Fix patch lambda permissions

francisco-videira-nhs · francisco-videira-nhs · commit e6c67d424756 · 2025-08-14T16:26:08.000Z
diff --git a/infrastructure/terraform/components/api/module_lambda_get_letters.tf b/infrastructure/terraform/components/api/module_lambda_get_letters.tf
@@ -62,13 +62,9 @@ data "aws_iam_policy_document" "get_letters_lambda" {
 
     actions = [
       "dynamodb:BatchGetItem",
-      "dynamodb:BatchWriteItem",
-      "dynamodb:DeleteItem",
       "dynamodb:GetItem",
-      "dynamodb:PutItem",
       "dynamodb:Query",
       "dynamodb:Scan",
-      "dynamodb:UpdateItem",
     ]
 
     resources = [
diff --git a/infrastructure/terraform/components/api/module_lambda_patch_letters.tf b/infrastructure/terraform/components/api/module_lambda_patch_letters.tf
@@ -9,7 +9,6 @@ module "patch_letters" {
   environment    = var.environment
   project        = var.project
   region         = var.region
-
   group          = var.group
 
   log_retention_in_days = var.log_retention_in_days
@@ -37,6 +36,8 @@ module "patch_letters" {
   log_subscription_role_arn = local.acct.log_subscription_role_arn
 
   lambda_env_vars = {
+    LETTERS_TABLE_NAME = aws_dynamodb_table.letters.name,
+    LETTER_TTL_HOURS = 24
   }
 }
 
@@ -54,4 +55,23 @@ data "aws_iam_policy_document" "patch_letters_lambda" {
       module.kms.key_arn, ## Requires shared kms module
     ]
   }
+
+    statement {
+    sid    = "AllowDynamoDBAccess"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:BatchGetItem",
+      "dynamodb:BatchWriteItem",
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:Query",
+      "dynamodb:Scan",
+      "dynamodb:UpdateItem",
+    ]
+
+    resources = [
+      aws_dynamodb_table.letters.arn,
+    ]
+  }
 }
diff --git a/lambdas/api-handler/src/services/__tests__/letter-operations.test.ts b/lambdas/api-handler/src/services/__tests__/letter-operations.test.ts
@@ -1,7 +1,6 @@
-import { Letter, LetterStatus } from '../../../../../internal/datastore/src';
+import { Letter } from '../../../../../internal/datastore/src';
 import { LetterApiResource, LetterApiStatus } from '../../contracts/letter-api';
 import { getLetterIdsForSupplier, patchLetterStatus } from '../letter-operations';
-import { z } from 'zod';
 
 function makeLetterApiResource(id: string, status: LetterApiStatus) : LetterApiResource {
   return {
@@ -16,7 +15,7 @@ function makeLetterApiResource(id: string, status: LetterApiStatus) : LetterApiR
   };
 }
 
-function makeLetter(id: string, status: z.infer<typeof LetterStatus>) : Letter {
+function makeLetter(id: string, status: Letter['status']) : Letter {
   return {
       id,
       status,
