From 891ccd4a8b45f9239b854ff648e914b37feb9134 Mon Sep 17 00:00:00 2001
From: Daniel Roth
Date: Tue, 10 Mar 2026 13:55:45 +0000
Subject: [PATCH] fast api s3 policy
---
 .../terraform/lambda/fast-api/main.tf | 4 +--
 infrastructure/terraform/shared/main.tf | 26 +++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/infrastructure/terraform/lambda/fast-api/main.tf b/infrastructure/terraform/lambda/fast-api/main.tf
index ebf436c3..40e0f4f9 100644
--- a/infrastructure/terraform/lambda/fast-api/main.tf
+++ b/infrastructure/terraform/lambda/fast-api/main.tf
@@ -122,10 +122,10 @@ module "fastapi" {
 ############################################
 resource "aws_iam_role_policy_attachment" "fastapi_s3_read" {
 role = module.fastapi.role_name
- policy_arn = data.terraform_remote_state.shared.outputs.fastapi_s3_read_arn
+ policy_arn = data.terraform_remote_state.shared.outputs.fast_api_s3_read_arn
 }
 resource "aws_iam_role_policy_attachment" "fastapi_sqs_send" {
 role = module.fastapi.role_name
- policy_arn = data.terraform_remote_state.shared.outputs.fastapi_sqs_send_arn
+ policy_arn = data.terraform_remote_state.shared.outputs.fast_api_sqs_send_arn
 }
\ No newline at end of file
diff --git a/infrastructure/terraform/shared/main.tf b/infrastructure/terraform/shared/main.tf
index eaacddec..f4b2cd3f 100644
--- a/infrastructure/terraform/shared/main.tf
+++ b/infrastructure/terraform/shared/main.tf
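Review bot: The renamed references `outputs.fast_api_s3_read_arn` and `outputs.fast_api_sqs_send_arn` in the two attachments do not match the only output this patch adds to shared/main.tf, `fast_api_s3_read_and_write_arn`. Unless outputs with exactly those names are already declared outside the visible hunks, the remote-state lookup will fail at plan time and the Lambda role will not receive the S3 policy this commit introduces. If the new policy is the one meant here, the first attachment should read `policy_arn = data.terraform_remote_state.shared.outputs.fast_api_s3_read_and_write_arn`. The SQS output name should be checked against the shared stack in the same way, and the shared stack has to be applied first so the output exists in state.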
@@ -535,3 +535,29 @@ module "ara_fastapi_registry" {
 name = "ara-fastapi"
 stage = var.stage
 }
+
+# S3 policy for FastAPI app to read and write from various S3 buckets
+module "fast_api_s3_read_and_write" {
+ source = "../modules/s3_iam_policy"
+
+ policy_name = "FastAPIReadandWriteS3"
+ policy_description = "Allow FastAPI Lambda to read from and write to various S3 buckets"
+ bucket_arns = [
+ "arn:aws:s3:::${module.s3_presignable_bucket.bucket_name}",
+ "arn:aws:s3:::${module.retrofit_sap_data.bucket_name}",
+ "arn:aws:s3:::${module.retrofit_sap_predictions.bucket_name}",
+ "arn:aws:s3:::${module.retrofit_carbon_predictions.bucket_name}",
+ "arn:aws:s3:::${module.retrofit_heat_predictions.bucket_name}",
+ "arn:aws:s3:::${module.retrofit_heating_kwh_predictions.bucket_name}",
+ "arn:aws:s3:::${module.retrofit_hotwater_kwh_predictions.bucket_name}",
+ "arn:aws:s3:::${module.retrofit_energy_assessments.bucket_name}"
+ ]
+ actions = ["s3:GetObject", "s3:ListBucket"]
+ resource_paths = ["/*"]
+}
+
+output "fast_api_s3_read_and_write_arn" {
+ value = module.fast_api_s3_read_and_write.policy_arn
+}
+
+
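Review bot: The module label, `policy_name = "FastAPIReadandWriteS3"` and the description all promise write access, but `actions` grants only `s3:GetObject` and `s3:ListBucket`, so anyone auditing IAM by name will misjudge what this role can do. If read-only is intended, the name and description should say so, with a comment such as `# S3 read-only policy for the FastAPI Lambda (GetObject + ListBucket)`. If writes are needed, the write action should be added explicitly and only for the buckets that require it. Separately, `s3:ListBucket` is evaluated against the bucket ARN rather than object ARNs, so with `resource_paths = ["/*"]` it only takes effect if the `s3_iam_policy` module also emits the bare bucket ARNs. That module is not visible here, so this is worth confirming, as is whether all eight buckets need whole-bucket `/*` scope rather than a prefix.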