Update: [AEA-6211] - INT specific doc sync role perms (#355)

## Summary


- Routine Change

### Details

imports ci-resources role and gives it needed permissions.

Author: bencegadanyi1-nhs

packages/cdk/nagSuppressions.ts

@@ -444,6 +444,21 @@ export const nagSuppressions = (stack: Stack, account: string) => {
     ]
   )
 
+  // Suppress DocumentSyncRole wildcard permissions
+  const docSyncRole = stack.node.tryFindChild("AssistMeDocumentSyncRole")
+  if (docSyncRole) {
+    NagSuppressions.addResourceSuppressions(
+      docSyncRole,
+      [
+        {
+          id: "AwsSolutions-IAM5",
+          reason: "Document Sync Role requires wildcard permissions for S3 sync operations."
+        }
+      ],
+      true
+    )
+  }
+
 }
 
 const safeAddNagSuppression = (stack: Stack, path: string, suppressions: Array<NagPackSuppression>) => {

packages/cdk/stacks/EpsAssistMeStack.ts

@@ -41,6 +41,9 @@ export class EpsAssistMeStack extends Stack {
     const regressionTestRoleArn = Fn.importValue("ci-resources:AssistMeRegressionTestRole")
     const auditLoggingBucketImport = Fn.importValue("account-resources:AuditLoggingBucket")
 
+    // document sync role
+    const assistMeDocumentSyncRoleArn = Fn.importValue("ci-resources:AssistMeDocumentSyncRole")
+
     // Get variables from context
     const region = Stack.of(this).region
     const account = Stack.of(this).account
@@ -260,6 +263,16 @@ export class EpsAssistMeStack extends Stack {
       regressionTestRole.addManagedPolicy(regressionTestPolicy)
     }
 
+    // Grant Access to Document Sync Role
+    const assistMeDocumentSyncRole = Role.fromRoleArn(
+      this,
+      "AssistMeDocumentSyncRole",
+      assistMeDocumentSyncRoleArn
+    )
+
+    storage.kbDocsBucket.grantRead(assistMeDocumentSyncRole)
+    storage.kbDocsKmsKey.grantDecrypt(assistMeDocumentSyncRole)
+
     // Output: SlackBot Endpoint
     new CfnOutput(this, "SlackBotEventsEndpoint", {
       value: `https://${apis.apis["api"].api.domainName?.domainName}/slack/events`,