give handler permission to write to s3 bucket

backend/magic_plan/handler.py

@@ -19,6 +19,7 @@ def handler(body: dict[str, Any], context: Any) -> str:
         customer_id=settings.MAGICPLAN_CUSTOMER_ID,
         api_key=settings.MAGICPLAN_API_KEY,
     )
+    # TODO: read s3_bucket from env var so staging/prod use the correct bucket
     plan: Plan = MagicPlanService(client, s3_bucket="retrofit-energy-assessments-dev").run(payload)
     logger.info("Saved MagicPlan plan uid=%s", plan.uid)
     return plan.uid

infrastructure/terraform/lambda/magic_plan/main.tf

@@ -15,6 +15,11 @@ locals {
   db_credentials = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)
 }
 
+resource "aws_iam_role_policy_attachment" "magic_plan_s3_write" {
+  role       = module.lambda.role_name
+  policy_arn = data.terraform_remote_state.shared.outputs.magic_plan_s3_write_arn
+}
+
 module "lambda" {
   source = "../../modules/lambda_with_sqs"
 

infrastructure/terraform/shared/main.tf

@@ -745,4 +745,18 @@ module "magic_plan_client_registry" {
   source = "../modules/container_registry"
   name   = "magic-plan"
   stage  = var.stage
+}
+
+module "magic_plan_s3_write" {
+  source = "../modules/s3_iam_policy"
+
+  policy_name        = "MagicPlanWriteS3"
+  policy_description = "Allow MagicPlan Lambda to write to retrofit energy assessments bucket"
+  bucket_arns        = ["arn:aws:s3:::retrofit-energy-assessments-${var.stage}"]
+  actions            = ["s3:PutObject", "s3:AbortMultipartUpload"]
+  resource_paths     = ["/*"]
+}
+
+output "magic_plan_s3_write_arn" {
+  value = module.magic_plan_s3_write.policy_arn
 }