From 5cc86e5c55cb50e60708ba2e21abca51d7c4e131 Mon Sep 17 00:00:00 2001
From: Chris Elliott <chris.elliott17@nhs.net>
Date: Tue, 23 Jun 2026 12:42:35 +0100
Subject: [PATCH] CCM-10241: Fix cloudwatch delivery logging

---
 .../eventpub/iam_policy_sns_delivery_logging_cloudwatch.tf | 7 +++++++
 .../eventsub/iam_policy_sns_delivery_logging_cloudwatch.tf | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/infrastructure/terraform/modules/eventpub/iam_policy_sns_delivery_logging_cloudwatch.tf b/infrastructure/terraform/modules/eventpub/iam_policy_sns_delivery_logging_cloudwatch.tf
index d296da2d..146aabad 100644
--- a/infrastructure/terraform/modules/eventpub/iam_policy_sns_delivery_logging_cloudwatch.tf
+++ b/infrastructure/terraform/modules/eventpub/iam_policy_sns_delivery_logging_cloudwatch.tf
@@ -6,6 +6,13 @@ resource "aws_iam_policy" "sns_delivery_logging_cloudwatch" {
   policy      = data.aws_iam_policy_document.sns_delivery_logging_cloudwatch[0].json
 }
 
+resource "aws_iam_role_policy_attachment" "sns_delivery_logging_cloudwatch" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  role       = aws_iam_role.sns_delivery_logging_role[0].name
+  policy_arn = aws_iam_policy.sns_delivery_logging_cloudwatch[0].arn
+}
+
 data "aws_iam_policy_document" "sns_delivery_logging_cloudwatch" {
   count = var.enable_sns_delivery_logging ? 1 : 0
 
diff --git a/infrastructure/terraform/modules/eventsub/iam_policy_sns_delivery_logging_cloudwatch.tf b/infrastructure/terraform/modules/eventsub/iam_policy_sns_delivery_logging_cloudwatch.tf
index d296da2d..146aabad 100644
--- a/infrastructure/terraform/modules/eventsub/iam_policy_sns_delivery_logging_cloudwatch.tf
+++ b/infrastructure/terraform/modules/eventsub/iam_policy_sns_delivery_logging_cloudwatch.tf
@@ -6,6 +6,13 @@ resource "aws_iam_policy" "sns_delivery_logging_cloudwatch" {
   policy      = data.aws_iam_policy_document.sns_delivery_logging_cloudwatch[0].json
 }
 
+resource "aws_iam_role_policy_attachment" "sns_delivery_logging_cloudwatch" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  role       = aws_iam_role.sns_delivery_logging_role[0].name
+  policy_arn = aws_iam_policy.sns_delivery_logging_cloudwatch[0].arn
+}
+
 data "aws_iam_policy_document" "sns_delivery_logging_cloudwatch" {
   count = var.enable_sns_delivery_logging ? 1 : 0