import type { Construct } from 'constructs'; import { QueueGrants } from './sqs-grants.generated'; import type { IQueueRef, QueueReference } from './sqs.generated'; import * as iam from '../../aws-iam'; import type { GrantOnKeyResult, IEncryptedResource, IGrantable } from '../../aws-iam'; import type * as kms from '../../aws-kms'; import type { IResource, ResourceProps } from '../../core'; import { Resource } from '../../core'; /** * Represents an SQS queue */ export interface IQueue extends IResource, IQueueRef { /** * The ARN of this queue * @attribute */ readonly queueArn: string; /** * The URL of this queue * @attribute */ readonly queueUrl: string; /** * The name of this queue * @attribute */ readonly queueName: string; /** * If this queue is server-side encrypted, this is the KMS encryption key. */ readonly encryptionMasterKey?: kms.IKey; /** * Whether this queue is an Amazon SQS FIFO queue. If false, this is a standard queue. */ readonly fifo: boolean; /** * Whether the contents of the queue are encrypted, and by what type of key. */ readonly encryptionType?: QueueEncryption; /** * Adds a statement to the IAM resource policy associated with this queue. * * If this queue was created in this stack (`new Queue`), a queue policy * will be automatically created upon the first call to `addToPolicy`. If * the queue is imported (`Queue.import`), then this is a no-op. */ addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult; /** * Grant permissions to consume messages from a queue * * This will grant the following permissions: * * - sqs:ChangeMessageVisibility * - sqs:DeleteMessage * - sqs:ReceiveMessage * - sqs:GetQueueAttributes * - sqs:GetQueueUrl * * @param grantee Principal to grant consume rights to */ grantConsumeMessages(grantee: iam.IGrantable): iam.Grant; /** * Grant access to send messages to a queue to the given identity. * * This will grant the following permissions: * * - sqs:SendMessage * - sqs:GetQueueAttributes * - sqs:GetQueueUrl * * @param grantee Principal to grant send rights to */ grantSendMessages(grantee: iam.IGrantable): iam.Grant; /** * Grant an IAM principal permissions to purge all messages from the queue. * * This will grant the following permissions: * * - sqs:PurgeQueue * - sqs:GetQueueAttributes * - sqs:GetQueueUrl * * @param grantee Principal to grant send rights to */ grantPurge(grantee: iam.IGrantable): iam.Grant; /** * Grant the actions defined in queueActions to the identity Principal given * on this SQS queue resource. * * @param grantee Principal to grant right to * @param queueActions The actions to grant */ grant(grantee: iam.IGrantable, ...queueActions: string[]): iam.Grant; } /** * Reference to a new or existing Amazon SQS queue */ export declare abstract class QueueBase extends Resource implements IQueue, IEncryptedResource { /** * The ARN of this queue */ abstract readonly queueArn: string; /** * The URL of this queue */ abstract readonly queueUrl: string; /** * The name of this queue */ abstract readonly queueName: string; /** * If this queue is server-side encrypted, this is the KMS encryption key. */ abstract readonly encryptionMasterKey?: kms.IKey; /** * Whether this queue is an Amazon SQS FIFO queue. If false, this is a standard queue. */ abstract readonly fifo: boolean; /** * Whether the contents of the queue are encrypted, and by what type of key. */ abstract readonly encryptionType?: QueueEncryption; /** * Collection of grant methods for a Queue */ readonly grants: QueueGrants; /** * Controls automatic creation of policy objects. * * Set by subclasses. */ protected abstract readonly autoCreatePolicy: boolean; private policy?; constructor(scope: Construct, id: string, props?: ResourceProps); grantOnKey(grantee: IGrantable, ...actions: string[]): GrantOnKeyResult; get queueRef(): QueueReference; /** * Adds a statement to the IAM resource policy associated with this queue. * * If this queue was created in this stack (`new Queue`), a queue policy * will be automatically created upon the first call to `addToPolicy`. If * the queue is imported (`Queue.import`), then this is a no-op. */ addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult; /** * Grant permissions to consume messages from a queue * * This will grant the following permissions: * * - sqs:ChangeMessageVisibility * - sqs:DeleteMessage * - sqs:ReceiveMessage * - sqs:GetQueueAttributes * - sqs:GetQueueUrl * * If encryption is used, permission to use the key to decrypt the contents of the queue will also be granted to the same principal. * * This will grant the following KMS permissions: * * - kms:Decrypt * * * The use of this method is discouraged. Please use `grants.consumeMessages()` instead. * * [disable-awslint:no-grants] * * @param grantee Principal to grant consume rights to */ grantConsumeMessages(grantee: iam.IGrantable): iam.Grant; /** * Grant access to send messages to a queue to the given identity. * * This will grant the following permissions: * * - sqs:SendMessage * - sqs:GetQueueAttributes * - sqs:GetQueueUrl * * If encryption is used, permission to use the key to encrypt/decrypt the contents of the queue will also be granted to the same principal. * * This will grant the following KMS permissions: * * - kms:Decrypt * - kms:Encrypt * - kms:ReEncrypt* * - kms:GenerateDataKey* * * * The use of this method is discouraged. Please use `grants.sendMessages()` instead. * * [disable-awslint:no-grants] * * @param grantee Principal to grant send rights to */ grantSendMessages(grantee: iam.IGrantable): iam.Grant; /** * Grant an IAM principal permissions to purge all messages from the queue. * * This will grant the following permissions: * * - sqs:PurgeQueue * - sqs:GetQueueAttributes * - sqs:GetQueueUrl * * * The use of this method is discouraged. Please use `grants.purge()` instead. * * [disable-awslint:no-grants] * * @param grantee Principal to grant send rights to */ grantPurge(grantee: iam.IGrantable): iam.Grant; /** * Grant the actions defined in queueActions to the identity Principal given * on this SQS queue resource. * * [disable-awslint:no-grants] * * @param grantee Principal to grant right to * @param actions The actions to grant */ grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant; } /** * Reference to a queue */ export interface QueueAttributes { /** * The ARN of the queue. */ readonly queueArn: string; /** * The URL of the queue. * @see https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-queue-message-identifiers.html#sqs-general-identifiers * * @default - 'https://sqs.//' */ readonly queueUrl?: string; /** * The name of the queue. * @default if queue name is not specified, the name will be derived from the queue ARN */ readonly queueName?: string; /** * KMS encryption key, if this queue is server-side encrypted by a KMS key. * * @default - None */ readonly keyArn?: string; /** * Whether this queue is an Amazon SQS FIFO queue. If false, this is a standard queue. * * In case of a FIFO queue which is imported from a token, this value has to be explicitly set to true. * * @default - if fifo is not specified, the property will be determined based on the queue name (not possible for FIFO queues imported from a token) */ readonly fifo?: boolean; } /** * What kind of encryption to apply to this queue */ export declare enum QueueEncryption { /** * Messages in the queue are not encrypted */ UNENCRYPTED = "NONE", /** * Server-side KMS encryption with a KMS key managed by SQS. */ KMS_MANAGED = "KMS_MANAGED", /** * Server-side encryption with a KMS key managed by the user. * * If `encryptionKey` is specified, this key will be used, otherwise, one will be defined. */ KMS = "KMS", /** * Server-side encryption key managed by SQS (SSE-SQS). * * To learn more about SSE-SQS on Amazon SQS, please visit the * [Amazon SQS documentation](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html). */ SQS_MANAGED = "SQS_MANAGED" }