NHSDigital · Karthikeyannhs · Dec 16, 2025 · Dec 18, 2025 · Dec 18, 2025 · Dec 18, 2025
diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf
@@ -17,14 +17,15 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 
   environment {
     variables = {
-      PERSON_TABLE_NAME          = var.eligibility_status_table_name,
-      RULES_BUCKET_NAME          = var.eligibility_rules_bucket_name,
-      KINESIS_AUDIT_STREAM_TO_S3 = var.kinesis_audit_stream_to_s3_name
-      ENV                        = var.environment
-      LOG_LEVEL                  = var.log_level
-      ENABLE_XRAY_PATCHING       = var.enable_xray_patching
-      API_DOMAIN_NAME            = var.api_domain_name
-      HASHING_SECRET_NAME        = var.hashing_secret_name
+      PERSON_TABLE_NAME            = var.eligibility_status_table_name,
+      RULES_BUCKET_NAME            = var.eligibility_rules_bucket_name,
+      CONSUMER_MAPPING_BUCKET_NAME = var.eligibility_consumer_mappings_bucket_name,
+      KINESIS_AUDIT_STREAM_TO_S3   = var.kinesis_audit_stream_to_s3_name
+      ENV                          = var.environment
+      LOG_LEVEL                    = var.log_level
+      ENABLE_XRAY_PATCHING         = var.enable_xray_patching
+      API_DOMAIN_NAME              = var.api_domain_name
+      HASHING_SECRET_NAME          = var.hashing_secret_name
     }
   }
 

diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf
@@ -44,6 +44,11 @@ variable "eligibility_rules_bucket_name" {
   type        = string
 }
 
+variable "eligibility_consumer_mappings_bucket_name" {
+  description = "consumer mappings bucket name"
+  type        = string
+}
+
 variable "eligibility_status_table_name" {
   description = "eligibility datastore table name"
   type        = string

diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -104,6 +104,60 @@
   }
 }
 
+# Policy doc for S3 Consumer Mappings bucket
+data "aws_iam_policy_document" "s3_consumer_mapping_bucket_policy" {
+  statement {
+    sid = "AllowSSLRequestsOnly"
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+    resources = [
+      module.s3_consumer_mappings_bucket.storage_bucket_arn,
+      "${module.s3_consumer_mappings_bucket.storage_bucket_arn}/*",
+    ]
+    condition {
+      test     = "Bool"
+      values = ["true"]
+      variable = "aws:SecureTransport"
+    }
+  }
+}
+
+# ensure only secure transport is allowed
+
+resource "aws_s3_bucket_policy" "consumer_mapping_s3_bucket" {
+  bucket = module.s3_consumer_mappings_bucket.storage_bucket_id
+  policy = data.aws_iam_policy_document.consumer_mapping_s3_bucket_policy.json
+}
+
+data "aws_iam_policy_document" "consumer_mapping_s3_bucket_policy" {
+  statement {
+    sid = "AllowSslRequestsOnly"
+    actions = [
+      "s3:*",
+    ]
+    effect = "Deny"
+    resources = [
+      module.s3_consumer_mappings_bucket.storage_bucket_arn,
+      "${module.s3_consumer_mappings_bucket.storage_bucket_arn}/*",
+    ]
+    principals {
+      type = "*"
+      identifiers = ["*"]
+    }
+    condition {
+      test = "Bool"
+      values = [
+        "false",
+      ]
+
+      variable = "aws:SecureTransport"
+    }
+  }
+}
+
+# audit bucket
 resource "aws_s3_bucket_policy" "audit_s3_bucket" {
   bucket = module.s3_audit_bucket.storage_bucket_id
   policy = data.aws_iam_policy_document.audit_s3_bucket_policy.json
@@ -136,12 +190,18 @@
 }
 
 # Attach s3 read policy to Lambda role
-resource "aws_iam_role_policy" "lambda_s3_read_policy" {
+resource "aws_iam_role_policy" "lambda_s3_rules_read_policy" {
   name   = "S3ReadAccess"
   role   = aws_iam_role.eligibility_lambda_role.id
   policy = data.aws_iam_policy_document.s3_rules_bucket_policy.json
 }
 
