From 1fdff16e8da165744ceac4f3ffce199c25b64675 Mon Sep 17 00:00:00 2001
From: Jason Park <93040528+JasonNotJson@users.noreply.github.com>
Date: Fri, 22 Sep 2023 22:36:49 +0900
Subject: [PATCH] feat: adding permissions and envvar for forum thread (#328)
---
 lib/constructs/business/rest-api-service.ts | 1 +
 lib/constructs/common/lambda-functions.ts | 66 +++++++++++----------
 2 files changed, 37 insertions(+), 30 deletions(-)
diff --git a/lib/constructs/business/rest-api-service.ts b/lib/constructs/business/rest-api-service.ts
index b12f1760c..a4ea17539 100644
--- a/lib/constructs/business/rest-api-service.ts
+++ b/lib/constructs/business/rest-api-service.ts
@@ -791,6 +791,7 @@ export class ForumThreadsApiService extends RestApiService {
 {
 envVars: {
 TABLE_NAME: props.dataSource!,
+ BUCKET_NAME: 'wasedatime-thread-img',
 },
 },
 );
diff --git a/lib/constructs/common/lambda-functions.ts b/lib/constructs/common/lambda-functions.ts
index a51645a03..5bc971515 100644
--- a/lib/constructs/common/lambda-functions.ts
+++ b/lib/constructs/common/lambda-functions.ts
@@ -495,9 +495,9 @@ export class ForumThreadFunctions extends Construct {
 constructor(scope: Construct, id: string, props: FunctionsProps) {
 super(scope, id);
 
- const dynamoDBReadRole: iam.LazyRole = new iam.LazyRole(
+ const DBReadRole: iam.LazyRole = new iam.LazyRole(
 this,
- 'dynamo-read-role',
+ 'dynamo-s3-read-role',
 {
 assumedBy: new iam.ServicePrincipal(AwsServicePrincipal.LAMBDA),
 description:
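Review bot: `BUCKET_NAME` is a hard-coded literal while `TABLE_NAME` on the line above comes from `props.dataSource`, so the bucket name cannot vary per stage or account and the same string has to be repeated wherever the bucket or its IAM scoping is declared. Thread it through `props` the way `dataSource` is, or at least hoist it to one named constant that both this env var and the role policy in lambda-functions.ts reference. The call this object literal belongs to starts before the hunk.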
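Review bot: Renaming the construct id from `'dynamo-read-role'` to `'dynamo-s3-read-role'` changes the CloudFormation logical ID, so the read role is replaced rather than updated; if that role carries a fixed `roleName` (set further down, outside this hunk), the replacement can collide on the name, so the rollout should be planned for that. Separately, `DBReadRole` is a local `const` and should be camelCase, `const dbReadRole: iam.LazyRole = new iam.LazyRole(`; the same applies to `DBPutRole` in the next hunk and to the `role:` references in the later ones. The constructor continues past this hunk.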
@@ -515,34 +515,40 @@ export class ForumThreadFunctions extends Construct {
 'db-read-only',
 'arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess',
 ),
- ],
- },
- );
-
- const dynamoDBPutRole: iam.LazyRole = new iam.LazyRole(
- this,
- 'dynamo-put-role',
- {
- assumedBy: new iam.ServicePrincipal(AwsServicePrincipal.LAMBDA),
- description:
- 'Allow lambda function to perform crud operation on dynamodb',
- path: `/service-role/${AwsServicePrincipal.LAMBDA}/`,
- roleName: 'dynamodb-lambda-write-thread',
- managedPolicies: [
 iam.ManagedPolicy.fromManagedPolicyArn(
 this,
- 'basic-exec1',
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
- ),
- iam.ManagedPolicy.fromManagedPolicyArn(
- this,
- 'db-full-access',
- 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess',
+ 's3-read-only',
+ 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess',
 ),
 ],
 },
 );
 
+ const DBPutRole: iam.LazyRole = new iam.LazyRole(this, 'dynamo-put-role', {
+ assumedBy: new iam.ServicePrincipal(AwsServicePrincipal.LAMBDA),
+ description:
+ 'Allow lambda function to perform crud operation on dynamodb',
+ path: `/service-role/${AwsServicePrincipal.LAMBDA}/`,
+ roleName: 'dynamodb-s3-put-role',
+ managedPolicies: [
+ iam.ManagedPolicy.fromManagedPolicyArn(
+ this,
+ 'basic-exec1',
+ 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
+ ),
+ iam.ManagedPolicy.fromManagedPolicyArn(
+ this,
+ 'db-full-access',
+ 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess',
+ ),
+ iam.ManagedPolicy.fromManagedPolicyArn(
+ this,
+ 's3-full-access',
+ 'arn:aws:iam::aws:policy/AmazonS3FullAccess',
+ ),
+ ],
+ });
+
 this.getAllFunction = new lambda_py.PythonFunction(
 this,
 'get-all-threads',
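Review bot: `AmazonS3FullAccess` on the put role (and `AmazonS3ReadOnlyAccess` on the read role) grants access to every bucket in the account, while the handlers only need the `wasedatime-thread-img` bucket that `BUCKET_NAME` points at; scope the grant to that bucket with an inline policy (or `bucket.grantReadWrite(role)` if the bucket is a CDK construct) and limit the actions to what the handlers actually perform. The `description` still reads `'Allow lambda function to perform crud operation on dynamodb'` although the role now covers S3, and changing `roleName` from `'dynamodb-lambda-write-thread'` to `'dynamodb-s3-put-role'` forces a role replacement that the PR should call out. The sketch below keeps the two existing managed policies and replaces the S3 one with a bucket-scoped statement; add `s3:DeleteObject` only if the delete handler removes images.
```typescript
const DBPutRole: iam.LazyRole = new iam.LazyRole(this, 'dynamo-put-role', {
  // … unchanged: assumedBy, description, path, roleName …
  managedPolicies: [
    // … unchanged: AWSLambdaBasicExecutionRole, AmazonDynamoDBFullAccess …
  ],
  inlinePolicies: {
    'thread-img-bucket': new iam.PolicyDocument({
      statements: [
        new iam.PolicyStatement({
          actions: ['s3:GetObject', 's3:PutObject'],
          // same bucket name as BUCKET_NAME in rest-api-service.ts; share one constant
          resources: ['arn:aws:s3:::wasedatime-thread-img/*'],
        }),
      ],
    }),
  },
});
```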
@@ -552,9 +558,9 @@ export class ForumThreadFunctions extends Construct {
 functionName: 'get-all-threads',
 logRetention: logs.RetentionDays.ONE_MONTH,
 memorySize: 128,
- role: dynamoDBReadRole,
+ role: DBReadRole,
 runtime: lambda.Runtime.PYTHON_3_9,
- timeout: Duration.seconds(3),
+ timeout: Duration.seconds(10),
 environment: props.envVars,
 },
 );
@@ -568,7 +574,7 @@ export class ForumThreadFunctions extends Construct {
 functionName: 'get-user-threads',
 logRetention: logs.RetentionDays.ONE_MONTH,
 memorySize: 128,
- role: dynamoDBReadRole,
+ role: DBReadRole,
 runtime: lambda.Runtime.PYTHON_3_9,
 timeout: Duration.seconds(3),
 environment: props.envVars,
@@ -584,7 +590,7 @@ export class ForumThreadFunctions extends Construct {
 functionName: 'get-single-thread',
 logRetention: logs.RetentionDays.ONE_MONTH,
 memorySize: 128,
- role: dynamoDBPutRole,
+ role: DBPutRole,
 runtime: lambda.Runtime.PYTHON_3_9,
 timeout: Duration.seconds(3),
 environment: props.envVars,
@@ -597,7 +603,7 @@ export class ForumThreadFunctions extends Construct {
 functionName: 'post-forum-thread',
 logRetention: logs.RetentionDays.ONE_MONTH,
 memorySize: 256,
- role: dynamoDBPutRole,
+ role: DBPutRole,
 runtime: lambda.Runtime.PYTHON_3_9,
 timeout: Duration.seconds(5),
 environment: props.envVars,
@@ -612,7 +618,7 @@ export class ForumThreadFunctions extends Construct {
 functionName: 'patch-forum-thread',
 logRetention: logs.RetentionDays.ONE_MONTH,
 memorySize: 256,
- role: dynamoDBPutRole,
+ role: DBPutRole,
 runtime: lambda.Runtime.PYTHON_3_9,
 timeout: Duration.seconds(5),
 environment: props.envVars,
@@ -627,7 +633,7 @@ export class ForumThreadFunctions extends Construct {
 functionName: 'delete-forum-thread',
 logRetention: logs.RetentionDays.ONE_MONTH,
 memorySize: 128,
- role: dynamoDBPutRole,
+ role: DBPutRole,
 runtime: lambda.Runtime.PYTHON_3_9,
 timeout: Duration.seconds(3),
 environment: props.envVars,
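Review bot: `timeout` on `get-all-threads` goes from 3 to 10 seconds while the other read handlers in the following hunks stay at 3, and nothing in the change says why; a short comment on that line, e.g. `timeout: Duration.seconds(10), // raised from 3s: <reason>`, keeps the next person from lowering it back. Whether the extra time is tied to the new S3 access cannot be told from the hunk, so the reason should be stated explicitly. The remaining hunks in this file (-568 through -627) only rename the role variable.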