add support for customizing dlq fifo throughput limit

aditmeno · aditmeno · commit e2bacaeb12ca · 2025-03-08T22:37:04.000+01:00
Signed-off-by: Aditya Menon &lt;amenon@canarytechnologies.com&gt;
diff --git a/README.md b/README.md
@@ -211,6 +211,7 @@ No modules.
 | <a name="input_dlq_content_based_deduplication"></a> [dlq\_content\_based\_deduplication](#input\_dlq\_content\_based\_deduplication) | Enables content-based deduplication for FIFO queues | `bool` | `null` | no |
 | <a name="input_dlq_deduplication_scope"></a> [dlq\_deduplication\_scope](#input\_dlq\_deduplication\_scope) | Specifies whether message deduplication occurs at the message group or queue level | `string` | `null` | no |
 | <a name="input_dlq_delay_seconds"></a> [dlq\_delay\_seconds](#input\_dlq\_delay\_seconds) | The time in seconds that the delivery of all messages in the queue will be delayed. An integer from 0 to 900 (15 minutes) | `number` | `null` | no |
+| <a name="input_dlq_fifo_throughput_limit"></a> [dlq\_fifo\_throughput\_limit](#input\_dlq\_fifo\_throughput\_limit) | Specifies whether the Dead Letter Queue FIFO queue throughput quota applies to the entire queue or per message group | `string` | `null` | no |
 | <a name="input_dlq_kms_data_key_reuse_period_seconds"></a> [dlq\_kms\_data\_key\_reuse\_period\_seconds](#input\_dlq\_kms\_data\_key\_reuse\_period\_seconds) | The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours) | `number` | `null` | no |
 | <a name="input_dlq_kms_master_key_id"></a> [dlq\_kms\_master\_key\_id](#input\_dlq\_kms\_master\_key\_id) | The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK | `string` | `null` | no |
 | <a name="input_dlq_message_retention_seconds"></a> [dlq\_message\_retention\_seconds](#input\_dlq\_message\_retention\_seconds) | The number of seconds Amazon SQS retains a message. Integer representing seconds, from 60 (1 minute) to 1209600 (14 days) | `number` | `null` | no |
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -45,6 +45,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="module_disabled_sqs"></a> [disabled\_sqs](#module\_disabled\_sqs) | ../../ | n/a |
 | <a name="module_fifo_sqs"></a> [fifo\_sqs](#module\_fifo\_sqs) | ../../ | n/a |
 | <a name="module_sqs_with_dlq"></a> [sqs\_with\_dlq](#module\_sqs\_with\_dlq) | ../../ | n/a |
+| <a name="module_sqs_with_fifo_dlq"></a> [sqs\_with\_fifo\_dlq](#module\_sqs\_with\_fifo\_dlq) | ../../ | n/a |
 | <a name="module_sse_encrypted_dlq_sqs"></a> [sse\_encrypted\_dlq\_sqs](#module\_sse\_encrypted\_dlq\_sqs) | ../../ | n/a |
 | <a name="module_sse_encrypted_sqs"></a> [sse\_encrypted\_sqs](#module\_sse\_encrypted\_sqs) | ../../ | n/a |
 | <a name="module_unencrypted_sqs"></a> [unencrypted\_sqs](#module\_unencrypted\_sqs) | ../../ | n/a |
@@ -104,6 +105,14 @@ No inputs.
 | <a name="output_sqs_with_dlq_queue_id"></a> [sqs\_with\_dlq\_queue\_id](#output\_sqs\_with\_dlq\_queue\_id) | The URL for the created Amazon SQS queue |
 | <a name="output_sqs_with_dlq_queue_name"></a> [sqs\_with\_dlq\_queue\_name](#output\_sqs\_with\_dlq\_queue\_name) | The name of the SQS queue |
 | <a name="output_sqs_with_dlq_queue_url"></a> [sqs\_with\_dlq\_queue\_url](#output\_sqs\_with\_dlq\_queue\_url) | Same as `queue_id`: The URL for the created Amazon SQS queue |
+| <a name="output_sqs_with_fifo_dlq_dlq_arn"></a> [sqs\_with\_fifo\_dlq\_dlq\_arn](#output\_sqs\_with\_fifo\_dlq\_dlq\_arn) | The ARN of the SQS queue |
+| <a name="output_sqs_with_fifo_dlq_dlq_id"></a> [sqs\_with\_fifo\_dlq\_dlq\_id](#output\_sqs\_with\_fifo\_dlq\_dlq\_id) | The URL for the created Amazon SQS queue |
+| <a name="output_sqs_with_fifo_dlq_dlq_name"></a> [sqs\_with\_fifo\_dlq\_dlq\_name](#output\_sqs\_with\_fifo\_dlq\_dlq\_name) | The name of the SQS queue |
+| <a name="output_sqs_with_fifo_dlq_dlq_url"></a> [sqs\_with\_fifo\_dlq\_dlq\_url](#output\_sqs\_with\_fifo\_dlq\_dlq\_url) | Same as `dead_letter_queue_id`: The URL for the created Amazon SQS queue |
+| <a name="output_sqs_with_fifo_dlq_queue_arn"></a> [sqs\_with\_fifo\_dlq\_queue\_arn](#output\_sqs\_with\_fifo\_dlq\_queue\_arn) | The ARN of the SQS queue |
+| <a name="output_sqs_with_fifo_dlq_queue_id"></a> [sqs\_with\_fifo\_dlq\_queue\_id](#output\_sqs\_with\_fifo\_dlq\_queue\_id) | The URL for the created Amazon SQS queue |
+| <a name="output_sqs_with_fifo_dlq_queue_name"></a> [sqs\_with\_fifo\_dlq\_queue\_name](#output\_sqs\_with\_fifo\_dlq\_queue\_name) | The name of the SQS queue |
+| <a name="output_sqs_with_fifo_dlq_queue_url"></a> [sqs\_with\_fifo\_dlq\_queue\_url](#output\_sqs\_with\_fifo\_dlq\_queue\_url) | Same as `queue_id`: The URL for the created Amazon SQS queue |
 | <a name="output_sse_encrypted_dlq_sqs_dlq_arn"></a> [sse\_encrypted\_dlq\_sqs\_dlq\_arn](#output\_sse\_encrypted\_dlq\_sqs\_dlq\_arn) | The ARN of the SQS queue |
 | <a name="output_sse_encrypted_dlq_sqs_dlq_id"></a> [sse\_encrypted\_dlq\_sqs\_dlq\_id](#output\_sse\_encrypted\_dlq\_sqs\_dlq\_id) | The URL for the created Amazon SQS queue |
 | <a name="output_sse_encrypted_dlq_sqs_dlq_name"></a> [sse\_encrypted\_dlq\_sqs\_dlq\_name](#output\_sse\_encrypted\_dlq\_sqs\_dlq\_name) | The name of the SQS queue |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -161,6 +161,68 @@ module "sqs_with_dlq" {
   tags = local.tags
 }
 