+resource "aws_iam_role_policy" "lambda_s3_mapping_read_policy" {
+  name   = "S3ConsumerMappingReadAccess"
+  role   = aws_iam_role.eligibility_lambda_role.id
+  policy = data.aws_iam_policy_document.s3_consumer_mapping_bucket_policy.json
+}
+
 # Attach s3 write policy to kinesis firehose role
 resource "aws_iam_role_policy" "kinesis_firehose_s3_write_policy" {
   name   = "S3WriteAccess"
@@ -290,6 +350,38 @@
   policy = data.aws_iam_policy_document.s3_rules_kms_key_policy.json
 }
 
+data "aws_iam_policy_document" "s3_consumer_mapping_kms_key_policy" {
+  #checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_109: Root user needs full KMS key management
+  statement {
+    sid    = "EnableIamUserPermissions"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions = ["kms:*"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "AllowLambdaDecrypt"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [aws_iam_role.eligibility_lambda_role.arn]
+    }
+    actions = ["kms:Decrypt"]
+    resources = ["*"]
+  }
+}
+
+resource "aws_kms_key_policy" "s3_consumer_mapping_kms_key" {
+  key_id = module.s3_consumer_mappings_bucket.storage_bucket_kms_key_id
+  policy = data.aws_iam_policy_document.s3_consumer_mapping_kms_key_policy.json
+}
+
 resource "aws_iam_role_policy" "splunk_firehose_policy" {
   #checkov:skip=CKV_AWS_290: Firehose requires write access to dynamic log streams without static constraints
   #checkov:skip=CKV_AWS_355: Firehose logging requires wildcard resource for CloudWatch log groups/streams

diff --git a/infrastructure/stacks/api-layer/lambda.tf b/infrastructure/stacks/api-layer/lambda.tf
@@ -11,27 +11,28 @@ data "aws_subnet" "private_subnets" {
 }
 
 module "eligibility_signposting_lambda_function" {
-  source                            = "../../modules/lambda"
-  eligibility_lambda_role_arn       = aws_iam_role.eligibility_lambda_role.arn
-  eligibility_lambda_role_name      = aws_iam_role.eligibility_lambda_role.name
-  workspace                         = local.workspace
-  environment                       = var.environment
-  runtime                           = "python3.13"
-  lambda_func_name                  = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api"
+  source                                    = "../../modules/lambda"
+  eligibility_lambda_role_arn               = aws_iam_role.eligibility_lambda_role.arn
+  eligibility_lambda_role_name              = aws_iam_role.eligibility_lambda_role.name
+  workspace                                 = local.workspace
+  environment                               = var.environment
+  runtime                                   = "python3.13"
+  lambda_func_name                          = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api"
   security_group_ids = [data.aws_security_group.main_sg.id]
-  vpc_intra_subnets                 = [for v in data.aws_subnet.private_subnets : v.id]
-  file_name                         = "../../../dist/lambda.zip"
-  handler                           = "eligibility_signposting_api.app.lambda_handler"
-  eligibility_rules_bucket_name     = module.s3_rules_bucket.storage_bucket_name
-  eligibility_status_table_name     = module.eligibility_status_table.table_name
-  kinesis_audit_stream_to_s3_name   = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name
-  hashing_secret_name               = module.secrets_manager.aws_hashing_secret_name
-  lambda_insights_extension_version = 38
-  log_level                         = "INFO"
-  enable_xray_patching              = "true"
-  stack_name                        = local.stack_name
-  provisioned_concurrency_count     = 5
-  api_domain_name                   = local.api_domain_name
+  vpc_intra_subnets                         = [for v in data.aws_subnet.private_subnets : v.id]
+  file_name                                 = "../../../dist/lambda.zip"
+  handler                                   = "eligibility_signposting_api.app.lambda_handler"
+  eligibility_rules_bucket_name             = module.s3_rules_bucket.storage_bucket_name
+  eligibility_consumer_mappings_bucket_name = module.s3_consumer_mappings_bucket.storage_bucket_name
+  eligibility_status_table_name             = module.eligibility_status_table.table_name
+  kinesis_audit_stream_to_s3_name           = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name
+  hashing_secret_name                       = module.secrets_manager.aws_hashing_secret_name
+  lambda_insights_extension_version         = 38
+  log_level                                 = "INFO"
+  enable_xray_patching                      = "true"
+  stack_name                                = local.stack_name
+  provisioned_concurrency_count             = 5
+  api_domain_name                           = local.api_domain_name
 }
 
