特定のキュー (Amazon SQS) にしかアクセスできない IAM ポリシーを Terraform で作成したメモです。
$ aws sqs get-queue-url --queue-name accessible-queue
{
"QueueUrl": "https://ap-northeast-1.queue.amazonaws.com/${AccountID}/accessible-queue"
}
$ aws sqs get-queue-url --queue-name inaccessible-queue
An error occurred (AWS.SimpleQueueService.NonExistentQueue) when calling the GetQueueUrl operation: The specified queue does not exist or you do not have access to it.
main.tf
########################
## AWS Provider
########################
provider "aws" {
  # Tokyo region; the queue URL in the sample output at the top of the page
  # is in the same region.
  region = "ap-northeast-1"

  # Static credentials taken from locals (defined elsewhere, not shown here).
  # Values placed in locals are plain text in the configuration and in the
  # plan, so outside a throwaway experiment prefer the `profile` argument or
  # the AWS_PROFILE / AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment
  # variables, which keep the secret out of the .tf files.
  access_key = local.access_key
  secret_key = local.secret_key
}
##############################################
# SQS
##############################################
# The queue the IAM user is allowed to reach; its ARN is the only resource
# listed in the policy document below.
resource "aws_sqs_queue" "accessible_queue" {
  name = "accessible-queue"
}
# Control queue: it is not referenced by the policy, so get-queue-url from the
# restricted user fails with NonExistentQueue (see the sample output above).
resource "aws_sqs_queue" "inaccessible_queue" {
  name = "inaccessible-queue"
}
##############################################
# IAM User
##############################################
# The restricted IAM user. No access key is created in this file, so the
# credentials used for the aws sqs commands at the top of the page were
# presumably issued separately -- confirm before reusing this config.
resource "aws_iam_user" "user" {
  name = "user"
}
##############################################
# IAM Policy
##############################################
resource "aws_iam_policy" "policy" {
  # Customer-managed policy; its JSON body is rendered from the
  # aws_iam_policy_document data source declared below.
  policy = data.aws_iam_policy_document.policy_document.json
  name   = "sqs-policy"
}
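# Policy body attached to the user. The `resources` list is what confines the
# user to accessible-queue: only that queue's ARN is permitted.
data "aws_iam_policy_document" "policy_document" {
  statement {
    sid = "Sid"

    # NOTE(review): "sqs:*" on this ARN is not only send/receive -- it also
    # grants queue-management actions on the same queue such as
    # sqs:DeleteQueue, sqs:SetQueueAttributes and sqs:AddPermission.
    # For least privilege, narrow this to the data-plane actions the user
    # actually needs (e.g. sqs:SendMessage, sqs:ReceiveMessage,
    # sqs:DeleteMessage, sqs:GetQueueUrl, sqs:GetQueueAttributes).
    actions = [
      "sqs:*",
    ]

    # Actions that do not support resource-level permissions (sqs:ListQueues)
    # are not granted here, because no "*" resource is listed.
    resources = [
      # Bare reference instead of the legacy "${...}" interpolation-only
      # string, which Terraform 0.12+ reports as deprecated. The value is
      # identical; the rest of this file already uses bare references.
      aws_sqs_queue.accessible_queue.arn,
    ]
  }
}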
resource "aws_iam_user_policy_attachment" "policy_attachment" {
  # Binds sqs-policy to the IAM user created above.
  policy_arn = aws_iam_policy.policy.arn
  user       = aws_iam_user.user.name
}