
I have an SES receipt rule which delivers emails to S3, and an SNS topic subscribed to SQS, as follows:

resource "aws_ses_receipt_rule_set" "chat-replies" {
  # Rule set holding the inbound-mail rules for this deployment.
  rule_set_name = "${local.deployment-name}-chat-replies"
}

resource "aws_ses_active_receipt_rule_set" "chat-replies" {
  # Promotes the rule set above to the active one for this region; SES only
  # evaluates a single active rule set.
  rule_set_name = aws_ses_receipt_rule_set.chat-replies.id
}

resource "aws_ses_receipt_rule" "chat-replies" {
  rule_set_name = aws_ses_receipt_rule_set.chat-replies.id
  name          = "${local.deployment-name}-chat-replies-store"
  enabled       = true

  # Only mail addressed to the chat-replies domain matches this rule.
  recipients = [local.emails-chat-replies-domain]

  # SES spam/virus scanning of inbound mail.
  scan_enabled = true

  # Store the raw message in the chat-replies bucket; topic_arn is the SNS
  # topic SES notifies for this action.
  s3_action {
    position    = 1
    bucket_name = aws_s3_bucket.chat-replies.bucket
    topic_arn   = aws_sns_topic.chat-replies.arn
  }

  # Nothing above references the bucket policy, so the ordering is made
  # explicit: the policy must exist before SES attempts its first PutObject.
  depends_on = [aws_s3_bucket_policy.chat-replies]
}

resource "aws_s3_bucket" "chat-replies" {
  # Destination for the raw inbound messages written by the SES s3_action.
  # NOTE(review): no server-side encryption, versioning or lifecycle
  # configuration for this bucket appears in this file — confirm that is
  # intended for a bucket holding raw mail.
  bucket = "${local.deployment-name}-chat-replies"
}

resource "aws_s3_bucket_acl" "chat-replies" {
  # Canned private ACL; public access is additionally blocked below.
  acl    = "private"
  bucket = aws_s3_bucket.chat-replies.id
}

resource "aws_s3_bucket_public_access_block" "chat-replies" {
  bucket = aws_s3_bucket.chat-replies.id

  # All four guards on: the bucket holds raw inbound mail and must stay
  # unreachable publicly regardless of any ACL or policy attached later.
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}

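resource "aws_s3_bucket_policy" "chat-replies" {
  bucket = aws_s3_bucket.chat-replies.id

  # Lets the SES receiving service write inbound mail into this bucket.
  # The grant is scoped with AWS:SourceAccount — the service-to-service
  # condition key the SNS topic policy in this file already uses — rather
  # than aws:Referer, which keys on a request header instead of the calling
  # service's identity.
  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "${aws_s3_bucket.chat-replies.arn}/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "${data.aws_caller_identity.current.account_id}"
                }
            }
        }
    ]
}
POLICY
}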

resource "aws_sns_topic" "chat-replies" {
  # Fan-out point: the SES s3_action notifies this topic and the
  # chat-replies queue subscribes to it below.
  name = "${local.deployment-name}-chat-replies"
}

resource "aws_sqs_queue" "chat-replies" {
  name = "${local.deployment-name}-chat-replies"

  # Retain unconsumed notifications for 7 days and let consumers long-poll
  # for up to 20 seconds per receive call.
  message_retention_seconds = 604800
  receive_wait_time_seconds = 20
  # NOTE(review): no redrive_policy (dead-letter queue) or queue encryption
  # setting is declared here — confirm that is intended.
}

resource "aws_sns_topic_subscription" "chat-replies" {
  # Deliver everything published on the chat-replies topic to the queue.
  # SNS can only deliver if the queue's own policy admits the SNS service
  # (an aws_sqs_queue_policy), which this subscription does not create.
  protocol  = "sqs"
  topic_arn = aws_sns_topic.chat-replies.arn
  endpoint  = aws_sqs_queue.chat-replies.arn
}

resource "aws_sns_topic_policy" "chat-replies" {
  # Attaches the SES-publish grant defined in the data source below.
  policy = data.aws_iam_policy_document.sns-chat-replies.json
  arn    = aws_sns_topic.chat-replies.arn
}

data "aws_iam_policy_document" "sns-chat-replies" {
  # Lets the SES service publish to the chat-replies topic, restricted to
  # requests SES makes on behalf of this account (AWS:SourceAccount), so SES
  # acting for some other account cannot publish here.
  statement {
    effect    = "Allow"
    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.chat-replies.arn]

    principals {
      type        = "Service"
      identifiers = ["ses.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

output "chat-replies-queue-url" {
  # URL consumers poll for the "message stored" notifications.
  value = aws_sqs_queue.chat-replies.url
}

While I can see the emails in my S3 bucket perfectly well, the SQS queue stays empty.

What am I missing?

2

Answers


  1. Chosen as BEST ANSWER

    I was missing aws_sqs_queue_policy:

    resource "aws_sqs_queue_policy" "chat-replies" {
      # The queue resource's id attribute is its URL, which is what this
      # resource keys on.
      policy    = data.aws_iam_policy_document.sqs-chat-replies.json
      queue_url = aws_sqs_queue.chat-replies.id
    }
    
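    data "aws_iam_policy_document" "sqs-chat-replies" {
      # Grants the SNS service permission to deliver into the chat-replies
      # queue, but only on behalf of the chat-replies topic. Without the
      # aws:SourceArn condition, "sns.amazonaws.com" is the same principal for
      # every topic in every account, so any topic could push messages here.
      # The resource is also pinned to this queue's ARN instead of "*".
      statement {
        sid    = "First"
        effect = "Allow"

        principals {
          type        = "Service"
          identifiers = ["sns.amazonaws.com"]
        }

        actions   = ["sqs:SendMessage"]
        resources = [aws_sqs_queue.chat-replies.arn]

        condition {
          test     = "ArnEquals"
          variable = "aws:SourceArn"
          values   = [aws_sns_topic.chat-replies.arn]
        }
      }
    }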
    

  2. I can’t find any documentation about what topic_arn does inside the s3_action block, and it seems odd to me to find it there. Instead, I’d remove it from the s3_action block and add a separate sns_action block carrying the topic_arn of your chat-replies topic. Something like:

    resource "aws_ses_receipt_rule" "chat-replies" {
      # Sketch only: "..." stands for the name/rule_set_name/recipients arguments
      # from the question, which are unchanged here.
      name = ...
     
      # Action 1: store the raw message in the bucket, with no topic attached.
      s3_action {
        position    = 1
        bucket_name = aws_s3_bucket.chat-replies.bucket
      }
    
      # Action 2: a separate SNS action publishing to the chat-replies topic.
      # NOTE(review): an sns_action notification is a different payload from
      # the S3-action notification — confirm the queue consumer handles it.
      sns_action {
        position  = 2
        topic_arn = aws_sns_topic.chat-replies.arn
      }
    }
    