[PRMP-1318] IAM policies in im-alerting-lambda

Signed-off-by: NogaNHS <[email protected]>

Author: NogaNHS

infrastructure/lambda-back-channel-logout.tf

@@ -36,7 +36,6 @@ module "back_channel_logout_lambda" {
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
-    aws_iam_policy.ssm_access_policy,
     module.auth_session_dynamodb_table,
     module.back-channel-logout-gateway,
     module.ndr-app-config

infrastructure/lambda-bulk-upload.tf

@@ -54,7 +54,6 @@ module "bulk-upload-lambda" {
     module.ndr-lloyd-george-store,
     module.lloyd_george_reference_dynamodb_table,
     module.bulk_upload_report_dynamodb_table,
-    aws_iam_policy.ssm_access_policy,
     module.lg-bulk-upload-expedite-metadata-queue,
   ]
 }

infrastructure/lambda-im-alerting.tf

@@ -20,8 +20,8 @@ module "im-alerting-lambda" {
   handler = "handlers.im_alerting_handler.lambda_handler"
   iam_role_policy_documents = [
     local.ssm_access_policy.policy,
-    aws_iam_policy.alerting_lambda_alarms.policy,
-    aws_iam_policy.alerting_lambda_tags.policy,
+    local.alerting_lambda_alarms_policy.policy,
+    local.alerting_lambda_tags_policy.policy,
     module.ndr-app-config.app_config_policy,
     module.alarm_state_history_table.dynamodb_read_policy_document,
     module.alarm_state_history_table.dynamodb_write_policy_document
@@ -47,6 +47,7 @@ module "im-alerting-lambda" {
 
 
 resource "aws_iam_policy" "alerting_lambda_alarms" {
+  count       = local.is_sandbox ? 0 : 1
   name        = "${terraform.workspace}_alerting_lambda_alarms_policy"
   description = "Alarms policy to allow lambda to describe all alarms"
   policy = jsonencode({
@@ -65,6 +66,7 @@ resource "aws_iam_policy" "alerting_lambda_alarms" {
 }
 
 resource "aws_iam_policy" "alerting_lambda_tags" {
+  count       = local.is_sandbox ? 0 : 1
   name        = "${terraform.workspace}_alerting_lambda_tags_policy"
   description = "Tags policy to allow alerting lambda to get resources by tags"
   policy = jsonencode({
@@ -80,3 +82,23 @@ resource "aws_iam_policy" "alerting_lambda_tags" {
   })
 }
 
+data "aws_iam_policy" "dev_environment_alerting_lambda_alarms" {
+  count = local.is_sandbox ? 1 : 0
+  name  = "${var.shared_infra_workspace}_alerting_lambda_alarms_policy"
+}
+
+data "aws_iam_policy" "dev_environment_alerting_lambda_tags" {
+  count = local.is_sandbox ? 1 : 0
+  name  = "${var.shared_infra_workspace}_alerting_lambda_tags_policy"
+}
+
+locals {
+  alerting_lambda_alarms_policy = local.is_sandbox ? (
+    data.aws_iam_policy.dev_environment_alerting_lambda_alarms[0]
+  ) : aws_iam_policy.alerting_lambda_alarms[0]
+
+  alerting_lambda_tags_policy = local.is_sandbox ? (
+    data.aws_iam_policy.dev_environment_alerting_lambda_tags[0]
+  ) : aws_iam_policy.alerting_lambda_tags[0]
+}
+

infrastructure/moved-resources-v1.6.11.tf

@@ -23,3 +23,13 @@ moved {
   to   = aws_iam_policy.mtls_access_ssm_policy[0]
 }
 
+moved {
+  from = aws_iam_policy.alerting_lambda_alarms
+  to   = aws_iam_policy.alerting_lambda_alarms[0]
+}
+
+moved {
+  from = aws_iam_policy.alerting_lambda_tags
+  to   = aws_iam_policy.alerting_lambda_tags[0]
+}
+