NHSDigital · mattdean3-nhs · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026
@@ -88,9 +88,9 @@ jobs:
         run: |
           terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} show -no-color tfplan > terraform/account-wide-infrastructure/$ACCOUNT_NAME/tfplan.txt
 
-          aws s3 cp terraform/account-wide-infrastructure/$ACCOUNT_NAME/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan
-          aws s3 cp terraform/account-wide-infrastructure/$ACCOUNT_NAME/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan.txt
-          aws s3 cp terraform/account-wide-infrastructure/modules/glue/files/src.zip s3://nhsd-nrlf--mgmt--github-ci-logging/acc-$ACCOUNT_NAME/${{ github.run_id }}/glue-src.zip
+          aws s3 cp terraform/account-wide-infrastructure/$ACCOUNT_NAME/tfplan s3://nhsd-nrlf--mgmt--github-ci-data/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan
+          aws s3 cp terraform/account-wide-infrastructure/$ACCOUNT_NAME/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-data/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan.txt
+          aws s3 cp terraform/account-wide-infrastructure/modules/glue/files/src.zip s3://nhsd-nrlf--mgmt--github-ci-data/acc-$ACCOUNT_NAME/${{ github.run_id }}/glue-src.zip
 
   terraform-apply:
     name: Terraform Apply - ${{ inputs.environment }}
@@ -120,11 +120,11 @@ jobs:
         env:
           ACCOUNT_NAME: ${{ vars.ACCOUNT_NAME }}
         run: |
-          aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan terraform/account-wide-infrastructure/${ACCOUNT_NAME}/tfplan
-          aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan.txt terraform/account-wide-infrastructure/${ACCOUNT_NAME}/tfplan.txt
+          aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-data/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan terraform/account-wide-infrastructure/${ACCOUNT_NAME}/tfplan
+          aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-data/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan.txt terraform/account-wide-infrastructure/${ACCOUNT_NAME}/tfplan.txt
 
           mkdir -p terraform/account-wide-infrastructure/modules/glue/files
-          aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/acc-$ACCOUNT_NAME/${{ github.run_id }}/glue-src.zip terraform/account-wide-infrastructure/modules/glue/files/src.zip
+          aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-data/acc-$ACCOUNT_NAME/${{ github.run_id }}/glue-src.zip terraform/account-wide-infrastructure/modules/glue/files/src.zip
 
       - name: Retrieve Server Certificates
         env:

@@ -143,8 +143,8 @@ jobs:
           ENVIRONMENT: ${{ inputs.environment }}
         run: |
           terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt
-          aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan
-          aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan.txt
+          aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-data/$ENVIRONMENT/${{ github.run_id }}/tfplan
+          aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-data/$ENVIRONMENT/${{ github.run_id }}/tfplan.txt
 
   terraform-apply:
     name: Terraform Apply - ${{ inputs.environment }}
@@ -186,7 +186,7 @@ jobs:
       - name: Download Terraform Plan artifact
         env:
           ENVIRONMENT: ${{ inputs.environment }}
-        run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan
+        run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-data/$ENVIRONMENT/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan
 
       - name: Retrieve Server Certificates
         env:

@@ -220,8 +220,8 @@ jobs:
           ENVIRONMENT: ${{ inputs.environment }}
         run: |
           terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt
-          aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan
-          aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan.txt
+          aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-data/$ENVIRONMENT/${{ github.run_id }}/tfplan
+          aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-data/$ENVIRONMENT/${{ github.run_id }}/tfplan.txt
 
   terraform-apply:
     name: Apply permissions
@@ -265,7 +265,7 @@ jobs:
       - name: Download Terraform Plan artifact
         env:
           ENVIRONMENT: ${{ inputs.environment }}
-        run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan
+        run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-data/$ENVIRONMENT/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan
 
       - name: Terraform Init
         env:

@@ -63,7 +63,9 @@ data "aws_iam_policy_document" "codebuild_policy" {
   statement {
     effect = "Allow"
     actions = [
-      "ecr:*"
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability"
     ]
     resources = [
       "${aws_ecr_repository.repository.arn}",

