I have an SQS queue, which has an existing SQS access policy.
I am trying to add another policy statement inside the existing policy, but running my CloudFormation template results in overwriting the existing policy with the new policy.
```yaml
DlqSqsQueue:
  Type: AWS::SQS::Queue
  Properties:
    QueueName: !Sub name
    KmsMasterKeyId: alias/aws/sqs
    KmsDataKeyReusePeriodSeconds: 86400
  UpdateReplacePolicy: Delete
  DeletionPolicy: Delete
DlqSqsQueuePolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    PolicyDocument:
      Statement:
        - Action: sqs:SendMessage
          Condition:
            ArnEquals:
              aws:SourceArn:
                Fn::GetAtt:
                  - rulenamev1
                  - Arn
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Resource:
            Fn::GetAtt:
              - DlqSqsQueue
              - Arn
          Sid: v1
      Version: '2012-10-17'
    Queues:
      - Ref: DlqSqsQueue
DlqSqsQueuePolicyV2:
  Type: AWS::SQS::QueuePolicy
  Properties:
    PolicyDocument:
      Statement:
        - Action: sqs:SendMessage
          Condition:
            ArnEquals:
              aws:SourceArn:
                Fn::GetAtt:
                  - rulenamev2
                  - Arn
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Resource:
            Fn::GetAtt:
              - DlqSqsQueue
              - Arn
          Sid: v2
      Version: '2012-10-17'
    Queues:
      - Ref: DlqSqsQueue
```
An SQS queue can have only one `AWS::SQS::QueuePolicy`. You have to take your `Statement` from `DlqSqsQueuePolicyV2` and add it to `DlqSqsQueuePolicy`:
```yaml
DlqSqsQueue:
  Type: AWS::SQS::Queue
  Properties:
    QueueName: !Sub name
    KmsMasterKeyId: alias/aws/sqs
    KmsDataKeyReusePeriodSeconds: 86400
  UpdateReplacePolicy: Delete
  DeletionPolicy: Delete
DlqSqsQueuePolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    PolicyDocument:
      Statement:
        - Action: sqs:SendMessage
          Condition:
            ArnEquals:
              aws:SourceArn:
                Fn::GetAtt:
                  - rulenamev1
                  - Arn
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Resource:
            Fn::GetAtt:
              - DlqSqsQueue
              - Arn
          Sid: v1
        - Action: sqs:SendMessage
          Condition:
            ArnEquals:
              aws:SourceArn:
                Fn::GetAtt:
                  - rulenamev2
                  - Arn
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Resource:
            Fn::GetAtt:
              - DlqSqsQueue
              - Arn
          Sid: v2
      Version: '2012-10-17'
    Queues:
      - Ref: DlqSqsQueue
```
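
A pre-deployment check for the situation above, as an added example that is not part of the original answer: it flags any queue referenced by more than one `AWS::SQS::QueuePolicy` and collects the statements that belong in a single policy. The template is a constructed JSON rendering of the question's resources with statements trimmed to their `Sid`, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample: the question's resources in JSON form, statements trimmed to Sid.
TEMPLATE = json.loads("""{"Resources": {
  "DlqSqsQueue": {"Type": "AWS::SQS::Queue"},
  "DlqSqsQueuePolicy": {"Type": "AWS::SQS::QueuePolicy", "Properties": {
    "Queues": [{"Ref": "DlqSqsQueue"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Sid": "v1"}]}}},
  "DlqSqsQueuePolicyV2": {"Type": "AWS::SQS::QueuePolicy", "Properties": {
    "Queues": [{"Ref": "DlqSqsQueue"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": {"Sid": "v2"}}}}
}}""")

def _queue_key(q):
    # Queues entries are usually {"Ref": ...}; otherwise use a stable string form.
    return q["Ref"] if isinstance(q, dict) and "Ref" in q else json.dumps(q, sort_keys=True)

def policies_by_queue(template):
    """Map each queue to the logical IDs of the QueuePolicy resources attached to it."""
    attached = defaultdict(list)
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::SQS::QueuePolicy":
            continue
        for q in res.get("Properties", {}).get("Queues", []):
            attached[_queue_key(q)].append(logical_id)
    return dict(attached)

def conflicting_queues(template):
    """Queues targeted by more than one QueuePolicy, whose policies overwrite one another."""
    return {q: ids for q, ids in policies_by_queue(template).items() if len(ids) > 1}

def merged_statements(template, policy_ids):
    """Gather the statements of the given policies into one list; Sids must stay unique."""
    merged, seen = [], set()
    for pid in policy_ids:
        stmts = template["Resources"][pid]["Properties"]["PolicyDocument"]["Statement"]
        # Statement may be a single object instead of a list.
        for s in stmts if isinstance(stmts, list) else [stmts]:
            sid = s.get("Sid")
            if sid is not None and sid in seen:
                raise ValueError(f"duplicate Sid {sid!r} in {pid}")
            seen.add(sid)
            merged.append(s)
    return merged

if __name__ == "__main__":
    for queue, ids in conflicting_queues(TEMPLATE).items():
        print(queue, ids, [s.get("Sid") for s in merged_statements(TEMPLATE, ids)])
```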