Deploy SQS queue for crates.io to staging

The SQS queue that was configured in #377 has been deployed to the new
staging account for crates.io that was created in #374. Slight
modifications were necessary to the configuration:

  - The resource and human-readable names of the SQS are now identical.
  - The `sid` for policies matches the naming rules of AWS.
  - The input variable has been changed, since the account number is not
    part of a bucket's ARN and can thus not be extracted from it.

The infrastructure has been deployed with the same version of the
Terraform provider for AWS as the other modules in simpleinfra to ensure
future compatibility.

Author: jdno

terragrunt/accounts/crates-io-staging/account.json

@@ -0,0 +1,6 @@
+{
+    "aws": {
+        "profile": "crates-io-staging",
+        "region": "us-east-2"
+    }
+}

terragrunt/accounts/crates-io-staging/crates-io-logs/.terraform.lock.hcl

@@ -0,0 +1,13 @@
+terraform {
+  source = "../../../..//terragrunt/modules/crates-io-logs"
+}
+
+include {
+  path           = find_in_parent_folders()
+  merge_strategy = "deep"
+}
+
+inputs = {
+  bucket_account = 890664054962
+  bucket_arn = "arn:aws:s3:::rust-staging-crates-io-logs"
+}

terragrunt/accounts/crates-io-staging/crates-io-logs/terragrunt.hcl

@@ -0,0 +1,20 @@
+terraform {
+  required_version = "~> 1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.32"
+    }
+  }
+}
+
+variable "bucket_account" {
+  type        = number
+  description = "Account ID of the S3 bucket which will send events to the SQS queue"
+}
+
+variable "bucket_arn" {
+  type        = string
+  description = "ARN of the S3 bucket which will send events to the SQS queue"
+}

terragrunt/modules/crates-io-logs/_terraform.tf

@@ -1,16 +1,16 @@
-resource "aws_sqs_queue" "log_event_queue" {
-  name                      = "cdn-log-queue"
+resource "aws_sqs_queue" "cdn_log_event_queue" {
+  name                      = "cdn-log-event-queue"
   receive_wait_time_seconds = 20
 }
 
 resource "aws_sqs_queue_policy" "s3_push" {
-  queue_url = aws_sqs_queue.log_event_queue.id
+  queue_url = aws_sqs_queue.cdn_log_event_queue.id
   policy    = data.aws_iam_policy_document.s3_push_to_queue.json
 }
 
 data "aws_iam_policy_document" "s3_push_to_queue" {
   statement {
-    sid    = "allow-s3-to-push-events"
+    sid    = "AllowS3ToPushEvents"
     effect = "Allow"
     principals {
       type        = "Service"
@@ -19,45 +19,37 @@ data "aws_iam_policy_document" "s3_push_to_queue" {
 
     actions = ["sqs:SendMessage"]
 
-    resources = [aws_sqs_queue.log_event_queue.arn]
+    resources = [aws_sqs_queue.cdn_log_event_queue.arn]
     condition {
       test     = "ArnLike"
       variable = "aws:SourceArn"
-      values   = [data.aws_arn.src_bucket.arn]
+      values   = [var.bucket_arn]
     }
     condition {
       test     = "StringEquals"
       variable = "aws:SourceAccount"
-      values   = [data.aws_arn.src_bucket.account]
+      values   = [var.bucket_account]
     }
   }
 }
 
-data "aws_arn" "src_bucket" {
-  arn = var.src_log_bucket_arn
-}
-
-variable "src_log_bucket_arn" {
-  type        = string
-  description = "Bucket ARN which will send events to the SQS queue"
-}
-
 resource "aws_iam_user" "heroku_access" {
   name = "crates-io-heroku-access"
 }
 
 resource "aws_iam_access_key" "crates_io" {
-  user = aws_iam_user.heroku_access
+  user = aws_iam_user.heroku_access.name
 }
 
-resouce "aws_iam_user_policy" "sqs_read" {
-  name = "heroku-access"
-  user = aws_iam_user.heroku_access.name
+resource "aws_iam_user_policy" "sqs_read" {
+  name   = "heroku-access"
+  user   = aws_iam_user.heroku_access.name
+  policy = data.aws_iam_policy_document.heroku_access.json
 }
 
 data "aws_iam_policy_document" "heroku_access" {
   statement {
-    sid    = "allow-sqs"
+    sid    = "AllowAccessToSQS"
     effect = "Allow"
 
     actions = [
@@ -67,6 +59,6 @@ data "aws_iam_policy_document" "heroku_access" {
       "sqs:ReceiveMessage",
     ]
 
-    resources = [aws_sqs_queue.log_event_queue.arn]
+    resources = [aws_sqs_queue.cdn_log_event_queue.arn]
   }
 }