SQS Queue with DLQ
SQS standard/FIFO queue with dead-letter queue, redrive policy, SSE, and least-privilege queue policy.
Verification
Live-tested: really deployed, verified, idempotent and destroyed in a cloud sandbox.
Conformance
- Static validation (fmt · validate · tflint)
- Security scan clean (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live-tested — applied, verified, destroyed
Last verified 2026-06-11
Details
- Type: tf_module
- Provider / collection: hashicorp/aws
- Target clouds: aws
- Target OS: —
- Version: v1.0.0
- License: LicenseRef-IaCBazaar-Commercial
$49.00
one-time · perpetual license + 12 months of updates
Included in the builder+ subscription.
Documentation
aws-sqs
SQS standard/FIFO queue with dead-letter queue, redrive policy, SSE, and
least-privilege queue policy. Works with Terraform and OpenTofu (>= 1.6),
AWS provider >= 6.0, < 7.0. The two classic SQS gotchas are encoded for you:
FIFO naming (.fifo suffix on the queue and its DLQ) is automatic, and the
DLQ wiring uses the standalone redrive resources plus a redrive_allow_policy
that locks the DLQ to exactly this source queue.
Secure defaults:
- Encryption at rest always on: SSE-KMS with your key when kms_key_id is set, SQS-managed SSE otherwise
- Queue policy denies any non-TLS access (aws:SecureTransport = false) on both the queue and the DLQ; producers/consumers/service publishers are allow-listed explicitly (service principals pinned to their aws:SourceArn)
- DLQ created by default with maxReceiveCount = 5 and 14-day retention
- Long polling (10s) by default — fewer empty receives, lower cost
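A minimal sketch of the DLQ wiring and TLS-only policy described above, written against the public hashicorp/aws provider. It is an added illustration, not the module's source; the resource labels, queue names and the use of SQS-managed SSE are assumptions.

```hcl
# Added illustration, not the module's source. Names and values are assumptions.
resource "aws_sqs_queue" "main" {
  name                      = "orders"
  receive_wait_time_seconds = 10 # long polling
  sqs_managed_sse_enabled   = true
}

resource "aws_sqs_queue" "dlq" {
  name                      = "orders-dlq"
  message_retention_seconds = 1209600 # 14 days
  sqs_managed_sse_enabled   = true
}

# Standalone resource: inline redrive arguments on both queues would reference
# each other's ARN and create a dependency cycle.
resource "aws_sqs_queue_redrive_policy" "main" {
  queue_url = aws_sqs_queue.main.id
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.dlq.arn
    maxReceiveCount     = 5
  })
}

# Only the main queue may dead-letter into this DLQ.
resource "aws_sqs_queue_redrive_allow_policy" "dlq" {
  queue_url = aws_sqs_queue.dlq.id
  redrive_allow_policy = jsonencode({
    redrivePermission = "byQueue"
    sourceQueueArns   = [aws_sqs_queue.main.arn]
  })
}

# Deny every SQS action that does not arrive over TLS, on both queues.
resource "aws_sqs_queue_policy" "tls_only" {
  for_each  = { main = aws_sqs_queue.main, dlq = aws_sqs_queue.dlq }
  queue_url = each.value.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyNonTLS"
      Effect    = "Deny"
      Principal = "*"
      Action    = "sqs:*"
      Resource  = each.value.arn
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
```

The producer, consumer and service-publisher allow statements are left out here; in a real policy they sit in the same document as the deny statement, with each service principal conditioned on aws:SourceArn.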
Usage
```hcl
module "orders_queue" {
  source = "./aws-sqs"
  name   = "orders"

  producer_arns = [aws_iam_role.api.arn]
  consumer_arns = [aws_iam_role.worker.arn]

  service_publishers = {
    sns = {
      service    = "sns.amazonaws.com"
      source_arn = aws_sns_topic.orders.arn
    }
  }

  tags = { Environment = "prod" }
}
```
For FIFO: set fifo_queue = true — orders becomes orders.fifo and the DLQ
orders-dlq.fifo automatically.
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
| name | string | — | Queue name; .fifo appended automatically for FIFO (required) |
| fifo_queue | bool | false | FIFO queue + FIFO DLQ |
| content_based_deduplication | bool | false | FIFO: dedupe on body hash |
| deduplication_scope / fifo_throughput_limit | string | "queue" / "perQueue" | Set messageGroup + perMessageGroupId for high-throughput FIFO |
| visibility_timeout_seconds | number | 30 | Use ≥ 6x consumer processing time |
| message_retention_seconds | number | 345600 | Main queue retention (4 days) |
| max_message_size / delay_seconds / receive_wait_time_seconds | number | 262144 / 0 / 10 | Queue tuning |
| kms_key_id (+ kms_data_key_reuse_period_seconds) | string | null (300) | SSE-KMS; null = SQS-managed SSE |
| create_dlq | bool | true | Create DLQ + redrive + redrive-allow wiring |
| dlq_name | string | null | Override DLQ name (default <name>-dlq) |
| max_receive_count | number | 5 | Receives before dead-lettering |
| dlq_message_retention_seconds | number | 1209600 | DLQ retention (14 days max) |
| create_queue_policy | bool | true | Attach the TLS-only + allow-list policies |
| producer_arns / consumer_arns | list(string) | [] | IAM principals allowed to send / receive+delete |
| service_publishers | map(object) | {} | {service, source_arn} pairs (SNS, S3, EventBridge...) |
| tags | map(string) | {} | Tags for all resources |
Outputs
queue_url, queue_arn, queue_name, dlq_url, dlq_arn, dlq_name
(DLQ outputs are null when create_dlq = false).
Requirements
- Terraform or OpenTofu >= 1.6
- hashicorp/aws >= 6.0, < 7.0
Verification
Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).