fix(webhook): add missing permission to workflow job queue (EventBridge) (#4224)

Dispatcher for EventBridge does not have access to sqs queueu for
publish workflow job event.

---------

Co-authored-by: philips-labs-pr|bot <philips-labs-pr[bot]@users.noreply.github.com>

Author: npalm

modules/webhook/eventbridge/README.md

@@ -34,6 +34,7 @@ No modules.
 | [aws_iam_role_policy.dispatcher_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.dispatcher_workflow_job_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |

modules/webhook/eventbridge/dispatcher.tf

@@ -143,3 +143,13 @@ resource "aws_iam_role_policy" "dispatcher_xray" {
   policy = data.aws_iam_policy_document.lambda_xray[0].json
   role   = aws_iam_role.dispatcher_lambda.name
 }
+
+resource "aws_iam_role_policy" "dispatcher_workflow_job_sqs" {
+  count = var.config.sqs_workflow_job_queue != null ? 1 : 0
+  name  = "publish-workflow-job-sqs-policy"
+  role  = aws_iam_role.dispatcher_lambda.name
+
+  policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
+    sqs_resource_arns = jsonencode([var.config.sqs_workflow_job_queue.arn])
+  })
+}