NHSDigital · bhansell1 · May 5, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
@@ -51,6 +51,7 @@
 | <a name="output_sftp_environment"></a> [sftp\_environment](#output\_sftp\_environment) | n/a |
 | <a name="output_sftp_mock_credential_path"></a> [sftp\_mock\_credential\_path](#output\_sftp\_mock\_credential\_path) | n/a |
 | <a name="output_sftp_poll_lambda_name"></a> [sftp\_poll\_lambda\_name](#output\_sftp\_poll\_lambda\_name) | n/a |
+| <a name="output_templates_quarantine_bucket_key_prefix"></a> [templates\_quarantine\_bucket\_key\_prefix](#output\_templates\_quarantine\_bucket\_key\_prefix) | n/a |
 | <a name="output_templates_table_name"></a> [templates\_table\_name](#output\_templates\_table\_name) | n/a |
 | <a name="output_test_email_bucket_name"></a> [test\_email\_bucket\_name](#output\_test\_email\_bucket\_name) | n/a |
 | <a name="output_test_email_bucket_prefix"></a> [test\_email\_bucket\_prefix](#output\_test\_email\_bucket\_prefix) | n/a |

@@ -85,3 +85,7 @@ output "letter_variants_table_name" {
 output "contact_details_table_name" {
   value = module.backend_api.contact_details_table_name
 }
+
+output "templates_quarantine_bucket_key_prefix" {
+  value = module.backend_api.templates_quarantine_bucket_key_prefix
+}
@@ -74,7 +74,6 @@ No requirements.
 | <a name="module_request_proof_lambda"></a> [request\_proof\_lambda](#module\_request\_proof\_lambda) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_s3bucket_download"></a> [s3bucket\_download](#module\_s3bucket\_download) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.4/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_internal"></a> [s3bucket\_internal](#module\_s3bucket\_internal) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.4/terraform-s3bucket.zip | n/a |
-| <a name="module_s3bucket_quarantine"></a> [s3bucket\_quarantine](#module\_s3bucket\_quarantine) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.4/terraform-s3bucket.zip | n/a |
 | <a name="module_sqs_letter_render"></a> [sqs\_letter\_render](#module\_sqs\_letter\_render) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.28/terraform-sqs.zip | n/a |
 | <a name="module_sqs_proof_requests_table_events_pipe_dlq"></a> [sqs\_proof\_requests\_table\_events\_pipe\_dlq](#module\_sqs\_proof\_requests\_table\_events\_pipe\_dlq) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-sqs.zip | n/a |
 | <a name="module_sqs_routing_config_table_events_pipe_dlq"></a> [sqs\_routing\_config\_table\_events\_pipe\_dlq](#module\_sqs\_routing\_config\_table\_events\_pipe\_dlq) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.28/terraform-sqs.zip | n/a |
@@ -106,6 +105,7 @@ No requirements.
 | <a name="output_sftp_environment"></a> [sftp\_environment](#output\_sftp\_environment) | n/a |
 | <a name="output_sftp_mock_credential_path"></a> [sftp\_mock\_credential\_path](#output\_sftp\_mock\_credential\_path) | n/a |
 | <a name="output_sftp_poll_lambda_name"></a> [sftp\_poll\_lambda\_name](#output\_sftp\_poll\_lambda\_name) | n/a |
+| <a name="output_templates_quarantine_bucket_key_prefix"></a> [templates\_quarantine\_bucket\_key\_prefix](#output\_templates\_quarantine\_bucket\_key\_prefix) | n/a |
 | <a name="output_templates_table_name"></a> [templates\_table\_name](#output\_templates\_table\_name) | n/a |
 <!-- vale on -->
 <!-- markdownlint-enable -->

@@ -6,21 +6,14 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_proof
     source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
     resources = [
-      var.guardduty_protection_plan_quarantine_arn,
-      #TODO: CCM-12777: delete
-      aws_guardduty_malware_protection_plan.quarantine.arn
-    ]
+    var.guardduty_protection_plan_quarantine_arn, ]
     detail = {
       s3ObjectDetails = {
         bucketName = [
           data.aws_s3_bucket.quarantine.id,
-          # TODO: CCM-12777: delete
-          module.s3bucket_quarantine.id
         ]
         objectKey = [
-          { prefix = "${var.environment}/proofs/" },
-          # TODO: CCM-12777: delete
-          { prefix = "proofs/" }
+          { prefix = "${local.csi}/proofs/" },
         ]
       }
       scanResultDetails = {

@@ -7,24 +7,16 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_uploa
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
     resources = [
       var.guardduty_protection_plan_quarantine_arn,
-      #TODO: CCM-12777: delete
-      aws_guardduty_malware_protection_plan.quarantine.arn
     ]
     detail = {
       s3ObjectDetails = {
         bucketName = [
           data.aws_s3_bucket.quarantine.id,
-          #TODO: CCM-12777: delete
-          module.s3bucket_quarantine.id
         ]
         objectKey = [
-          { prefix = "${var.environment}/docx-template/" },
-          { prefix = "${var.environment}/pdf-template/" },
-          { prefix = "${var.environment}/test-data/" },
-          # TODO: CCM-12777 delete
-          { prefix = "docx-template/" },
-          { prefix = "pdf-template/" },
-          { prefix = "test-data/" }
+          { prefix = "${local.csi}/docx-template/" },
+          { prefix = "${local.csi}/pdf-template/" },
+          { prefix = "${local.csi}/test-data/" },
         ]
       }
       scanResultDetails = {

