[PRM-52] Add permission to access edge table and list bucket

NogaNHS · NogaNHS · commit 54aad08bf4d9 · 2025-04-07T12:28:20.000+01:00
diff --git a/infrastructure/README.md b/infrastructure/README.md
@@ -215,6 +215,7 @@
 | [aws_cloudwatch_event_target.nhs_oauth_token_generator_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.statistical_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_metric_filter.edge_presign_error](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
+| [aws_cloudwatch_log_resource_policy.rum_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy) | resource |
 | [aws_cloudwatch_metric_alarm.api_gateway_alarm_4XX](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cloudwatch_metric_alarm.api_gateway_alarm_5XX](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cloudwatch_metric_alarm.edge_presign_lambda_error](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
diff --git a/infrastructure/iam.tf b/infrastructure/iam.tf
@@ -46,6 +46,7 @@ resource "aws_iam_policy" "s3_document_data_policy_for_stitch_lambda" {
         "Effect" : "Allow",
         "Action" : [
           "s3:GetObject",
+          "S3:ListBucket",
         ],
         "Resource" : ["${module.ndr-lloyd-george-store.bucket_arn}/combined_files/*"]
       }
diff --git a/infrastructure/lambda-lloyd-george-record-stitch.tf b/infrastructure/lambda-lloyd-george-record-stitch.tf
@@ -73,7 +73,8 @@ module "lloyd-george-stitch-lambda" {
     module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
     module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.cloudfront_edge_dynamodb_table.dynamodb_write_policy_document
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.lloyd-george-stitch-gateway.gateway_resource_id
@@ -91,6 +92,7 @@ module "lloyd-george-stitch-lambda" {
     SPLUNK_SQS_QUEUE_URL          = try(module.sqs-splunk-queue[0].sqs_url, null)
     WORKSPACE                     = terraform.workspace
     PRESIGNED_ASSUME_ROLE         = aws_iam_role.stitch_presign_url_role.arn
+    EDGE_REFERENCE_TABLE          = module.cloudfront_edge_dynamodb_table.table_name
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ resource "aws_iam_policy" "s3_document_data_policy_for_stitch_lambda" {`
`46`	`46`	`"Effect" : "Allow",`
`47`	`47`	`"Action" : [`
`48`	`48`	`"s3:GetObject",`
	`49`	`+ "S3:ListBucket",`
`49`	`50`	`],`
`50`	`51`	`"Resource" : ["${module.ndr-lloyd-george-store.bucket_arn}/combined_files/*"]`
`51`	`52`	`}`