[PRMP-892] add staging bucket put permission to edge lambda

steph-torres-nhs · steph-torres-nhs · commit 1ce0dc765a24 · 2025-12-05T13:18:43.000Z
diff --git a/infrastructure/lambda-edge-presign.tf b/infrastructure/lambda-edge-presign.tf
@@ -74,10 +74,32 @@ module "edge-presign-lambda" {
     "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
     aws_iam_policy.ssm_access_policy.arn,
     module.ndr-app-config.app_config_policy_arn,
+    aws_iam_policy.staging_bucket_put.arn
   ]
   providers = {
     aws = aws.us_east_1
   }
   bucket_names = [module.ndr-lloyd-george-store.bucket_id, module.ndr-document-pending-review-store.bucket_id, module.ndr-bulk-staging-store.bucket_id]
   table_name   = module.cloudfront_edge_dynamodb_table.table_name
-}
+}
+
+
+
+resource "aws_iam_policy" "staging_bucket_put" {
+  name = "${terraform.workspace}_staging_bucket_put"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "s3:PutObject"
+        ],
+        Resource = [
+          module.ndr-bulk-staging-store.bucket_arn,
+          "${module.ndr-bulk-staging-store.bucket_arn}/*",
+        ]
+      }
+    ]
+  })
+}
