diff --git a/infrastructure/terraform/components/dl/README.md b/infrastructure/terraform/components/dl/README.md
index 4d7b441ff..dbcb9c690 100644
--- a/infrastructure/terraform/components/dl/README.md
+++ b/infrastructure/terraform/components/dl/README.md
@@ -54,6 +54,7 @@ No requirements.
| [report\_scheduler\_schedule](#input\_report\_scheduler\_schedule) | Schedule to trigger sender reports | `string` | `"cron(30 4 * * ? *)"` | no |
| [reports\_data\_retention\_non\_current\_days](#input\_reports\_data\_retention\_non\_current\_days) | The number of non current days for data retention policy for reports generated by Athena in the reporting bucket | `number` | `14` | no |
| [reports\_data\_retention\_policy\_days](#input\_reports\_data\_retention\_policy\_days) | The number of days for data retention policy for reports generated by Athena in the reporting bucket | `number` | `90` | no |
+| [restrict\_pid\_data\_access](#input\_restrict\_pid\_data\_access) | Whether to restrict access to PII data in the bucket using a bucket policy | `bool` | `true` | no |
| [shared\_infra\_account\_id](#input\_shared\_infra\_account\_id) | The AWS Shared Infra Account ID (numeric) | `string` | n/a | yes |
| [sns\_success\_logging\_sample\_percent](#input\_sns\_success\_logging\_sample\_percent) | Enable SNS Delivery Successful Sample Percentage | `number` | `0` | no |
| [sqs\_max\_receive\_count](#input\_sqs\_max\_receive\_count) | Maximum number of times a message can be received before being sent to the DLQ | `string` | `"3"` | no |
@@ -85,10 +86,10 @@ No requirements.
| [report\_scheduler](#module\_report\_scheduler) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-lambda.zip | n/a |
| [report\_sender](#module\_report\_sender) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-lambda.zip | n/a |
| [s3bucket\_file\_quarantine](#module\_s3bucket\_file\_quarantine) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
-| [s3bucket\_file\_safe](#module\_s3bucket\_file\_safe) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
+| [s3bucket\_file\_safe](#module\_s3bucket\_file\_safe) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.1.3/terraform-s3bucket.zip | n/a |
| [s3bucket\_letters](#module\_s3bucket\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
| [s3bucket\_non\_pii\_data](#module\_s3bucket\_non\_pii\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
-| [s3bucket\_pii\_data](#module\_s3bucket\_pii\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
+| [s3bucket\_pii\_data](#module\_s3bucket\_pii\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.1.3/terraform-s3bucket.zip | n/a |
| [s3bucket\_reporting](#module\_s3bucket\_reporting) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
| [s3bucket\_static\_assets](#module\_s3bucket\_static\_assets) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
| [sqs\_core\_notifier](#module\_sqs\_core\_notifier) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-sqs.zip | n/a |
diff --git a/infrastructure/terraform/components/dl/data_iam_roles_sso_dev.tf b/infrastructure/terraform/components/dl/data_iam_roles_sso_dev.tf
new file mode 100644
index 000000000..c44200873
--- /dev/null
+++ b/infrastructure/terraform/components/dl/data_iam_roles_sso_dev.tf
@@ -0,0 +1,5 @@
+data "aws_iam_roles" "sso_bc_restricted_dev" {
+ count = var.restrict_pid_data_access ? 1 : 0
+ name_regex = "AWSReservedSSO_nhs-notify-bc-developer_.*"
+ path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
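Review bot: `name_regex` on the new `aws_iam_roles` lookup is unanchored, so any role whose name merely contains `AWSReservedSSO_nhs-notify-bc-developer_` matches, and the `locals.tf` hunk then takes element `[0]` of the sorted list, so a second permission set sharing that prefix could silently become the selected principal. Anchoring the pattern to the SSO role-name shape (name plus an AWS-appended suffix, which I believe is hex) pins it to the one intended role: `name_regex = "^AWSReservedSSO_nhs-notify-bc-developer_[0-9a-f]+$"`. A one-line comment above the block naming the SSO permission set this depends on (`# resolves the role created by the nhs-notify-bc-developer SSO permission set; only when restrict_pid_data_access is true`) would also help whoever renames that permission set later.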
diff --git a/infrastructure/terraform/components/dl/locals.tf b/infrastructure/terraform/components/dl/locals.tf
index 7a1ef5b92..f03b1bc1a 100644
--- a/infrastructure/terraform/components/dl/locals.tf
+++ b/infrastructure/terraform/components/dl/locals.tf
@@ -16,4 +16,6 @@ locals {
ssm_senders_prefix = "${local.ssm_prefix}/senders"
ttl_shard_count = 3
unscanned_files_bucket = local.acct.additional_s3_buckets["digital-letters_unscanned-files"]["id"]
+
+ bc_restricted_dev_role = try(tolist(data.aws_iam_roles.sso_bc_restricted_dev[0].arns)[0], null)
}
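Review bot: `try(..., null)` on the new `bc_restricted_dev_role` local collapses two different situations into the same silent `null`: the lookup being disabled by `restrict_pid_data_access = false` (intended) and the lookup being enabled but matching no role (a misconfiguration that leaves the restriction without the principal it was meant to reference; how the bucket policy consumes the local is outside this diff). Making the intended case explicit lets the misconfigured case fail at plan time instead: `bc_restricted_dev_role = var.restrict_pid_data_access ? tolist(data.aws_iam_roles.sso_bc_restricted_dev[0].arns)[0] : null`. If the Terraform version in use supports `check` blocks, an assertion that the lookup returned exactly one ARN would catch the multiple-match case as well. The `locals` block begins outside the hunk.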
diff --git a/infrastructure/terraform/components/dl/module_s3bucket_file_safe.tf b/infrastructure/terraform/components/dl/module_s3bucket_file_safe.tf
index 19e126512..61404e042 100644
--- a/infrastructure/terraform/components/dl/module_s3bucket_file_safe.tf
+++ b/infrastructure/terraform/components/dl/module_s3bucket_file_safe.tf
@@ -1,5 +1,5 @@
module "s3bucket_file_safe" {
- source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip"
+ source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.1.3/terraform-s3bucket.zip"
name = "file-safe"
@@ -10,6 +10,7 @@ module "s3bucket_file_safe" {
component = local.component
kms_key_arn = module.kms.key_arn
+ enable_abac = var.restrict_pid_data_access ? true : false
policy_documents = [data.aws_iam_policy_document.s3bucket_file_safe.json]
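Review bot: `enable_abac = var.restrict_pid_data_access ? true : false` is a conditional over a value that is already declared `bool`; `enable_abac = var.restrict_pid_data_access` says the same thing, here and in the matching hunk of `module_s3bucket_pii_data.tf`. Separately, the `NHSE-RESTRICTED-PID = "True"` tag added in the later hunk of both files is set regardless of the variable, so a bucket deployed with `restrict_pid_data_access = false` is still tagged as restricted; if that tag is what the module's ABAC condition keys on (not visible here) this may be deliberate, but if it is a compliance/inventory tag it should track the flag, e.g. `NHSE-RESTRICTED-PID = var.restrict_pid_data_access ? "True" : "False"`. The trailing commas introduced in those tag maps are unnecessary between newline-separated attributes and are inconsistent between the two files (`"True"` vs `"True",`). The `module` block continues outside the hunk.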
@@ -41,7 +42,8 @@ module "s3bucket_file_safe" {
]
default_tags = {
- NHSE-Enable-S3-Backup-Acct = "True"
+ NHSE-Enable-S3-Backup-Acct = "True",
+ NHSE-RESTRICTED-PID = "True"
}
}
diff --git a/infrastructure/terraform/components/dl/module_s3bucket_pii_data.tf b/infrastructure/terraform/components/dl/module_s3bucket_pii_data.tf
index 921121b1e..681227dc4 100644
--- a/infrastructure/terraform/components/dl/module_s3bucket_pii_data.tf
+++ b/infrastructure/terraform/components/dl/module_s3bucket_pii_data.tf
@@ -1,5 +1,5 @@
module "s3bucket_pii_data" {
- source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip"
+ source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.1.3/terraform-s3bucket.zip"
name = "pii-data"
@@ -9,8 +9,8 @@ module "s3bucket_pii_data" {
environment = var.environment
component = local.component
- kms_key_arn = module.kms.key_arn
-
+ kms_key_arn = module.kms.key_arn
+ enable_abac = var.restrict_pid_data_access ? true : false
policy_documents = [data.aws_iam_policy_document.s3bucket_pii_data.json]
force_destroy = var.force_destroy
@@ -34,7 +34,8 @@ module "s3bucket_pii_data" {
]
default_tags = {
- NHSE-Enable-S3-Backup-Acct = "True"
+ NHSE-Enable-S3-Backup-Acct = "True",
+ NHSE-RESTRICTED-PID = "True",
}
}
diff --git a/infrastructure/terraform/components/dl/variables.tf b/infrastructure/terraform/components/dl/variables.tf
index 62684345f..7ed6295bc 100644
--- a/infrastructure/terraform/components/dl/variables.tf
+++ b/infrastructure/terraform/components/dl/variables.tf
@@ -319,3 +319,9 @@ variable "event_anomaly_band_width" {
error_message = "Band width must be between 2 and 10"
}
}
+
+variable "restrict_pid_data_access" {
+ type = bool
+ description = "Whether to restrict access to PII data in the bucket using a bucket policy"
+ default = true
+}
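Review bot: The description says `in the bucket`, but the flag now gates `enable_abac` on two modules (`s3bucket_file_safe` and `s3bucket_pii_data`) and also the `aws_iam_roles` lookup that supplies the developer SSO role referenced from `locals.tf`, and none of that is discoverable from the variable or the README table generated from it. Suggest: `description = "Whether to apply an ABAC bucket policy restricting access to PID/PII data in the file-safe and pii-data buckets; when true, the nhs-notify-bc-developer SSO permission set must exist in the account"`. The name says `pid` while the description and the README row say `PII`; settling on one term across the variable, README and tag avoids a reader wondering whether they are different things.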