From fc1e2c7c924b747ff4032fba0dcabc06fd775366 Mon Sep 17 00:00:00 2001
From: Oneeb <258801025+oneeb-nhs@users.noreply.github.com>
Date: Wed, 1 Apr 2026 09:38:41 +0100
Subject: [PATCH 1/2] changed cloudwatch access log bucket name to meet character requirements

---
 infrastructure/modules/s3/s3.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/modules/s3/s3.tf b/infrastructure/modules/s3/s3.tf
index 8dc3c8744..d407dabaf 100644
--- a/infrastructure/modules/s3/s3.tf
+++ b/infrastructure/modules/s3/s3.tf
@@ -68,7 +68,7 @@ resource "aws_s3_bucket" "storage_bucket_access_logs" {
 #checkov:skip=CKV_AWS_144: We don't want to replicate outside our region
 #checkov:skip=CKV2_AWS_62: We won't enable event notifications for this bucket, yet
 #checkov:skip=CKV_AWS_21: Versioning not needed given short lifecycle of logs
- bucket = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.bucket_name}-access-logs"
+ bucket = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.bucket_name}-access-log"
 }
 
 resource "aws_s3_bucket_logging" "storage_bucket_logging_config" {

From e876c3d22442394d159323042dafca5fd0b9153a Mon Sep 17 00:00:00 2001
From: Oneeb <258801025+oneeb-nhs@users.noreply.github.com>
Date: Wed, 1 Apr 2026 09:57:47 +0100
Subject: [PATCH 2/2] shortened cloudwatch bucket name

---
 infrastructure/modules/s3/s3.tf | 2 +-
 infrastructure/stacks/api-layer/s3_buckets.tf | 2 +-
 .../iams-developer-roles/github_actions_policies.tf | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/infrastructure/modules/s3/s3.tf b/infrastructure/modules/s3/s3.tf
index d407dabaf..8dc3c8744 100644
--- a/infrastructure/modules/s3/s3.tf
+++ b/infrastructure/modules/s3/s3.tf
@@ -68,7 +68,7 @@ resource "aws_s3_bucket" "storage_bucket_access_logs" {
 #checkov:skip=CKV_AWS_144: We don't want to replicate outside our region
 #checkov:skip=CKV2_AWS_62: We won't enable event notifications for this bucket, yet
 #checkov:skip=CKV_AWS_21: Versioning not needed given short lifecycle of logs
- bucket = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.bucket_name}-access-log"
+ bucket = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.bucket_name}-access-logs"
 }
 
 resource "aws_s3_bucket_logging" "storage_bucket_logging_config" {
diff --git a/infrastructure/stacks/api-layer/s3_buckets.tf b/infrastructure/stacks/api-layer/s3_buckets.tf
index 8e7b1ab35..fb6fd9054 100644
--- a/infrastructure/stacks/api-layer/s3_buckets.tf
+++ b/infrastructure/stacks/api-layer/s3_buckets.tf
@@ -60,7 +60,7 @@ module "s3_dq_metrics_bucket" {
 module "s3_cloudtrail_bucket" {
 source = "../../modules/s3"
- bucket_name = "eli-cloudwatch-logs"
+ bucket_name = "eli-cloudwatch"
 environment = var.environment
 project_name = var.project_name
 stack_name = local.stack_name
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index e4ab48f40..72c46e35a 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
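Review bot: The new `bucket_name = "eli-cloudwatch"` in `module "s3_cloudtrail_bucket"` changes the `bucket` argument of the module's `aws_s3_bucket` resources (the `storage_bucket_access_logs` one shown in the hunk above and, presumably, the main bucket), which Terraform can only satisfy by destroying and recreating them; if these buckets already exist in any deployed environment the apply will try to delete a bucket that may still hold log objects, failing without `force_destroy` or silently discarding retained logs with it. Please state in the PR whether the buckets exist yet and, if so, copy or lifecycle-expire their objects before this rename lands. The shortening also only helps while the computed name stays under S3's 63-character limit for every workspace: assuming `var.project_name` is `eligibility-signposting-api` as the IAM ARNs suggest, `<project>-dev-eli-cloudwatch-access-logs` is already 58 characters before the `${terraform.workspace}-` prefix, so any workspace name longer than four characters still fails. Hoisting the name expression into a `local` and guarding it with a `lifecycle { precondition { condition = length(local.access_logs_bucket_name) <= 63 ... } }` (with an `error_message` naming the workspace) would fail the plan with a clear message instead of an S3 `InvalidBucketName` error at apply time. Finally, a module called `s3_cloudtrail_bucket` now owns a bucket named `eli-cloudwatch`; a one-line comment saying which service actually delivers to this bucket, e.g. `# CloudTrail delivery bucket; "cloudwatch" kept in the name to match the existing IAM ARNs`, would save the next reader a guess.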
@@ -235,10 +235,10 @@ resource "aws_iam_policy" "s3_management" {
 "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics/*",
 "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics-access-logs",
 "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics-access-logs/*",
- "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs",
- "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs/*",
- "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs-access-logs",
- "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs-access-logs/*",
+ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch",
+ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch/*",
+ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-access-logs",
+ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-access-logs/*",
 ]
 }
 ]
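Review bot: The policy now lists only the `-eli-cloudwatch` and `-eli-cloudwatch-access-logs` ARNs, so the GitHub Actions role loses every S3 permission on buckets carrying the old `-eli-cloudwatch-logs` names; if those buckets exist in any environment, the same apply that recreates them under the new name will be denied when it tries to empty and delete the old ones, and any access-log objects left behind become unreachable to this role. Unless the old buckets are confirmed never to have been created, keep the four removed ARNs alongside the new ones for the migration window and drop them in a follow-up once the old buckets are gone. The leading `*` in these ARNs (carried over from the removed lines) matches any bucket in the account whose name ends with the given suffix, not only workspace-prefixed ones; if that breadth is intentional, a short comment such as `# leading * admits the optional "<workspace>-" prefix added by modules/s3` would stop it being tightened by mistake. The `s3_management` resource block starts before this hunk.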