generate new role for reading from s3 bucket and attach it to the lambda

infrastructure/terraform/lambda/condition-etl/main.tf

@@ -26,3 +26,8 @@ module "lambda" {
   )
 
 }
+
+resource "aws_iam_role_policy_attachment" "attach_condition_etl_s3_read" {
+  role       = module.lambda.role.role_name
+  policy_arn = module.shared.condition_etl_s3_read_arn
+}

infrastructure/terraform/shared/main.tf

@@ -344,4 +344,23 @@ module "condition_data_bucket" {
   source      = "../modules/s3"
   bucketname = "condition-data-${var.stage}"
   allowed_origins = var.allowed_origins
+}
+
+resource "aws_iam_policy" "condition_etl_s3_read" {
+  name        = "ConditionETLReadS3"
+  description = "Allow Lambda to read objects from condition-data-${var.stage}"
+  policy      = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = ["s3:GetObject"]
+        Resource = "arn:aws:s3:::condition-data-${var.stage}/*"
+      }
+    ]
+  })
+}
+
+output "condition_etl_s3_read_arn" {
+  value = aws_iam_policy.condition_etl_s3_read.arn
 }