Move permission definition

wildjames · wildjames · commit 328e1e0591e5 · 2025-04-17T11:34:55.000Z
diff --git a/SAMtemplates/functions/main.yaml b/SAMtemplates/functions/main.yaml
@@ -63,13 +63,6 @@ Resources:
       CodeUri: ../../packages
       Handler: updatePrescriptionStatus.handler
       Role: !GetAtt UpdatePrescriptionStatusResources.Outputs.LambdaRoleArn
-      Policies:
-        - Statement:
-            Effect: Allow
-            Action:
-              - sqs:sendmessage
-            Resource:
-              - !Ref NHSNotifyPrescriptionsSQSQueueArn
       Environment:
         Variables:
           TABLE_NAME: !Ref PrescriptionStatusUpdatesTableName
@@ -108,6 +101,7 @@ Resources:
           - - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionStatusUpdatesTableName}:TableWritePolicyArn
             - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionStatusUpdatesTableName}:TableReadPolicyArn
             - Fn::ImportValue: !Sub ${StackName}:tables:UsePrescriptionStatusUpdatesKMSKeyPolicyArn
+            - Fn::ImportValue: !Sub ${StackName}-WriteNHSNotifyPrescriptionsSQSQueuePolicyArn
         LogRetentionInDays: !Ref LogRetentionInDays
         CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
         EnableSplunk: !Ref EnableSplunk
diff --git a/SAMtemplates/messaging/main.yaml b/SAMtemplates/messaging/main.yaml
@@ -36,14 +36,25 @@ Resources:
         Statement:
           - Effect: Allow
             Action:
-              - sqs:ChangeMessageVisibility
-              - sqs:DeleteMessage
               - sqs:ReceiveMessage
               - sqs:GetQueueAttributes
               - sqs:GetQueueUrl
               - sqs:ListQueues
             Resource: !GetAtt NHSNotifyPrescriptionsSQSQueue.Arn
-
+            
+  WriteNHSNotifyPrescriptionsSQSQueuePolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: !Sub ${AWS::StackName}-NHSNotifyPrescriptionsSendMessagePolicy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - sqs:SendMessage
+              - sqs:DeleteMessage
+            Resource: !GetAtt NSNotifyPrescriptionsSQSQueue.Arn
+            
 Outputs:
   NHSNotifyPrescriptionsSQSQueueUrl:
     Description: The URL of the NHS Notify Prescriptions SQS Queue
@@ -56,3 +67,16 @@ Outputs:
     Value: !GetAtt NHSNotifyPrescriptionsSQSQueue.Arn
     Export:
       Name: !Sub ${AWS::StackName}-NHSNotifyPrescriptionsSQSQueueArn
+
+  ReadNHSNotifyPrescriptionsSQSQueuePolicyArn:
+    Description: ARN of policy granting permission to read the prescriptions queue
+    Value: !Ref ReadNHSNotifyPrescriptionsSQSQueuePolicy
+    Export:
+      Name: !Sub ${AWS::StackName}-ReadNHSNotifyPrescriptionsSQSQueuePolicyArn
+      
+      
+  WriteNHSNotifyPrescriptionsSQSQueuePolicyArn:
+    Description: ARN of policy granting permission to write to the prescriptions queue
+    Value: !Ref WriteNHSNotifyPrescriptionsSQSQueuePolicy
+    Export:
+      Name: !Sub ${AWS::StackName}-WriteNHSNotifyPrescriptionsSQSQueuePolicyArn
