From 9785cfb469a5bb05c32057be520ad167b755196f Mon Sep 17 00:00:00 2001
From: Steve Buxton
Date: Mon, 11 May 2026 14:55:03 +0100
Subject: [PATCH 1/2] Add routing for supplier config data
---
 ...oudwatch_event_bus_policy_control_plane.tf | 1 +
 ...nt_rule_supplier_config_to_supplier_api.tf | 87 +++++++++++++++++++
 ...plier_config_to_supplier_api_events_dlq.tf | 34 ++++++++
 3 files changed, 122 insertions(+)
 create mode 100644 infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_config_to_supplier_api.tf
 create mode 100644 infrastructure/terraform/components/events/module_supplier_config_to_supplier_api_events_dlq.tf
diff --git a/infrastructure/terraform/components/events/cloudwatch_event_bus_policy_control_plane.tf b/infrastructure/terraform/components/events/cloudwatch_event_bus_policy_control_plane.tf
index d845ec3..17aaf43 100644
--- a/infrastructure/terraform/components/events/cloudwatch_event_bus_policy_control_plane.tf
+++ b/infrastructure/terraform/components/events/cloudwatch_event_bus_policy_control_plane.tf
@@ -28,6 +28,7 @@ data "aws_iam_policy_document" "control_plane_ingest" {
 values = distinct(flatten([
 formatlist("arn:aws:iam::%s:role/comms-*-api-event-publisher", var.event_publisher_account_ids),
 formatlist("arn:aws:iam::%s:role/nhs-notify-*-eventpub", var.event_publisher_account_ids),
+ formatlist("arn:aws:iam::%s:role/service-role/GitHub_Deploy", var.event_publisher_account_ids),
 (
 var.template_control_cross_account_source != null
 ) ? [
diff --git a/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_config_to_supplier_api.tf b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_config_to_supplier_api.tf
new file mode 100644
index 0000000..b90ced3
--- /dev/null
+++ b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_config_to_supplier_api.tf
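Review bot: The added `service-role/GitHub_Deploy` principal lets a CI/CD deployment role publish to the control-plane bus in every account in `var.event_publisher_account_ids`, and nothing in the hunk records why a deploy-time identity needs a runtime publisher permission (the action list of `control_plane_ingest` is outside the hunk, so I am assuming it is the bus-ingest action the other publisher roles get). If the pipeline only needs this to seed or smoke-test events, confining it to the accounts where that happens rather than the whole publisher list would be tighter, and the line deserves a comment such as `# GitHub_Deploy: lets the deploy pipeline publish supplier-config events — TODO confirm this is wanted in production accounts`. The `control_plane_ingest` policy document starts before and ends after the hunk, so I cannot see whether another condition already narrows this statement.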
@@ -0,0 +1,87 @@
+resource "aws_cloudwatch_event_rule" "supplier_config_to_supplier_api" {
+ count = (var.supplier_api_data_cross_account_target != null) ? 1 : 0
+
+ name = "${local.csi}-supplier-config-to-supplier-api"
+ description = "Supplier Config events to Supplier API Rule"
+ event_bus_name = aws_cloudwatch_event_bus.control_plane.name
+
+ event_pattern = jsonencode({
+ "detail" : {
+ "type" : [
+ { "prefix" : "uk.nhs.notify.supplier-config" }
+ ],
+ }
+ })
+}
+
+resource "aws_cloudwatch_event_target" "supplier_config_to_supplier_api" {
+ count = (var.supplier_api_data_cross_account_target != null) ? 1 : 0
+
+ rule = aws_cloudwatch_event_rule.supplier_config_to_supplier_api[0].name
+ arn = var.event_target_arns["supplier_api_sns_topic"]
+ target_id = "supplier-api-control-incoming"
+ event_bus_name = aws_cloudwatch_event_bus.control_plane.name
+ role_arn = aws_iam_role.supplier_config_to_supplier_api_events[0].arn
+ input_path = "$.detail"
+ dead_letter_config {
+ arn = module.supplier_config_to_supplier_api_events_dlq[0].sqs_queue_arn
+ }
+}
+
+data "aws_iam_policy_document" "supplier_config_to_supplier_api_events" {
+ count = (var.supplier_api_data_cross_account_target != null) ? 1 : 0
+
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = ["events.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "supplier_config_to_supplier_api_events" {
+ count = (var.supplier_api_data_cross_account_target != null) ? 1 : 0
+
+ name = "${local.csi}-supplier-config-to-supplier-api-events"
+
+ assume_role_policy = data.aws_iam_policy_document.supplier_config_to_supplier_api_events[0].json
+}
+
+resource "aws_iam_policy" "supplier_config_to_supplier_api_events" {
+ count = (var.supplier_api_data_cross_account_target != null) ? 1 : 0
+
+ name = "${local.csi}-csupplier_config-to-supplier-events"
+
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [{
+ Effect = "Allow",
+ Action = "sns:Publish",
+ Resource = var.event_target_arns["supplier_api_sns_topic"]
+ },
+ {
+ Action = [
+ "kms:GenerateDataKey",
+ "kms:Encrypt",
+ "kms:DescribeKey",
+ "kms:Decrypt"
+ ],
+ Effect = "Allow",
+ Resource = "arn:aws:kms:${var.region}:${var.supplier_api_data_cross_account_target.account_id}:key/*"
+ Condition = {
+ "ForAnyValue:StringEquals" = {
+ "kms:ResourceAliases" = "alias/nhs-${var.supplier_api_data_cross_account_target.environment}-supapi"
+ }
+ }
+ }]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "supplier_config_to_supplier_api_events" {
+ count = (var.supplier_api_data_cross_account_target != null) ? 1 : 0
+
+ role = aws_iam_role.supplier_config_to_supplier_api_events[0].name
+ policy_arn = aws_iam_policy.supplier_config_to_supplier_api_events[0].arn
+}
diff --git a/infrastructure/terraform/components/events/module_supplier_config_to_supplier_api_events_dlq.tf b/infrastructure/terraform/components/events/module_supplier_config_to_supplier_api_events_dlq.tf
new file mode 100644
index 0000000..6f94554
--- /dev/null
+++ b/infrastructure/terraform/components/events/module_supplier_config_to_supplier_api_events_dlq.tf
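Review bot: The trust policy in `data "aws_iam_policy_document" "supplier_config_to_supplier_api_events"` lets `events.amazonaws.com` assume the role with no `aws:SourceAccount` or `aws:SourceArn` condition, so an EventBridge rule in any other account that learns the role ARN could assume it and publish to the supplier API topic — the usual confused-deputy gap for service principals. The DLQ queue policy added in the same commit does pin `aws:SourceArn` to this rule, so the trust policy is the odd one out; a `condition` block on `aws:SourceAccount` (using `var.aws_account_id`, which the DLQ module already reads), or on `aws:SourceArn` with the rule ARN, closes it. Separately, the `kms:Encrypt` and `kms:DescribeKey` grants in `aws_iam_policy.supplier_config_to_supplier_api_events` look wider than EventBridge needs to publish to an encrypted SNS topic — as far as I recall only `kms:GenerateDataKey` and `kms:Decrypt` are required, which is worth confirming against the topic's key policy before trimming.
```hcl
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    # Confused-deputy guard: only EventBridge acting for this account may assume the role
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [var.aws_account_id]
    }
    # … unchanged: rest of statement and data block …
```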
@@ -0,0 +1,34 @@
+module "supplier_config_to_supplier_api_events_dlq" {
+ count = (var.supplier_api_data_cross_account_target != null) ? 1 : 0
+ source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-sqs.zip"
+
+ aws_account_id = var.aws_account_id
+ component = var.component
+ environment = var.environment
+ project = var.project
+ region = var.region
+ name = "supplier-config-to-supplier-api-events-dlq"
+ sqs_kms_key_arn = module.kms.key_arn
+
+ sqs_policy_overload = data.aws_iam_policy_document.supplier_config_to_supplier_api_events_allow_eventbridge[0].json
+}
+
+data "aws_iam_policy_document" "supplier_config_to_supplier_api_events_allow_eventbridge" {
+ count = (var.supplier_api_data_cross_account_target != null) ? 1 : 0
+
+ statement {
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["events.amazonaws.com"]
+ }
+
+ actions = ["sqs:SendMessage"]
+ resources = [module.supplier_config_to_supplier_api_events_dlq[0].sqs_queue_arn]
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [aws_cloudwatch_event_rule.supplier_config_to_supplier_api[0].arn]
+ }
+ }
+}
From 47b6cdd6054531cdcae7d7fc16d0217818f0d34a Mon Sep 17 00:00:00 2001
From: stevebux <104152898+stevebux@users.noreply.github.com>
Date: Thu, 14 May 2026 15:28:01 +0100
Subject: [PATCH 2/2] Fix resource name
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../cloudwatch_event_rule_supplier_config_to_supplier_api.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_config_to_supplier_api.tf b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_config_to_supplier_api.tf
index b90ced3..53300d1 100644
--- a/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_config_to_supplier_api.tf
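Review bot: The DLQ module is fetched as a release archive over HTTPS (`source = ".../releases/download/v2.0.20/terraform-sqs.zip"`), and Terraform performs no integrity check on HTTP module sources, so a moved or replaced release asset silently changes what gets applied into this account. If this is the repository's settled pattern for shared modules (I cannot see that from the hunk), a comment next to `source` saying where the release is vetted would at least make the trust decision visible; a git source pinned to a commit SHA via `?ref=` would make the pin tamper-evident. The queue policy's `aws:SourceArn` condition on `sqs:SendMessage` is the right shape and is what the role trust policy in the sibling rule file should mirror. Nothing in the commit alarms on the DLQ, so unless the shared module provides one, failed deliveries will accumulate unnoticed.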
+++ b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_config_to_supplier_api.tf
@@ -52,7 +52,7 @@ resource "aws_iam_role" "supplier_config_to_supplier_api_events" {
 resource "aws_iam_policy" "supplier_config_to_supplier_api_events" {
 count = (var.supplier_api_data_cross_account_target != null) ? 1 : 0
 
- name = "${local.csi}-csupplier_config-to-supplier-events"
+ name = "${local.csi}-supplier-config-to-supplier-api-events"
 
 policy = jsonencode({
 Version = "2012-10-17",