[PRMP-1221] Lambda module - accept >10 iam_role_policies (#213)

* [PRMP-1120] adding a new nrl lambda

* adds tf for nrl queue and lambda

* adds nrl api endpoint to vars

* PRMP-1120: adds timeout to match lambda for queue

* Adds feature flag for NRL lambda

* Moves feature flag to SQS subsrciption

* edits filter to use action from message body

* adds new env variable to bulk upload lambda

* formatting

* formatting

* [PRMP-1122] adds env variable and nrl sqs policy to bulk upload terraform

* PRMP-1252 (#209)

* Update SQS, S3, and DynamoDB Modules to Output iam_role_policy_document Values

* [PRMP-1221] - Update the lambda module to take in iam_role_policy_documents (JSON) instead of iam_role_policies (ARNs).

* [PRMP-1221] - pass in the combined policies to the bulk-upload-lambda

* [PRMP-1221] - solve cyclic dependancy error

* [PRMP-1221] - error fix try

* [PRMP-1221] - error fix try

* [PRMP-1221] Moved concatenated policies into policies.tf and passed concatenated values into bulk-upload-lambda

* [PRMP-1221] - make combined policies json

* [PRMP-1221] - make combined policies json

* [PRMP-1221] - use the policy attribute for the module outputs to get the json policies

* [PRMP-1221] - remove sid

* [PRMP-1221] - get arn from combined policies

* [PRMP-1221] - fix duplicate name error

* [PRMP-1221] - fix duplicate name error

* PRMP-1221 - remove unused/commented out code

* PRMP-1221 - replace iam_role_policy_documents back to iam_role_policies

* PRMP-1221 remove the combined polcies for s2 and dynamodb

* PRMP-1221 remove extra lines

* PRMP-1221 - add iam_role_policy_documents into lambda module variables

* PRMP-1221 - replace iam_role_policy_documents from iam_role_policies

* PRMP-1221 - remove the iam_role_policy_documents from the lambda-edge config

* PRMP-1221 - fix error - modify aws_iam_role_policy_attachment

* PRMP-1221 - revert back to old lambda_excecution_policy

* PRMP-1221 - add read write policies in the dynamodb, s3, sqs modules

* PRMP-1221 - apply the read write policies as a test run

* PRMP-1221 - apply the read write policies as a test run

* PRMP-1221 - fix invalid index error

* PRMP-1221 - merge policy documents

* PRMP-1221 - fix Invalid JSON in Policy Documents error

* PRMP-1221 - fix Invalid JSON in Policy Documents error

* PRMP-1221 - fix Invalid JSON in Policy Documents error

* PRMP-1221 - apply read write to sqs modules

* PRMP-1221 fix error - lease ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, and ListStreams Actions on your stream in IAM

* PRMP-1221 fix error - lease ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, and ListStreams Actions on your stream in IAM

* PRMP-1221 adding to depends_on

* PRMP-1221 - make terraform log in debug mode in github workflows

* PRMP-1221 - make terraform log in debug mode in github workflows

* PRMP-1221 - remove comments

* PRMP-1221 specify the workspace in the lambda name

* PRMP-1221 - resolve ARN error

* PRMP-1221 - resolve ARN error

* PRMP-1221 - resolve ARN error

* PRMP-1221 - resolve ARN error

* PRMP-1221 - resolve ARN error

* PRMP-1221 - resolve ARN error

* PRMP-1221 make outputs for debugging

* PRMP-1221 undo some changes

* PRMP-1221 fix MalformedPolicyDocument: Resource  must be in ARN format or "*".

* PRMP-1221 fix MalformedPolicyDocument: Resource  must be in ARN format or "*".

