Using CDK to grant permissions to Dead Letter Queue on SNS Topic Subscription
I am trying to set up an SNS topic with a queue subscribed to it, and I want to put a dead-letter queue on the SNS subscription.
This deploys fine, but in the AWS console, when I open the subscription, I see the error "Unable to check Amazon SQS queue permissions. Ensure the queue exists and your account has permission to read the queue's attributes".
Do I need to somehow ... TopicDLQ
SNSTopic
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { IQueue, Queue } from 'aws-cdk-lib/aws-sqs';
import { ITopic, Topic } from 'aws-cdk-lib/aws-sns';
import { SqsSubscription } from 'aws-cdk-lib/aws-sns-subscriptions';

export class SNSToSQSConstruct extends Construct {
  public readonly TopicDLQ: IQueue;
  public readonly SQSQueue: IQueue;
  public readonly SNSTopic: ITopic;

  constructor(scope: Construct, id: string) {
    super(scope, id);
    // Dead-letter queue that SNS should write to when delivery to SQSQueue fails
    this.TopicDLQ = new Queue(this, `${id}_TopicDLQ`, {
      visibilityTimeout: cdk.Duration.seconds(300),
    });
    this.SQSQueue = new Queue(this, `${id}_Queue`, {
      visibilityTimeout: cdk.Duration.seconds(300),
    });
    this.SNSTopic = new Topic(this, `${id}_Topic`, {
      fifo: false, // fifo support 300tps, standard support almost unlimited
      topicName: id,
    });
    const subscription = this.SNSTopic.addSubscription(new SqsSubscription(this.SQSQueue, {
      rawMessageDelivery: true,
      deadLetterQueue: this.TopicDLQ,
    }));
    // error Subscription is not IGrantable
    //this.TopicDLQ.grantSendMessages(subscription);
  }
}
I think you can do this with addToResourcePolicy
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { IQueue, Queue } from 'aws-cdk-lib/aws-sqs';
import { ITopic, Topic } from 'aws-cdk-lib/aws-sns';
import { SqsSubscription } from 'aws-cdk-lib/aws-sns-subscriptions';
import { ServicePrincipal, PolicyStatement, Effect } from 'aws-cdk-lib/aws-iam';

export class SNSToSQSConstruct extends Construct {
  public readonly TopicDLQ: IQueue;
  public readonly SQSQueue: IQueue;
  public readonly SNSTopic: ITopic;

  constructor(scope: Construct, id: string) {
    super(scope, id);
    this.TopicDLQ = new Queue(this, `${id}_TopicDLQ`, {
      visibilityTimeout: cdk.Duration.seconds(300),
    });
    this.SQSQueue = new Queue(this, `${id}_Queue`, {
      visibilityTimeout: cdk.Duration.seconds(300),
    });
    this.SNSTopic = new Topic(this, `${id}_Topic`, {
      fifo: false, // fifo support 300tps, standard support almost unlimited
      topicName: id,
    });
    const subscription = this.SNSTopic.addSubscription(new SqsSubscription(this.SQSQueue, {
      rawMessageDelivery: true,
      deadLetterQueue: this.TopicDLQ,
    }));
    // Queue (resource) policy on the DLQ: let the SNS service principal enqueue,
    // but only on behalf of this topic (aws:SourceArn condition)
    this.TopicDLQ.addToResourcePolicy(
      new PolicyStatement({
        effect: Effect.ALLOW,
        principals: [new ServicePrincipal('sns.amazonaws.com')],
        actions: ['sqs:SendMessage'],
        resources: [this.TopicDLQ.queueArn],
        conditions: {
          ArnEquals: {
            'aws:SourceArn': this.SNSTopic.topicArn,
          },
        },
      })
    );
  }
}
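As an added example that is not part of the question or the answer above: once the stack is deployed, the thing worth verifying is that the DLQ's queue policy grants sqs:SendMessage to sns.amazonaws.com and to nothing broader, and that the grant is pinned to the one topic with aws:SourceArn. Without that condition the SNS service principal is shared by every account, so any topic anywhere could deliver into the queue (the classic confused-deputy gap); with Principal "*" the queue is simply open. The TypeScript below is my own check, not the post's code: checkDlqPolicy, principalNames, asList and the sample ARNs and policy documents are constructed for illustration, and the input shape is the parsed "Policy" attribute as returned by `aws sqs get-queue-attributes --attribute-names Policy` (or the QueuePolicy rendered into the synthesized template).

```typescript
// Added example (not from the post): verify that a DLQ's SQS resource policy lets SNS
// deliver only from the expected topic. Input is the parsed "Policy" attribute from
// `aws sqs get-queue-attributes --queue-url <url> --attribute-names Policy`.

type Principal = string | { Service?: string | string[]; AWS?: string | string[] };
interface Statement {
  Effect: "Allow" | "Deny";
  Principal?: Principal;
  Action?: string | string[];
  Resource?: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface PolicyDocument { Version?: string; Statement: Statement[] }

// IAM policy fields may be a string or an array; normalise to an array.
const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// Names in the Principal element: "*", service names, or AWS account/role ARNs.
function principalNames(p: Principal | undefined): string[] {
  if (p === undefined) return [];
  if (typeof p === "string") return [p];
  return [...asList(p.Service), ...asList(p.AWS)];
}

// Returns ok=true only if exactly-scoped SNS delivery is allowed and nothing broader is.
function checkDlqPolicy(policy: PolicyDocument, queueArn: string, topicArn: string):
  { ok: boolean; findings: string[] } {
  const findings: string[] = [];
  let snsScopedToTopic = false;

  for (const s of policy.Statement) {
    if (s.Effect !== "Allow") continue;
    // Only statements that can enqueue on this queue matter.
    const actions = asList(s.Action).map((a) => a.toLowerCase());
    const canSend = actions.some((a) => a === "sqs:sendmessage" || a === "sqs:*" || a === "*");
    const resources = asList(s.Resource);
    if (!canSend || !(resources.includes(queueArn) || resources.includes("*"))) continue;

    const principals = principalNames(s.Principal);
    if (principals.includes("*")) {
      findings.push('sqs:SendMessage is granted to Principal "*" (anyone can enqueue)');
      continue;
    }
    if (!principals.includes("sns.amazonaws.com")) continue; // some other grant, not SNS

    // sns.amazonaws.com is a shared service principal: without aws:SourceArn, any topic in
    // any account could deliver into this queue (confused deputy). Require an exact match;
    // wildcard ArnLike patterns are reported rather than accepted.
    const cond: Record<string, Record<string, string | string[]>> = s.Condition ?? {};
    const sourceArns = [
      ...asList(cond.ArnEquals?.["aws:SourceArn"]),
      ...asList(cond.ArnLike?.["aws:SourceArn"]),
    ];
    if (sourceArns.length === 0) {
      findings.push("sns.amazonaws.com may SendMessage without an aws:SourceArn condition");
      continue;
    }
    if (!sourceArns.includes(topicArn)) {
      findings.push(`aws:SourceArn [${sourceArns.join(", ")}] does not exactly match ${topicArn}`);
      continue;
    }
    snsScopedToTopic = true;
  }

  if (!snsScopedToTopic) {
    findings.push(`no Allow lets sns.amazonaws.com call sqs:SendMessage on ${queueArn} for ${topicArn}`);
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample ARNs and policies (not real resources).
const SAMPLE_DLQ_ARN = "arn:aws:sqs:us-east-1:123456789012:Demo_TopicDLQ";
const SAMPLE_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:Demo";
const snsStatement: Statement = {
  Effect: "Allow", Principal: { Service: "sns.amazonaws.com" },
  Action: "sqs:SendMessage", Resource: SAMPLE_DLQ_ARN,
};
// What the answer's addToResourcePolicy call renders to.
const scopedPolicy: PolicyDocument = { Version: "2012-10-17", Statement: [
  { ...snsStatement, Condition: { ArnEquals: { "aws:SourceArn": SAMPLE_TOPIC_ARN } } },
] };
// Same grant with the condition dropped: any SNS topic anywhere may deliver.
const unscopedPolicy: PolicyDocument = { Version: "2012-10-17", Statement: [snsStatement] };
// Over-broad "fix" for the console warning: opens the queue to everyone.
const openPolicy: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: "*", Action: "sqs:*", Resource: "*" },
] };

const samples: Array<[string, PolicyDocument]> =
  [["scoped", scopedPolicy], ["unscoped", unscopedPolicy], ["open", openPolicy]];
for (const [name, p] of samples) {
  const r = checkDlqPolicy(p, SAMPLE_DLQ_ARN, SAMPLE_TOPIC_ARN);
  console.log(`${name}: ${r.ok ? "OK" : "FAIL"}${r.findings.map((f) => "\n  - " + f).join("")}`);
}
```

Only the first sample passes; the other two reproduce the two ways the DLQ grant usually goes wrong in practice. The check deliberately accepts only an exact aws:SourceArn match so that a pattern such as `arn:aws:sns:*:*:*` in ArnLike is surfaced as a finding instead of silently passing.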
Notice: the technical posts on this site are licensed under CC BY-SA 4.0. If you repost, please credit this site's URL or the original source. For any questions, contact: yoyou2525@163.com.