From 0bfa34d0f35b188ba474b30daf8b7e3a439f23d0 Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs <james.thompson26@nhs.net>
Date: Tue, 23 Jun 2026 09:58:21 +0100
Subject: [PATCH 1/2] CCM-18334: Bump Eventpub to 4.0.10 and add KMS perms to
 Eventsub local module

---
 .../terraform/components/api/modules_eventpub.tf    |  2 +-
 .../terraform/modules/eventsub/iam_role_sns.tf      | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/infrastructure/terraform/components/api/modules_eventpub.tf b/infrastructure/terraform/components/api/modules_eventpub.tf
index f202cbfdd..bc60015f4 100644
--- a/infrastructure/terraform/components/api/modules_eventpub.tf
+++ b/infrastructure/terraform/components/api/modules_eventpub.tf
@@ -1,5 +1,5 @@
 module "eventpub" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-eventpub.zip"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/4.0.10/terraform-eventpub.zip"
 
   name = "eventpub"
 
diff --git a/infrastructure/terraform/modules/eventsub/iam_role_sns.tf b/infrastructure/terraform/modules/eventsub/iam_role_sns.tf
index 97bdc99af..294e392f7 100644
--- a/infrastructure/terraform/modules/eventsub/iam_role_sns.tf
+++ b/infrastructure/terraform/modules/eventsub/iam_role_sns.tf
@@ -48,4 +48,17 @@ data "aws_iam_policy_document" "firehose_delivery" {
       "${aws_kinesis_firehose_delivery_stream.main[0].arn}",
     ]
   }
+  statement {
+    sid    = "AllowKmsAccessForFirehoseDelivery"
+    effect = "Allow"
+
+    actions = [
+      "kms:GenerateDataKey",
+      "kms:Decrypt",
+    ]
+
+    resources = [
+      var.kms_key_arn,
+    ]
+  }
 }

From 4f44a8f9d5a3fef9632ca4e4346ad17a4ef3a3ca Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs <james.thompson26@nhs.net>
Date: Tue, 23 Jun 2026 09:58:35 +0100
Subject: [PATCH 2/2] CCM-18334: Bump Eventpub to 4.0.10 and add KMS perms to
 Eventsub local module

---
 infrastructure/terraform/components/api/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/terraform/components/api/README.md b/infrastructure/terraform/components/api/README.md
index 67b50e3e9..c034c9549 100644
--- a/infrastructure/terraform/components/api/README.md
+++ b/infrastructure/terraform/components/api/README.md
@@ -67,7 +67,7 @@ No requirements.
 | <a name="module_ddb_alarms_mi"></a> [ddb\_alarms\_mi](#module\_ddb\_alarms\_mi) | ../../modules/alarms-ddb | n/a |
 | <a name="module_ddb_alarms_suppliers"></a> [ddb\_alarms\_suppliers](#module\_ddb\_alarms\_suppliers) | ../../modules/alarms-ddb | n/a |
 | <a name="module_domain_truststore"></a> [domain\_truststore](#module\_domain\_truststore) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
-| <a name="module_eventpub"></a> [eventpub](#module\_eventpub) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-eventpub.zip | n/a |
+| <a name="module_eventpub"></a> [eventpub](#module\_eventpub) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/4.0.10/terraform-eventpub.zip | n/a |
 | <a name="module_eventsub"></a> [eventsub](#module\_eventsub) | ../../modules/eventsub | n/a |
 | <a name="module_get_letter"></a> [get\_letter](#module\_get\_letter) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/4.0.2/terraform-lambda.zip | n/a |
 | <a name="module_get_letter_data"></a> [get\_letter\_data](#module\_get\_letter\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/4.0.2/terraform-lambda.zip | n/a |