Validando sqs kms

modules/ecs-task/iam.tf

@@ -15,6 +15,42 @@ resource "aws_iam_role" "ecs_task_role" {
   })
 }
 
+resource "aws_iam_role_policy" "ecs_task_kms_policy" {
+  count = var.sqs_queue_arn != null ? 1 : 0
+
+  name = "ecs-task-policy-sqs-kms-${var.family}"
+  role = aws_iam_role.ecs_task_role.name
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowSQSAccessToQueue"
+        Effect = "Allow"
+        Action = [
+          "sqs:ReceiveMessage",
+          "sqs:DeleteMessage",
+          "sqs:GetQueueAttributes",
+          "sqs:GetQueueUrl"
+        ]
+        Resource = var.sqs_queue_arn
+      },
+      {
+        Sid    = "AllowKMSForQueue"
+        Effect = "Allow"
+        Action = [
+          "kms:Decrypt",
+          "kms:GenerateDataKey"
+        ]
+        # Se informou a fila mas não informou a chave, usa "*" para KMS 
+        # ou você pode passar o ARN da chave KMS se houver uma.
+        Resource = var.kms_key_arn != null ? var.kms_key_arn : "*"
+      }
+    ]
+  })
+}
+
+
 resource "aws_iam_role_policy_attachment" "attach_ecsTaskExecutionRole" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
   role       = aws_iam_role.ecs_task_role.name

modules/ecs-task/variables.tf

@@ -79,6 +79,16 @@ variable "cpu_architecture" {
   default     = "X86_64"
 }
 
+variable "sqs_queue_arn" {
+  description = "ARN da fila SQS A"
+  type        = string
+}
+
+variable "kms_key_arn" {
+  description = "ARN da chave KMS utilizada para criptografia"
+  type        = string
+}
+
 # variable "retention_in_days" {
 #   description = "Quantidade de dias para retenção de logs."
 #   type        = number

modules/sqs/main.tf

@@ -1,27 +1,69 @@
+########################
+# LOCALS
+########################
 locals {
   queue_base_name = join("-", [var.name, "sqs", var.environment])
   queue_name      = var.fifo_queue == true ? "${local.queue_base_name}.fifo" : local.queue_base_name
+
+  effective_kms_key_id = var.kms_master_key_id != null ? var.kms_master_key_id : aws_kms_key.sqs[0].arn
+
+  kms_tags = merge(
+    {
+      Name        = "${local.queue_name}-kms"
+      Environment = var.environment
+      Service     = var.name
+    },
+    var.tags
+  )
+}
+
+########################
+# KMS (CRIA SOMENTE SE NÃO FOR ENVIADA)
+########################
+resource "aws_kms_key" "sqs" {
+  count                   = var.kms_master_key_id == null ? 1 : 0
+  description             = "KMS key for SQS ${local.queue_name}"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+
+  tags = local.kms_tags
+}
+
+resource "aws_kms_alias" "sqs" {
+  count         = var.kms_master_key_id == null ? 1 : 0
+  name          = "alias/${local.queue_name}-sqs"
+  target_key_id = aws_kms_key.sqs[0].key_id
 }
 
+########################
+# SQS QUEUE
+########################
 resource "aws_sqs_queue" "sqs_queue" {
   name                              = local.queue_name
   delay_seconds                     = var.delay_seconds
   max_message_size                  = var.max_message_size
   message_retention_seconds         = var.message_retention_seconds
   receive_wait_time_seconds         = var.receive_wait_time_seconds
-  tags                              = var.tags
-  fifo_queue                        = var.fifo_queue
-  content_based_deduplication       = var.content_based_deduplication
-  redrive_policy                    = var.redrive_policy
-  kms_master_key_id                 = var.kms_master_key_id
-  kms_data_key_reuse_period_seconds = var.kms_data_key_reuse_period_seconds
   visibility_timeout_seconds        = var.visibility_timeout_seconds
+
+  fifo_queue                  = var.fifo_queue
+  content_based_deduplication = var.content_based_deduplication
+  redrive_policy              = var.redrive_policy
+
+  kms_master_key_id                 = local.effective_kms_key_id
+  kms_data_key_reuse_period_seconds = var.kms_data_key_reuse_period_seconds
+
+  tags = var.tags
 }
 
-resource "aws_sqs_queue_policy" "sqs_queue" {
+########################
+# POLICY – VPC ENDPOINT
+########################
+resource "aws_sqs_queue_policy" "sqs_queue_vpce" {
   count = var.vpc_endpoint_name != null ? 1 : 0
 
   queue_url = aws_sqs_queue.sqs_queue.id
+
   policy = jsonencode({
     Version = "2012-10-17"
     Id      = join("-", [aws_sqs_queue.sqs_queue.name, "sqs-policy"])
@@ -63,11 +105,15 @@ resource "aws_sqs_queue_policy" "sqs_queue" {
   })
 }
 
-resource "aws_sqs_queue_policy" "sqs_queue_policy" {
+########################
+# POLICY – SNS TOPIC
+########################
+resource "aws_sqs_queue_policy" "sqs_queue_topic" {
   count = var.vpc_endpoint_name == null && var.topic_arn != null ? 1 : 0
 
   queue_url = aws_sqs_queue.sqs_queue.id
-  policy = jsonencode({
+
+ policy = jsonencode({
     Version = "2008-10-17",
     Id      = join("-", [aws_sqs_queue.sqs_queue.name, "sqs-policy"]),
     Statement = [
@@ -93,6 +139,9 @@ resource "aws_sqs_queue_policy" "sqs_queue_policy" {
   })
 }
 
+########################
+# IAM POLICY PARA ROLE
+########################
 data "aws_iam_policy_document" "sqs_queue" {
   count = var.role_name != null ? 1 : 0
 
@@ -125,10 +174,7 @@ data "aws_iam_policy_document" "sqs_queue" {
       condition {
         test     = "ArnEquals"
         variable = "aws:SourceArn"
-
-        values = [
-          var.topic_arn
-        ]
+        values   = [var.topic_arn]
       }
     }
   }