* PRMP-1221 make pre-commit

* PRMP-1221 undo main change

* PRMP-1221 try with out additional_policy_arns

* PRMP-1221 try with out additional_policy_arns

* PRMP-1221 try with out additional_policy_arns

* PRMP-1221 try with out additional_policy_arns

* PRMP-1221 remove all additional_policy_arns and pass them in docs

* PRMP-1221 remove all additional_policy_arns and pass them in docs

* PRMP-1221 remove all additional_policy_arns and pass them in docs

* PRMP-1221 remove all additional_policy_arns and pass them in docs

* PRMP-1221 remove all additional_policy_arns and pass them in docs

* PRMP-1221 remove all additional_policy_arns and pass them in docs

* PRMP-1221 remove all additional_policy_arns and pass them in docs

* PRMP-1221 remove all additional_policy_arns and pass them in docs

* PRMP-1221 replace all arns in docs to json

* PRMP-1221 replace all arns in docs to json

* PRMP-1221 is an invalid ARN error

* PRMP-1221 is an invalid ARN error

* PRMP-1221 is an invalid ARN error

* PRMP-1221 is an invalid ARN error

* PRMP-1221 is an invalid ARN error

* PRMP-1221 is an invalid ARN error

* PRMP-1221 is an invalid ARN error

* PRMP-1221 is an invalid ARN error

* [PRMP-1221] - Removed comments and madea a couple small changes

* [PRMP-1221] - Added some test policy json outputs to try and consolidate types

* [PRMP-1221] - Added some test policy json outputs to try and consolidate types

* PRMP-1221 undo a change causing errors

* PRMP-1221 format

* PRMP-1221 comment out non document polcies

* PRMP-1221 fix MalformedPolicyDocument: Resource  must be in ARN format or *

* PRMP-1221 Syntax errors in policy.

* PRMP-1221 Syntax errors in policy.

* PRMP-1221 Syntax errors in policy.

* PRMP-1221 Syntax errors in policy.

* PRMP-1221 Syntax errors in policy.

* PRMP-1221 Syntax errors in policy.

* PRMP-1221 Syntax errors in policy.

* PRMP-1221 Syntax errors in policy.

* PRMP-1221 Syntax errors in policy.

* PRMP-1221 bring back some of the commented out policies

* PRMP-1221 bring back some of the commented out policies

* PRMP-1221 bring back some of the commented out policies

* PRMP-1221 bring back some of the commented out policies

* PRMP-1221 remove unused code

* PRMP-1221 remove debug env variables

* PRMP-1221 increase lambda memory etc

* PRMP-1221 format

* PRMP-1221 remove lambda_timeout

* PRMP-1221 add line

* PRMP-1221  format

* PRMP-1221 limit exceed error fix

* PRMP-1221 limit exceed error fix

* PRMP-1221 limit exceed error fix

* PRMP-1221 limit exceed error fix

* PRMP-1221 limit exceed error fix

* PRMP-1221 limit exceed error fix

* PRMP-1221 move variable into variable.tf

* PRMP-1221 merge main in

* PRMP-1221 change to data block

* PRMP-1221 change to data block

* PRMP-1221 comment out dependancies as a test

* PRMP-1221 fix github workflow for manual destroy

* PRMP-1221 remove dependencies

* PRMP-1221 remove unused outputs and resources

* PRMP-1221 remove format

* PRMP-1221 bring back s3_document_data_policy

* PRMP-1221 format

* PRMP-1221 rename lambda_combined_policy to combined_policies

* PRMP-1221 format

---------

Co-authored-by: NogaNHS <noga.sasson1@nhs.net>
Co-authored-by: Jack Sutton <jack.sutton@madetech.com>
Co-authored-by: Ollie Beumkes <oliver.beumkes2@nhs.net>

infrastructure/README.md

@@ -8,7 +8,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.77.0 |
 
 ## Modules
 
@@ -163,12 +163,8 @@
 | [aws_backup_vault.backup_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
 | [aws_cloudwatch_event_rule.bulk_upload_metadata_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.bulk_upload_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
-| [aws_cloudwatch_event_rule.data_collection_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
-| [aws_cloudwatch_event_rule.statistical_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_target.bulk_upload_metadata_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.bulk_upload_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
-| [aws_cloudwatch_event_target.data_collection_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
-| [aws_cloudwatch_event_target.statistical_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_group.mesh_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_metric_filter.error_log_metric_filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
 | [aws_cloudwatch_log_metric_filter.inbox_message_count](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
@@ -227,8 +223,6 @@
 | [aws_lambda_event_source_mapping.nrl_pointer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_permission.bulk_upload_metadata_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.bulk_upload_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
-| [aws_lambda_permission.data_collection_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
-| [aws_lambda_permission.statistical_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_s3_bucket.logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_lifecycle_configuration.doc-store-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.lg-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |

