I have a SES Receipt rule which redirect emails to S3 and a SNS to SQS as such:
resource "aws_ses_receipt_rule_set" "chat-replies" {
rule_set_name = "${local.deployment-name}-chat-replies"
}
resource "aws_ses_active_receipt_rule_set" "chat-replies" {
rule_set_name = aws_ses_receipt_rule_set.chat-replies.id
}
resource "aws_ses_receipt_rule" "chat-replies" {
name = "${local.deployment-name}-chat-replies-store"
rule_set_name = aws_ses_receipt_rule_set.chat-replies.id
recipients = [local.emails-chat-replies-domain]
enabled = true
scan_enabled = true
s3_action {
bucket_name = aws_s3_bucket.chat-replies.bucket
position = 1
topic_arn = aws_sns_topic.chat-replies.arn
}
depends_on = [aws_s3_bucket_policy.chat-replies]
}
resource "aws_s3_bucket" "chat-replies" {
bucket = "${local.deployment-name}-chat-replies"
}
resource "aws_s3_bucket_acl" "chat-replies" {
bucket = aws_s3_bucket.chat-replies.id
acl = "private"
}
resource "aws_s3_bucket_public_access_block" "chat-replies" {
bucket = aws_s3_bucket.chat-replies.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_policy" "chat-replies" {
bucket = aws_s3_bucket.chat-replies.id
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSESPuts",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "${aws_s3_bucket.chat-replies.arn}/*",
"Condition": {
"StringEquals": {
"aws:Referer": "${data.aws_caller_identity.current.account_id}"
}
}
}
]
}
POLICY
}
resource "aws_sns_topic" "chat-replies" {
name = "${local.deployment-name}-chat-replies"
}
resource "aws_sqs_queue" "chat-replies" {
name = "${local.deployment-name}-chat-replies"
message_retention_seconds = 604800 # 7 days
receive_wait_time_seconds = 20 # long poll
}
resource "aws_sns_topic_subscription" "chat-replies" {
topic_arn = aws_sns_topic.chat-replies.arn
protocol = "sqs"
endpoint = aws_sqs_queue.chat-replies.arn
}
resource "aws_sns_topic_policy" "chat-replies" {
arn = aws_sns_topic.chat-replies.arn
policy = data.aws_iam_policy_document.sns-chat-replies.json
}
data "aws_iam_policy_document" "sns-chat-replies" {
statement {
actions = [
"SNS:Publish",
]
condition {
test = "StringEquals"
variable = "AWS:SourceAccount"
values = [
data.aws_caller_identity.current.account_id,
]
}
effect = "Allow"
principals {
type = "Service"
identifiers = [
"ses.amazonaws.com"
]
}
resources = [aws_sns_topic.chat-replies.arn]
}
}
output "chat-replies-queue-url" {
value = aws_sqs_queue.chat-replies.url
}
While I’m perfectly see emails in my S3 bucket, the SQS queue is empty?
What am I missing?
2
Answers
I was missing
aws_sqs_queue_policy:I can’t find any documentation about what topic_arn does inside of the s3_action and it seems odd to me to find it there. Instead, I’d remove it from the s3_action block and add an additional sns_action block with the topic_arn for your chat-replies topic. Something like: