iam permissions

deployment/terraform/shared/main.tf

@@ -513,10 +513,13 @@ module "landlord_overrides_s3_read" {
   source = "../modules/s3_iam_policy"
 
   policy_name        = "LandlordOverridesReadS3"
-  policy_description = "Allow landlord description overrides Lambda to read from retrofit-data bucket"
-  bucket_arns        = ["arn:aws:s3:::retrofit-data-${var.stage}"]
-  actions            = ["s3:GetObject", "s3:ListBucket"]
-  resource_paths     = ["/*"]
+  policy_description = "Allow landlord description overrides Lambda to read the original upload CSV from retrofit-plan-inputs (and retrofit-data) bucket"
+  bucket_arns = [
+    "arn:aws:s3:::retrofit-plan-inputs-${var.stage}",
+    "arn:aws:s3:::retrofit-data-${var.stage}",
+  ]
+  actions        = ["s3:GetObject", "s3:ListBucket"]
+  resource_paths = ["/*"]
 }
 
 output "landlord_overrides_s3_read_arn" {