+module "sqs_with_fifo_dlq" {
+  source = "../../"
+
+  # This creates both the queue and the dead letter queue together
+
+  name       = "${local.name}-sqs-with-fifo-dlq"
+  fifo_queue = true
+
+  deduplication_scope   = "messageGroup"
+  fifo_throughput_limit = "perMessageGroupId"
+
+  # Policy
+  # Not required - just showing example
+  create_queue_policy = true
+  queue_policy_statements = {
+    account = {
+      sid = "AccountReadWrite"
+      actions = [
+        "sqs:SendMessage",
+        "sqs:ReceiveMessage",
+      ]
+      principals = [
+        {
+          type        = "AWS"
+          identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+        }
+      ]
+    }
+  }
+
+  # Dead letter queue
+  create_dlq = true
+  redrive_policy = {
+    # default is 5 for this module
+    maxReceiveCount = 10
+  }
+  create_dlq_redrive_allow_policy = false
+
+  # Dead letter queue policy
+  # Not required - just showing example
+  create_dlq_queue_policy = true
+  dlq_queue_policy_statements = {
+    account = {
+      sid = "AccountReadWrite"
+      actions = [
+        "sqs:SendMessage",
+        "sqs:ReceiveMessage",
+      ]
+      principals = [
+        {
+          type        = "AWS"
+          identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+        }
+      ]
+    }
+  }
+  dlq_deduplication_scope   = "queue"
+  dlq_fifo_throughput_limit = "perQueue"
+
+  tags = local.tags
+}
+
 module "disabled_sqs" {
   source = "../../"
 
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
@@ -285,6 +285,47 @@ output "sqs_with_dlq_dlq_name" {
   value       = module.sqs_with_dlq.dead_letter_queue_name
 }
 
