update iam permissions for sqs

Author: eyw520

servers/fai-lambda-deploy/scripts/fai-scribe-stack.ts

@@ -4,6 +4,7 @@ import * as apigateway from "aws-cdk-lib/aws-apigateway";
 import { Certificate } from "aws-cdk-lib/aws-certificatemanager";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
 import * as efs from "aws-cdk-lib/aws-efs";
+import * as iam from "aws-cdk-lib/aws-iam";
 import * as lambda from "aws-cdk-lib/aws-lambda";
 import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
 import { ARecord, HostedZone, RecordTarget } from "aws-cdk-lib/aws-route53";
@@ -125,6 +126,25 @@ export class FaiScribeStack extends Stack {
             filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, "/mnt/efs")
         });
 
+        // Grant SQS permissions for editing session queues
+        // These queues are created dynamically by the FAI server per editing session
+        lambdaFunction.addToRolePolicy(
+            new iam.PolicyStatement({
+                effect: iam.Effect.ALLOW,
+                actions: [
+                    "sqs:ReceiveMessage",
+                    "sqs:DeleteMessage",
+                    "sqs:GetQueueAttributes",
+                    "sqs:GetQueueUrl",
+                    "sqs:ChangeMessageVisibility"
+                ],
+                resources: [
+                    // Allow access to all editing-session queues in this region
+                    `arn:aws:sqs:${this.region}:${this.account}:editing-session-*.fifo`
+                ]
+            })
+        );
+
         const apiName = `${lambdaName}-${environmentType.toLowerCase()}`;
 
         const api = new apigateway.RestApi(this, `${lambdaName}-api`, {