[PRMP-586] add presign role to get doc review lambda

steph-torres-nhs · steph-torres-nhs · commit d063b4d4af13 · 2025-10-31T15:06:37.000Z
diff --git a/infrastructure/iam.tf b/infrastructure/iam.tf
@@ -239,7 +239,46 @@ resource "aws_iam_role_policy_attachment" "api_gateway_logs" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
 }
 
+
 resource "aws_api_gateway_account" "logging" {
   count               = local.is_sandbox ? 0 : 1
   cloudwatch_role_arn = aws_iam_role.api_gateway_cloudwatch[0].arn
 }
+
+data "aws_iam_policy_document" "assume_role_policy_get_document_review_lambda" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [module.get_document_review_lambda.lambda_execution_role_arn]
+    }
+  }
+}
+
+resource "aws_iam_role" "get_document_review_presign" {
+  name               = "${terraform.workspace}_stitch_presign_url_role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_get_document_review_lambda.json
+}
+
+resource "aws_iam_role_policy_attachment" "get_document_review" {
+  role       = aws_iam_role.get_document_review_presign.name
+  policy_arn = aws_iam_policy.s3_document_data_policy_get_document_review_lambda.arn
+}
+
+resource "aws_iam_policy" "s3_document_data_policy_get_document_review_lambda" {
+  name = "${terraform.workspace}_get_document_only_policy_for_get_document_review_lambda"
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:GetObject",
+        ],
+        "Resource" : ["*"]
+      }
+    ]
+  })
+}
diff --git a/infrastructure/lambda-get-document-review.tf b/infrastructure/lambda-get-document-review.tf
@@ -15,13 +15,13 @@ module "get_document_review_lambda" {
   is_gateway_integration_needed = true
   is_invoked_from_gateway       = true
   lambda_environment_variables = {
-    APPCONFIG_APPLICATION          = module.ndr-app-config.app_config_application_id
-    APPCONFIG_ENVIRONMENT          = module.ndr-app-config.app_config_environment_id
-    APPCONFIG_CONFIGURATION        = module.ndr-app-config.app_config_configuration_profile_id
-    DOCUMENT_REVIEW_DYNAMO_NAME    = ""
-    EDGE_REFERENCE_TABLE           = module.cloudfront_edge_dynamodb_table.table_name
-    CLOUDFRONT_URL                 = module.cloudfront-distribution-lg.cloudfront_url
-    WORKSPACE                      = terraform.workspace
+    APPCONFIG_APPLICATION       = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT       = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION     = module.ndr-app-config.app_config_configuration_profile_id
+    DOCUMENT_REVIEW_DYNAMO_NAME = ""
+    EDGE_REFERENCE_TABLE        = module.cloudfront_edge_dynamodb_table.table_name
+    CLOUDFRONT_URL              = module.cloudfront-distribution-lg.cloudfront_url
+    WORKSPACE                   = terraform.workspace
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
