CCM-13611: Allow access to Core PDF pipeline bucket for getletterdata lambda

sidnhs · sidnhs · commit bf32f5eb31df · 2025-12-23T11:31:04.000Z
diff --git a/infrastructure/terraform/components/api/locals.tf b/infrastructure/terraform/components/api/locals.tf
@@ -28,4 +28,7 @@ locals {
     APIM_CORRELATION_HEADER  = "nhsd-correlation-id",
     DOWNLOAD_URL_TTL_SECONDS = 60
   }
+
+core_pdf_bucket_arn = "arn:aws:s3:::comms-${var.core_account_id}-eu-west-2-${var.core_environment}-api-stg-pdf-pipeline"
+core_s3_kms_key_alias_name = "alias/comms-${var.core_environment}-api-s3"
 }
diff --git a/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf b/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
@@ -68,11 +68,43 @@ data "aws_iam_policy_document" "get_letter_data_lambda" {
     ]
   }
 
+  statement {
+    sid = "S3ListBucketForPresign"
+    actions = [
+    "s3:ListBucket"
+    ]
+    resources = [
+      module.s3bucket_test_letters.arn,
+      local.core_pdf_bucket_arn
+      ]
+  }
+
   statement {
     sid = "S3GetObjectForPresign"
     actions = [
       "s3:GetObject",
-    "s3:ListBucket"] # allows 404 response instead of 403 if object missing
-    resources = ["${module.s3bucket_test_letters.arn}/*"]
+      "s3:PutObject",
+    ] # allows 404 response instead of 403 if object missing
+    resources = [
+      "${module.s3bucket_test_letters.arn}/*",
+      "${local.core_pdf_bucket_arn}/*",
+      ]
+  }
+
+  statement {
+    sid = "KMSForCoreS3Access"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+      "kms:DescribeKey"
+    ]
+    resources = [
+      "arn:aws:kms:${var.region}:${var.core_account_id}:key/*"
+    ]
+    condition {
+      test = "ForAnyValue:StringEquals"
+      variable = "kms:ResourceAliases"
+      values = [local.core_s3_kms_key_alias_name]
+    }
   }
 }
diff --git a/infrastructure/terraform/components/api/variables.tf b/infrastructure/terraform/components/api/variables.tf
@@ -134,3 +134,15 @@ variable "eventpub_control_plane_bus_arn" {
   description = "ARN of the EventBridge control plane bus for eventpub"
   default     = ""
 }
+
+variable "core_account_id" {
+  type        = string
+  description = "AWS Account ID for Core"
+  default     = "000000000000"
+}
+
+variable "core_environment" {
+  type       = string
+  description = "Environment of Core"
+  default     = "prod"
+}

Original file line number	Diff line number	Diff line change
`@@ -28,4 +28,7 @@ locals {`
`28`	`28`	`APIM_CORRELATION_HEADER = "nhsd-correlation-id",`
`29`	`29`	`DOWNLOAD_URL_TTL_SECONDS = 60`
`30`	`30`	`}`
	`31`	`+`
	`32`	`+core_pdf_bucket_arn = "arn:aws:s3:::comms-${var.core_account_id}-eu-west-2-${var.core_environment}-api-stg-pdf-pipeline"`
	`33`	`+core_s3_kms_key_alias_name = "alias/comms-${var.core_environment}-api-s3"`
`31`	`34`	`}`