fix(export): use attribute substitution for reserved keywords

in DynamoDB

feat(terraform): Add new method for subscribing SQS to multiple SNS

Need to be able to update the SQS access policy to allow two ARNs;
creating subscriptions with existing method results with the policy
being chosen randomly since only one can be applied to a queue.

Since we are already using the wrapped helper stacks, just make
a new one. Alternatively just write it all manually.

Author: kschelonka

infrastructure/account-data-deleter/src/main.ts

@@ -21,7 +21,7 @@ import { provider as localProvider } from '@cdktf/provider-local';
 import { provider as nullProvider } from '@cdktf/provider-null';
 import {
   ApplicationSQSQueue,
-  ApplicationSqsSnsTopicSubscription,
+  ApplicationSqsSnsTopicsSubscription,
   PocketVPC,
   ApplicationDynamoDBTable,
   ApplicationDynamoDBTableCapacityMode,
@@ -135,33 +135,32 @@ class AccountDataDeleter extends TerraformStack {
       },
     );
 
-    new ApplicationSqsSnsTopicSubscription(
+    new ApplicationSqsSnsTopicsSubscription(
       this,
       'list-events-sns-subscription',
       {
-        name: `${config.envVars.exportRequestQueueName}-SNS`,
-        snsTopicArn: `arn:aws:sns:${pocketVpc.region}:${pocketVpc.accountId}:${config.lambda.snsTopicName.listEvents}`,
+        name: `${config.envVars.exportRequestQueueName}-subs`,
         sqsQueue: exportRequestQueue.sqsQueue,
-        filterPolicyScope: 'MessageBody',
-        filterPolicy: JSON.stringify({
-          'detail-type': ['list-export-requested'],
-        }),
-        tags: config.tags,
-      },
-    );
-
-    // Forward status updates on export components (shareable list, list, annotations)
-    new ApplicationSqsSnsTopicSubscription(
-      this,
-      'export-status-events-sns-subscription',
-      {
-        name: `${config.envVars.exportRequestQueueName}-Status-SNS`,
-        snsTopicArn: `arn:aws:sns:${pocketVpc.region}:${pocketVpc.accountId}:${config.lambda.snsTopicName.exportUpdateEvents}`,
-        sqsQueue: exportRequestQueue.sqsQueue,
-        filterPolicyScope: 'MessageBody',
-        filterPolicy: JSON.stringify({
-          'detail-type': ['export-part-complete'],
-        }),
+        subscriptions: [
+          // Forward initial export request from list topic
+          {
+            name: `${config.envVars.exportRequestQueueName}-SNS`,
+            snsTopicArn: `arn:aws:sns:${pocketVpc.region}:${pocketVpc.accountId}:${config.lambda.snsTopicName.listEvents}`,
+            filterPolicyScope: 'MessageBody',
+            filterPolicy: JSON.stringify({
+              'detail-type': ['list-export-requested'],
+            }),
+          },
+          // Forward status updates on export components (shareable list, list, annotations)
+          {
+            name: `${config.envVars.exportRequestQueueName}-Status-SNS`,
+            snsTopicArn: `arn:aws:sns:${pocketVpc.region}:${pocketVpc.accountId}:${config.lambda.snsTopicName.exportUpdateEvents}`,
+            filterPolicyScope: 'MessageBody',
+            filterPolicy: JSON.stringify({
+              'detail-type': ['export-part-complete'],
+            }),
+          },
+        ],
         tags: config.tags,
       },
     );