 # -----------------------------------------------------------------------------

diff --git a/infrastructure/stacks/api-layer/s3_buckets.tf b/infrastructure/stacks/api-layer/s3_buckets.tf
@@ -7,6 +7,15 @@ module "s3_rules_bucket" {
   workspace    = terraform.workspace
 }
 
+module "s3_consumer_mappings_bucket" {
+  source       = "../../modules/s3"
+  bucket_name  = "eli-consumer-map"
+  environment  = var.environment
+  project_name = var.project_name
+  stack_name   = local.stack_name
+  workspace    = terraform.workspace
+}
+
 module "s3_audit_bucket" {
   source                 = "../../modules/s3"
   bucket_name            = "eli-audit"

diff --git a/src/eligibility_signposting_api/common/api_error_response.py b/src/eligibility_signposting_api/common/api_error_response.py
@@ -135,3 +135,11 @@ def log_and_generate_response(
     fhir_error_code=FHIRSpineErrorCode.ACCESS_DENIED,
     fhir_display_message="Access has been denied to process this request.",
 )
+
+CONSUMER_ID_NOT_PROVIDED_ERROR = APIErrorResponse(
+    status_code=HTTPStatus.FORBIDDEN,
+    fhir_issue_code=FHIRIssueCode.FORBIDDEN,
+    fhir_issue_severity=FHIRIssueSeverity.ERROR,
+    fhir_error_code=FHIRSpineErrorCode.ACCESS_DENIED,
+    fhir_display_message="Access has been denied to process this request.",
+)
diff --git a/src/eligibility_signposting_api/common/request_validator.py b/src/eligibility_signposting_api/common/request_validator.py
@@ -7,12 +7,13 @@
 from flask.typing import ResponseReturnValue
 
 from eligibility_signposting_api.common.api_error_response import (
+    CONSUMER_ID_NOT_PROVIDED_ERROR,
     INVALID_CATEGORY_ERROR,
     INVALID_CONDITION_FORMAT_ERROR,
     INVALID_INCLUDE_ACTIONS_ERROR,
     NHS_NUMBER_MISMATCH_ERROR,
 )
-from eligibility_signposting_api.config.constants import NHS_NUMBER_HEADER
+from eligibility_signposting_api.config.constants import CONSUMER_ID, NHS_NUMBER_HEADER
 
 logger = logging.getLogger(__name__)
 
@@ -56,6 +57,13 @@ def validate_request_params() -> Callable:
     def decorator(func: Callable) -> Callable:
         @wraps(func)
         def wrapper(*args, **kwargs) -> ResponseReturnValue:  # noqa:ANN002,ANN003
+            consumer_id = request.headers.get(CONSUMER_ID)
+            if not consumer_id:
+                message = "You are not authorised to request"
+                return CONSUMER_ID_NOT_PROVIDED_ERROR.log_and_generate_response(
+                    log_message=message, diagnostics=message
+                )
+
             path_nhs_number = str(kwargs.get("nhs_number"))
             header_nhs_no = str(request.headers.get(NHS_NUMBER_HEADER))
 

