Remove GetQueueAttributes from error queue policy (#11)

* Remove unnecessary GetQueueAttrs from err queue policy; allow custom stmts
* Terraform string escape rule warning - quotes in IAM/resource policies

Author: sqlxpert

README.md

@@ -11,6 +11,11 @@ reliable process, free of
 [race conditions](https://github.com/sqlxpert/stay-stopped-aws-rds-aurora#perspective)
 that might leave databases running without warning.
 
+Step-Stay-Stopped resolves Cloud Efficiency Hub reports
+[CER-0293: Automatic Restart of Stopped Aurora Clusters Causing Unintended Compute Charges](https://hub.pointfive.co/inefficiencies/automatic-restart-of-stopped-aurora-clusters-causing-unintended-compute-charges)
+and
+[CER-0097: No Lifecycle Management for Temporarily Stopped RDS Instances](https://hub.pointfive.co/inefficiencies/no-lifecycle-management-for-temporarily-stopped-rds-instances).
+
 Jump to:
 [Get Started](#get-started)
 •
@@ -78,7 +83,7 @@ or an
 
       ```terraform
       module "stay_stopped_rds" {
-        source = "git::https://github.com/sqlxpert/step-stay-stopped-aws-rds-aurora.git//terraform?ref=v2.2.0"
+        source = "git::https://github.com/sqlxpert/step-stay-stopped-aws-rds-aurora.git//terraform?ref=v2.3.0"
         # Reference a specific version from github.com/sqlxpert/step-stay-stopped-aws-rds-aurora/releases
       }
       ```
@@ -144,7 +149,7 @@ account) pair. To deploy in multiple regions and/or multiple AWS accounts,
 
       ```terraform
       module "stay_stopped_rds_stackset" {
-        source = "git::https://github.com/sqlxpert/step-stay-stopped-aws-rds-aurora.git//terraform-multi?ref=v2.2.0"
+        source = "git::https://github.com/sqlxpert/step-stay-stopped-aws-rds-aurora.git//terraform-multi?ref=v2.3.0"
         # Reference a specific version from github.com/sqlxpert/step-stay-stopped-aws-rds-aurora/releases
 
