1

I'm provisioning an SQS queue and a CloudWatch that should create events to this queue via Terraform (terraform-provider-aws_4.58.0). All the resources was created succesfully, but the CloudWatch event rule always fail to send the message. At first, it seems to be something wrong with permissions, but even after explicitly allowing the rule to access the queue, the error persists.

I've also made a test of deleting the Rule target by managing console and recreating it manually with exactly same configurations. This time the rule started to work. However, at every terraform update, the problem come back.

Here is my Terraform code

provider "aws" {
  region = "sa-east-1"
}

resource "aws_sqs_queue" "my_queue_fifo" {
  content_based_deduplication       = "true"
  deduplication_scope               = "queue"
  delay_seconds                     = "0"
  fifo_queue                        = "true"
  fifo_throughput_limit             = "perQueue"
  kms_data_key_reuse_period_seconds = "300"
  max_message_size                  = "5120"
  message_retention_seconds         = "345600"
  name                              = "my-queue.fifo"
  receive_wait_time_seconds         = "3"
  sqs_managed_sse_enabled           = "false"
  visibility_timeout_seconds        = "300"

  tags = {
    project = "my-project"
  }
}

resource "aws_sqs_queue_policy" "schedule_permission" {
  queue_url = aws_sqs_queue.my_queue_fifo.url
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [{
      "Action" : ["sqs:SendMessage"],
      "Effect" : "Allow",
      "Principal" : {
        "Service" : "events.amazonaws.com"
      },
      "Resource" : "${aws_sqs_queue.my_queue_fifo.url}",
      "Condition" : {
        "ArnLike" : {
          "aws:SourceArn" : "${aws_cloudwatch_event_rule.my_schedule.arn}"
        }
      }
    }]
  })
}

resource "aws_cloudwatch_event_rule" "my_schedule" {
  name                = "sqs-schedule"
  description         = "SQS Schedule "
  schedule_expression = "cron(* * * * ? *)"
  is_enabled          = true

  tags = {
    project = "my-project"
  }
}

resource "aws_cloudwatch_event_target" "target_extract_oracle" {
  arn   = "${aws_sqs_queue.my_queue_fifo.arn}"
  rule  = "${aws_cloudwatch_event_rule.my_schedule.name}"
  input = jsonencode({ "property" : "value" })

  sqs_target {
    message_group_id = "sqs-group-id"
  }
}

And here is a print of the CloudWatch Rule monitoring Fails

Anyone has a clue of what's happening or how to solve this problem?

Derick Welman
  • 11
  • 2

0 Answers0