@@ -7,20 +7,14 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_docx_
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
     resources = [
       var.guardduty_protection_plan_quarantine_arn,
-      #TODO: CCM-12777: delete
-      aws_guardduty_malware_protection_plan.quarantine.arn
     ]
     detail = {
       s3ObjectDetails = {
         bucketName = [
           data.aws_s3_bucket.quarantine.id,
-          # TODO: CCM-12777: delete
-          module.s3bucket_quarantine.id
         ]
         objectKey = [
-          { prefix = "${var.environment}/docx-template/" },
-          # TODO: CCM-12777: delete
-          { prefix = "docx-template/" }
+          { prefix = "${local.csi}/docx-template/" },
         ]
       }
       scanResultDetails = {

@@ -7,20 +7,14 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_proof
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
     resources = [
       var.guardduty_protection_plan_quarantine_arn,
-      #TODO: CCM-12777: delete
-      aws_guardduty_malware_protection_plan.quarantine.arn
     ]
     detail = {
       s3ObjectDetails = {
         bucketName = [
           data.aws_s3_bucket.quarantine.id,
-          # TODO: CCM-12777: delete
-          module.s3bucket_quarantine.id
         ]
         objectKey = [
-          { prefix = "${var.environment}/proofs/" },
-          # TODO: CCM-12777: delete
-          { prefix = "proofs/" }
+          { prefix = "${local.csi}/proofs/" },
         ]
       }
       scanResultDetails = {

@@ -7,22 +7,15 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_uploa
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
     resources = [
       var.guardduty_protection_plan_quarantine_arn,
-      #TODO: CCM-12777: delete
-      aws_guardduty_malware_protection_plan.quarantine.arn
     ]
     detail = {
       s3ObjectDetails = {
         bucketName = [
           data.aws_s3_bucket.quarantine.id,
-          # TODO: CCM-12777: delete
-          module.s3bucket_quarantine.id
         ]
         objectKey = [
-          { prefix = "${var.environment}/pdf-template/" },
-          { prefix = "${var.environment}/test-data/" },
-          # TODO: CCM-12777: delete
-          { prefix = "pdf-template/" },
-          { prefix = "test-data/" }
+          { prefix = "${local.csi}/pdf-template/" },
+          { prefix = "${local.csi}/test-data/" },
         ]
       }
       scanResultDetails = {

@@ -63,6 +63,7 @@ locals {
     TEMPLATES_DOWNLOAD_BUCKET_NAME          = module.s3bucket_download.id
     TEMPLATES_INTERNAL_BUCKET_NAME          = module.s3bucket_internal.id
     TEMPLATES_QUARANTINE_BUCKET_NAME        = data.aws_s3_bucket.quarantine.id
+    TEMPLATES_QUARANTINE_BUCKET_KEY_PREFIX  = local.csi
     TEMPLATES_TABLE_NAME                    = aws_dynamodb_table.templates.name
   }
 

@@ -49,8 +49,6 @@ data "aws_iam_policy_document" "copy_scanned_object_to_internal" {
 
     resources = [
       data.aws_s3_bucket.quarantine.arn,
-      # TODO: CCM-12777: delete
-      module.s3bucket_quarantine.arn
     ]
   }
 
@@ -66,9 +64,7 @@ data "aws_iam_policy_document" "copy_scanned_object_to_internal" {
     ]
 
     resources = [
-      "${data.aws_s3_bucket.quarantine.arn}/${var.environment}/*",
-      # TODO: CCM-12777: delete
-      "${module.s3bucket_quarantine.arn}/*"
+      "${data.aws_s3_bucket.quarantine.arn}/${local.csi}/*",
     ]
   }
 

@@ -48,9 +48,7 @@ data "aws_iam_policy_document" "delete_failed_scanned_object" {
     ]
 
     resources = [
-      "${data.aws_s3_bucket.quarantine.arn}/${var.environment}/*",
-      # TODO: CCM-12777: delete
-      "${module.s3bucket_quarantine.arn}/*"
+      "${data.aws_s3_bucket.quarantine.arn}/${local.csi}/*",
     ]
   }
 

@@ -94,9 +94,7 @@ data "aws_iam_policy_document" "process_proof" {
     ]
 
     resources = [
-      "${data.aws_s3_bucket.quarantine.arn}/${var.environment}/*",
-      #TODO: CCM-12777: delete
-      "${module.s3bucket_quarantine.arn}/*"
+      "${data.aws_s3_bucket.quarantine.arn}/${local.csi}/*",
     ]
   }