diff --git a/deployment/terraform/shared/main.tf b/deployment/terraform/shared/main.tf
index 804082fc..25c7d357 100644
--- a/deployment/terraform/shared/main.tf
+++ b/deployment/terraform/shared/main.tf
@@ -572,16 +572,17 @@ module "bulk_upload_finaliser_registry" {
 stage = var.stage
 }
-# The finaliser only reads the combiner output (bulk_final_outputs) to insert
-# property rows; it writes to Postgres, not S3.
+# The finaliser reads the combiner output (bulk_final_outputs) to insert property
+# rows, and — for v2 (ADR-0006) — the classifier CSV (bulk_onboarding_inputs) to
+# populate property_overrides. It writes to Postgres, not S3.
 module "bulk_upload_finaliser_s3_read" {
 source = "../modules/s3_iam_policy"
 policy_name = "BulkUploadFinaliserReadS3"
- policy_description = "Allow bulk_upload_finaliser Lambda to read combiner output from retrofit-data bucket"
+ policy_description = "Allow bulk_upload_finaliser Lambda to read combiner output + classifier CSV from retrofit-data bucket"
 bucket_arns = ["arn:aws:s3:::retrofit-data-${var.stage}"]
 actions = ["s3:GetObject", "s3:ListBucket"]
- resource_paths = ["/bulk_final_outputs/*"]
+ resource_paths = ["/bulk_final_outputs/*", "/bulk_onboarding_inputs/*"]
 }
 output "bulk_upload_finaliser_s3_read_arn" {
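Review bot: The widened `resource_paths` in `bulk_upload_finaliser_s3_read` grants read on everything under `/bulk_onboarding_inputs/*`, while the updated comment says the finaliser only needs the classifier CSV from that prefix. If the prefix also holds raw uploads or other pipeline inputs, a narrower path for the classifier CSV alone would keep the Lambda role closer to least privilege. Separately, `s3:ListBucket` is a bucket-level action, and the `s3_iam_policy` module is not visible here. If the module attaches the action to object ARNs it has no effect, and if it attaches it to the bucket ARN it allows listing every key unless an `s3:prefix` condition limits it to the two prefixes. Once that is verified, I would record it next to `actions`, for example `# ListBucket is limited by the module to the prefixes in resource_paths`.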