CCM-12616: Fix mesh-poll SSM parameters

Author: gareth-allan

infrastructure/terraform/components/dl/locals.tf

@@ -5,6 +5,7 @@ locals {
   apim_api_key_ssm_parameter_name      = "/${var.component}/${var.environment}/apim/api_key"
   apim_private_key_ssm_parameter_name  = "/${var.component}/${var.environment}/apim/private_key"
   apim_keystore_s3_bucket              = "nhs-${var.aws_account_id}-${var.region}-${var.environment}-${var.component}-static-assets"
+  ssm_mesh_prefix                      = "/${var.component}/${var.environment}/mesh"
   root_domain_name                     = "${var.environment}.${local.acct.route53_zone_names["digital-letters"]}"
   root_domain_id                       = local.acct.route53_zone_ids["digital-letters"]
   ttl_shard_count = 3

infrastructure/terraform/components/dl/module_lambda_mesh_poll.tf

@@ -38,7 +38,7 @@ module "mesh_poll" {
   log_subscription_role_arn = local.acct.log_subscription_role_arn
 
   lambda_env_vars = {
-    SSM_PREFIX                          = "/dl/${var.environment}/mesh"
+    SSM_PREFIX                          = "${local.ssm_mesh_prefix}"
     MAXIMUM_RUNTIME_MILLISECONDS        = "240000"  # 4 minutes (Lambda has 5 min timeout)
     ENVIRONMENT                         = var.environment
     EVENT_PUBLISHER_EVENT_BUS_ARN       = aws_cloudwatch_event_bus.main.arn
@@ -134,4 +134,17 @@ data "aws_iam_policy_document" "mesh_poll_lambda" {
       module.sqs_event_publisher_errors.sqs_queue_arn,
     ]
   }
+
+  statement {
+    sid    = "SSMPermissions"
+    effect = "Allow"
+
+    actions = [
+      "ssm:GetParametersByPath",
+    ]
+
+    resources = [
+      "arn:aws:ssm:${var.region}:${var.aws_account_id}:parameter/${local.ssm_mesh_prefix}/*"
+    ]
+  }
 }