From f3e77beefdacb9a2a4ef9d26035d9c38458901bd Mon Sep 17 00:00:00 2001
From: Daniel Roth
Date: Mon, 9 Feb 2026 14:13:06 +0000
Subject: [PATCH] generate new role for reading from s3 bucket and attach it to the lambda

---
 .../terraform/lambda/condition-etl/main.tf | 5 +++++
 infrastructure/terraform/shared/main.tf | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/infrastructure/terraform/lambda/condition-etl/main.tf b/infrastructure/terraform/lambda/condition-etl/main.tf
index dda57385..ecd52644 100644
--- a/infrastructure/terraform/lambda/condition-etl/main.tf
+++ b/infrastructure/terraform/lambda/condition-etl/main.tf
@@ -26,3 +26,8 @@ module "lambda" {
   )
 }
 
+
+resource "aws_iam_role_policy_attachment" "attach_condition_etl_s3_read" {
+  role = module.lambda.role.role_name
+  policy_arn = module.shared.condition_etl_s3_read_arn
+}
\ No newline at end of file
diff --git a/infrastructure/terraform/shared/main.tf b/infrastructure/terraform/shared/main.tf
index d1d48aec..3b1404ed 100644
--- a/infrastructure/terraform/shared/main.tf
+++ b/infrastructure/terraform/shared/main.tf
@@ -344,4 +344,23 @@ module "condition_data_bucket" {
   source = "../modules/s3"
   bucketname = "condition-data-${var.stage}"
   allowed_origins = var.allowed_origins
+}
+
+resource "aws_iam_policy" "condition_etl_s3_read" {
+  name = "ConditionETLReadS3"
+  description = "Allow Lambda to read objects from condition-data-${var.stage}"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = ["s3:GetObject"]
+        Resource = "arn:aws:s3:::condition-data-${var.stage}/*"
+      }
+    ]
+  })
+}
+
+output "condition_etl_s3_read_arn" {
+  value = aws_iam_policy.condition_etl_s3_read.arn
 }
\ No newline at end of file
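Review bot: `policy_arn = module.shared.condition_etl_s3_read_arn` assumes this root module declares a `module "shared"` block that exposes the new output; the hunk does not show one, and `shared/main.tf` lives in a sibling directory, so if it is applied as a separate stack the value has to arrive through a `module "shared"` source reference or a remote-state data source rather than a direct expression — worth confirming a plan succeeds from a clean checkout. The attachment itself is scoped well: it binds one managed policy to the Lambda's own role via `module.lambda.role.role_name` instead of widening the role with inline permissions. Minor: the file now ends without a trailing newline (`\ No newline at end of file`), which `terraform fmt` would restore. The enclosing `module "lambda"` block starts outside the hunk.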
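Review bot: `name = "ConditionETLReadS3"` carries no stage suffix while every other identifier in the hunk is parameterised on `var.stage`; IAM managed-policy names are unique per account, so if two stages are ever deployed into the same account the second apply fails with an EntityAlreadyExists error — `name = "ConditionETLReadS3-${var.stage}"` keeps it consistent with the bucket naming. The `Resource` is also a hand-built ARN string rather than a reference to the bucket created by `module "condition_data_bucket"` just above; if `modules/s3` exposes a bucket ARN output, `Resource = "${module.condition_data_bucket.<BUCKET_ARN_OUTPUT>}/*"` (placeholder output name) keeps the grant bound to the actual bucket and cannot drift if the naming scheme changes. The statement is appropriately narrow (`s3:GetObject` on objects only, no `s3:ListBucket`, no write actions); if the bucket module enables SSE-KMS with a customer-managed key the Lambda will additionally need `kms:Decrypt` on that key, which cannot be confirmed from this hunk. The commit subject says a role is generated, but the hunk adds a managed policy attached to the Lambda's existing role; aligning the message helps later readers.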