From 1ee33ed79d132196e40deaf4969dee39d377f126 Mon Sep 17 00:00:00 2001
From: Luigi Di Fraia <93160889+luigidifraiawork@users.noreply.github.com>
Date: Tue, 28 May 2024 17:06:42 +0100
Subject: [PATCH 1/3] chore: restrict the actions of the Lambda role for the queue-processing example (#216)

chore: restrict actions of Lambda role for queue processing blueprint

---
 terraform/fargate-examples/queue-processing/main.tf | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/terraform/fargate-examples/queue-processing/main.tf b/terraform/fargate-examples/queue-processing/main.tf
index a328de75..fd1922b2 100644
--- a/terraform/fargate-examples/queue-processing/main.tf
+++ b/terraform/fargate-examples/queue-processing/main.tf
@@ -338,16 +338,9 @@ data "aws_iam_policy_document" "lambda_role" { } statement { - sid = "SQSReadWrite" + sid = "SQSReadAttributes" actions = [ - "sqs:ChangeMessageVisibility", - "sqs:ChangeMessageVisibilityBatch", - "sqs:SendMessage", - "sqs:DeleteMessage", - "sqs:DeleteMessageBatch", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ReceiveMessage" + "sqs:GetQueueAttributes" ] resources = [module.sqs.queue_arn] }
From be5b3b4144c555b48126eef7c92d564fbb2e32ce Mon Sep 17 00:00:00 2001
From: Luigi Di Fraia <93160889+luigidifraiawork@users.noreply.github.com>
Date: Tue, 28 May 2024 17:07:05 +0100
Subject: [PATCH 2/3] fix: disable read-only for the root filesystem of the queue-processing example (#212)

fix: disable read-only for the root filesystem

---
 terraform/fargate-examples/queue-processing/main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/terraform/fargate-examples/queue-processing/main.tf b/terraform/fargate-examples/queue-processing/main.tf
index fd1922b2..f9cd7f58 100644
--- a/terraform/fargate-examples/queue-processing/main.tf
+++ b/terraform/fargate-examples/queue-processing/main.tf
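Review bot: The tightened statement should carry a comment recording why `sqs:GetQueueAttributes` alone is sufficient, so the permission is not re-broadened the next time someone debugs the Lambda; the commit message says the actions were restricted but not what the function actually needs. A line such as `# The Lambda only reads queue attributes (presumably queue depth); it never receives, sends or deletes messages` above the `statement` block would do, with the attribute it reads confirmed against the Lambda code, which is outside this hunk. The new sid `SQSReadAttributes` matches the reduced scope. The enclosing `data "aws_iam_policy_document" "lambda_role"` block starts before and ends after this hunk.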
@@ -36,7 +36,8 @@ module "ecs_service" { container_definitions = { (local.container_name) = { - image = module.ecr.repository_url + image = module.ecr.repository_url + readonly_root_filesystem = false } }
From 5c2b302de602f8c9f9b42df8ba33fc82104eb8c3 Mon Sep 17 00:00:00 2001
From: Luigi Di Fraia <93160889+luigidifraiawork@users.noreply.github.com>
Date: Tue, 28 May 2024 17:07:30 +0100
Subject: [PATCH 3/3] chore: add missing SQS endpoint (#214)

---
 terraform/fargate-examples/vpc-endpoints/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/fargate-examples/vpc-endpoints/main.tf b/terraform/fargate-examples/vpc-endpoints/main.tf
index 2212984e..31bd2a9d 100644
--- a/terraform/fargate-examples/vpc-endpoints/main.tf
+++ b/terraform/fargate-examples/vpc-endpoints/main.tf
@@ -42,7 +42,7 @@ module "vpc_endpoints" { } } }, - { for service in toset(["ecr.api", "ecr.dkr", "ecs", "ecs-telemetry", "ecs-agent", "logs", "ssm", "secretsmanager"]) : + { for service in toset(["ecr.api", "ecr.dkr", "ecs", "ecs-telemetry", "ecs-agent", "sqs", "logs", "ssm", "secretsmanager"]) : replace(service, ".", "_") => { service = service
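Review bot: Setting `readonly_root_filesystem = false` switches off a container hardening control for the entire root filesystem, and neither the added line nor the commit message says which path the application needs to write. If the write target is a single directory, keeping the read-only root and mounting a writable volume at that path keeps the example closer to least privilege; if the whole filesystem genuinely must be writable, add a comment naming the reason so readers do not copy the setting blindly: `# Read-only root filesystem disabled: the example image writes to <path — confirm against the application> (#212)`. The issue reference #212 appears only in the subject, not beside the setting. The enclosing `module "ecs_service"` block starts before and ends after this hunk.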