From 1e54dd84acd2a2abc8d4dbd5cefd52364141545c Mon Sep 17 00:00:00 2001
From: Matt Dean
Date: Mon, 23 Feb 2026 16:31:21 +0000
Subject: [PATCH] [NRL-1904] Add permissions for legacy CI bucket for deploying old versions
---
 terraform/account-wide-infrastructure/mgmt/data.tf | 4 ++++
 terraform/account-wide-infrastructure/mgmt/iam_github-ci.tf | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/terraform/account-wide-infrastructure/mgmt/data.tf b/terraform/account-wide-infrastructure/mgmt/data.tf
index 619199098..5d5438bcb 100644
--- a/terraform/account-wide-infrastructure/mgmt/data.tf
+++ b/terraform/account-wide-infrastructure/mgmt/data.tf
@@ -60,3 +60,7 @@ data "aws_secretsmanager_secret_version" "test_restore_account_id" {
 data "aws_secretsmanager_secret_version" "prod_account_id" {
 secret_id = data.aws_secretsmanager_secret.prod_account_id.name
 }
+
+data "aws_s3_bucket" "legacy_ci_data" {
+ bucket = "${local.project}--mgmt--github-ci-logging"
+}
diff --git a/terraform/account-wide-infrastructure/mgmt/iam_github-ci.tf b/terraform/account-wide-infrastructure/mgmt/iam_github-ci.tf
index 0e18af18e..38a97a940 100644
--- a/terraform/account-wide-infrastructure/mgmt/iam_github-ci.tf
+++ b/terraform/account-wide-infrastructure/mgmt/iam_github-ci.tf
@@ -102,7 +102,9 @@ resource "aws_iam_policy" "github_ci_policy" {
 Effect = "Allow"
 Resource = [
 aws_s3_bucket.ci_data.arn,
- "${aws_s3_bucket.ci_data.arn}/*"
+ "${aws_s3_bucket.ci_data.arn}/*",
+ data.aws_s3_bucket.legacy_ci_data.arn,
+ "${data.aws_s3_bucket.legacy_ci_data.arn}/*"
 ]
 }
 ]
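Review bot: The new `data "aws_s3_bucket" "legacy_ci_data"` block in data.tf has no comment saying why a bucket named `...--mgmt--github-ci-logging` is labelled `legacy_ci_data`, who owns it, or when the reference can be removed. Because it is a data source resolved by name, this stack does not manage the bucket, and an S3 ARN carries no account ID, so the IAM grant built from it follows the name rather than the owner. I would add a comment above the block such as `# Legacy CI bucket, not managed by this stack; referenced only so github_ci_policy can reach artefacts of old versions. Remove together with the IAM entries (ticket: <PLACEHOLDER>).` If the bucket is ever deleted, the IAM reference should be removed in the same change so the policy does not keep pointing at a name that can be re-registered.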
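Review bot: Appending the legacy bucket ARNs to the existing `Resource` list in `github_ci_policy` gives the CI role the same S3 actions on the legacy bucket that it has on `ci_data`. The `Action` list of that statement is outside the hunk, so I cannot see whether it includes write or delete actions; if it does, the role can now modify or remove objects in a bucket whose name suggests it holds CI logs. Since the stated purpose is deploying old versions, I would move the legacy ARNs into a statement of their own that lists only the actions those deployments need, and pin that statement to this account with an `aws:ResourceAccount` condition. The action names in the sketch below are an assumption to confirm against what the old deploy jobs actually call.

```hcl
        Resource = [
          aws_s3_bucket.ci_data.arn,
          "${aws_s3_bucket.ci_data.arn}/*"
        ]
      },
      {
        # Legacy CI bucket: read-only, only for deploying old versions.
        # Action list is an assumption - confirm against the old deploy jobs.
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:ListBucket"
        ]
        Resource = [
          data.aws_s3_bucket.legacy_ci_data.arn,
          "${data.aws_s3_bucket.legacy_ci_data.arn}/*"
        ]
      }
      # … unchanged: closing of the Statement list …
```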