infrastructure/lambda-authoriser.tf

@@ -2,12 +2,11 @@ module "authoriser-lambda" {
   source  = "./modules/lambda"
   name    = "AuthoriserLambda"
   handler = "handlers.authoriser_handler.lambda_handler"
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    aws_iam_policy.ssm_policy_authoriser.arn,
-    module.auth_session_dynamodb_table.dynamodb_policy,
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    aws_iam_policy.ssm_policy_authoriser.policy,
+    module.auth_session_dynamodb_table.dynamodb_read_policy_document,
+    module.auth_session_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-app-config.app_config_policy
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn

infrastructure/lambda-back-channel-logout.tf

@@ -23,12 +23,11 @@ module "back_channel_logout_lambda" {
   source  = "./modules/lambda"
   name    = "BackChannelLogoutHandler"
   handler = "handlers.back_channel_logout_handler.lambda_handler"
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    aws_iam_policy.ssm_policy_oidc.arn,
-    module.auth_session_dynamodb_table.dynamodb_policy,
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    aws_iam_policy.ssm_policy_oidc.policy,
+    module.auth_session_dynamodb_table.dynamodb_read_policy_document,
+    module.auth_session_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-app-config.app_config_policy
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.back-channel-logout-gateway.gateway_resource_id

infrastructure/lambda-bulk-upload-metadata.tf

@@ -3,12 +3,12 @@ module "bulk-upload-metadata-lambda" {
   name           = "BulkUploadMetadataLambda"
   handler        = "handlers.bulk_upload_metadata_handler.lambda_handler"
   lambda_timeout = 900
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-bulk-staging-store.s3_object_access_policy,
-    module.sqs-lg-bulk-upload-metadata-queue.sqs_policy,
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    module.ndr-bulk-staging-store.s3_read_policy_document,
+    module.ndr-bulk-staging-store.s3_write_policy_document,
+    module.sqs-lg-bulk-upload-metadata-queue.sqs_read_policy_document,
+    module.sqs-lg-bulk-upload-metadata-queue.sqs_write_policy_document,
+    module.ndr-app-config.app_config_policy
   ]
 
   rest_api_id       = null

infrastructure/lambda-bulk-upload-report.tf

@@ -2,13 +2,13 @@ module "bulk-upload-report-lambda" {
   source  = "./modules/lambda"
   name    = "BulkUploadReportLambda"
   handler = "handlers.bulk_upload_report_handler.lambda_handler"
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.statistical-reports-store.s3_object_access_policy,
-    module.bulk_upload_report_dynamodb_table.dynamodb_policy,
-    aws_iam_policy.dynamodb_policy_scan_bulk_report.arn,
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    module.statistical-reports-store.s3_read_policy_document,
+    module.statistical-reports-store.s3_write_policy_document,
+    module.bulk_upload_report_dynamodb_table.dynamodb_read_policy_document,
+    module.bulk_upload_report_dynamodb_table.dynamodb_write_policy_document,
+    aws_iam_policy.dynamodb_policy_scan_bulk_report.policy,
+    module.ndr-app-config.app_config_policy
   ]
   rest_api_id       = null
   api_execution_arn = null

