From 411ea79b80b6d1c4bb27df1e7c1cfae8f7cec1d8 Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Fri, 5 Jun 2026 15:37:21 +0000
Subject: [PATCH 1/2] permissions
---
 deployment/terraform/shared/main.tf | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/deployment/terraform/shared/main.tf b/deployment/terraform/shared/main.tf
index 804082fc..25c7d357 100644
--- a/deployment/terraform/shared/main.tf
+++ b/deployment/terraform/shared/main.tf
@@ -572,16 +572,17 @@ module "bulk_upload_finaliser_registry" {
 stage = var.stage
 }
-# The finaliser only reads the combiner output (bulk_final_outputs) to insert
-# property rows; it writes to Postgres, not S3.
+# The finaliser reads the combiner output (bulk_final_outputs) to insert property
+# rows, and — for v2 (ADR-0006) — the classifier CSV (bulk_onboarding_inputs) to
+# populate property_overrides. It writes to Postgres, not S3.
 module "bulk_upload_finaliser_s3_read" {
 source = "../modules/s3_iam_policy"
 policy_name = "BulkUploadFinaliserReadS3"
- policy_description = "Allow bulk_upload_finaliser Lambda to read combiner output from retrofit-data bucket"
+ policy_description = "Allow bulk_upload_finaliser Lambda to read combiner output + classifier CSV from retrofit-data bucket"
 bucket_arns = ["arn:aws:s3:::retrofit-data-${var.stage}"]
 actions = ["s3:GetObject", "s3:ListBucket"]
- resource_paths = ["/bulk_final_outputs/*"]
+ resource_paths = ["/bulk_final_outputs/*", "/bulk_onboarding_inputs/*"]
 }
 output "bulk_upload_finaliser_s3_read_arn" {
From 9427a6d40b67346525a72b1c636760e27fd75d25 Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Fri, 5 Jun 2026 15:38:36 +0000
Subject: [PATCH 2/2] description reverted
---
 deployment/terraform/shared/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployment/terraform/shared/main.tf b/deployment/terraform/shared/main.tf
index 25c7d357..9be59e4d 100644
--- a/deployment/terraform/shared/main.tf
+++ b/deployment/terraform/shared/main.tf
@@ -579,7 +579,7 @@ module "bulk_upload_finaliser_s3_read" {
 source = "../modules/s3_iam_policy"
 policy_name = "BulkUploadFinaliserReadS3"
- policy_description = "Allow bulk_upload_finaliser Lambda to read combiner output + classifier CSV from retrofit-data bucket"
+ policy_description = "Allow bulk_upload_finaliser Lambda to read combiner output from retrofit-data bucket"
 bucket_arns = ["arn:aws:s3:::retrofit-data-${var.stage}"]
 actions = ["s3:GetObject", "s3:ListBucket"]
 resource_paths = ["/bulk_final_outputs/*", "/bulk_onboarding_inputs/*"]
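Review bot: The reverted `policy_description` no longer matches what the policy grants: `resource_paths` (context in this hunk, widened in PATCH 1/2) also covers `/bulk_onboarding_inputs/*`, so anyone auditing BulkUploadFinaliserReadS3 by its description will miss the classifier-CSV read. If the revert is meant to avoid replacing the policy (assuming the module creates an `aws_iam_policy`, where a description change forces a new resource), record that above the module, e.g. `# policy_description kept as-is to avoid policy replacement; the policy also reads bulk_onboarding_inputs (ADR-0006)`. Separately, `s3:ListBucket` is a bucket-level action and the `s3_iam_policy` module is not visible here, so it is worth confirming that listing is limited to these two prefixes by an `s3:prefix` condition rather than granted on the whole bucket. The module block closes outside this hunk.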