Skip to content

CUMULUS-4416 adding sqs cross-account #4194

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
etcart wants to merge 1 commit into
base: master
Choose a base branch
from
Open

CUMULUS-4416 adding sqs cross-account #4194

etcart wants to merge 1 commit into from

Conversation

@etcart
Copy link
Contributor

@etcart etcart commented Jan 2, 2026
edited
Loading

Summary: Summary of changes

Addresses CUMULUS-4416: Develop amazing new feature

Changes

  • add lambda iam permission to access any sqs

PR Checklist

  • Update CHANGELOG
  • Unit tests
  • Ad-hoc testing - Deploy changes and test manually
  • Integration tests

📝 Note:
For most pull requests, please Squash and merge to maintain a clean and readable commit history.

Jkovarik
Jkovarik reviewed Jan 6, 2026
View reviewed changes
tf-modules/cumulus/iam.tf
"states:SendTaskSuccess",
"states:StartExecution",
"states:StopExecution"
"states:StopExecution",
Copy link
Member

@Jkovarik Jkovarik Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should consider carefully if we want expanding the '*' resource. Generally we should be working to reduce wide-open perms as much as possible to reduce potential blast-radius.

Is there a sane way to limit scope/configure this, particularly with an eye to production?

Copy link
Contributor Author

@etcart etcart Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the problem is two fold:
#1 I would need to know the account ID in this place in order to update this permission to point at the "correct" sqs queue
#2 I would need to know the sqs queue itself. I can't point it at a queue named the same, because one queue can't point at multiple lambda functions. I need to create a new sqs queue in the daac legacy environment which ingest can be switched over to, and I need to somehow know that here

a big part of all of this is how we play well with cirrus, and this part is making me regret dealing with cirrus as it puts all of that configuration somewhere else.

Jkovarik
Jkovarik reviewed Jan 6, 2026
View reviewed changes
CHANGELOG.md
### Changes

- **CUMULUS-4416**
- sqs permissions granted to "\*" instead of "\<account\>/\*"
Copy link
Member

@Jkovarik Jkovarik Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please include (either in PR or here) justification for the change

Jkovarik
Jkovarik requested changes Jan 6, 2026
View reviewed changes
Copy link
Member

@Jkovarik Jkovarik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@etcart just a couple of comments, let me know what you think!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jkovarik Jkovarik Jkovarik requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

pr feedback

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@etcart @Jkovarik