I'm trying to create an AWS CloudWatch rule that executes every minute to create a message in an SQS queue. When I use the Terraform script below, everything looks fine, but the SQS queue my_queue doesn't receive any messages.
When I update the rule my_trigger using the Amazon console, the messages are created in the SQS queue.
# AWS provider; every resource in this listing is created in eu-central-1.
provider "aws" {
  region = "eu-central-1"
}
# Standard (non-FIFO) queue "my_queue" that the scheduled rule should write to.
# NOTE(review): no encryption attribute (for example kms_master_key_id) is
# declared here, so at-rest protection of messages depends on defaults outside
# this listing -- confirm before putting sensitive payloads on the queue.
resource "aws_sqs_queue" "this_sqs_queue" {
  name                        = "my_queue"
  fifo_queue                  = "false"
  content_based_deduplication = "false" # only meaningful for FIFO queues
  visibility_timeout_seconds  = 30
  message_retention_seconds   = 345600 # 4 days
  max_message_size            = 262144 # 256 KiB
  receive_wait_time_seconds   = 0 # short polling
  delay_seconds               = 0
}
# Scheduled rule "my_trigger": a rate() expression fires it once per minute.
resource "aws_cloudwatch_event_rule" "cloudwatch_event_rule" {
  name                = "my_trigger"
  schedule_expression = "rate(1 minute)"
}
# Registers the queue as the target of the scheduled rule.
# NOTE(review): this only attaches the target. The queue also needs a resource
# policy that lets events.amazonaws.com call sqs:SendMessage; this listing
# defines none, which matches the symptom that the queue stays empty.
resource "aws_cloudwatch_event_target" "cloudwatch_event_target" {
  rule       = "${aws_cloudwatch_event_rule.cloudwatch_event_rule.name}"
  arn        = "${aws_sqs_queue.this_sqs_queue.arn}"
}
Any help is highly appreciated.
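You need to create the policy on the SQS queue. AWS does this for you automatically when you create or update the rule using the console. However, when using Terraform you need to create it explicitly. The policy below allows the CloudWatch Events service to send messages to the queue, and its condition restricts that permission to the my_trigger rule.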
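# Queue resource policy: lets the CloudWatch Events service principal
# (events.amazonaws.com) send messages to this queue, and nothing else.
#
# The aws:SourceArn condition is the important guard: the service principal is
# shared by every rule, so without it any rule that targets this queue's ARN
# could write to it. With it, only the rule defined in this configuration can.
#
# "Version" is stated explicitly; when it is omitted the document is evaluated
# under the older 2008-10-17 policy language.
resource "aws_sqs_queue_policy" "this_sqs_queue_policy" {
  queue_url = "${aws_sqs_queue.this_sqs_queue.id}"
  policy    = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "${aws_sqs_queue.this_sqs_queue.arn}",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "${aws_cloudwatch_event_rule.cloudwatch_event_rule.arn}"
        }
      }
    }
  ]
}
POLICY
}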