add eventsub

nhsd-david-wass · nhsd-david-wass · commit 21fe4a69a922 · 2026-01-29T14:08:20.000Z
diff --git a/infrastructure/terraform/components/api/glue_crawler_event_crawler.tf b/infrastructure/terraform/components/api/glue_crawler_event_crawler.tf
@@ -8,6 +8,10 @@ resource "aws_glue_crawler" "event_crawler" {
   s3_target {
     path = "s3://${local.csi_global}-eventcache/"
   }
+
+  s3_target {
+    path = "s3://${local.csi_global}-eventsubeventcache/"
+  }
   recrawl_policy {
     recrawl_behavior = "CRAWL_EVERYTHING"
   }
diff --git a/infrastructure/terraform/components/api/iam_role_glue.tf b/infrastructure/terraform/components/api/iam_role_glue.tf
@@ -50,7 +50,8 @@ data "aws_iam_policy_document" "glue_service_policy" {
       "s3:DeleteObject"
     ]
     resources = ["arn:aws:s3:::${local.csi}-glue-bucket/*",
-    "arn:aws:s3:::${local.csi_global}-eventcache/*"]
+    "arn:aws:s3:::${local.csi_global}-eventcache/*",
+    "arn:aws:s3:::${local.csi_global}-eventsubeventcache/*"]
   }
   statement {
     sid    = "GlueCatalogAccess"
diff --git a/infrastructure/terraform/components/api/s3_bucket_policy_eventcache.tf b/infrastructure/terraform/components/api/s3_bucket_policy_eventcache.tf
@@ -3,7 +3,7 @@ resource "aws_s3_bucket_policy" "eventcache" {
   bucket = local.event_cache_bucket_name
   policy = data.aws_iam_policy_document.eventcache[0].json
 
-  depends_on = [ module.eventpub ]
+  depends_on = [module.eventpub]
 }
 
 data "aws_iam_policy_document" "eventcache" {
diff --git a/infrastructure/terraform/modules/eventsub/s3_bucket_policy_eventcache.tf b/infrastructure/terraform/modules/eventsub/s3_bucket_policy_eventcache.tf
@@ -0,0 +1,48 @@
+resource "aws_s3_bucket_policy" "eventcache" {
+  bucket = s3_bucket_event_cache.bucket
+  policy = data.aws_iam_policy_document.eventcache[0].json
+
+}
+
+data "aws_iam_policy_document" "eventcache" {
+  statement {
+    sid    = "AllowGlueListBucketAndGetLocation"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_role.glue_role.arn]
+    }
+
+    actions = [
+      "s3:ListBucket",
+      "s3:GetBucketLocation"
+    ]
+
+    resources = [
+      "arn:aws:s3:::${local.csi_global}-eventsubeventcache"
+    ]
+  }
+
+  # Object-level permissions: Get/Put/Delete objects
+  statement {
+    sid    = "AllowGlueObjectAccess"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_role.glue_role.arn]
+    }
+
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+      "s3:PutObject",
+      "s3:DeleteObject"
+    ]
+
+    resources = [
+      "arn:aws:s3:::${local.csi_global}-eventsubeventcache/*"
+    ]
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,10 @@ resource "aws_glue_crawler" "event_crawler" {`
`8`	`8`	`s3_target {`
`9`	`9`	`path = "s3://${local.csi_global}-eventcache/"`
`10`	`10`	`}`
	`11`	`+`
	`12`	`+ s3_target {`
	`13`	`+ path = "s3://${local.csi_global}-eventsubeventcache/"`
	`14`	`+ }`
`11`	`15`	`recrawl_policy {`
`12`	`16`	`recrawl_behavior = "CRAWL_EVERYTHING"`
`13`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,8 @@ data "aws_iam_policy_document" "glue_service_policy" {`
`50`	`50`	`"s3:DeleteObject"`
`51`	`51`	`]`
`52`	`52`	`resources = ["arn:aws:s3:::${local.csi}-glue-bucket/*",`
`53`		`- "arn:aws:s3:::${local.csi_global}-eventcache/*"]`
	`53`	`+ "arn:aws:s3:::${local.csi_global}-eventcache/*",`
	`54`	`+ "arn:aws:s3:::${local.csi_global}-eventsubeventcache/*"]`
`54`	`55`	`}`
`55`	`56`	`statement {`
`56`	`57`	`sid = "GlueCatalogAccess"`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ resource "aws_s3_bucket_policy" "eventcache" {`
`3`	`3`	`bucket = local.event_cache_bucket_name`
`4`	`4`	`policy = data.aws_iam_policy_document.eventcache[0].json`
`5`	`5`
`6`		`- depends_on = [ module.eventpub ]`
	`6`	`+ depends_on = [module.eventpub]`
`7`	`7`	`}`
`8`	`8`
`9`	`9`	`data "aws_iam_policy_document" "eventcache" {`