@aws-solutions-constructs/aws-sns-sqs

v2.74.0

CDK constructs for defining an interaction between an Amazon SNS topic and an Amazon SQS queue.

Downloads

4,411

aws-sns-sqs module


Stability: Experimental

All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


| Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ |
|:-------------|:-------------|

| Language | Package |
|:-------------|-----------------|
| Python | aws_solutions_constructs.aws_sns_sqs |
| Typescript | @aws-solutions-constructs/aws-sns-sqs |
| Java | software.amazon.awsconstructs.services.snssqs |

Overview

This AWS Solutions Construct implements an Amazon SNS topic connected to an Amazon SQS queue.

Here is a minimal deployable pattern definition:

Typescript

```typescript
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { SnsToSqs, SnsToSqsProps } from "@aws-solutions-constructs/aws-sns-sqs";
import * as iam from 'aws-cdk-lib/aws-iam';

const snsToSqsStack = new SnsToSqs(this, 'SnsToSqsPattern', {});

// Grant yourself permissions to use the Customer Managed KMS Key
const policyStatement = new iam.PolicyStatement({
    actions: ["kms:Encrypt", "kms:Decrypt"],
    effect: iam.Effect.ALLOW,
    principals: [ new iam.AccountRootPrincipal() ],
    resources: [ "*" ]
});

snsToSqsStack.queueEncryptionKey?.addToResourcePolicy(policyStatement);
snsToSqsStack.topicEncryptionKey?.addToResourcePolicy(policyStatement);
```

Python

```python
from aws_solutions_constructs.aws_sns_sqs import SnsToSqs
from aws_cdk import (
    aws_iam as iam,
    Stack
)
from constructs import Construct

construct_stack = SnsToSqs(self, 'SnsToSqsPattern')

# Grant yourself permissions to use the Customer Managed KMS Key
policy_statement = iam.PolicyStatement(
    actions=["kms:Encrypt", "kms:Decrypt"],
    effect=iam.Effect.ALLOW,
    principals=[iam.AccountRootPrincipal()],
    resources=["*"]
)

construct_stack.queue_encryption_key.add_to_resource_policy(policy_statement)
construct_stack.topic_encryption_key.add_to_resource_policy(policy_statement)
```

Java

```java
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.iam.*;
import software.amazon.awsconstructs.services.snssqs.*;

final SnsToSqs constructStack = new SnsToSqs(this, "SnsToSqsPattern",
        new SnsToSqsProps.Builder()
                .build());

// Grant yourself permissions to use the Customer Managed KMS Key
final PolicyStatement policyStatement = PolicyStatement.Builder.create()
        .actions(List.of("kms:Encrypt", "kms:Decrypt"))
        .effect(Effect.ALLOW)
        .principals(List.of(new AccountRootPrincipal()))
        .resources(List.of("*"))
        .build();

constructStack.getQueueEncryptionKey().addToResourcePolicy(policyStatement);
constructStack.getTopicEncryptionKey().addToResourcePolicy(policyStatement);
```

New Interface as of v2.58.0

As of Solutions Constructs v2.58.0, we have updated the interface of SnsToSqs. The original implementation shared a KMS customer managed key between the topic and queue. There was a single set of construct props to define this key and a single property to access the single key. The new interface does not share a key, but uses a separate key for each resource and allows clients to control and access these keys independently.

In CDK v2.32.0, the CDK introduced an improvement in SNS Subscriptions that narrowed the permissions to access the SQS encryption key to the specific SNS topic (it was formerly the entire SNS service). This feature created a circular reference in SnsToSqs constructs due to the shared KMS keys, but since the improvement was gated behind the feature flag @aws-cdk/aws-sns-subscriptions:restrictSqsDescryption, it had no impact on existing applications. Newly generated CDK apps had the feature flag turned on by default, so they would have to adjust settings to avoid the circular reference (the minimal deployment code would not work).

In addition, attempting to share the key between resources led to odd implementation choices in the construct - the implementation was highly biased towards the topic. For instance, if an existingTopic was provided but a CMK was still created to encrypt the queue, that CMK was not available in the encryptionKey property.

Code using the original, single key props should continue to work - while that portion of the construct interface is deprecated it is not going away any time soon. Any code using any of those props, or with the new feature flag not enabled, will continue to use the old implementation. We wrote many unit tests confirming the old implementation will continue to work the same, warts and all. We do recommend that you migrate to use the new key features to take advantage of the finer grained IAM policy for the key and more control over key behavior within the construct.

Any code that references one of the new key properties (or that enables the new feature flag) will use the new functionality.
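The key-policy narrowing introduced in CDK v2.32.0 can be verified in synthesized output. The following is an added example, not code from the construct or its README: it scans a CloudFormation template for KMS key policies that allow `sns.amazonaws.com` without an `aws:SourceArn` condition. The sample template, its logical IDs, and the assumed shape of the SNS statement are constructed for illustration.

```typescript
// Added example: the template below is constructed sample data, not real synth output.
type Statement = {
  Effect: string;
  Action: string | string[];
  Principal?: { Service?: string | string[]; AWS?: unknown };
  Condition?: { [operator: string]: { [key: string]: unknown } };
};
type Template = { Resources: { [logicalId: string]: { Type: string; Properties?: any } } };

function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// True when any condition operator (ArnEquals, ArnLike, ...) pins aws:SourceArn.
function hasSourceArnCondition(s: Statement): boolean {
  const cond = s.Condition || {};
  return Object.keys(cond).some((op) =>
    Object.keys(cond[op]).some((k) => k.toLowerCase() === "aws:sourcearn"));
}

// Logical IDs of KMS keys whose policy allows the whole SNS service to use the
// key, i.e. an Allow for sns.amazonaws.com with no aws:SourceArn condition.
function keysOpenToSnsService(template: Template): string[] {
  return Object.keys(template.Resources).filter((id) => {
    const res = template.Resources[id];
    if (res.Type !== "AWS::KMS::Key") return false;
    const statements = asArray<Statement>(res.Properties?.KeyPolicy?.Statement);
    return statements.some((s) =>
      s.Effect === "Allow" &&
      asArray(s.Principal?.Service).indexOf("sns.amazonaws.com") !== -1 &&
      !hasSourceArnCondition(s));
  });
}

// Assumed statement shape: SNS service principal using the queue's key.
const snsUse = { Effect: "Allow", Action: ["kms:Decrypt", "kms:GenerateDataKey"],
  Principal: { Service: "sns.amazonaws.com" }, Resource: "*" };
const sampleTemplate: Template = {
  Resources: {
    SharedKey: { Type: "AWS::KMS::Key", Properties: { KeyPolicy: { Statement: [snsUse] } } },
    QueueKey: { Type: "AWS::KMS::Key", Properties: { KeyPolicy: { Statement: [
      { ...snsUse, Condition: { ArnEquals: { "aws:SourceArn": { Ref: "Topic" } } } },
    ] } } },
    Topic: { Type: "AWS::SNS::Topic" },
  },
};

console.log(keysOpenToSnsService(sampleTemplate)); // logical IDs that need review
```

Run against the JSON produced by `cdk synth`, a non-empty result points at keys still using the service-wide grant.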

Pattern Construct Props

| Name | Type | Description |
|:-------------|:----------------|-----------------|
| existingTopicObj? | sns.Topic | An optional, existing SNS topic to be used instead of the default topic. Providing both this and topicProps will cause an error. |
| topicProps? | sns.TopicProps | Optional user provided properties to override the default properties for the SNS topic. |
| encryptTopicWithCmk | boolean | Whether to encrypt the Topic with a customer managed KMS key (CMK). This is the default behavior, and this property defaults to true - if it is explicitly set to false then the Topic is encrypted with an Amazon managed KMS key. For a completely unencrypted Topic (not recommended), create the Topic separately from the construct and pass it in using the existingTopicObject. |
| topicEncryptionKeyProps | kms.KeyProps | An optional subset of key properties to override the default properties used by constructs (enableKeyRotation: true). These properties will be used in constructing the CMK used to encrypt the SNS topic. |
| existingTopicEncryptionKey | kms.Key | An optional CMK that will be used by the construct to encrypt the new SNS Topic. |
| existingQueueObj? | sqs.Queue | An optional, existing SQS queue to be used instead of the default queue. Providing both this and queueProps will cause an error. |
| queueProps? | sqs.QueueProps | Optional user provided properties to override the default properties for the SQS queue. |
| encryptQueueWithCmk | boolean | Whether to encrypt the Queue with a customer managed KMS key (CMK). This is the default behavior, and this property defaults to true - if it is explicitly set to false then the Queue is encrypted with an Amazon managed KMS key. For a completely unencrypted Queue (not recommended), create the Queue separately from the construct and pass it in using the existingQueueObject. Since SNS subscriptions do not currently support SQS queues with AWS managed encryption keys, setting this to false will always result in an error from the underlying CDK - we have still included this property for consistency with topics and to be ready if the services one day support this functionality. |
| queueEncryptionKeyProps | kms.KeyProps | An optional subset of key properties to override the default properties used by constructs (enableKeyRotation: true). These properties will be used in constructing the CMK used to encrypt the SQS queue. |
| existingQueueEncryptionKey | kms.Key | An optional CMK that will be used by the construct to encrypt the new SQS queue. |
| deployDeadLetterQueue? | boolean | Whether to create a secondary queue to be used as a dead letter queue. Defaults to true. |
| deadLetterQueueProps? | sqs.QueueProps | Optional user-provided props to override the default props for the dead letter SQS queue. |
| maxReceiveCount? | number | The number of times a message can be unsuccessfully dequeued before being moved to the dead letter queue. Defaults to 15. |
| sqsSubscriptionProps? | subscriptions.SqsSubscriptionProps | Optional user-provided props to override the default props for sqsSubscriptionProps. |

Pattern Properties

| Name | Type | Description |
|:-------------|:----------------|-----------------|
| snsTopic | sns.Topic | Returns an instance of the SNS topic created by the pattern. |
| topicEncryptionKey? | kms.Key | Returns the KMS key used to encrypt the topic within the construct. Note - this is only set if the construct assigns the key, if the key is passed in topicProps it will not appear here. |
| sqsQueue | sqs.Queue | Returns an instance of the SQS queue created by the pattern. |
| queueEncryptionKey? | kms.Key | Returns the KMS key used to encrypt the queue within the construct. Note - this is only set if the construct assigns the key, if the key is passed in topicProps it will not appear here. |
| deadLetterQueue? | sqs.Queue | Returns an instance of the dead-letter SQS queue created by the pattern. |

Deprecated Pattern Construct Props

| Name | Type | Description |
|:-------------|:----------------|-----------------|
| enableEncryptionWithCustomerManagedKey? | boolean | If no key is provided, this flag determines whether the queue is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: topicProps.masterKey, queueProps.encryptionMasterKey, encryptionKey or encryptionKeyProps. We recommend you migrate your code to use encryptQueueWithCmk and encryptTopicWithCmk in place of this prop value. |
| encryptionKey? | kms.Key | An optional, imported encryption key to encrypt the SQS Queue and SNS Topic with. We recommend you migrate your code to use queueEncryptionKey and topicEncryptionKey in place of this prop value. |
| encryptionKeyProps? | kms.KeyProps | Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SNS topic and SQS queue with. We recommend you migrate your code to use queueEncryptionKeyProps and topicEncryptionKeyProps in place of this prop value. |

Deprecated Pattern Properties

| Name | Type | Description |
|:-------------|:----------------|-----------------|
| encryptionKey | kms.Key | Returns an instance of kms.Key used for the SQS queue, and SNS Topic. |

Default settings

The out-of-the-box implementation of the construct, without any overrides, sets the following defaults:

Amazon SNS Topic

  • Configure least privilege access permissions for SNS Topic
  • Enable server-side encryption for SNS Topic using Customer managed KMS Key
  • Enforce encryption of data in transit

Amazon SQS Queue

  • Configure least privilege access permissions for SQS Queue
  • Deploy SQS dead-letter queue for the source SQS Queue
  • Enable server-side encryption for SQS Queue using Customer managed KMS Key
  • Enforce encryption of data in transit

Architecture

Architecture Diagram


© Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.