Fix/tr/nops 195/sqs sender role assumption (#134)

theodorehreuter · web-flow · commit 4213d25011f2 · 2025-04-24T10:01:00.000-04:00
diff --git a/modules/stac-server/ingest.tf b/modules/stac-server/ingest.tf
@@ -1,3 +1,13 @@
+locals {
+  role_arns = [for item in var.additional_ingest_sqs_senders_arns : item if length(regexall("^arn:[a-z-]+:iam::\\d{12}:role", item)) > 0]
+
+  non_role_arns = concat(
+    [aws_sns_topic.stac_server_ingest_sns_topic.arn],
+    var.ingest_sns_topic_arns,
+    [for item in var.additional_ingest_sqs_senders_arns : item if !contains(local.role_arns, item)]
+  )
+}
+
 resource "aws_lambda_function" "stac_server_ingest" {
   filename                       = local.resolved_ingest_lambda_zip_filepath
   function_name                  = "${local.name_prefix}-stac-server-ingest"
@@ -72,6 +82,8 @@ resource "aws_sqs_queue_policy" "stac_server_ingest_sqs_queue_policy" {
 }
 
 data "aws_iam_policy_document" "stac_server_ingest_sqs_policy" {
+
+  # SNS + non-roles
   statement {
     effect = "Allow"
 
@@ -80,19 +92,29 @@ data "aws_iam_policy_document" "stac_server_ingest_sqs_policy" {
       identifiers = ["*"]
     }
 
-    actions = [
-      "sqs:SendMessage"
-    ]
-
-    resources = [
-      aws_sqs_queue.stac_server_ingest_sqs_queue.arn,
-    ]
+    actions   = ["sqs:SendMessage"]
+    resources = [aws_sqs_queue.stac_server_ingest_sqs_queue.arn]
 
     condition {
       test     = "ArnEquals"
       variable = "aws:SourceArn"
+      values   = local.non_role_arns
+    }
+  }
+
+  # handle roles - both directly used or assumed by STS
+  dynamic "statement" {
+    for_each = length(local.role_arns) > 0 ? [1] : []
+    content {
+      effect = "Allow"
+
+      principals {
+        type        = "AWS"
+        identifiers = local.role_arns
+      }
 
-      values = concat([aws_sns_topic.stac_server_ingest_sns_topic.arn], var.ingest_sns_topic_arns, var.additional_ingest_sqs_senders_arns)
+      actions   = ["sqs:SendMessage"]
+      resources = [aws_sqs_queue.stac_server_ingest_sqs_queue.arn]
     }
   }
 }
diff --git a/modules/stac-server/inputs.tf b/modules/stac-server/inputs.tf
@@ -380,6 +380,7 @@ variable "additional_ingest_sqs_senders_arns" {
   description = "List of additional principals to grant access to send to the Ingest SQS. This is required to allow STAC API SNS notifications (e.g. earth search's ingest SNS topic) to be able to publish SQS ingest messages to our stac-server for indexing."
   type        = list(string)
   default     = []
+  nullable    = false
 }
 
 variable "project_name" {

Original file line number	Diff line number	Diff line change
`@@ -380,6 +380,7 @@ variable "additional_ingest_sqs_senders_arns" {`
`380`	`380`	`description = "List of additional principals to grant access to send to the Ingest SQS. This is required to allow STAC API SNS notifications (e.g. earth search's ingest SNS topic) to be able to publish SQS ingest messages to our stac-server for indexing."`
`381`	`381`	`type = list(string)`
`382`	`382`	`default = []`
	`383`	`+ nullable = false`
`383`	`384`	`}`
`384`	`385`
`385`	`386`	`variable "project_name" {`