Merge pull request #147 from NHSDigital/feature/CCM-12958_sechub

sidnhs · web-flow · commit f89fb8b29bf5 · 2026-02-09T15:01:46.000Z
CCM-12958: Additional policies for eventcache bucket in eventpub
diff --git a/infrastructure/modules/eventpub/README.md b/infrastructure/modules/eventpub/README.md
@@ -11,6 +11,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_additional_policies_for_event_cache_bucket"></a> [additional\_policies\_for\_event\_cache\_bucket](#input\_additional\_policies\_for\_event\_cache\_bucket) | A list of JSON policies to use to build the bucket policy | `list(string)` | `[]` | no |
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | <a name="input_component"></a> [component](#input\_component) | The name of the terraformscaffold component calling this module | `string` | n/a | yes |
 | <a name="input_control_plane_bus_arn"></a> [control\_plane\_bus\_arn](#input\_control\_plane\_bus\_arn) | Data plane event bus arn | `string` | n/a | yes |
@@ -36,7 +37,7 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_s3bucket_event_cache"></a> [s3bucket\_event\_cache](#module\_s3bucket\_event\_cache) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
+| <a name="module_s3bucket_event_cache"></a> [s3bucket\_event\_cache](#module\_s3bucket\_event\_cache) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.30/terraform-s3bucket.zip | n/a |
 ## Outputs
 
 | Name | Description |
diff --git a/infrastructure/modules/eventpub/module_s3bucket_event_cache.tf b/infrastructure/modules/eventpub/module_s3bucket_event_cache.tf
@@ -1,5 +1,5 @@
 module "s3bucket_event_cache" {
-  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v1.0.8"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.30/terraform-s3bucket.zip"
 
   count = var.enable_event_cache ? 1 : 0
 
@@ -36,9 +36,10 @@ module "s3bucket_event_cache" {
     }
   ]
 
-  policy_documents = [
-    data.aws_iam_policy_document.s3bucket_event_cache[0].json
-  ]
+  policy_documents = concat(
+    [data.aws_iam_policy_document.s3bucket_event_cache[0].json],
+    var.additional_policies_for_event_cache_bucket
+  )
 
   public_access = {
     block_public_acls       = true
diff --git a/infrastructure/modules/eventpub/variables.tf b/infrastructure/modules/eventpub/variables.tf
@@ -123,3 +123,9 @@ variable "force_destroy" {
   description = "When enabled will force destroy event-cache S3 bucket"
   default     = false
 }
+
+variable "additional_policies_for_event_cache_bucket" {
+  type        = list(string)
+  description = "A list of JSON policies to use to build the bucket policy"
+  default     = []
+}
