-    }
-  }
 }

infrastructure/modules/sqs/sqs_queue_policy.tf

@@ -1,4 +1,7 @@
 resource "aws_sqs_queue_policy" "sqs_queue_policy" {
   queue_url = aws_sqs_queue.sqs_queue.id
-  policy    = data.aws_iam_policy_document.sqs_queue.json
+  policy    = jsonencode([
+    data.aws_iam_policy_document.sqs_queue.json,
+    var.sqs_policy_overload,
+  ])
 }

infrastructure/modules/sqs/variables.tf

@@ -57,10 +57,14 @@ variable "sqs_kms_key_arn" {
   description = "ARN of the KMS key to encrypt SQS queue messages"
 }
 
-variable "sns_source_arn" {
+variable "sqs_policy_overload" {
   type        = string
-  description = "ARN of an sns resource allowed to send to this resource"
+  description = "Optional additional policy to extend the SQS Resource Policy"
   default     = null
+  validation {
+    condition     = can(jsondecode(var.sqs_policy_overload))
+    error_message = "sqs_policy_overload must be a valid JSON."
+  }
 }
 
 variable "allowed_arns" {