From 42b97e44984e6bfa155edcf8b7bb7575a29e56d2 Mon Sep 17 00:00:00 2001
From: Maksym Dovhal
Date: Fri, 21 Jun 2024 15:16:11 +0300
Subject: [PATCH] DATAPLAT-260: fix The provided execution role does not have permissions to call ReceiveMessage on SQS
---
 main.tf | 25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)
diff --git a/main.tf b/main.tf
index d4f0955..72fc87b 100644
--- a/main.tf
+++ b/main.tf
@@ -582,7 +582,7 @@ data "aws_iam_policy_document" "glue_create_sqs" {
 type = "*"
 identifiers = ["*"]
 }
- actions = ["sqs:SendMessage"]
+ actions = ["sqs:SendMessage", "sqs:ReceiveMessage"]
 resources = ["arn:aws:sqs:*:*:${var.glue_create_config.sqs_queue_name}"]
 condition {
 test = "ArnEquals"
@@ -601,7 +601,7 @@ data "aws_iam_policy_document" "glue_create_sqs_dl" {
 type = "AWS"
 identifiers = ["*"]
 }
- actions = ["sqs:SendMessage"]
+ actions = ["sqs:SendMessage", "sqs:ReceiveMessage"]
 resources = ["arn:aws:sqs:*:*:${var.glue_create_config.sqs_queue_name_dl}"]
 condition {
 test = "ForAllValues:StringEquals"
@@ -746,27 +746,18 @@ data "aws_iam_policy_document" "glue_create" {
 ]
 }
 statement {
- effect = "Allow"
- actions = ["sqs:ReceiveMessage"]
+ effect = "Allow"
+ actions = ["sqs:*"]
 resources = [aws_sqs_queue.glue_create[0].arn]
-
- condition {
- test = "ArnEquals"
- variable = "aws:SourceArn"
- values = [var.warehouse_bucket_arn]
- }
 }
 statement {
 effect = "Allow"
 actions = [
- "sqs:SendMessage"
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
 ]
- resources = [aws_sqs_queue.glue_create[0].arn]
- condition {
- test = "ForAllValues:StringEquals"
- variable = "aws:SourceArn"
- values = [aws_sqs_queue.glue_create_dl[0].arn]
- }
+ resources = ["*"]
 }
 }
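Review bot: Adding `sqs:ReceiveMessage` to the `glue_create_sqs` queue policy widens a statement whose principal is `*` and most likely does not fix the execution-role error. The statement and its `ArnEquals` condition continue outside the hunk; if the condition keys on `aws:SourceArn`, as the statement removed further down did, a direct ReceiveMessage call by the role carries no such key and never matches. The consumer already gets queue access through the identity policy in `glue_create`, so this statement can stay at `actions = ["sqs:SendMessage"]`. The same addition is made in the `glue_create_sqs_dl` hunk.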
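Review bot: In `glue_create_sqs_dl` the new `sqs:ReceiveMessage` sits under an `AWS` principal of `*` guarded only by a `ForAllValues:StringEquals` test, and `ForAllValues` evaluates to true when the condition key is absent from the request. The variable and values are outside the hunk, but if the key is `aws:SourceArn`, any AWS principal calling the dead-letter queue directly would satisfy the condition and could now read its messages as well as send to it. I would keep the action list at `actions = ["sqs:SendMessage"]` and change the test to a single-valued operator such as `test = "ArnEquals"`, so that a missing key fails the match.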
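Review bot: The replacement statement in `glue_create` grants `sqs:*` on the queue, which is far more than the ReceiveMessage permission named in the commit subject. The wildcard also covers actions such as `sqs:DeleteQueue`, `sqs:PurgeQueue`, `sqs:SetQueueAttributes` and `sqs:AddPermission`, so a compromised function could destroy the queue or rewrite its access policy. Dropping the `aws:SourceArn` condition looks right for an identity policy, but if this role backs a Lambda SQS event source the list can be `actions = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]`. The new logs statement uses `resources = ["*"]` and could likewise be scoped to the function's log group ARN. The policy document starts outside the hunk, so other statements may already cover part of this.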