diff --git a/src/eligibility_signposting_api/config/config.py b/src/eligibility_signposting_api/config/config.py
@@ -22,6 +22,7 @@
 def config() -> dict[str, Any]:
     person_table_name = TableName(os.getenv("PERSON_TABLE_NAME", "test_eligibility_datastore"))
     rules_bucket_name = BucketName(os.getenv("RULES_BUCKET_NAME", "test-rules-bucket"))
+    consumer_mapping_bucket_name = BucketName(os.getenv("CONSUMER_MAPPING_BUCKET_NAME", "test-consumer-mapping-bucket"))
     audit_bucket_name = BucketName(os.getenv("AUDIT_BUCKET_NAME", "test-audit-bucket"))
     hashing_secret_name = HashSecretName(os.getenv("HASHING_SECRET_NAME", "test_secret"))
     aws_default_region = AwsRegion(os.getenv("AWS_DEFAULT_REGION", "eu-west-1"))
@@ -41,6 +42,7 @@ def config() -> dict[str, Any]:
             "s3_endpoint": None,
             "rules_bucket_name": rules_bucket_name,
             "audit_bucket_name": audit_bucket_name,
+            "consumer_mapping_bucket_name": consumer_mapping_bucket_name,
             "firehose_endpoint": None,
             "kinesis_audit_stream_to_s3": kinesis_audit_stream_to_s3,
             "enable_xray_patching": enable_xray_patching,
@@ -59,6 +61,7 @@ def config() -> dict[str, Any]:
         "s3_endpoint": URL(os.getenv("S3_ENDPOINT", local_stack_endpoint)),
         "rules_bucket_name": rules_bucket_name,
         "audit_bucket_name": audit_bucket_name,
+        "consumer_mapping_bucket_name": consumer_mapping_bucket_name,
         "firehose_endpoint": URL(os.getenv("FIREHOSE_ENDPOINT", local_stack_endpoint)),
         "kinesis_audit_stream_to_s3": kinesis_audit_stream_to_s3,
         "enable_xray_patching": enable_xray_patching,

diff --git a/src/eligibility_signposting_api/config/constants.py b/src/eligibility_signposting_api/config/constants.py
@@ -3,4 +3,5 @@
 URL_PREFIX = "patient-check"
 RULE_STOP_DEFAULT = False
 NHS_NUMBER_HEADER = "nhs-login-nhs-number"
+CONSUMER_ID = "consumer-id"
 ALLOWED_CONDITIONS = Literal["COVID", "FLU", "MMR", "RSV"]
diff --git a/src/eligibility_signposting_api/model/consumer_mapping.py b/src/eligibility_signposting_api/model/consumer_mapping.py
@@ -0,0 +1,17 @@
+from typing import NewType
+
+from pydantic import BaseModel, Field, RootModel
+
+from eligibility_signposting_api.model.campaign_config import CampaignID
+
+ConsumerId = NewType("ConsumerId", str)
+
+
+class ConsumerCampaign(BaseModel):
+    campaign: CampaignID = Field(alias="Campaign")
+    description: str | None = Field(default=None, alias="Description")
+
+
+class ConsumerMapping(RootModel[dict[ConsumerId, list[ConsumerCampaign]]]):
+    def get(self, key: ConsumerId, default: list[ConsumerCampaign] | None = None) -> list[ConsumerCampaign] | None:
+        return self.root.get(key, default)
diff --git a/src/eligibility_signposting_api/repos/consumer_mapping_repo.py b/src/eligibility_signposting_api/repos/consumer_mapping_repo.py
@@ -0,0 +1,43 @@
+import json
+from typing import Annotated, NewType
+
+from botocore.client import BaseClient
+from wireup import Inject, service
+
+from eligibility_signposting_api.model.campaign_config import CampaignID
+from eligibility_signposting_api.model.consumer_mapping import ConsumerId, ConsumerMapping
+
+BucketName = NewType("BucketName", str)
+
+
+@service
+class ConsumerMappingRepo:
+    """Repository class for Campaign Rules, which we can use to calculate a person's eligibility for vaccination.
+
+    These rules are stored as JSON files in AWS S3."""
+
+    def __init__(
+        self,
+        s3_client: Annotated[BaseClient, Inject(qualifier="s3")],
+        bucket_name: Annotated[BucketName, Inject(param="consumer_mapping_bucket_name")],
+    ) -> None:
+        super().__init__()
+        self.s3_client = s3_client
+        self.bucket_name = bucket_name
+
+    def get_permitted_campaign_ids(self, consumer_id: ConsumerId) -> list[CampaignID] | None:
+        objects = self.s3_client.list_objects(Bucket=self.bucket_name).get("Contents")
+
+        if not objects:
+            return None
+
+        consumer_mappings_obj = objects[0]
+        response = self.s3_client.get_object(Bucket=self.bucket_name, Key=consumer_mappings_obj["Key"])
+        body = response["Body"].read()
+
+        mapping_result = ConsumerMapping.model_validate(json.loads(body)).get(consumer_id)
+
+        if mapping_result is None:
+            return None
+
+        return [item.campaign for item in mapping_result]