resource "aws_iam_policy" "lambda_policy" {
  name = "lambda_policy"
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Action = [
          "s3:GetObject",
          "s3:PutObject"
        ],
        Resource = [
          "arn:aws:s3:::${aws_s3_bucket.raw_bucket.id}/*",
          "arn:aws:s3:::${aws_s3_bucket.processed_bucket.id}/*"
        ]
      },
      {
        Effect = "Allow",
        Action = "ssm:GetParameter",
        Resource = "arn:aws:ssm:${var.region}:${var.account_number}:parameter/s3_processed_bucket_name"
      }
    ]
  })
}