infrastructure/lambda-bulk-upload.tf

@@ -2,17 +2,23 @@ module "bulk-upload-lambda" {
   source  = "./modules/lambda"
   name    = "BulkUploadLambda"
   handler = "handlers.bulk_upload_handler.lambda_handler"
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-bulk-staging-store.s3_object_access_policy,
-    module.ndr-lloyd-george-store.s3_object_access_policy,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
-    module.bulk_upload_report_dynamodb_table.dynamodb_policy,
-    module.sqs-lg-bulk-upload-metadata-queue.sqs_policy,
-    module.sqs-lg-bulk-upload-invalid-queue.sqs_policy,
-    aws_iam_policy.ssm_access_policy.arn,
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    module.ndr-bulk-staging-store.s3_read_policy_document,
+    module.ndr-bulk-staging-store.s3_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.bulk_upload_report_dynamodb_table.dynamodb_read_policy_document,
+    module.bulk_upload_report_dynamodb_table.dynamodb_write_policy_document,
+    module.sqs-nrl-queue.sqs_read_policy_document,
+    module.sqs-nrl-queue.sqs_write_policy_document,
+    module.sqs-lg-bulk-upload-metadata-queue.sqs_read_policy_document,
+    module.sqs-lg-bulk-upload-metadata-queue.sqs_write_policy_document,
+    module.sqs-lg-bulk-upload-invalid-queue.sqs_read_policy_document,
+    module.sqs-lg-bulk-upload-invalid-queue.sqs_write_policy_document,
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-app-config.app_config_policy
   ]
   rest_api_id       = null
   api_execution_arn = null
@@ -29,6 +35,7 @@ module "bulk-upload-lambda" {
     METADATA_SQS_QUEUE_URL     = module.sqs-lg-bulk-upload-metadata-queue.sqs_url
     INVALID_SQS_QUEUE_URL      = module.sqs-lg-bulk-upload-invalid-queue.sqs_url
     PDS_FHIR_IS_STUBBED        = local.is_sandbox
+    NRL_SQS_URL                = module.sqs-nrl-queue.sqs_url
   }
 
   is_gateway_integration_needed  = false
@@ -44,7 +51,6 @@ module "bulk-upload-lambda" {
     module.lloyd_george_reference_dynamodb_table,
     module.bulk_upload_report_dynamodb_table,
     aws_iam_policy.ssm_access_policy,
-    module.ndr-app-config
   ]
 }
 

infrastructure/lambda-create-doc-ref.tf

@@ -66,21 +66,27 @@ module "create-doc-ref-lambda" {
   source  = "./modules/lambda"
   name    = "CreateDocRefLambda"
   handler = "handlers.create_document_reference_handler.lambda_handler"
-  iam_role_policies = [
-    module.document_reference_dynamodb_table.dynamodb_policy,
-    module.stitch_metadata_reference_dynamodb_table.dynamodb_policy,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
-    module.ndr-bulk-staging-store.s3_object_access_policy,
-    module.ndr-lloyd-george-store.s3_object_access_policy,
-    module.ndr-document-store.s3_object_access_policy,
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    aws_iam_policy.ssm_access_policy.arn,
-    module.ndr-app-config.app_config_policy_arn,
+  iam_role_policy_documents = [
+    module.ndr-bulk-staging-store.s3_read_policy_document,
+    module.ndr-bulk-staging-store.s3_write_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-document-store.s3_read_policy_document,
+    module.ndr-document-store.s3_write_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-app-config.app_config_policy,
   ]
-  rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  resource_id       = module.create-doc-ref-gateway.gateway_resource_id
-  http_methods      = ["POST"]
+  rest_api_id  = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  resource_id  = module.create-doc-ref-gateway.gateway_resource_id
+  http_methods = ["POST"]
+  memory_size  = 512
+
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   lambda_environment_variables = {
     STAGING_STORE_BUCKET_NAME     = "${terraform.workspace}-${var.staging_store_bucket_name}"

infrastructure/lambda-data-collection.tf

@@ -45,16 +45,19 @@ module "data-collection-lambda" {
   name           = "DataCollectionLambda"
   handler        = "handlers.data_collection_handler.lambda_handler"
   lambda_timeout = 900
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-app-config.app_config_policy_arn,
-    module.statistics_dynamodb_table.dynamodb_policy,
-    module.ndr-lloyd-george-store.s3_list_object_policy,
-    module.ndr-document-store.s3_list_object_policy,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
-    module.document_reference_dynamodb_table.dynamodb_policy,
-    aws_iam_policy.cloudwatch_log_query_policy.arn
+  iam_role_policy_documents = [
+    module.ndr-app-config.app_config_policy,
+    module.statistics_dynamodb_table.dynamodb_read_policy_document,
+    module.statistics_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.ndr-document-store.s3_read_policy_document,
+    module.ndr-document-store.s3_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+    aws_iam_policy.cloudwatch_log_query_policy.policy
   ]
   rest_api_id       = null
   api_execution_arn = null

