From a9f320a1b02368f5771e7d3354df1067b77bc83e Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Thu, 30 Apr 2026 16:15:09 +0100
Subject: [PATCH 1/3] CCM-16776: Enable S3 ABAC

---
 .../terraform/modules/s3bucket/s3_bucket_abac.tf | 8 ++++++++
 infrastructure/terraform/modules/s3bucket/variables.tf | 6 ++++++
 2 files changed, 14 insertions(+)
 create mode 100644 infrastructure/terraform/modules/s3bucket/s3_bucket_abac.tf

diff --git a/infrastructure/terraform/modules/s3bucket/s3_bucket_abac.tf b/infrastructure/terraform/modules/s3bucket/s3_bucket_abac.tf
new file mode 100644
index 0000000..0609508
--- /dev/null
+++ b/infrastructure/terraform/modules/s3bucket/s3_bucket_abac.tf
@@ -0,0 +1,8 @@
+resource "aws_s3_bucket_abac" "main" {
+ count = var.enable_abac ? 1 : 0
+ bucket = aws_s3_bucket.main.bucket
+
+ abac_status {
+ status = "Enabled"
+ }
+}
diff --git a/infrastructure/terraform/modules/s3bucket/variables.tf b/infrastructure/terraform/modules/s3bucket/variables.tf
index e61fb77..7aeeb60 100644
--- a/infrastructure/terraform/modules/s3bucket/variables.tf
+++ b/infrastructure/terraform/modules/s3bucket/variables.tf
@@ -129,3 +129,9 @@ variable "object_ownership" {
 description = "Ownership of objects written to the bucket"
 default = "BucketOwnerEnforced"
 }
+
+variable "enable_abac" {
+ type = bool
+ description = "Toggle for enabling ABAC on the bucket. Defaults to false"
+ default = false
+}

From 94b56d8cd0e9624ec6b63a98b3450f8e3a405333 Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Fri, 1 May 2026 14:15:56 +0100
Subject: [PATCH 2/3] CCM-16776: Enable S3 ABAC

---
 infrastructure/terraform/modules/s3bucket/s3_bucket_abac.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/terraform/modules/s3bucket/s3_bucket_abac.tf b/infrastructure/terraform/modules/s3bucket/s3_bucket_abac.tf
index 0609508..fac8d8f 100644
--- a/infrastructure/terraform/modules/s3bucket/s3_bucket_abac.tf
+++ b/infrastructure/terraform/modules/s3bucket/s3_bucket_abac.tf
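Review bot: The new `aws_s3_bucket_abac` resource in s3_bucket_abac.tf turns bucket and object tags into authorization inputs, but neither this file nor the `enable_abac` description in the variables.tf hunk tells module callers that, once enabled, any principal allowed to write tags (`s3:PutObjectTagging`, `s3:PutBucketTagging`, or replication carrying `s3:ReplicateTags`) can effectively change who may reach the data. The description's "Defaults to false" only repeats `default = false`; I would put a comment above the resource, `# With ABAC enabled, tags are access-control attributes: scope tagging permissions on this bucket tightly.`, and change the description to `"Enable attribute-based access control on the bucket. When true, tag writes become access-control changes and tagging permissions should be tightly scoped"`. `aws_s3_bucket_abac` also needs a recent AWS provider, so if the module's `required_providers` constraint (not in this patch) predates it, `terraform init` will fail and the minimum should be raised in the same change. Flipping `enable_abac` back to false destroys the resource; I would confirm that the provider's delete actually sets the bucket's ABAC status back to disabled rather than only dropping it from state.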
@@ -1,5 +1,5 @@
 resource "aws_s3_bucket_abac" "main" {
- count = var.enable_abac ? 1 : 0
+ count = var.enable_abac ? 1 : 0
 bucket = aws_s3_bucket.main.bucket
 
 abac_status {

From 00109ad1a989a15d3d97d93f3a4288a82140e667 Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Fri, 1 May 2026 14:19:00 +0100
Subject: [PATCH 3/3] CCM-16776: Enable S3 ABAC

---
 infrastructure/terraform/modules/s3bucket/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/infrastructure/terraform/modules/s3bucket/README.md b/infrastructure/terraform/modules/s3bucket/README.md
index 4cc9015..8e0e793 100644
--- a/infrastructure/terraform/modules/s3bucket/README.md
+++ b/infrastructure/terraform/modules/s3bucket/README.md
@@ -18,6 +18,7 @@
 | [bucket\_notification\_depends\_on](#input\_bucket\_notification\_depends\_on) | Bucket notification explicit dependencies for depends\_on meta | `list(any)` | `[]` | no |
 | [component](#input\_component) | The name of the tfscaffold component | `string` | n/a | yes |
 | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
+| [enable\_abac](#input\_enable\_abac) | Toggle for enabling ABAC on the bucket. Defaults to false | `bool` | `false` | no |
 | [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | [force\_destroy](#input\_force\_destroy) | Boolean to toggle force destroy of bucket. Defaults to true; should be changed in exceptional circumstances | `bool` | `true` | no |
 | [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of default encryption KMS key for this bucket. If omitted, will use AES256 | `string` | `null` | no |