packages/terraform-modules/src/base/ApplicationSqsSnsTopicsSubscription.spec.ts

@@ -0,0 +1,63 @@
+import { sqsQueue } from '@cdktf/provider-aws';
+import { Testing } from 'cdktf';
+import { ApplicationSqsSnsTopicsSubscription } from './ApplicationSqsSnsTopicsSubscription.ts';
+
+describe('ApplicationSqsSnsTopicSubscription', () => {
+  const getConfig = (stack) => ({
+    name: 'test-sns-subscription',
+    subscriptions: [
+      { name: 'TopicName', snsTopicArn: 'arn:aws:sns:TopicName' },
+      { name: 'TopicSub2', snsTopicArn: 'arn:aws:sns:AnotherTopic' },
+    ],
+    sqsQueue: new sqsQueue.SqsQueue(stack, 'sqs', {
+      name: 'test-sqs',
+    }),
+  });
+
+  const getConfigWithDlq = (stack) => ({
+    name: 'test-sns-subscription',
+    subscriptions: [
+      {
+        snsTopicArn: 'arn:aws:sns:TopicName',
+        name: 'TopicSub',
+        snsDlq: new sqsQueue.SqsQueue(stack, 'dlq', {
+          name: 'test-sqs-dlq',
+        }),
+      },
+    ],
+    sqsQueue: new sqsQueue.SqsQueue(stack, 'sqs', {
+      name: 'test-sqs',
+    }),
+  });
+
+  it('renders an SQS SNS subscription without tags', () => {
+    const synthed = Testing.synthScope((stack) => {
+      new ApplicationSqsSnsTopicsSubscription(
+        stack,
+        'sqs-sns-subscription',
+        getConfig(stack),
+      );
+    });
+    expect(synthed).toMatchSnapshot();
+  });
+
+  it('renders an SQS SNS subscription with tags', () => {
+    const synthed = Testing.synthScope((stack) => {
+      new ApplicationSqsSnsTopicsSubscription(stack, 'sqs-sns-subscription', {
+        ...getConfig(stack),
+        tags: { hello: 'there' },
+      });
+    });
+    expect(synthed).toMatchSnapshot();
+  });
+
+  it('renders an SQS SNS subscription with dlq passed', () => {
+    const synthed = Testing.synthScope((stack) => {
+      new ApplicationSqsSnsTopicsSubscription(stack, 'sqs-sns-subscription', {
+        ...getConfigWithDlq(stack),
+        tags: { hello: 'there' },
+      });
+    });
+    expect(synthed).toMatchSnapshot();
+  });
+});

