enable dead letter queue

Karthikeyannhs · Karthikeyannhs · commit d22e0e307284 · 2025-08-20T10:09:43.000+01:00
diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf
@@ -33,9 +33,14 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
     security_group_ids = var.security_group_ids
   }
 
+  dead_letter_config {
+    target_arn = aws_sqs_queue.lambda_dlq.arn
+  }
+
   tracing_config {
     mode = "Active"
   }
+
 }
 
 # provisioned concurrency - number of pre-warmed lambda containers
diff --git a/infrastructure/modules/lambda/sqs.tf b/infrastructure/modules/lambda/sqs.tf
@@ -0,0 +1,23 @@
+resource "aws_sqs_queue" "lambda_dlq" {
+  name = "${var.lambda_func_name}_dead_letter_queue"
+  kms_master_key_id = aws_kms_key.lambda_cmk.id
+  tags = var.tags
+}
+
+# sql policy attachment
+resource "aws_iam_role_policy" "lambda_sqs_send_inline" {
+  name = "LambdaSQSMessageSendPolicy"
+  role = var.eligibility_lambda_role_name
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid      = "AllowSQSSendMessage",
+        Effect   = "Allow",
+        Action   = ["sqs:SendMessage"],
+        Resource = aws_sqs_queue.lambda_dlq.arn
+      }
+    ]
+  })
+}
diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf
@@ -1,5 +1,10 @@
 variable "eligibility_lambda_role_arn" {
-  description = "lambda read role arn for dynamodb"
+  description = "lambda role arn"
+  type        = string
+}
+
+variable "eligibility_lambda_role_name" {
+  description = "lambda role name"
   type        = string
 }
 
diff --git a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
@@ -52,7 +52,10 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
 
       # X-Ray - Lambda tracing
       "xray:PutTraceSegments",
-      "xray:PutTelemetryRecords"
+      "xray:PutTelemetryRecords",
+
+      #SQS - message management
+      "sqs:SendMessage"
     ]
 
     resources = ["*"]
diff --git a/infrastructure/stacks/api-layer/lambda.tf b/infrastructure/stacks/api-layer/lambda.tf
@@ -13,6 +13,7 @@ data "aws_subnet" "private_subnets" {
 module "eligibility_signposting_lambda_function" {
   source                          = "../../modules/lambda"
   eligibility_lambda_role_arn     = aws_iam_role.eligibility_lambda_role.arn
+  eligibility_lambda_role_name    = aws_iam_role.eligibility_lambda_role.name
   workspace                       = local.workspace
   environment                     = var.environment
   lambda_func_name                = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api"
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -217,7 +217,10 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ssm:GetParameters",
       "ssm:ListTagsForResource",
       "ssm:PutParameter",
-      "ssm:AddTagsToResource"
+      "ssm:AddTagsToResource",
+
+      #SQS - message management
+      "sqs:SendMessage"
     ]
 
     resources = ["*"]

Original file line number	Diff line number	Diff line change
`@@ -33,9 +33,14 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {`
`33`	`33`	`security_group_ids = var.security_group_ids`
`34`	`34`	`}`
`35`	`35`
	`36`	`+ dead_letter_config {`
	`37`	`+ target_arn = aws_sqs_queue.lambda_dlq.arn`
	`38`	`+ }`
	`39`	`+`
`36`	`40`	`tracing_config {`
`37`	`41`	`mode = "Active"`
`38`	`42`	`}`
	`43`	`+`
`39`	`44`	`}`
`40`	`45`
`41`	`46`	`# provisioned concurrency - number of pre-warmed lambda containers`