feat: add SQS queue & grant FastAPI Lambda access (#6)

Author: patheard

infra/env/dev/api-gateway/terragrunt.hcl

@@ -3,7 +3,7 @@ include {
 }
 
 dependencies {
-  paths = ["../network"]
+  paths = ["../network", "../sqs"]
 }
 
 dependency "network" {
@@ -16,9 +16,21 @@ dependency "network" {
   }
 }
 
+dependency "sqs" {
+  config_path = "../sqs"
+
+  mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
+  mock_outputs = {
+    message_queue_arn = ""
+    message_queue_url = ""
+  }
+}
+
 inputs = {
   lambda_subnet_ids         = dependency.network.outputs.lambda_subnet_ids
   lambda_security_group_id  = dependency.network.outputs.lambda_security_group_id
+  message_queue_arn         = dependency.sqs.outputs.message_queue_arn
+  message_queue_url         = dependency.sqs.outputs.message_queue_url
 }
 
 terraform {

infra/env/dev/sqs/terragrunt.hcl

@@ -0,0 +1,12 @@
+include {
+  path = find_in_parent_folders()
+}
+
+inputs = {
+  lambda_producer_function_name = "FastAPI"
+  max_receive_count             = 5
+}
+
+terraform {
+  source = "../../../modules//sqs"
+}

infra/modules/api-gateway/lambda.tf

@@ -18,6 +18,12 @@ resource "aws_lambda_function" "api_lambda" {
     mode = "PassThrough"
   }
 
+  environment {
+    variables = {
+      message_queue_url = var.message_queue_url
+    }
+  }
+
   tags = {
     Name    = "${var.project_name}-function"
     Project = var.project_name
@@ -35,6 +41,32 @@ resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 }
 
+resource "aws_iam_role_policy_attachment" "lambda_sqs_producer_policy_attachment" {
+  role       = aws_iam_role.api_lambda_role.name
+  policy_arn = aws_iam_policy.lambda_sqs_producer_policy.arn
+}
+
+resource "aws_iam_policy" "lambda_sqs_producer_policy" {
+  name        = "LambdaSqsProducer"
+  description = "IAM policy for creating messages in an SQS queue"
+  path        = "/"
+  policy      = data.aws_iam_policy_document.lambda_sqs_producer_policy.json
+}
+
+data "aws_iam_policy_document" "lambda_sqs_producer_policy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "sqs:GetQueueAttributes",
+      "sqs:GetQueueUrl",
+      "sqs:SendMessage*"
+    ]
+    resources = [
+      var.message_queue_arn
+    ]
+  }
+}
+
 data "aws_iam_policy_document" "lambda_assume_policy" {
   statement {
     effect = "Allow"

infra/modules/api-gateway/variables.tf

@@ -7,3 +7,13 @@ variable "lambda_security_group_id" {
   description = "Lambda's security group ID"
   type        = string
 }
+
+variable "message_queue_arn" {
+  description = "ARN of the SQS to send messages to"
+  type        = string
+}
+
+variable "message_queue_url" {
+  description = "URL of the SQS to send messages to"
+  type        = string
+}

infra/modules/network/vpc.tf

@@ -66,7 +66,7 @@ resource "aws_security_group_rule" "vpc_endpoints_from_lambda" {
 }
 
 resource "aws_security_group_rule" "lambda_to_vpc_endpoints" {
-  description              = "Security group rule for egress to "
+  description              = "Security group rule for egress to VPC endpoints"
   type                     = "egress"
   from_port                = 443
   to_port                  = 443
@@ -127,3 +127,18 @@ resource "aws_vpc_endpoint" "monitoring" {
   ]
   subnet_ids = aws_subnet.api_subnet.*.id
 }
+
+#
+# PrivateLink endpoint to SQS
+#
+
+resource "aws_vpc_endpoint" "sqs" {
+  vpc_id              = aws_vpc.api_vpc.id
+  vpc_endpoint_type   = "Interface"
+  service_name        = "com.amazonaws.${var.region}.sqs"
+  private_dns_enabled = true
+  security_group_ids = [
+    aws_security_group.vpc_endpoints.id,
+  ]
+  subnet_ids = aws_subnet.api_subnet.*.id
+}

infra/modules/sqs/data.tf

@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}

infra/modules/sqs/output.tf

@@ -0,0 +1,7 @@
+output "message_queue_arn" {
+  value = aws_sqs_queue.message_queue.arn
+}
+
+output "message_queue_url" {
+  value = aws_sqs_queue.message_queue.url
+}

infra/modules/sqs/sqs.tf

@@ -0,0 +1,97 @@
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+}
+
+resource "aws_sqs_queue" "message_queue" {
+  name                      = "message-queue"
+  max_message_size          = 1024
+  message_retention_seconds = 86400 # 1 day
+  kms_master_key_id         = "alias/aws/sqs"
+
+  redrive_policy = jsonencode({
+    deadLetterTargetArn = aws_sqs_queue.message_deadletter_queue.arn
+    maxReceiveCount     = var.max_receive_count
+  })
+
+  tags = {
+    Name    = "${var.project_name}-message-queue"
+    Project = var.project_name
+    Billing = var.project_team
+  }
+}
+
+# Only allow this account to send messages to the queue
+resource "aws_sqs_queue_policy" "message_queue_policy" {
+  queue_url = aws_sqs_queue.message_queue.id
+  policy    = data.aws_iam_policy_document.message_queue_policy.json
+}
+
+data "aws_iam_policy_document" "message_queue_policy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "sqs:GetQueueAttributes",
+      "sqs:GetQueueUrl",
+      "sqs:SendMessage*"
+    ]
+    resources = [
+      aws_sqs_queue.message_queue.arn
+    ]
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+
+      values = [
+        "arn:aws:lambda:${var.region}:${local.account_id}:function:${var.lambda_producer_function_name}*"
+      ]
+    }
+  }
+}
+
+resource "aws_sqs_queue" "message_deadletter_queue" {
+  name                      = "message-deadletter-queue"
+  max_message_size          = 1024
+  message_retention_seconds = 604800 # 1 week
+  kms_master_key_id         = "alias/aws/sqs"
+
+  tags = {
+    Name    = "${var.project_name}-message-deadletter-queue"
+    Project = var.project_name
+    Billing = var.project_team
+  }
+}
+
+# Only allow the message queue to send messages to the deadletter queue
+resource "aws_sqs_queue_policy" "message_deadletter_queue_policy" {
+  queue_url = aws_sqs_queue.message_deadletter_queue.id
+  policy    = data.aws_iam_policy_document.message_deadletter_queue_policy.json
+}
+
+data "aws_iam_policy_document" "message_deadletter_queue_policy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "sqs:GetQueueAttributes",
+      "sqs:GetQueueUrl",
+      "sqs:SendMessage*"
+    ]
+    resources = [
+      aws_sqs_queue.message_deadletter_queue.arn
+    ]
+    principals {
+      type        = "Service"
+      identifiers = ["sqs.amazonaws.com"]
+    }
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values = [
+        aws_sqs_queue.message_queue.arn
+      ]
+    }
+  }
+}

infra/modules/sqs/variables.tf

@@ -0,0 +1,9 @@
+variable "lambda_producer_function_name" {
+  description = "Name of the Lambda function that produces messages for the SQS queue"
+  type        = string
+}
+
+variable "max_receive_count" {
+  description = "Max number of times a message can be processed without deletion before sent to the deadletter queue"
+  type        = number
+}