feat: Add SQS queue resource policy to improve security (#1798)

julada · web-flow · commit 96def9a2150e · 2022-03-10T14:13:39.000+01:00
* feat: added sqs queue resource policy to improve security

* added policy to deny all actions on queue with unsecured transport method

* chore: formatted main.tf
diff --git a/main.tf b/main.tf
@@ -17,6 +17,38 @@ resource "random_string" "random" {
   upper   = false
 }
 
+data "aws_iam_policy_document" "deny_unsecure_transport" {
+  statement {
+    sid = "DenyUnsecureTransport"
+
+    effect = "Deny"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "sqs:*"
+    ]
+
+    resources = [
+      "*"
+    ]
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
+}
+
+resource "aws_sqs_queue_policy" "build_queue_policy" {
+  queue_url = aws_sqs_queue.queued_builds.id
+  policy    = data.aws_iam_policy_document.deny_unsecure_transport.json
+}
+
 resource "aws_sqs_queue" "queued_builds" {
   name                        = "${var.environment}-queued-builds${var.fifo_build_queue ? ".fifo" : ""}"
   delay_seconds               = var.delay_webhook_event
@@ -33,6 +65,12 @@ resource "aws_sqs_queue" "queued_builds" {
   tags = var.tags
 }
 
+
+resource "aws_sqs_queue_policy" "build_queue_dlq_policy" {
+  queue_url = aws_sqs_queue.queued_builds.id
+  policy    = data.aws_iam_policy_document.deny_unsecure_transport.json
+}
+
 resource "aws_sqs_queue" "queued_builds_dlq" {
   count = var.redrive_build_queue.enabled ? 1 : 0
   name  = "${var.environment}-queued-builds_dead_letter"
