From 1da0ab69d447eeec1f8897bfa0191a44c2b05600 Mon Sep 17 00:00:00 2001
From: Gareth Allan <157592212+gareth-allan@users.noreply.github.com>
Date: Wed, 3 Jun 2026 11:59:48 +0100
Subject: [PATCH 1/2] CCM-18398: Allow access to eventpub's event cache bucket to be restricted
---
 infrastructure/terraform/modules/eventpub/README.md | 1 +
 .../modules/eventpub/module_s3bucket_event_cache.tf | 6 ++++--
 infrastructure/terraform/modules/eventpub/variables.tf | 6 ++++++
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/infrastructure/terraform/modules/eventpub/README.md b/infrastructure/terraform/modules/eventpub/README.md
index 96a9a6c8..6ec9a2b2 100644
--- a/infrastructure/terraform/modules/eventpub/README.md
+++ b/infrastructure/terraform/modules/eventpub/README.md
@@ -30,6 +30,7 @@
 | [event\_anomaly\_period](#input\_event\_anomaly\_period) | The period in seconds over which the specified statistic is applied for anomaly detection. Minimum 300 seconds (5 minutes). Recommended: 300-600. | `number` | `300` | no |
 | [event\_cache\_buffer\_interval](#input\_event\_cache\_buffer\_interval) | The buffer interval for data firehose | `number` | `500` | no |
 | [event\_cache\_expiry\_days](#input\_event\_cache\_expiry\_days) | s3 archiving expiry in days | `number` | `30` | no |
+| [event\_cache\_restrict\_data\_access](#input\_event\_cache\_restrict\_data\_access) | Whether to restrict access to PII data in the event cache bucket | `bool` | `false` | no |
 | [force\_destroy](#input\_force\_destroy) | When enabled will force destroy event-cache S3 bucket | `bool` | `false` | no |
 | [group](#input\_group) | The name of the tfscaffold group | `string` | `null` | no |
 | [iam\_permissions\_boundary\_arn](#input\_iam\_permissions\_boundary\_arn) | The ARN of the permissions boundary to use for the IAM role | `string` | `null` | no |
diff --git a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
index 41245022..bade1241 100644
--- a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
+++ b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
@@ -1,5 +1,5 @@
 module "s3bucket_event_cache" {
- source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.3/terraform-s3bucket.zip"
+ source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/4.0.5/terraform-s3bucket.zip"
 count = var.enable_event_cache ? 1 : 0
@@ -14,6 +14,7 @@ module "s3bucket_event_cache" {
 acl = "private"
 force_destroy = var.force_destroy
 versioning = true
+ enable_abac = var.event_cache_restrict_data_access
 lifecycle_rules = [
 {
@@ -54,7 +55,8 @@ module "s3bucket_event_cache" {
 }
 default_tags = {
- Name = "Event Cache Storage"
+ Name = "Event Cache Storage"
+ NHSE-RESTRICTED-PID = "True"
 }
 }
diff --git a/infrastructure/terraform/modules/eventpub/variables.tf b/infrastructure/terraform/modules/eventpub/variables.tf
index b27052f1..cb15f7b6 100644
--- a/infrastructure/terraform/modules/eventpub/variables.tf
+++ b/infrastructure/terraform/modules/eventpub/variables.tf
@@ -97,6 +97,12 @@ variable "enable_event_cache" {
 default = false
 }
+variable "event_cache_restrict_data_access" {
+ type = bool
+ description = "Whether to restrict access to PII data in the event cache bucket"
+ default = false
+}
+
 variable "enable_firehose_raw_message_delivery" {
 type = bool
 description = "Enables raw message delivery on firehose subscription"
From 05f4e756200131f27132061e8bdeb8072db49773 Mon Sep 17 00:00:00 2001
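Review bot: `enable_abac = var.event_cache_restrict_data_access` in the second hunk is driven by a variable declared with `default = false` in the variables.tf hunk, so the restriction is opt-in and every existing caller of this module keeps an unrestricted bucket, even though the same patch labels that bucket `NHSE-RESTRICTED-PID = "True"`. If `default = true` is too disruptive for current callers, the variable description should at least say what the flag mechanically does and that it is expected wherever the cache holds real patient data, e.g. `description = "Enables ABAC on the event cache bucket via the shared s3bucket module's enable_abac input; default false leaves existing callers unrestricted"`. What `enable_abac` actually enforces is defined in terraform-s3bucket 4.0.5, which is fetched from a release zip and not visible in this diff, so confirm it installs a deny-by-default bucket policy condition rather than only adding tags before relying on it. The body of `module "s3bucket_event_cache"` between the three hunks is outside the view.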
From: Gareth Allan <157592212+gareth-allan@users.noreply.github.com>
Date: Wed, 3 Jun 2026 12:07:37 +0100
Subject: [PATCH 2/2] CCM-18398: Make tag conditional
---
 infrastructure/terraform/modules/eventpub/README.md | 2 +-
 .../terraform/modules/eventpub/module_s3bucket_event_cache.tf | 2 +-
 infrastructure/terraform/modules/eventpub/variables.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/infrastructure/terraform/modules/eventpub/README.md b/infrastructure/terraform/modules/eventpub/README.md
index 6ec9a2b2..d9811dc8 100644
--- a/infrastructure/terraform/modules/eventpub/README.md
+++ b/infrastructure/terraform/modules/eventpub/README.md
@@ -30,7 +30,7 @@
 | [event\_anomaly\_period](#input\_event\_anomaly\_period) | The period in seconds over which the specified statistic is applied for anomaly detection. Minimum 300 seconds (5 minutes). Recommended: 300-600. | `number` | `300` | no |
 | [event\_cache\_buffer\_interval](#input\_event\_cache\_buffer\_interval) | The buffer interval for data firehose | `number` | `500` | no |
 | [event\_cache\_expiry\_days](#input\_event\_cache\_expiry\_days) | s3 archiving expiry in days | `number` | `30` | no |
-| [event\_cache\_restrict\_data\_access](#input\_event\_cache\_restrict\_data\_access) | Whether to restrict access to PII data in the event cache bucket | `bool` | `false` | no |
+| [event\_cache\_restrict\_data\_access](#input\_event\_cache\_restrict\_data\_access) | Whether to restrict access to data in the event cache bucket | `bool` | `false` | no |
 | [force\_destroy](#input\_force\_destroy) | When enabled will force destroy event-cache S3 bucket | `bool` | `false` | no |
 | [group](#input\_group) | The name of the tfscaffold group | `string` | `null` | no |
 | [iam\_permissions\_boundary\_arn](#input\_iam\_permissions\_boundary\_arn) | The ARN of the permissions boundary to use for the IAM role | `string` | `null` | no |
diff --git a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
index bade1241..88758a73 100644
--- a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
+++ b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
@@ -56,7 +56,7 @@ module "s3bucket_event_cache" {
 default_tags = {
 Name = "Event Cache Storage"
- NHSE-RESTRICTED-PID = "True"
+ NHSE-RESTRICTED-PID = var.event_cache_restrict_data_access ? "True" : "False"
 }
 }
diff --git a/infrastructure/terraform/modules/eventpub/variables.tf b/infrastructure/terraform/modules/eventpub/variables.tf
index cb15f7b6..e4747d66 100644
--- a/infrastructure/terraform/modules/eventpub/variables.tf
+++ b/infrastructure/terraform/modules/eventpub/variables.tf
@@ -99,7 +99,7 @@ variable "enable_event_cache" {
 variable "event_cache_restrict_data_access" {
 type = bool
- description = "Whether to restrict access to PII data in the event cache bucket"
+ description = "Whether to restrict access to data in the event cache bucket"
 default = false
 }
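Review bot: `NHSE-RESTRICTED-PID = var.event_cache_restrict_data_access ? "True" : "False"` writes an explicit `"False"` classification tag on a bucket whose contents are the same either way, so any tag-driven policy or data-inventory tooling that reads this key sees an assertion that the data is not restricted rather than "not restricted yet". Omitting the key when the flag is off avoids that, e.g. `default_tags = merge({ Name = "Event Cache Storage" }, var.event_cache_restrict_data_access ? { NHSE-RESTRICTED-PID = "True" } : {})`, and it keeps the only value ever emitted equal to the literal the shared module's ABAC policy presumably matches on (that policy is not visible here, so confirm the exact case it compares against). The variables.tf hunk drops "PII" from the description, which removes the one hint callers had about why they would set this flag; `description = "Whether to restrict access to the event cache bucket via ABAC; set to true wherever the cache holds personal data"` keeps that hint without asserting that the cache always does. The enclosing `module "s3bucket_event_cache"` block begins outside this hunk.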