From f6378ae1607e6209f24a4dfa6737d7615ddf1ee5 Mon Sep 17 00:00:00 2001
From: Marcus Aspin
Date: Wed, 23 Aug 2023 10:16:45 +0100
Subject: [PATCH] Add new DLQ Redrive permissions to SQS policy

This PR adds permissions to perform DLQ redrives using the new IAM action names - these used to be covered by Send/ReceiveMessage. The new permissions and CloudTrail events take effect on 31st August 2023. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues-cloudtrail.html
---
 sqs.tf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sqs.tf b/sqs.tf
index f5f9601..ebba526 100644
--- a/sqs.tf
+++ b/sqs.tf
@@ -16,11 +16,14 @@ data "aws_iam_policy_document" "sqs_for_github" {
 sid = "AllowSQSSendRecvOwn"
 effect = "Allow"
 actions = [
+ "sqs:CancelMessageMoveTask",
 "sqs:ChangeMessageVisibility",
 "sqs:DeleteMessage",
+ "sqs:ListMessageMoveTasks",
 "sqs:ReceiveMessage",
 "sqs:SendMessage",
- "sqs:PurgeQueue",
+ "sqs:StartMessageMoveTask",
+ "sqs:PurgeQueue"
 ]
 resources = ["*"]
 condition {
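Review bot: The three new move-task actions are added to the `AllowSQSSendRecvOwn` statement, which keeps `resources = ["*"]` and so depends entirely on the `condition` block that opens on the last line of the hunk and continues outside it. Whether that condition still limits the role to its own queues for `sqs:StartMessageMoveTask`, `sqs:CancelMessageMoveTask` and `sqs:ListMessageMoveTasks` cannot be confirmed from the visible lines. It is worth verifying that the condition key is evaluated for these actions and, if the queue names are known, replacing the wildcard with the owned queue ARNs. A short comment above the list, such as `# DLQ redrive: *MessageMoveTask actions are authorised separately from Send/ReceiveMessage from 2023-08-31`, would explain why a statement named for send/receive carries them. Dropping the trailing comma means the next addition will touch two lines; keeping `"sqs:PurgeQueue",` avoids that.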