queue permissions

nhsd-david-wass · nhsd-david-wass · commit d1caf750a4b1 · 2026-02-13T09:57:13.000Z
diff --git a/infrastructure/terraform/components/api/module_lambda_supplier_allocator.tf b/infrastructure/terraform/components/api/module_lambda_supplier_allocator.tf
@@ -15,7 +15,7 @@ module "supplier_allocator" {
   kms_key_arn           = module.kms.key_arn
 
   iam_policy_document = {
-    body = data.aws_iam_policy_document.sqs_supplier_allocator_lambda.json
+    body = data.aws_iam_policy_document.supplier_allocator_lambda.json
   }
 
   function_s3_bucket      = local.acct.s3_buckets["lambda_function_artefacts"]["id"]
@@ -40,7 +40,7 @@ module "supplier_allocator" {
   })
 }
 
-data "aws_iam_policy_document" "sqs_supplier_allocator_lambda" {
+data "aws_iam_policy_document" "supplier_allocator_lambda" {
   statement {
     sid    = "KMSPermissions"
     effect = "Allow"
diff --git a/infrastructure/terraform/components/api/module_sqs_supplier_allocator.tf b/infrastructure/terraform/components/api/module_sqs_supplier_allocator.tf
@@ -12,5 +12,60 @@ module "sqs_supplier_allocator" {
 
   visibility_timeout_seconds = 60
 
-  create_dlq = true
+  create_dlq          = true
+  sqs_policy_overload = data.aws_iam_policy_document.supplier_allocator_queue_policy.json
+}
+
+data "aws_iam_policy_document" "supplier_allocator_queue_policy" {
+  version = "2012-10-17"
+  statement {
+    sid    = "AllowSNSToSendMessage"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["sns.amazonaws.com"]
+    }
+
+    actions = [
+      "sqs:SendMessage"
+    ]
+
+    resources = [
+      "arn:aws:sqs:${var.region}:${var.aws_account_id}:${var.project}-${var.environment}-${var.component}-supplier-allocator-queue"
+    ]
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [module.eventsub.sns_topic.arn]
+    }
+  }
+
+  statement {
+    sid    = "AllowSNSPermissions"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["sns.amazonaws.com"]
+    }
+
+    actions = [
+      "sqs:SendMessage",
+      "sqs:ListQueueTags",
+      "sqs:GetQueueUrl",
+      "sqs:GetQueueAttributes",
+    ]
+
+    resources = [
+      "arn:aws:sqs:${var.region}:${var.aws_account_id}:${var.project}-${var.environment}-${var.component}-supplier-allocator-queue"
+    ]
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [module.eventsub.sns_topic.arn]
+    }
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ module "supplier_allocator" {`
`15`	`15`	`kms_key_arn = module.kms.key_arn`
`16`	`16`
`17`	`17`	`iam_policy_document = {`
`18`		`- body = data.aws_iam_policy_document.sqs_supplier_allocator_lambda.json`
	`18`	`+ body = data.aws_iam_policy_document.supplier_allocator_lambda.json`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`function_s3_bucket = local.acct.s3_buckets["lambda_function_artefacts"]["id"]`
`@@ -40,7 +40,7 @@ module "supplier_allocator" {`
`40`	`40`	`})`
`41`	`41`	`}`
`42`	`42`
`43`		`-data "aws_iam_policy_document" "sqs_supplier_allocator_lambda" {`
	`43`	`+data "aws_iam_policy_document" "supplier_allocator_lambda" {`
`44`	`44`	`statement {`
`45`	`45`	`sid = "KMSPermissions"`
`46`	`46`	`effect = "Allow"`