infrastructure/lambda-delete-doc-ref.tf

@@ -65,16 +65,20 @@ module "delete-doc-ref-lambda" {
   source  = "./modules/lambda"
   name    = "DeleteDocRefLambda"
   handler = "handlers.delete_document_reference_handler.lambda_handler"
-  iam_role_policies = [
-    module.document_reference_dynamodb_table.dynamodb_policy,
-    module.ndr-document-store.s3_object_access_policy,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
-    module.ndr-lloyd-george-store.s3_object_access_policy,
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-app-config.app_config_policy_arn,
-    module.stitch_metadata_reference_dynamodb_table.dynamodb_policy,
-    module.sqs-nrl-queue.sqs_policy
+  iam_role_policy_documents = [
+    module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-document-store.s3_read_policy_document,
+    module.ndr-document-store.s3_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.ndr-app-config.app_config_policy,
+    module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.sqs-nrl-queue.sqs_read_policy_document,
+    module.sqs-nrl-queue.sqs_write_policy_document
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.delete-doc-ref-gateway.gateway_resource_id
@@ -88,7 +92,6 @@ module "delete-doc-ref-lambda" {
     LLOYD_GEORGE_DYNAMODB_NAME    = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
     STITCH_METADATA_DYNAMODB_NAME = "${terraform.workspace}_${var.stitch_metadata_dynamodb_table_name}"
     WORKSPACE                     = terraform.workspace
-    NRL_SQS_QUEUE_URL             = module.sqs-nrl-queue.sqs_url
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,

infrastructure/lambda-document-manifest-job.tf

@@ -67,14 +67,16 @@ module "document-manifest-job-lambda" {
   name           = "DocumentManifestJobLambda"
   handler        = "handlers.document_manifest_job_handler.lambda_handler"
   lambda_timeout = 900
-  iam_role_policies = [
-    module.document_reference_dynamodb_table.dynamodb_policy,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
-    module.zip_store_reference_dynamodb_table.dynamodb_policy,
-    module.ndr-zip-request-store.s3_object_access_policy,
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.zip_store_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.zip_store_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-zip-request-store.s3_read_policy_document,
+    module.ndr-zip-request-store.s3_write_policy_document,
+    module.ndr-app-config.app_config_policy
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.document-manifest-job-gateway.gateway_resource_id

infrastructure/lambda-feature-flags.tf

@@ -66,10 +66,8 @@ module "feature-flags-lambda" {
   source  = "./modules/lambda"
   name    = "FeatureFlagsLambda"
   handler = "handlers.feature_flags_handler.lambda_handler"
-  iam_role_policies = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-app-config.app_config_policy_arn
+  iam_role_policy_documents = [
+    module.ndr-app-config.app_config_policy
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.feature-flags-gateway.gateway_resource_id

infrastructure/lambda-generate-document-manifest.tf

@@ -46,15 +46,18 @@ module "generate-document-manifest-lambda" {
   handler                  = "handlers.generate_document_manifest_handler.lambda_handler"
   lambda_timeout           = 900
   lambda_ephemeral_storage = 512
-  iam_role_policies = [
-    module.ndr-document-store.s3_object_access_policy,
-    module.ndr-lloyd-george-store.s3_object_access_policy,
-    module.zip_store_reference_dynamodb_table.dynamodb_policy,
-    module.ndr-zip-request-store.s3_object_access_policy,
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
-    module.ndr-app-config.app_config_policy_arn,
-    aws_iam_policy.dynamodb_stream_manifest.arn
+  memory_size              = 512
+  iam_role_policy_documents = [
+    module.ndr-document-store.s3_read_policy_document,
+    module.ndr-document-store.s3_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.zip_store_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.zip_store_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-zip-request-store.s3_read_policy_document,
+    module.ndr-zip-request-store.s3_write_policy_document,
+    module.ndr-app-config.app_config_policy,
+    aws_iam_policy.dynamodb_stream_manifest.policy
   ]
   rest_api_id       = null
   api_execution_arn = null