[PRMP-586] Add S3 read and write policies for document review process

NogaNHS · NogaNHS · commit 8393b7f6ed8e · 2025-11-24T12:06:43.000Z
Signed-off-by: NogaNHS &lt;127490765+NogaNHS@users.noreply.github.com&gt;
diff --git a/infrastructure/lambda-get-document-review.tf b/infrastructure/lambda-get-document-review.tf
@@ -7,7 +7,8 @@ module "get_document_review_lambda" {
     module.cloudfront_edge_dynamodb_table.dynamodb_read_policy_document,
     module.cloudfront_edge_dynamodb_table.dynamodb_write_policy_document,
     local.is_production ? "" : module.document_review_dynamodb_table[0].dynamodb_read_policy_document,
-    aws_iam_policy.ssm_access_policy.policy
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-document-pending-review-store.s3_read_policy_document
   ]
 
   rest_api_id                   = aws_api_gateway_rest_api.ndr_doc_store_api.id
diff --git a/infrastructure/lambda-patch-document-review.tf b/infrastructure/lambda-patch-document-review.tf
@@ -7,6 +7,7 @@ module "patch_document_review_lambda" {
     local.is_production ? "" : module.document_review_dynamodb_table[0].dynamodb_write_policy_document,
     local.is_production ? "" : module.document_review_dynamodb_table[0].dynamodb_read_policy_document,
     aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-document-pending-review-store.s3_write_policy_document
   ]
 
   rest_api_id                   = aws_api_gateway_rest_api.ndr_doc_store_api.id
diff --git a/infrastructure/lambda-search-document-review.tf b/infrastructure/lambda-search-document-review.tf
@@ -21,8 +21,6 @@ module "search_document_review_lambda" {
     APPCONFIG_CONFIGURATION       = module.ndr-app-config.app_config_configuration_profile_id
     DOCUMENT_REVIEW_DYNAMODB_NAME = local.is_production ? "" : module.document_review_dynamodb_table[0].table_name
     WORKSPACE                     = terraform.workspace
-
-
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
diff --git a/infrastructure/modules/s3/iam.tf b/infrastructure/modules/s3/iam.tf
@@ -29,7 +29,7 @@ resource "aws_iam_policy" "s3_document_data_policy" {
           "s3:PutObjectTagging",
           "s3:GetObjectVersion",
         ],
-        "Resource" : ["${aws_s3_bucket.bucket.arn}/*", "${aws_s3_bucket.bucket.arn}/*"]
+        "Resource" : ["${aws_s3_bucket.bucket.arn}/*"]
       }
     ]
   })

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,8 @@ module "get_document_review_lambda" {`
`7`	`7`	`module.cloudfront_edge_dynamodb_table.dynamodb_read_policy_document,`
`8`	`8`	`module.cloudfront_edge_dynamodb_table.dynamodb_write_policy_document,`
`9`	`9`	`local.is_production ? "" : module.document_review_dynamodb_table[0].dynamodb_read_policy_document,`
`10`		`- aws_iam_policy.ssm_access_policy.policy`
	`10`	`+ aws_iam_policy.ssm_access_policy.policy,`
	`11`	`+ module.ndr-document-pending-review-store.s3_read_policy_document`
`11`	`12`	`]`
`12`	`13`
`13`	`14`	`rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ module "patch_document_review_lambda" {`
`7`	`7`	`local.is_production ? "" : module.document_review_dynamodb_table[0].dynamodb_write_policy_document,`
`8`	`8`	`local.is_production ? "" : module.document_review_dynamodb_table[0].dynamodb_read_policy_document,`
`9`	`9`	`aws_iam_policy.ssm_access_policy.policy,`
	`10`	`+ module.ndr-document-pending-review-store.s3_write_policy_document`
`10`	`11`	`]`
`11`	`12`
`12`	`13`	`rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id`
Original file line number	Diff line number	Diff line change
`@@ -21,8 +21,6 @@ module "search_document_review_lambda" {`
`21`	`21`	`APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id`
`22`	`22`	`DOCUMENT_REVIEW_DYNAMODB_NAME = local.is_production ? "" : module.document_review_dynamodb_table[0].table_name`
`23`	`23`	`WORKSPACE = terraform.workspace`
`24`		`-`
`25`		`-`
`26`	`24`	`}`
`27`	`25`	`depends_on = [`
`28`	`26`	`aws_api_gateway_rest_api.ndr_doc_store_api,`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ resource "aws_iam_policy" "s3_document_data_policy" {`
`29`	`29`	`"s3:PutObjectTagging",`
`30`	`30`	`"s3:GetObjectVersion",`
`31`	`31`	`],`
`32`		`- "Resource" : ["${aws_s3_bucket.bucket.arn}/", "${aws_s3_bucket.bucket.arn}/"]`
	`32`	`+ "Resource" : ["${aws_s3_bucket.bucket.arn}/*"]`
`33`	`33`	`}`
`34`	`34`	`]`
`35`	`35`	`})`