From 6009ce8271c8f346adf2cd332f7174d240cc0fe8 Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Mon, 2 Mar 2026 10:29:43 +0000
Subject: [PATCH 01/12] CCM-14600: Enable Access Logging for EventCache Buckets
---
 .../modules/eventpub/module_s3bucket_event_cache.tf | 2 ++
 infrastructure/terraform/modules/eventpub/variables.tf | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
index e05761d..d9fc263 100644
--- a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
+++ b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
@@ -41,6 +41,8 @@ module "s3bucket_event_cache" {
 var.additional_policies_for_event_cache_bucket
 )
+ bucket_logging_target = var.eventcache_bucket_logging_target
+
 public_access = {
 block_public_acls = true
 block_public_policy = true
diff --git a/infrastructure/terraform/modules/eventpub/variables.tf b/infrastructure/terraform/modules/eventpub/variables.tf
index 7bdaa30..3005f8e 100644
--- a/infrastructure/terraform/modules/eventpub/variables.tf
+++ b/infrastructure/terraform/modules/eventpub/variables.tf
@@ -153,3 +153,9 @@ variable "event_publishing_anomaly_band_width" {
 description = "The width of the anomaly detection band. Higher values (e.g. 4-6) reduce sensitivity and noise, lower values (e.g. 2-3) increase sensitivity. Recommended: 2-4."
 default = 5
 }
+
+variable "eventcache_bucket_logging_target" {
+ type = map(string)
+ description = "Map of S3 bucket access logging target properties"
+ default = {}
+}
From 77fcf54cebf2bac779379705443b5d5407f9c0af Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Mon, 2 Mar 2026 10:33:17 +0000
Subject: [PATCH 02/12] CCM-14600: Enable Access Logging for EventCache Buckets
---
 infrastructure/terraform/modules/eventpub/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/infrastructure/terraform/modules/eventpub/README.md b/infrastructure/terraform/modules/eventpub/README.md
index 66d08ca..b3edb07 100644
--- a/infrastructure/terraform/modules/eventpub/README.md
+++ b/infrastructure/terraform/modules/eventpub/README.md
@@ -27,6 +27,7 @@
 | [event\_publishing\_anomaly\_band\_width](#input\_event\_publishing\_anomaly\_band\_width) | The width of the anomaly detection band. Higher values (e.g. 4-6) reduce sensitivity and noise, lower values (e.g. 2-3) increase sensitivity. Recommended: 2-4. | `number` | `5` | no |
 | [event\_publishing\_anomaly\_evaluation\_periods](#input\_event\_publishing\_anomaly\_evaluation\_periods) | Number of evaluation periods for the publishing anomaly alarm. Each period is defined by event\_publishing\_anomaly\_period. | `number` | `3` | no |
 | [event\_publishing\_anomaly\_period](#input\_event\_publishing\_anomaly\_period) | The period in seconds over which the specified statistic is applied for anomaly detection. Minimum 300 seconds (5 minutes). Recommended: 300-600. | `number` | `300` | no |
+| [eventcache\_bucket\_logging\_target](#input\_eventcache\_bucket\_logging\_target) | Map of S3 bucket access logging target properties | `map(string)` | `{}` | no |
 | [force\_destroy](#input\_force\_destroy) | When enabled will force destroy event-cache S3 bucket | `bool` | `false` | no |
 | [group](#input\_group) | The name of the tfscaffold group | `string` | `null` | no |
 | [iam\_permissions\_boundary\_arn](#input\_iam\_permissions\_boundary\_arn) | The ARN of the permissions boundary to use for the IAM role | `string` | `null` | no |
From 33399ece4e4a1c58d2e9742f187d24d9944645fa Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Mon, 2 Mar 2026 13:29:35 +0000
Subject: [PATCH 03/12] CCM-14600: Enable Access Logging for EventCache Buckets
---
 .tool-versions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.tool-versions b/.tool-versions
index 9abd826..7ac5094 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -5,7 +5,7 @@ nodejs 22.15.1
 pre-commit 3.6.0
 terraform 1.10.1
 terraform-docs 0.19.0
-trivy 0.61.0
+trivy 0.69.2
 vale 3.6.0
 # python 3.13.2
From 3d604f847b1aff3aebe39d30100a50c4b106f698 Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Mon, 2 Mar 2026 14:51:51 +0000
Subject: [PATCH 04/12] CCM-14600: Enable Access Logging for EventCache Buckets
---
 infrastructure/terraform/modules/s3bucket/s3_bucket_logging.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/terraform/modules/s3bucket/s3_bucket_logging.tf b/infrastructure/terraform/modules/s3bucket/s3_bucket_logging.tf
index 01019a8..84a081f 100644
--- a/infrastructure/terraform/modules/s3bucket/s3_bucket_logging.tf
+++ b/infrastructure/terraform/modules/s3bucket/s3_bucket_logging.tf
@@ -4,5 +4,5 @@ resource "aws_s3_bucket_logging" "main" {
 # Enable S3 Bucket Logging to the logs bucket
 target_bucket = var.bucket_logging_target["bucket"]
- target_prefix = lookup(var.bucket_logging_target, "prefix", "${var.name}/")
+ target_prefix = lookup(var.bucket_logging_target, "prefix", "${aws_s3_bucket.main.id}/")
 }
From 1fbf1f288341790dba88c2dede016722050ed26a Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Mon, 2 Mar 2026 15:26:51 +0000
Subject: [PATCH 05/12] CCM-14600: Enable Access Logging for EventCache Buckets
---
 .../modules/eventpub/module_s3bucket_event_cache.tf | 5 ++++-
 infrastructure/terraform/modules/eventpub/variables.tf | 6 +++---
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
index d9fc263..074bd6a 100644
--- a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
+++ b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
@@ -41,7 +41,10 @@ module "s3bucket_event_cache" {
 var.additional_policies_for_event_cache_bucket
 )
- bucket_logging_target = var.eventcache_bucket_logging_target
+ bucket_logging_target = {
+ bucket = "${var.eventcache_bucket_logging_target}"
+ }
+
 public_access = {
 block_public_acls = true
diff --git a/infrastructure/terraform/modules/eventpub/variables.tf b/infrastructure/terraform/modules/eventpub/variables.tf
index 3005f8e..1092cdd 100644
--- a/infrastructure/terraform/modules/eventpub/variables.tf
+++ b/infrastructure/terraform/modules/eventpub/variables.tf
@@ -155,7 +155,7 @@ variable "event_publishing_anomaly_band_width" {
 }
 variable "eventcache_bucket_logging_target" {
- type = map(string)
- description = "Map of S3 bucket access logging target properties"
- default = {}
+ type = string
+ description = "S3 bucket access logging target"
+ default = ""
 }
From 1a35536bef673fc61dd896a38ae7539b4d375aa6 Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Mon, 2 Mar 2026 15:27:05 +0000
Subject: [PATCH 06/12] CCM-14600: Enable Access Logging for EventCache Buckets
---
 infrastructure/terraform/modules/eventpub/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/terraform/modules/eventpub/README.md b/infrastructure/terraform/modules/eventpub/README.md
index b3edb07..2bdd336 100644
--- a/infrastructure/terraform/modules/eventpub/README.md
+++ b/infrastructure/terraform/modules/eventpub/README.md
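Review bot: With `default = ""` introduced in the variables.tf hunk, every consumer that does not set the variable still hands the shared module `bucket_logging_target = { bucket = "" }` instead of the empty map it received before this patch; if the s3bucket module creates its `aws_s3_bucket_logging` whenever the map is non-empty (its guard is outside these hunks), an empty target bucket name will fail at plan or apply for consumers that never opted in. Passing the map only when a bucket is configured preserves the opt-in: `bucket_logging_target = var.eventcache_bucket_logging_target != "" ? { bucket = var.eventcache_bucket_logging_target } : {}`. The `"${var.eventcache_bucket_logging_target}"` wrapper is also an interpolation-only string, a legacy 0.11 form; the bare reference `bucket = var.eventcache_bucket_logging_target` suffices. Patch 07's hunks on the same two files rename the variable to `access_logging_bucket` and carry the same default and interpolation, so the same fix applies there.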
@@ -27,7 +27,7 @@
 | [event\_publishing\_anomaly\_band\_width](#input\_event\_publishing\_anomaly\_band\_width) | The width of the anomaly detection band. Higher values (e.g. 4-6) reduce sensitivity and noise, lower values (e.g. 2-3) increase sensitivity. Recommended: 2-4. | `number` | `5` | no |
 | [event\_publishing\_anomaly\_evaluation\_periods](#input\_event\_publishing\_anomaly\_evaluation\_periods) | Number of evaluation periods for the publishing anomaly alarm. Each period is defined by event\_publishing\_anomaly\_period. | `number` | `3` | no |
 | [event\_publishing\_anomaly\_period](#input\_event\_publishing\_anomaly\_period) | The period in seconds over which the specified statistic is applied for anomaly detection. Minimum 300 seconds (5 minutes). Recommended: 300-600. | `number` | `300` | no |
-| [eventcache\_bucket\_logging\_target](#input\_eventcache\_bucket\_logging\_target) | Map of S3 bucket access logging target properties | `map(string)` | `{}` | no |
+| [eventcache\_bucket\_logging\_target](#input\_eventcache\_bucket\_logging\_target) | S3 bucket access logging target | `string` | `""` | no |
 | [force\_destroy](#input\_force\_destroy) | When enabled will force destroy event-cache S3 bucket | `bool` | `false` | no |
 | [group](#input\_group) | The name of the tfscaffold group | `string` | `null` | no |
 | [iam\_permissions\_boundary\_arn](#input\_iam\_permissions\_boundary\_arn) | The ARN of the permissions boundary to use for the IAM role | `string` | `null` | no |
From 43a9dabca59ccf5d7f06aad799f34ec51ae11a39 Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Mon, 2 Mar 2026 15:32:20 +0000
Subject: [PATCH 07/12] CCM-14600: Enable Access Logging for EventCache Buckets
---
 .../terraform/modules/eventpub/module_s3bucket_event_cache.tf | 2 +-
 infrastructure/terraform/modules/eventpub/variables.tf | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
index 074bd6a..d5bb003 100644
--- a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
+++ b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
@@ -42,7 +42,7 @@ module "s3bucket_event_cache" {
 )
 bucket_logging_target = {
- bucket = "${var.eventcache_bucket_logging_target}"
+ bucket = "${var.access_logging_bucket}"
 }
diff --git a/infrastructure/terraform/modules/eventpub/variables.tf b/infrastructure/terraform/modules/eventpub/variables.tf
index 1092cdd..7dc7db0 100644
--- a/infrastructure/terraform/modules/eventpub/variables.tf
+++ b/infrastructure/terraform/modules/eventpub/variables.tf
@@ -154,8 +154,8 @@ variable "event_publishing_anomaly_band_width" {
 default = 5
 }
-variable "eventcache_bucket_logging_target" {
+variable "access_logging_bucket" {
 type = string
- description = "S3 bucket access logging target"
+ description = "S3 Access logging bucket name."
 default = ""
 }
From aa5e7c7fdc392ff687f825c50b6c235463c90fd0 Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Mon, 2 Mar 2026 15:36:43 +0000
Subject: [PATCH 08/12] CCM-14600: Enable Access Logging for EventCache Buckets
---
 .../terraform/modules/eventpub/module_s3bucket_event_cache.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
index d5bb003..be37075 100644
--- a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
+++ b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
@@ -1,5 +1,5 @@
 module "s3bucket_event_cache" {
- source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.30/terraform-s3bucket.zip"
+ source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/terraform/modules/s3bucket?ref=feature/CCM-14600_Enable_Access_Logging_For_EventCache_Buckets"
 count = var.enable_event_cache ? 1 : 0
From 5464ccdb4367b3dc1d2c1f1388d41340d3f424e8 Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Tue, 3 Mar 2026 08:59:38 +0000
Subject: [PATCH 09/12] CCM-14600: Enable Access Logging for EventCache Buckets
---
 infrastructure/terraform/modules/s3bucket/s3_bucket_logging.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/terraform/modules/s3bucket/s3_bucket_logging.tf b/infrastructure/terraform/modules/s3bucket/s3_bucket_logging.tf
index 84a081f..01019a8 100644
--- a/infrastructure/terraform/modules/s3bucket/s3_bucket_logging.tf
+++ b/infrastructure/terraform/modules/s3bucket/s3_bucket_logging.tf
@@ -4,5 +4,5 @@ resource "aws_s3_bucket_logging" "main" {
 # Enable S3 Bucket Logging to the logs bucket
 target_bucket = var.bucket_logging_target["bucket"]
- target_prefix = lookup(var.bucket_logging_target, "prefix", "${aws_s3_bucket.main.id}/")
+ target_prefix = lookup(var.bucket_logging_target, "prefix", "${var.name}/")
 }
From 59c4609350620ad75593cdb59b1a1116f3c67094 Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Tue, 3 Mar 2026 09:05:58 +0000
Subject: [PATCH 10/12] CCM-14600: Enable Access Logging for EventCache Buckets
---
 infrastructure/terraform/modules/eventpub/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/infrastructure/terraform/modules/eventpub/README.md b/infrastructure/terraform/modules/eventpub/README.md
index 2bdd336..4b10f0e 100644
--- a/infrastructure/terraform/modules/eventpub/README.md
+++ b/infrastructure/terraform/modules/eventpub/README.md
@@ -11,6 +11,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [access\_logging\_bucket](#input\_access\_logging\_bucket) | S3 Access logging bucket name. | `string` | `""` | no |
 | [additional\_policies\_for\_event\_cache\_bucket](#input\_additional\_policies\_for\_event\_cache\_bucket) | A list of JSON policies to use to build the bucket policy | `list(string)` | `[]` | no |
 | [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | [component](#input\_component) | The name of the terraformscaffold component calling this module | `string` | n/a | yes |
@@ -27,7 +28,6 @@
 | [event\_publishing\_anomaly\_band\_width](#input\_event\_publishing\_anomaly\_band\_width) | The width of the anomaly detection band. Higher values (e.g. 4-6) reduce sensitivity and noise, lower values (e.g. 2-3) increase sensitivity. Recommended: 2-4. | `number` | `5` | no |
 | [event\_publishing\_anomaly\_evaluation\_periods](#input\_event\_publishing\_anomaly\_evaluation\_periods) | Number of evaluation periods for the publishing anomaly alarm. Each period is defined by event\_publishing\_anomaly\_period. | `number` | `3` | no |
 | [event\_publishing\_anomaly\_period](#input\_event\_publishing\_anomaly\_period) | The period in seconds over which the specified statistic is applied for anomaly detection. Minimum 300 seconds (5 minutes). Recommended: 300-600. | `number` | `300` | no |
-| [eventcache\_bucket\_logging\_target](#input\_eventcache\_bucket\_logging\_target) | S3 bucket access logging target | `string` | `""` | no |
 | [force\_destroy](#input\_force\_destroy) | When enabled will force destroy event-cache S3 bucket | `bool` | `false` | no |
 | [group](#input\_group) | The name of the tfscaffold group | `string` | `null` | no |
 | [iam\_permissions\_boundary\_arn](#input\_iam\_permissions\_boundary\_arn) | The ARN of the permissions boundary to use for the IAM role | `string` | `null` | no |
@@ -42,7 +42,7 @@
 | Name | Source | Version |
 |------|--------|---------|
-| [s3bucket\_event\_cache](#module\_s3bucket\_event\_cache) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.30/terraform-s3bucket.zip | n/a |
+| [s3bucket\_event\_cache](#module\_s3bucket\_event\_cache) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/terraform/modules/s3bucket | feature/CCM-14600_Enable_Access_Logging_For_EventCache_Buckets |
 ## Outputs
 | Name | Description |
From 3cf90d0bca9bc4b1be5f2b226abea9ab063a9c61 Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Tue, 3 Mar 2026 09:28:51 +0000
Subject: [PATCH 11/12] CCM-14600: Enable Access Logging for EventCache Buckets
---
 .../terraform/modules/eventpub/module_s3bucket_event_cache.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
index be37075..4124502 100644
--- a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
+++ b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
@@ -1,5 +1,5 @@
 module "s3bucket_event_cache" {
- source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/terraform/modules/s3bucket?ref=feature/CCM-14600_Enable_Access_Logging_For_EventCache_Buckets"
+ source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.3/terraform-s3bucket.zip"
 count = var.enable_event_cache ? 1 : 0
From c69a5ae2f75f152206f505e00390835d03e59dd1 Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Tue, 3 Mar 2026 09:32:13 +0000
Subject: [PATCH 12/12] CCM-14600: Enable Access Logging for EventCache Buckets
---
 infrastructure/terraform/modules/eventpub/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/terraform/modules/eventpub/README.md b/infrastructure/terraform/modules/eventpub/README.md
index 4b10f0e..0fdf4ed 100644
--- a/infrastructure/terraform/modules/eventpub/README.md
+++ b/infrastructure/terraform/modules/eventpub/README.md
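Review bot: The new `source` pulls `3.0.3/terraform-s3bucket.zip` from GitHub releases with no integrity pin, so the module body that ends up managing the event-cache bucket policy is trusted on the HTTPS connection and the release asset never being replaced. go-getter, which Terraform uses for HTTP module sources, accepts a `checksum` query parameter; it is worth confirming on Terraform 1.10 (the version in .tool-versions) and, if supported, pinning the archive as `source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.3/terraform-s3bucket.zip?checksum=sha256:<release-asset-sha256>"`. The move from `v2.0.30` to `3.0.3` also looks like a major version change of the shared module, so the `bucket_logging_target` contract this module now relies on (a `bucket` key with an optional `prefix`, as read in the s3_bucket_logging.tf hunks of patches 04 and 09) should be checked against that release's interface rather than the feature branch patch 08 was pinned to.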
@@ -42,7 +42,7 @@
 | Name | Source | Version |
 |------|--------|---------|
-| [s3bucket\_event\_cache](#module\_s3bucket\_event\_cache) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/terraform/modules/s3bucket | feature/CCM-14600_Enable_Access_Logging_For_EventCache_Buckets |
+| [s3bucket\_event\_cache](#module\_s3bucket\_event\_cache) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.3/terraform-s3bucket.zip | n/a |
 ## Outputs
 | Name | Description |