packages/terraform-modules/src/base/ApplicationSqsSnsTopicsSubscription.ts

@@ -0,0 +1,191 @@
+import {
+  dataAwsIamPolicyDocument,
+  snsTopicSubscription,
+  sqsQueue,
+  sqsQueuePolicy,
+  dataAwsSqsQueue,
+} from '@cdktf/provider-aws';
+import { type SnsTopicSubscriptionConfig } from '@cdktf/provider-aws/lib/sns-topic-subscription';
+import { TerraformMetaArguments, TerraformResource } from 'cdktf';
+import { Construct } from 'constructs';
+
+export interface SnsSqsSubscriptionProps {
+  name: string;
+  snsTopicArn: string;
+  snsDlq?: sqsQueue.SqsQueue;
+  filterPolicy?: SnsTopicSubscriptionConfig['filterPolicy'];
+  filterPolicyScope?: SnsTopicSubscriptionConfig['filterPolicyScope'];
+}
+
+export interface ApplicationSqsSnsTopicsSubscriptionProps
+  extends TerraformMetaArguments {
+  subscriptions: SnsSqsSubscriptionProps[];
+  name: string;
+  sqsQueue: sqsQueue.SqsQueue | dataAwsSqsQueue.DataAwsSqsQueue;
+  tags?: { [key: string]: string };
+  dependsOn?: TerraformResource[];
+}
+
+/**
+ * Creates an SNS to SQS subscription, allowing an SQS queue to
+ * subscribe to multiple topics (in the rare case where this pattern
+ * is useful)
+ */
+export class ApplicationSqsSnsTopicsSubscription extends Construct {
+  public readonly snsTopicSubscriptions: snsTopicSubscription.SnsTopicSubscription[];
+
+  constructor(
+    scope: Construct,
+    name: string,
+    private config: ApplicationSqsSnsTopicsSubscriptionProps,
+  ) {
+    super(scope, name);
+    const subscriptions = config.subscriptions.map((sub) => ({
+      ...sub,
+      snsDlq: sub.snsDlq ?? this.createSqsSubscriptionDlq(sub.name),
+    }));
+    this.snsTopicSubscriptions = subscriptions.map((sub) => {
+      return this.createSnsTopicSubscription(sub);
+    });
+    this.createPoliciesForSnsToSQS(subscriptions);
+  }
+
+  /**
+   * Create a dead-letter queue for failed SNS messages
+   * @private
+   */
+  private createSqsSubscriptionDlq(name: string): sqsQueue.SqsQueue {
+    return new sqsQueue.SqsQueue(this, `${name}-sns-topic-dql`, {
+      name: `${name}-SNS-Topic-DLQ`,
+      tags: this.config.tags,
+      provider: this.config.provider,
+    });
+  }
+
+  /**
+   * Create an SNS subscription for SQS
+   * @param snsTopicDlq
+   * @private
+   */
+  private createSnsTopicSubscription(
+    properties: Omit<SnsSqsSubscriptionProps, 'snsDlq'> & {
+      snsDlq: sqsQueue.SqsQueue;
+    },
+  ): snsTopicSubscription.SnsTopicSubscription {
+    return new snsTopicSubscription.SnsTopicSubscription(
+      this,
+      `${properties.name}-sns-subscription`,
+      {
+        topicArn: properties.snsTopicArn,
+        protocol: 'sqs',
+        endpoint: this.config.sqsQueue.arn,
+        redrivePolicy: JSON.stringify({
+          deadLetterTargetArn: properties.snsDlq.arn,
+        }),
+        filterPolicy: properties.filterPolicy,
+        filterPolicyScope: properties.filterPolicyScope,
+        dependsOn: [
+          properties.snsDlq,
+          ...(this.config.dependsOn ? this.config.dependsOn : []),
+        ],
+        provider: this.config.provider,
+      } as snsTopicSubscription.SnsTopicSubscriptionConfig,
+    );
+  }
+
+  /**
+   * Create IAM policies to allow SNS to write to the target SQS queue and a
+   * dead-letter queue
+   * @param snsTopicDlq
+   * @private
+   */
+  private createPoliciesForSnsToSQS(
+    subscriptions: Array<
+      Omit<SnsSqsSubscriptionProps, 'snsDlq'> & {
+        snsDlq: sqsQueue.SqsQueue;
+      }
+    >,
+  ): void {
+    // Make DLQ policies first since they are separate
+    subscriptions.forEach((sub) => {
+      const policy = new dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
+        this,
+        `${sub.name}-sns-dlq-policy-document`,
+        {
+          statement: [
+            {
+              effect: 'Allow',
+              actions: ['sqs:SendMessage'],
+              resources: [sub.snsDlq.arn],
+              principals: [
+                {
+                  identifiers: ['sns.amazonaws.com'],
+                  type: 'Service',
+                },
+              ],
+              condition: [
+                {
+                  test: 'ArnEquals',
+                  variable: 'aws:SourceArn',
+                  values: [sub.snsTopicArn],
+                },
+              ],
+            },
+          ],
+          dependsOn: [sub.snsDlq] as TerraformResource[],
+          provider: this.config.provider,
+        },
+      ).json;
+
+      return new sqsQueuePolicy.SqsQueuePolicy(
+        this,
+        `${sub.name}-sns-dlq-policy`,
+        {
+          queueUrl: sub.snsDlq.url,
+          policy: policy,
+          provider: this.config.provider,
+        },
+      );
+    });
+
+    const queuePolicyDoc =
+      new dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
+        this,
+        `${this.config.name}-sns-sqs-policy-document`,
+        {
+          statement: [
+            {
+              effect: 'Allow',
+              actions: ['sqs:SendMessage'],
+              resources: [this.config.sqsQueue.arn],
+              principals: [
+                {
+                  identifiers: ['sns.amazonaws.com'],
+                  type: 'Service',
+                },
+              ],
+              condition: [
+                {
+                  test: 'ArnEquals',
+                  variable: 'aws:SourceArn',
+                  values: subscriptions.map((sub) => sub.snsTopicArn),
+                },
+              ],
+            },
+          ],
+          dependsOn: [this.config.sqsQueue] as TerraformResource[],
+          provider: this.config.provider,
+        },
+      ).json;
+
+    new sqsQueuePolicy.SqsQueuePolicy(
+      this,
+      `${this.config.name}-sns-sqs-policy`,
+      {
+        queueUrl: this.config.sqsQueue.url,
+        policy: queuePolicyDoc,
+        provider: this.config.provider,
+      },
+    );
+  }
+}