From affed1b95ef247c2e530e34bf2ef6ba3719f5d9e Mon Sep 17 00:00:00 2001
From: Matt Dean
Date: Mon, 16 Feb 2026 15:44:59 +0000
Subject: [PATCH] [NRL-1938] Allow github-ci to access truststore bucket. Remove ci-data bucket ACL

---
 .../account-wide-infrastructure/mgmt/iam_github-ci.tf | 11 +++++++++++
 terraform/account-wide-infrastructure/mgmt/s3.tf | 9 ---------
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/terraform/account-wide-infrastructure/mgmt/iam_github-ci.tf b/terraform/account-wide-infrastructure/mgmt/iam_github-ci.tf
index c12ec150d..0e18af18e 100644
--- a/terraform/account-wide-infrastructure/mgmt/iam_github-ci.tf
+++ b/terraform/account-wide-infrastructure/mgmt/iam_github-ci.tf
@@ -81,6 +81,17 @@ resource "aws_iam_policy" "github_ci_policy" {
           data.aws_secretsmanager_secret.prod_account_id.arn
         ]
       },
+      {
+        Action = [
+          "s3:GetObject",
+          "s3:ListBucket"
+        ]
+        Effect = "Allow"
+        Resource = [
+          data.aws_s3_bucket.truststore.arn,
+          "${data.aws_s3_bucket.truststore.arn}/*"
+        ]
+      },
       {
         Action = [
           "s3:PutObject",
diff --git a/terraform/account-wide-infrastructure/mgmt/s3.tf b/terraform/account-wide-infrastructure/mgmt/s3.tf
index b3fd09fc4..0b61531cf 100644
--- a/terraform/account-wide-infrastructure/mgmt/s3.tf
+++ b/terraform/account-wide-infrastructure/mgmt/s3.tf
@@ -2,15 +2,6 @@ resource "aws_s3_bucket" "ci_data" {
   bucket = "${local.prefix}--ci-data"
 }
 
-resource "aws_s3_bucket_acl" "ci_data" {
-  bucket = aws_s3_bucket.ci_data.id
-  acl = "private"
-
-  depends_on = [
-    aws_s3_bucket.ci_data
-  ]
-}
-
 resource "aws_s3_bucket_public_access_block" "ci_data" {
   bucket = aws_s3_bucket.ci_data.id
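Review bot: The new statement in iam_github-ci.tf gives the github-ci principal `s3:GetObject` on every object in the truststore bucket and an unconditioned `s3:ListBucket`; if the workflow only needs a known path (for example one CA bundle), narrow the object resource to that key or prefix and add an `s3:prefix` condition on the list permission so a compromised CI token cannot enumerate or read the whole truststore. Neither the statement nor the commit message records why CI needs the truststore, so a one-line comment above the added `{` such as `# github-ci reads CA material from the truststore bucket for <purpose — TODO confirm>` would help the next reviewer judge whether the grant is still required. Listing `s3:ListBucket` against the object ARN is harmless (it is a bucket-level action) and appears to match the shape of the `s3:PutObject` statement that follows, so that is consistent with the file's style. The enclosing `aws_iam_policy` resource starts and ends outside the hunk.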