         stay_stopped_rds_stackset_regions = ["us-east-1", "us-west-2", ]
@@ -181,7 +186,7 @@ resemble:
 
 ```terraform
 module "stay_stopped_rds" {
-  source = "git::https://github.com/sqlxpert/step-stay-stopped-aws-rds-aurora.git//terraform?ref=v2.2.0"
+  source = "git::https://github.com/sqlxpert/step-stay-stopped-aws-rds-aurora.git//terraform?ref=v2.3.0"
   # Reference a specific version from github.com/sqlxpert/step-stay-stopped-aws-rds-aurora/releases
 
   for_each                = toset(["us-east-1", "us-west-2", ])
@@ -320,7 +325,7 @@ entirely at your own risk. You are encouraged to review the source code.
   stale events, if any.
 
 - Readable Identity and Access Management policies, formatted as CloudFormation
-  YAML rather than JSON (where permitted), and broken down into discrete
+  YAML rather than JSON (where possible), and broken down into discrete
   statements by service, resource or principal.
 
 ### Your Security Steps

cloudformation/step_stay_stopped_aws_rds_aurora.yaml

@@ -131,6 +131,16 @@ Parameters:
       primary key itself) must exist in every target region.
     Default: ""
 
+  ErrorQueueAdditionalPolicyStatements:
+    Type: String
+    Description: >-
+      Additional statements for the error queue policy. The least-privilege
+      default is the empty string. For each custom statement, including the
+      first or only one, specify a comma and a JSON object. You could allow
+      access from a central monitoring account, for example. See
+      https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html
+    Default: ''  # Values might contain double quotation marks!
+
   StepFnTaskTimeoutSeconds:
     Type: Number
     Description: >-
@@ -267,6 +277,7 @@ Metadata:
           - MessageRetentionPeriodSeconds
           - MaximumMessageSizeBytes
           - SqsKmsKey
+          - ErrorQueueAdditionalPolicyStatements
       - Label:
           default: AWS Step Function to stop databases
         Parameters:
@@ -307,6 +318,8 @@ Metadata:
         default: Maximum bytes in a message
       SqsKmsKey:
         default: KMS encryption key
+      ErrorQueueAdditionalPolicyStatements:
+        default: Additional error queue policy statements
       StepFnTaskTimeoutSeconds:
         default: Maximum seconds for an AWS request
       StepFnWaitSeconds:
@@ -602,42 +615,59 @@ Resources:
     Type: AWS::SQS::QueuePolicy
     Properties:
       Queues: [ !Ref ErrorQueue ]
-      PolicyDocument:
-        Version: "2012-10-17"
-        Statement:
-          - Sid: RequireTls
-            Effect: Deny
-            Principal: "*"
-            Action: sqs:*
-            Resource: "*"
-            Condition:
-              Bool: { aws:SecureTransport: "false" }
-          - Effect: Allow
-            Principal: "*"
-            Action: sqs:GetQueueAttributes
-            Resource: "*"
-          - Sid:
-              Fn::If:
-                - SqsKmsKeyCustom
-                - SourceEventRulesNoteKeyPolicyNeedsEventBridgeSqsKmsEncrypt
-                - SourceEventRules
-            Effect: Allow
-            Principal: { Service: events.amazonaws.com }
-            Action: sqs:SendMessage
-            Resource: "*"
-            Condition:
-              ArnEquals:
-                "aws:SourceArn":
-                  - !GetAtt DbForcedStartToStepFnRule.Arn
-          - Sid: ExclusiveSources
-            Effect: Deny
-            Principal: "*"
-            Action: sqs:SendMessage
-            Resource: "*"
-            Condition:
-              ArnNotEquals:
-                "aws:SourceArn":
-                  - !GetAtt DbForcedStartToStepFnRule.Arn
+      # Using YAML makes a policy easier to read, but we need to support
+      # insertion of custom JSON from ErrorQueueAdditionalPolicyStatements .
+      PolicyDocument: !Sub
+        - >-
+          {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Sid": "RequireTls",
+                "Effect": "Deny",
+                "Principal": "*",
+                "Action": "sqs:*",
+                "Resource": "*",
+                "Condition": {
+                  "Bool": {
+                    "aws:SecureTransport": "false"
+                  }
+                }
+              },
+              {
+                "Sid": "${SourceEventRulesSid}",
+                "Effect": "Allow",
+                "Principal": {
+                  "Service": "events.amazonaws.com"
+                },
+                "Action": "sqs:SendMessage",
+                "Resource": "*",
+                "Condition": {
+                  "ArnEquals": {
+                    "aws:SourceArn": "${DbForcedStartToStepFnRule.Arn}"
+                  }
+                }
+              },
+              {
+                "Sid": "ExclusiveSources",
+                "Effect": "Deny",
+                "Principal": "*",
+                "Action": "sqs:SendMessage",
+                "Resource": "*",
+                "Condition": {
+                  "ArnNotEquals": {
+                    "aws:SourceArn": "${DbForcedStartToStepFnRule.Arn}"
+                  }
+                }
+              }
+              ${ErrorQueueAdditionalPolicyStatements}
+            ]
+          }
+        -
+          SourceEventRulesSid: !If
+            - SqsKmsKeyCustom
+            - SourceEventRulesNoteKeyPolicyNeedsEventBridgeSqsKmsEncrypt
+            - SourceEventRules
 
   # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Events.Messages.html#USER_Events.Messages.cluster
   # - RDS-EVENT-0153 "DB cluster is being started due to it exceeding the

terraform-multi/variables.tf

@@ -58,6 +58,8 @@ variable "stay_stopped_rds_stackset_params" {
     SqsKmsKey                       = optional(string, "")
     CloudWatchLogsKmsKey            = optional(string, "")
 
+    ErrorQueueAdditionalPolicyStatements = optional(string, "")
+
     StepFnTaskTimeoutSeconds = optional(number, 30)
     StepFnWaitSeconds        = optional(number, 540)
     StepFnTimeoutSeconds     = optional(number, 86400)
@@ -79,7 +81,7 @@ variable "stay_stopped_rds_stackset_params" {
     # aws_cloudformation_stack_set.lifecycle.ignore_changes
   })
 
-  description = "Step Stay-Stopped CloudFormation StackSet parameter map. Keys, all optional, are parameter names from cloudformation/step_stay_stopped_aws_rds_aurora.yaml ; parameters are described there. CloudFormation and Terraform data types match, except for Boolean parameters. Terraform converts bool values to CloudFormation String values automatically. In the StackSet, Test is always ignored and set to false , to prevent unintended use in production."
+  description = "Step Stay-Stopped CloudFormation StackSet parameter map. Keys, all optional, are parameter names from cloudformation/step_stay_stopped_aws_rds_aurora.yaml ; parameters are described there. CloudFormation and Terraform data types match, except for Boolean parameters. Terraform converts bool values to CloudFormation String values automatically. In the StackSet, Test is always ignored and set to false , to prevent unintended use in production. Follow Terraform string escape rules for double quotation marks, etc. inside ErrorQueueAdditionalPolicyStatements ."
 
   default = {}
 }

terraform/variables.tf

@@ -30,6 +30,8 @@ variable "stay_stopped_rds_params" {
     SqsKmsKey                       = optional(string, "")
     CloudWatchLogsKmsKey            = optional(string, "")
 
+    ErrorQueueAdditionalPolicyStatements = optional(string, "")
+
     StepFnTaskTimeoutSeconds = optional(number, 30)
     StepFnWaitSeconds        = optional(number, 540)
     StepFnTimeoutSeconds     = optional(number, 86400)
@@ -43,7 +45,7 @@ variable "stay_stopped_rds_params" {
     # Repeat defaults from cloudformation/step_stay_stopped_aws_rds_aurora.yaml
   })
 
-  description = "Step Stay-Stopped CloudFormation stack parameter map. Keys, all optional, are parameter names from cloudformation/step_stay_stopped_aws_rds_aurora.yaml ; parameters are described there. CloudFormation and Terraform data types match, except for Boolean parameters. Terraform converts bool values to CloudFormation String values automatically. Specifying a value other than the empty string for StepFnRoleAttachLocalPolicyName , StepFnKmsKey , SqsKmsKey or CloudWatchLogsKmsKey causes Terraform to look up the resource, which must exist."
+  description = "Step Stay-Stopped CloudFormation stack parameter map. Keys, all optional, are parameter names from cloudformation/step_stay_stopped_aws_rds_aurora.yaml ; parameters are described there. CloudFormation and Terraform data types match, except for Boolean parameters. Terraform converts bool values to CloudFormation String values automatically. Specifying a value other than the empty string for StepFnRoleAttachLocalPolicyName , StepFnKmsKey , SqsKmsKey or CloudWatchLogsKmsKey causes Terraform to look up the resource, which must exist. Follow Terraform string escape rules for double quotation marks, etc. inside ErrorQueueAdditionalPolicyStatements ."
 
   default = {}
 }