@@ -10,10 +10,6 @@ data "aws_s3_bucket" "terraform_state" {
   bucket = "${local.project}--terraform-state"
 }
 
-data "aws_s3_bucket" "ci_logging" {
-  bucket = "${local.project}--mgmt--github-ci-logging"
-}
-
 data "aws_s3_bucket" "truststore" {
   bucket = "${local.project}--truststore"
 }
@@ -53,3 +49,7 @@ data "aws_secretsmanager_secret_version" "test_backup_account_id" {
 data "aws_secretsmanager_secret_version" "test_restore_account_id" {
   secret_id = data.aws_secretsmanager_secret.test_restore_account_id.name
 }
+
+data "aws_secretsmanager_secret_version" "prod_account_id" {
+  secret_id = data.aws_secretsmanager_secret.prod_account_id.name
+}
@@ -0,0 +1,117 @@
+resource "aws_iam_policy" "developer_policy" {
+  name = "${local.prefix}--developer-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "s3:PutObject",
+          "s3:DeleteObject",
+          "s3:GetObject",
+          "dynamodb:PutItem",
+          "dynamodb:GetItem",
+          "dynamodb:DeleteItem",
+          "s3:ListBucket"
+        ]
+        Effect = "Allow"
+        Resource = [
+          data.aws_dynamodb_table.terraform_state_lock.arn,
+          data.aws_s3_bucket.terraform_state.arn,
+          "${data.aws_s3_bucket.terraform_state.arn}/*"
+        ]
+      },
+      {
+        Action = [
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:DeleteObject"
+        ]
+        Effect = "Deny"
+        Resource = [
+          "${data.aws_s3_bucket.terraform_state.arn}/${local.project}/prod/*",
+          "${data.aws_s3_bucket.terraform_state.arn}/${local.project}/mgmt/*",
+        ]
+      },
+      {
+        Action = [
+          "s3:DeleteObject"
+        ]
+        Effect = "Deny"
+        Resource = [
+          "${data.aws_s3_bucket.terraform_state.arn}/${local.project}/dev/*"
+        ]
+      },
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Resource = [
+          "arn:aws:iam::${data.aws_secretsmanager_secret_version.dev_account_id.secret_string}:role/terraform",
+          "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_account_id.secret_string}:role/terraform",
+          "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_backup_account_id.secret_string}:role/terraform",
+          "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_restore_account_id.secret_string}:role/terraform"
+        ]
+      },
+      {
+        Action = [
+          "secretsmanager:GetResourcePolicy",
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret",
+          "secretsmanager:ListSecretVersionIds"
+        ]
+        Effect = "Allow"
+        Resource = [
+          data.aws_secretsmanager_secret.dev_account_id.arn,
+          data.aws_secretsmanager_secret.test_account_id.arn
+        ]
+      },
+      {
+        Action = [
+          "s3:ListAllMyBuckets"
+        ]
+        Effect = "Allow"
+        Resource = [
+          "arn:aws:s3:::*"
+        ]
+      },
+      {
+        Action = [
+          "s3:GetObject",
+          "s3:ListBucket"
+        ]
+        Effect = "Allow"
+        Resource = [
+          aws_s3_bucket.ci_data.arn,
+          "${aws_s3_bucket.ci_data.arn}/*"
+        ]
+      },
+      {
+        Action = [
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:DeleteObject"
+        ]
+        Effect = "Deny"
+        Resource = [
+          "${data.aws_s3_bucket.truststore.arn}/ca/prod*",
+          "${data.aws_s3_bucket.truststore.arn}/client/prod*",
+          "${data.aws_s3_bucket.truststore.arn}/server/prod*"
+        ]
+      },
+      {
+        Action = [
+          "s3:GetObject"
+        ]
+        Effect = "Allow"
+        Resource = [
+          "${data.aws_s3_bucket.truststore.arn}/*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "developer_policy_attachment" {
+  role       = var.developer_role_name
+  policy_arn = aws_iam_policy.developer_policy.arn
+}