AWS CloudWatch 事件触发 SQS - 不工作

Question

我确实使用 Terraform 设置了一个 AWS SQS 队列。有一些订阅者在 AWS ECS 上运行。我的计划是使用 cron 表达式设置 CloudWatch 规则，它会定期将消息发送到 SQS 队列。 SQS 队列如下所示：

resource "aws_sqs_queue" "main-queue-fifo" {
  name                        = join("-", [var.environment, "main", "queue.fifo"])
  fifo_queue                  = true
  content_based_deduplication = true
  delay_seconds               = 0
  max_message_size            = 51200  # 50 kb
  message_retention_seconds   = 345600 # 4 days
  receive_wait_time_seconds   = 10
  visibility_timeout_seconds  = 180

  tags = {
    Environment = var.environment
  }
}

AWS CloudWatch 规则 + 目标如下所示：

resource "aws_cloudwatch_event_rule" "sqs_cn_overdue_reminder" {
  name                = join("-", [var.environment, "sqs-cn-overdue-reminder-rule"]) 
  description         = "Remind organisation to pay overdue credit notes"
  schedule_expression = "cron(0 11 ? * MON-FRI *)" # Monday to Friday 11:00
}

resource "aws_cloudwatch_event_target" "sqs_cn_overdue_reminder" {
  target_id = join("-", [var.environment, "sqs-cn-overdue-reminder-target"])
  arn       = aws_sqs_queue.main-queue-fifo.arn
  input     = jsonencode({"event": "cn_overdue_reminder"})
  rule      = aws_cloudwatch_event_rule.sqs_cn_overdue_reminder.name
  sqs_target {
    message_group_id = "main"
  }
}

问题是消息永远不会到达 SQS 队列。在规则指标中，我可以看到调用已触发，但失败了。但我不明白为什么调用失败。有人知道调用失败的原因吗？

Answer 1

经过几个小时的研究，我发现调用失败是因为 CloudWatch 没有访问 SQS 队列的权限。 SQS 队列可以有一个可选的访问策略。在我添加如下示例中的访问策略后，它运行良好。

resource "aws_sqs_queue_policy" "main-queue-fifo-policy" {
  queue_url = aws_sqs_queue.main-queue-fifo.id
  policy = data.aws_iam_policy_document.main-queue-policy-doc.json
}

data "aws_iam_policy_document" "main-queue-policy-doc" {
  statement {
    effect  = "Allow"
    actions = ["sqs:SendMessage"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    resources = [aws_sqs_queue.main-queue-fifo.arn]
  }
}