+# With FIFO Dead Letter Queue
+output "sqs_with_fifo_dlq_queue_id" {
+  description = "The URL for the created Amazon SQS queue"
+  value       = module.sqs_with_fifo_dlq.queue_id
+}
+
+output "sqs_with_fifo_dlq_queue_arn" {
+  description = "The ARN of the SQS queue"
+  value       = module.sqs_with_fifo_dlq.queue_arn
+}
+
+output "sqs_with_fifo_dlq_queue_url" {
+  description = "Same as `queue_id`: The URL for the created Amazon SQS queue"
+  value       = module.sqs_with_fifo_dlq.queue_url
+}
+
+output "sqs_with_fifo_dlq_queue_name" {
+  description = "The name of the SQS queue"
+  value       = module.sqs_with_fifo_dlq.queue_name
+}
+
+output "sqs_with_fifo_dlq_dlq_id" {
+  description = "The URL for the created Amazon SQS queue"
+  value       = module.sqs_with_fifo_dlq.dead_letter_queue_id
+}
+
+output "sqs_with_fifo_dlq_dlq_arn" {
+  description = "The ARN of the SQS queue"
+  value       = module.sqs_with_fifo_dlq.dead_letter_queue_arn
+}
+
+output "sqs_with_fifo_dlq_dlq_url" {
+  description = "Same as `dead_letter_queue_id`: The URL for the created Amazon SQS queue"
+  value       = module.sqs_with_fifo_dlq.dead_letter_queue_url
+}
+
+output "sqs_with_fifo_dlq_dlq_name" {
+  description = "The name of the SQS queue"
+  value       = module.sqs_with_fifo_dlq.dead_letter_queue_name
+}
+
 # Disabled
 output "disabled_sqs_queue_id" {
   description = "The URL for the created Amazon SQS queue"
diff --git a/main.tf b/main.tf
@@ -137,7 +137,7 @@ resource "aws_sqs_queue" "dlq" {
   delay_seconds               = try(coalesce(var.dlq_delay_seconds, var.delay_seconds), null)
   # If source queue is FIFO, DLQ must also be FIFO and vice versa
   fifo_queue                        = var.fifo_queue
-  fifo_throughput_limit             = var.fifo_throughput_limit
+  fifo_throughput_limit             = try(coalesce(var.dlq_fifo_throughput_limit, var.fifo_throughput_limit), null)
   kms_data_key_reuse_period_seconds = try(coalesce(var.dlq_kms_data_key_reuse_period_seconds, var.kms_data_key_reuse_period_seconds), null)
   kms_master_key_id                 = local.dlq_kms_master_key_id
   max_message_size                  = var.max_message_size
diff --git a/variables.tf b/variables.tf
@@ -214,6 +214,12 @@ variable "dlq_sqs_managed_sse_enabled" {
   default     = true
 }
 
+variable "dlq_fifo_throughput_limit" {
+  description = "Specifies whether the Dead Letter Queue FIFO queue throughput quota applies to the entire queue or per message group"
+  type        = string
+  default     = null
+}
+
 variable "dlq_visibility_timeout_seconds" {
   description = "The visibility timeout for the queue. An integer from 0 to 43200 (12 hours)"
   type        = number
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -14,6 +14,7 @@ module "wrapper" {
   dlq_content_based_deduplication       = try(each.value.dlq_content_based_deduplication, var.defaults.dlq_content_based_deduplication, null)
   dlq_deduplication_scope               = try(each.value.dlq_deduplication_scope, var.defaults.dlq_deduplication_scope, null)
   dlq_delay_seconds                     = try(each.value.dlq_delay_seconds, var.defaults.dlq_delay_seconds, null)
+  dlq_fifo_throughput_limit             = try(each.value.dlq_fifo_throughput_limit, var.defaults.dlq_fifo_throughput_limit, null)
   dlq_kms_data_key_reuse_period_seconds = try(each.value.dlq_kms_data_key_reuse_period_seconds, var.defaults.dlq_kms_data_key_reuse_period_seconds, null)
   dlq_kms_master_key_id                 = try(each.value.dlq_kms_master_key_id, var.defaults.dlq_kms_master_key_id, null)
   dlq_message_retention_seconds         = try(each.value.dlq_message_retention_seconds, var.defaults.dlq_message_retention_seconds, null)
