Take the following CloudFormation stack which configures an AWS::SQS::QueueInlinePolicy:
SandboxTestQueueInlinePolicy:
  Type: AWS::SQS::QueueInlinePolicy
  Properties:
    Queue: !Ref SandboxTestQueue
    PolicyDocument:
      Version: "2012-10-17"
      # Note: referenced resources "SandboxTestQueue" and "SandboxTestTopic" are defined in this template, but redacted from this example
      Statement:
        -
          Resource: !GetAtt SandboxTestQueue.Arn
          Action: SQS:SendMessage
          Effect: Allow
          Principal: "*"
          Condition:
            ArnEquals:
              aws:SourceArn: !Ref SandboxTestTopic
Now, imagine an AWS::SQS::QueuePolicy is added which (accidentally) references the same underlying queue. For example:
# (...)
SandboxTestQueuePolicyNew:
  Type: AWS::SQS::QueuePolicy
  Properties:
    Queues:
      - Ref: SandboxTestQueue # <--- oops! we're referencing the same queue as our existing `QueueInlinePolicy`
    PolicyDocument:
      Version: "2012-10-17"
      # Note: the statement here differs from the original, referencing SQS queue 2 / SNS topic 2 (redacted from this example)
      Statement:
        Action: SQS:SendMessage
        Effect: Allow
        Resource: !GetAtt SandboxTestQueue2.Arn
        Principal: '*'
        Condition:
          ArnEquals:
            aws:SourceArn: !Ref SandboxTestTopic2
Once the stack has been updated, the original QueueInlinePolicy is replaced, and running drift detection reports the QueueInlinePolicy as "IN SYNC", despite the policy being different.
Now, if you update the stack's QueuePolicy to reference a different queue (i.e. update the ref to `- Ref: SomeOtherQueue`), the original queue's policy will revert to the default:
{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:<redacted>:sandbox-dev-sqs-test/SQSDefaultPolicy"
}
Running drift detection now (correctly) marks the QueueInlinePolicy as "DELETED".
I am trying to understand how to protect a QueueInlinePolicy from being overwritten by a QueuePolicy in this way.
What I've tried:
- Assigning a stack policy to deny ALL updates to ALL resources:
  {
    "Statement" : [
      {
        "Effect": "Deny",
        "Action": "Update:*",
        "Principal": "*",
        "Resource" : "*"
      }
    ]
  }
- Setting Deletion and UpdateReplace policies on the QueueInlinePolicy resource:
  SandboxTestQueuePolicy:
    Type: AWS::SQS::QueueInlinePolicy
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      # (...)
Neither of these attempts had any effect, and the QueuePolicy continued to delete/replace the existing QueueInlinePolicy. Is this a bug?
Thanks, I've created a case (172131240100335).
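Since neither a stack policy nor a Retain policy stops one policy resource from clobbering another, the practical guard is to catch the clash before the stack is updated. The following is an added example, not code from the post or from AWS: a small template check that flags any SQS queue claimed by more than one AWS::SQS::QueuePolicy / AWS::SQS::QueueInlinePolicy resource. The sample template is a constructed JSON-form equivalent of the stack in the post (resource names SandboxTestQueue, SandboxTestQueue2, SandboxTestTopic, SandboxTestTopic2 and the two policy resources are taken from the post; the queue and topic definitions are stubs added here), and `resolve_queue`, `claimed_queues`, `find_conflicts` and `corrected_template` are helper names chosen for this example.

```python
"""
Added example: flag CloudFormation templates in which more than one SQS policy
resource (AWS::SQS::QueuePolicy or AWS::SQS::QueueInlinePolicy) targets the
same queue, which is the situation described in the post above.
"""
import json

QUEUE_POLICY = "AWS::SQS::QueuePolicy"
INLINE_POLICY = "AWS::SQS::QueueInlinePolicy"


def resolve_queue(value):
    """Return the logical ID (or literal queue URL) a queue reference points at.

    Handles {"Ref": "X"} and {"Fn::GetAtt": ["X", "Arn"]} (or "X.Arn"); any other
    intrinsic is rejected rather than ignored, so it cannot silently hide a clash.
    """
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            target = value["Fn::GetAtt"]
            return target[0] if isinstance(target, list) else str(target).split(".", 1)[0]
    raise ValueError(f"unsupported queue reference: {value!r}")


def claimed_queues(resources):
    """Map each queue to the (logical ID, type) of every policy resource that claims it."""
    claims = {}
    for logical_id, resource in resources.items():
        rtype = resource.get("Type")
        props = resource.get("Properties", {})
        if rtype == INLINE_POLICY:
            queues = [props["Queue"]]          # exactly one queue per inline policy
        elif rtype == QUEUE_POLICY:
            queues = props.get("Queues", [])   # a QueuePolicy may cover several queues
        else:
            continue
        for queue in queues:
            claims.setdefault(resolve_queue(queue), []).append((logical_id, rtype))
    return claims


def find_conflicts(template):
    """Return {queue: [owners]} for every queue claimed by more than one policy resource."""
    claims = claimed_queues(template.get("Resources", {}))
    return {queue: owners for queue, owners in claims.items() if len(owners) > 1}


# Constructed sample (JSON form of the post's stack after the "oops" QueuePolicy was added).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "SandboxTestQueue":  {"Type": "AWS::SQS::Queue"},
    "SandboxTestQueue2": {"Type": "AWS::SQS::Queue"},
    "SandboxTestTopic":  {"Type": "AWS::SNS::Topic"},
    "SandboxTestTopic2": {"Type": "AWS::SNS::Topic"},
    "SandboxTestQueueInlinePolicy": {
      "Type": "AWS::SQS::QueueInlinePolicy",
      "Properties": {
        "Queue": {"Ref": "SandboxTestQueue"},
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
          "Effect": "Allow", "Principal": "*", "Action": "SQS:SendMessage",
          "Resource": {"Fn::GetAtt": ["SandboxTestQueue", "Arn"]},
          "Condition": {"ArnEquals": {"aws:SourceArn": {"Ref": "SandboxTestTopic"}}}
        }]}
      }
    },
    "SandboxTestQueuePolicyNew": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [{"Ref": "SandboxTestQueue"}],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
          "Effect": "Allow", "Principal": "*", "Action": "SQS:SendMessage",
          "Resource": {"Fn::GetAtt": ["SandboxTestQueue2", "Arn"]},
          "Condition": {"ArnEquals": {"aws:SourceArn": {"Ref": "SandboxTestTopic2"}}}
        }]}
      }
    }
  }
}
""")


def corrected_template():
    """The same stack with the QueuePolicy pointed at SandboxTestQueue2, as was intended."""
    fixed = json.loads(json.dumps(SAMPLE_TEMPLATE))  # cheap deep copy
    fixed["Resources"]["SandboxTestQueuePolicyNew"]["Properties"]["Queues"] = [
        {"Ref": "SandboxTestQueue2"}
    ]
    return fixed


if __name__ == "__main__":
    for label, template in (("as posted", SAMPLE_TEMPLATE), ("corrected", corrected_template())):
        conflicts = find_conflicts(template)
        print(f"{label}: {conflicts or 'no conflicting SQS policy resources'}")
```

Run against the posted stack it reports SandboxTestQueue as claimed by both SandboxTestQueueInlinePolicy and SandboxTestQueuePolicyNew; against the corrected stack it reports nothing. Two caveats: the check only sees one template, so a QueuePolicy in another stack (or a console edit) that targets the same queue is invisible to it, and a YAML template with `!Ref` / `!GetAtt` short-form tags needs a loader that understands those tags before it can be fed to `find_conflicts`.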