CCM-18398: Allow access to eventpub's event cache bucket to be restricted

infrastructure/terraform/modules/eventpub/README.md

@@ -30,6 +30,7 @@
 | <a name="input_event_anomaly_period"></a> [event\_anomaly\_period](#input\_event\_anomaly\_period) | The period in seconds over which the specified statistic is applied for anomaly detection. Minimum 300 seconds (5 minutes). Recommended: 300-600. | `number` | `300` | no |
 | <a name="input_event_cache_buffer_interval"></a> [event\_cache\_buffer\_interval](#input\_event\_cache\_buffer\_interval) | The buffer interval for data firehose | `number` | `500` | no |
 | <a name="input_event_cache_expiry_days"></a> [event\_cache\_expiry\_days](#input\_event\_cache\_expiry\_days) | s3 archiving expiry in days | `number` | `30` | no |
+| <a name="input_event_cache_restrict_data_access"></a> [event\_cache\_restrict\_data\_access](#input\_event\_cache\_restrict\_data\_access) | Whether to restrict access to data in the event cache bucket | `bool` | `false` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | When enabled will force destroy event-cache S3 bucket | `bool` | `false` | no |
 | <a name="input_group"></a> [group](#input\_group) | The name of the tfscaffold group | `string` | `null` | no |
 | <a name="input_iam_permissions_boundary_arn"></a> [iam\_permissions\_boundary\_arn](#input\_iam\_permissions\_boundary\_arn) | The ARN of the permissions boundary to use for the IAM role | `string` | `null` | no |

infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf

@@ -1,5 +1,5 @@
 module "s3bucket_event_cache" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.3/terraform-s3bucket.zip"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/4.0.5/terraform-s3bucket.zip"
 
   count = var.enable_event_cache ? 1 : 0
 
@@ -14,6 +14,7 @@ module "s3bucket_event_cache" {
   acl           = "private"
   force_destroy = var.force_destroy
   versioning    = true
+  enable_abac   = var.event_cache_restrict_data_access
 
   lifecycle_rules = [
     {
@@ -54,7 +55,8 @@ module "s3bucket_event_cache" {
   }
 
   default_tags = {
-    Name = "Event Cache Storage"
+    Name                = "Event Cache Storage"
+    NHSE-RESTRICTED-PID = var.event_cache_restrict_data_access ? "True" : "False"
   }
 }
 

infrastructure/terraform/modules/eventpub/variables.tf

@@ -97,6 +97,12 @@ variable "enable_event_cache" {
   default     = false
 }
 
+variable "event_cache_restrict_data_access" {
+  type        = bool
+  description = "Whether to restrict access to data in the event cache bucket"
+  default     = false
+}
+
 variable "enable_firehose_raw_message_delivery" {
   type        = bool
   description = "Enables raw message delivery on firehose subscription"