From cf2ca70af19fbf636b58a8a9c60eeaa9f6ac6b5e Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Fri, 15 Aug 2025 11:36:18 +0100 Subject: [PATCH 1/8] CCM-11701: SSL Module --- infrastructure/modules/ssl/README.md | 30 ++++++++++++++ infrastructure/modules/ssl/locals.tf | 35 +++++++++++++++++ .../modules/ssl/module_ssm_parameters.tf | 39 +++++++++++++++++++ infrastructure/modules/ssl/outputs.tf | 17 ++++++++ infrastructure/modules/ssl/providers.tf | 11 ++++++ .../ssl/tls_cert_request_server_csr.tf | 19 +++++++++ .../tls_locally_signed_cert_server_cert.tf | 21 ++++++++++ .../modules/ssl/tls_private_key_ca_key.tf | 4 ++ .../modules/ssl/tls_private_key_server_key.tf | 4 ++ .../ssl/tls_self_signed_cert_ca_cert.tf | 22 +++++++++++ infrastructure/modules/ssl/variables.tf | 34 ++++++++++++++++ infrastructure/modules/ssl/versions.tf | 3 ++ 12 files changed, 239 insertions(+) create mode 100644 infrastructure/modules/ssl/README.md create mode 100644 infrastructure/modules/ssl/locals.tf create mode 100644 infrastructure/modules/ssl/module_ssm_parameters.tf create mode 100644 infrastructure/modules/ssl/outputs.tf create mode 100644 infrastructure/modules/ssl/providers.tf create mode 100644 infrastructure/modules/ssl/tls_cert_request_server_csr.tf create mode 100644 infrastructure/modules/ssl/tls_locally_signed_cert_server_cert.tf create mode 100644 infrastructure/modules/ssl/tls_private_key_ca_key.tf create mode 100644 infrastructure/modules/ssl/tls_private_key_server_key.tf create mode 100644 infrastructure/modules/ssl/tls_self_signed_cert_ca_cert.tf create mode 100644 infrastructure/modules/ssl/variables.tf create mode 100644 infrastructure/modules/ssl/versions.tf diff --git a/infrastructure/modules/ssl/README.md b/infrastructure/modules/ssl/README.md new file mode 100644 index 0000000..dcd896e --- /dev/null +++ b/infrastructure/modules/ssl/README.md 
@@ -0,0 +1,30 @@ + + + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.10.1 | +| [tls](#requirement\_tls) | 4.0.5 | +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [module](#input\_module) | The variable encapsulating the name of this module | `string` | `"fe"` | no | +| [parameter\_bundle](#input\_parameter\_bundle) | Contains all of the default parameters needed by any module in this project |
object(
{
project = string
environment = string
component = string
group = string
region = string
account_ids = map(string)
account_name = string
default_kms_deletion_window_in_days = number
default_tags = map(string)
iam_resource_arns = map(string)
target_env = map(any)
cicd_bucket_name = string
pipeline_overrides = map(any)
cloudwatch_options = map(bool)
cloudwatch_metric_thresholds = map(map(string))
terraform_root_dir = string
}
)
| n/a | yes | +| [truststore\_s3\_bucket](#input\_truststore\_s3\_bucket) | The id of the mgmt truststore s3 bucket | `string` | n/a | yes | +## Modules + +No modules. +## Outputs + +| Name | Description | +|------|-------------| +| [cacert\_pem](#output\_cacert\_pem) | Truststore | +| [server\_crt](#output\_server\_crt) | Server Certificate | +| [server\_key](#output\_server\_key) | Server Key | + + + \ No newline at end of file diff --git a/infrastructure/modules/ssl/locals.tf b/infrastructure/modules/ssl/locals.tf new file mode 100644 index 0000000..df09aef --- /dev/null +++ b/infrastructure/modules/ssl/locals.tf @@ -0,0 +1,35 @@ +locals { + # Compound Scope Identifier + csi = replace( + format( + "%s-%s-%s-%s", + var.parameter_bundle.project, + var.parameter_bundle.environment, + var.parameter_bundle.component, + var.module, + ), + "_", + "", + ) + + # CSI for use in resources with a global namespace, i.e. S3 Buckets + csi_global = replace( + format( + "%s-%s-%s-%s-%s-%s", + var.parameter_bundle.project, + local.this_account, + var.parameter_bundle.region, + var.parameter_bundle.environment, + var.parameter_bundle.component, + var.module, + ), + "_", + "", + ) + + default_tags = { + Module = var.module, + } + + this_account = var.parameter_bundle.account_ids[var.parameter_bundle.account_name] +} diff --git a/infrastructure/modules/ssl/module_ssm_parameters.tf b/infrastructure/modules/ssl/module_ssm_parameters.tf new file mode 100644 index 0000000..e14bd73 --- /dev/null +++ b/infrastructure/modules/ssl/module_ssm_parameters.tf 
@@ -0,0 +1,39 @@ +resource "aws_ssm_parameter" "server_key" { + name = format("/%s/%s/${var.module}/server-key", var.parameter_bundle.project, var.parameter_bundle.environment) + type = "SecureString" + value = tls_private_key.integration_testing_client_key.private_key_pem + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_ssm_parameter" "server_crt" { + name = format("/%s/%s/${var.module}/server-crt", var.parameter_bundle.project, var.parameter_bundle.environment) + type = "SecureString" + value = tls_locally_signed_cert.integration_testing_client_cert.cert_pem + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_ssm_parameter" "ca_crt" { + name = format("/%s/%s/${var.module}/ca-crt", var.parameter_bundle.project, var.parameter_bundle.environment) + type = "SecureString" + value = tls_self_signed_cert.ca_cert.cert_pem + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_ssm_parameter" "ca_key" { + name = format("/%s/%s/${var.module}/ca-key", var.parameter_bundle.project, var.parameter_bundle.environment) + type = "SecureString" + value = tls_private_key.ca_key.private_key_pem + + lifecycle { + create_before_destroy = true + } +} diff --git a/infrastructure/modules/ssl/outputs.tf b/infrastructure/modules/ssl/outputs.tf new file mode 100644 index 0000000..4241a55 --- /dev/null +++ b/infrastructure/modules/ssl/outputs.tf @@ -0,0 +1,17 @@ +output "server_crt" { + description = "Server Certificate" + value = tls_locally_signed_cert.integration_testing_client_cert.cert_pem + sensitive = true +} + +output "server_key" { + description = "Server Key" + value = tls_private_key.integration_testing_client_key.private_key_pem + sensitive = true +} + +output "cacert_pem" { + description = "Truststore" + value = tls_self_signed_cert.ca_cert.cert_pem + sensitive = true +} diff --git a/infrastructure/modules/ssl/providers.tf b/infrastructure/modules/ssl/providers.tf new file mode 100644 index 0000000..5981a59 --- /dev/null 
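Review bot: The four `aws_ssm_parameter` resources in this hunk write the CA private key and the server private key as `SecureString` without a `key_id`, so both are encrypted under the account-default `aws/ssm` key and read access to the CA key cannot be scoped separately from access to the certificates through a key policy. A customer-managed key, `key_id = <ARN of a customer-managed KMS key, passed in as a module variable>`, would allow that split, and is the usual expectation for a CA signing key. None of the parameters sets `tags = local.default_tags` although locals.tf in this commit defines it. The per-file copies of these four resources added in patch 4 carry the same two gaps.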
+++ b/infrastructure/modules/ssl/providers.tf @@ -0,0 +1,11 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + } + tls = { + source = "hashicorp/tls" + version = "4.0.5" + } + } +} diff --git a/infrastructure/modules/ssl/tls_cert_request_server_csr.tf b/infrastructure/modules/ssl/tls_cert_request_server_csr.tf new file mode 100644 index 0000000..5c0e45e --- /dev/null +++ b/infrastructure/modules/ssl/tls_cert_request_server_csr.tf @@ -0,0 +1,19 @@ +resource "tls_cert_request" "server_csr" { + + private_key_pem = tls_private_key.integration_testing_client_key.private_key_pem + + dns_names = ["${var.module}.${var.parameter_bundle.environment}.communications.national.nhs.uk"] + + subject { + country = "GB" + province = "West Yorkshire" + locality = "Leeds" + common_name = "${var.module}.${var.parameter_bundle.environment}.communications.national.nhs.uk" + organization = "NHS England" + organizational_unit = "NHS Notify" + } + + depends_on = [ + tls_private_key.integration_testing_client_key, + ] +} diff --git a/infrastructure/modules/ssl/tls_locally_signed_cert_server_cert.tf b/infrastructure/modules/ssl/tls_locally_signed_cert_server_cert.tf new file mode 100644 index 0000000..25c1b65 --- /dev/null +++ b/infrastructure/modules/ssl/tls_locally_signed_cert_server_cert.tf @@ -0,0 +1,21 @@ +resource "tls_locally_signed_cert" "integration_testing_client_cert" { + cert_request_pem = tls_cert_request.server_csr.cert_request_pem + ca_private_key_pem = tls_private_key.ca_key.private_key_pem + ca_cert_pem = tls_self_signed_cert.ca_cert.cert_pem + + validity_period_hours = 8760 + + allowed_uses = [ + "digital_signature", + "key_encipherment", + "server_auth", + "client_auth", + ] + + depends_on = [ + tls_private_key.ca_key, + tls_self_signed_cert.ca_cert, + tls_private_key.integration_testing_client_key, + tls_cert_request.server_csr + ] +} 
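Review bot: The `aws` entry in `required_providers` carries no version constraint while `tls` is pinned exactly, so the AWS provider resolves to whatever is newest at `terraform init` time and the module's behaviour can change with no code change. A bounded constraint, `version = "~> <major>.0"` matching whatever the rest of the repository pins, closes that. This `terraform {}` block and the one in versions.tf (later in this patch) could live in one file so the version story is read in one place.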
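Review bot: `tls_locally_signed_cert.integration_testing_client_cert` sets `validity_period_hours = 8760` but no `early_renewal_hours`, so Terraform only plans a replacement once the certificate has already expired; `early_renewal_hours = 720` schedules the rotation a month ahead. The resource and its key are named as a client certificate while the file and the SSM parameter call it the server certificate, and `allowed_uses` grants both `server_auth` and `client_auth`; if it is only presented as a server certificate, dropping `client_auth` narrows its use and the resource name should say server. The `depends_on` lists here and on `tls_cert_request.server_csr` earlier in this line duplicate dependencies already implied by the attribute references and can be removed.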
diff --git a/infrastructure/modules/ssl/tls_private_key_ca_key.tf b/infrastructure/modules/ssl/tls_private_key_ca_key.tf
new file mode 100644
index 0000000..e34a634
--- /dev/null
+++ b/infrastructure/modules/ssl/tls_private_key_ca_key.tf
@@ -0,0 +1,4 @@
+resource "tls_private_key" "ca_key" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
diff --git a/infrastructure/modules/ssl/tls_private_key_server_key.tf b/infrastructure/modules/ssl/tls_private_key_server_key.tf
new file mode 100644
index 0000000..3dd8848
--- /dev/null
+++ b/infrastructure/modules/ssl/tls_private_key_server_key.tf
@@ -0,0 +1,4 @@
+resource "tls_private_key" "integration_testing_client_key" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
diff --git a/infrastructure/modules/ssl/tls_self_signed_cert_ca_cert.tf b/infrastructure/modules/ssl/tls_self_signed_cert_ca_cert.tf
new file mode 100644
index 0000000..fc1f1fd
--- /dev/null
+++ b/infrastructure/modules/ssl/tls_self_signed_cert_ca_cert.tf
@@ -0,0 +1,22 @@
+resource "tls_self_signed_cert" "ca_cert" {
+ private_key_pem = tls_private_key.ca_key.private_key_pem
+
+ is_ca_certificate = true
+
+ subject {
+ country = "GB"
+ province = "West Yorkshire"
+ locality = "Leeds"
+ common_name = "${var.module}.${var.parameter_bundle.environment}-ca.communications.national.nhs.uk"
+ organization = "NHS England"
+ organizational_unit = "NHS Notify"
+ }
+
+ validity_period_hours = 17520
+
+ allowed_uses = [
+ "digital_signature",
+ "cert_signing",
+ "crl_signing",
+ ]
+}
diff --git a/infrastructure/modules/ssl/variables.tf b/infrastructure/modules/ssl/variables.tf
new file mode 100644
index 0000000..0b07ad5
--- /dev/null
+++ b/infrastructure/modules/ssl/variables.tf
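Review bot: The keys produced by `tls_private_key.ca_key` and `tls_private_key.integration_testing_client_key` are kept in plaintext in Terraform state (the tls provider documents this), so the CA signing key is only as protected as the state backend, which this module cannot enforce; each of the two files should open with a comment such as `# NOTE: private_key_pem is stored unencrypted in Terraform state; the state backend must be encrypted and access-restricted.` `tls_self_signed_cert.ca_cert` sets `validity_period_hours = 17520` with no `early_renewal_hours`, so the CA is replaced only after expiry, and replacing it invalidates every certificate signed under it; `early_renewal_hours = 1440` leaves a two-month window to roll the CA and the server certificate together. Adding `set_subject_key_id = true` to the CA certificate lets relying parties identify the issuer by key identifier rather than subject name.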
@@ -0,0 +1,34 @@ +variable "module" { + type = string + description = "The variable encapsulating the name of this module" + default = "fe" +} + +variable "parameter_bundle" { + type = object( + { + project = string + environment = string + component = string + group = string + region = string + account_ids = map(string) + account_name = string + default_kms_deletion_window_in_days = number + default_tags = map(string) + iam_resource_arns = map(string) + target_env = map(any) + cicd_bucket_name = string + pipeline_overrides = map(any) + cloudwatch_options = map(bool) + cloudwatch_metric_thresholds = map(map(string)) + terraform_root_dir = string + } + ) + description = "Contains all of the default parameters needed by any module in this project" +} + +variable "truststore_s3_bucket" { + type = string + description = "The id of the mgmt truststore s3 bucket" +} diff --git a/infrastructure/modules/ssl/versions.tf b/infrastructure/modules/ssl/versions.tf new file mode 100644 index 0000000..c43599a --- /dev/null +++ b/infrastructure/modules/ssl/versions.tf @@ -0,0 +1,3 @@ +terraform { + required_version = ">= 1.10.1" +} From 4fed600e5ea69450cea5f859c76718ef928df7f1 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Fri, 15 Aug 2025 12:15:35 +0100 Subject: [PATCH 2/8] CCM-11701: SSL Module --- infrastructure/modules/ssl/README.md | 17 ++- infrastructure/modules/ssl/locals.tf | 35 ++---- .../modules/ssl/module_ssm_parameters.tf | 8 +- .../ssl/tls_cert_request_server_csr.tf | 14 +-- .../ssl/tls_self_signed_cert_ca_cert.tf | 12 +- infrastructure/modules/ssl/variables.tf | 109 +++++++++++++----- 6 files changed, 124 insertions(+), 71 deletions(-) diff --git a/infrastructure/modules/ssl/README.md b/infrastructure/modules/ssl/README.md index dcd896e..7e6c8f1 100644 --- a/infrastructure/modules/ssl/README.md +++ b/infrastructure/modules/ssl/README.md 
@@ -12,8 +12,19 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [module](#input\_module) | The variable encapsulating the name of this module | `string` | `"fe"` | no | -| [parameter\_bundle](#input\_parameter\_bundle) | Contains all of the default parameters needed by any module in this project |
object(
{
project = string
environment = string
component = string
group = string
region = string
account_ids = map(string)
account_name = string
default_kms_deletion_window_in_days = number
default_tags = map(string)
iam_resource_arns = map(string)
target_env = map(any)
cicd_bucket_name = string
pipeline_overrides = map(any)
cloudwatch_options = map(bool)
cloudwatch_metric_thresholds = map(map(string))
terraform_root_dir = string
}
)
| n/a | yes | +| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes | +| [component](#input\_component) | The name of the tfscaffold component | `string` | n/a | yes | +| [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no | +| [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes | +| [name](#input\_name) | A unique name to distinguish this module invocation from others within the same CSI scope | `string` | n/a | yes | +| [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes | +| [region](#input\_region) | The AWS Region | `string` | n/a | yes | +| [subject\_common\_name](#input\_subject\_common\_name) | Common name for certificate subject | `string` | n/a | yes | +| [subject\_country](#input\_subject\_country) | Country for certificate subject | `string` | `"GB"` | no | +| [subject\_locality](#input\_subject\_locality) | Locality for certificate subject | `string` | `"Leeds"` | no | +| [subject\_organization](#input\_subject\_organization) | Organization for certificate subject | `string` | `"NHS England"` | no | +| [subject\_organizational\_unit](#input\_subject\_organizational\_unit) | Organizational unit for certificate subject | `string` | `"NHS Notify"` | no | +| [subject\_province](#input\_subject\_province) | Province for certificate subject | `string` | `"West Yorkshire"` | no | | [truststore\_s3\_bucket](#input\_truststore\_s3\_bucket) | The id of the mgmt truststore s3 bucket | `string` | n/a | yes | ## Modules @@ -27,4 +38,4 @@ No modules. | [server\_key](#output\_server\_key) | Server Key | - \ No newline at end of file + diff --git a/infrastructure/modules/ssl/locals.tf b/infrastructure/modules/ssl/locals.tf index df09aef..398b1a4 100644 --- a/infrastructure/modules/ssl/locals.tf +++ b/infrastructure/modules/ssl/locals.tf 
@@ -1,35 +1,24 @@ locals { + module = "ssl" + # Compound Scope Identifier csi = replace( format( "%s-%s-%s-%s", - var.parameter_bundle.project, - var.parameter_bundle.environment, - var.parameter_bundle.component, - var.module, + var.project, + var.environment, + var.component, + var.name ), "_", "", ) - # CSI for use in resources with a global namespace, i.e. S3 Buckets - csi_global = replace( - format( - "%s-%s-%s-%s-%s-%s", - var.parameter_bundle.project, - local.this_account, - var.parameter_bundle.region, - var.parameter_bundle.environment, - var.parameter_bundle.component, - var.module, - ), - "_", - "", + default_tags = merge( + var.default_tags, + { + Module = local.module + Name = local.csi + }, ) - - default_tags = { - Module = var.module, - } - - this_account = var.parameter_bundle.account_ids[var.parameter_bundle.account_name] } diff --git a/infrastructure/modules/ssl/module_ssm_parameters.tf b/infrastructure/modules/ssl/module_ssm_parameters.tf index e14bd73..7f13f09 100644 --- a/infrastructure/modules/ssl/module_ssm_parameters.tf +++ b/infrastructure/modules/ssl/module_ssm_parameters.tf @@ -1,5 +1,5 @@ resource "aws_ssm_parameter" "server_key" { - name = format("/%s/%s/${var.module}/server-key", var.parameter_bundle.project, var.parameter_bundle.environment) + name = format("/%s/%s/${local.module}/server-key", var.project, var.environment) type = "SecureString" value = tls_private_key.integration_testing_client_key.private_key_pem @@ -9,7 +9,7 @@ resource "aws_ssm_parameter" "server_key" { } resource "aws_ssm_parameter" "server_crt" { - name = format("/%s/%s/${var.module}/server-crt", var.parameter_bundle.project, var.parameter_bundle.environment) + name = format("/%s/%s/${local.module}/server-crt", var.project, var.environment) type = "SecureString" value = tls_locally_signed_cert.integration_testing_client_cert.cert_pem 
@@ -19,7 +19,7 @@ resource "aws_ssm_parameter" "server_crt" { } resource "aws_ssm_parameter" "ca_crt" { - name = format("/%s/%s/${var.module}/ca-crt", var.parameter_bundle.project, var.parameter_bundle.environment) + name = format("/%s/%s/${local.module}/ca-crt", var.project, var.environment) type = "SecureString" value = tls_self_signed_cert.ca_cert.cert_pem @@ -29,7 +29,7 @@ resource "aws_ssm_parameter" "ca_crt" { } resource "aws_ssm_parameter" "ca_key" { - name = format("/%s/%s/${var.module}/ca-key", var.parameter_bundle.project, var.parameter_bundle.environment) + name = format("/%s/%s/${local.module}/ca-key", var.project, var.environment) type = "SecureString" value = tls_private_key.ca_key.private_key_pem diff --git a/infrastructure/modules/ssl/tls_cert_request_server_csr.tf b/infrastructure/modules/ssl/tls_cert_request_server_csr.tf index 5c0e45e..7f2f88f 100644 --- a/infrastructure/modules/ssl/tls_cert_request_server_csr.tf +++ b/infrastructure/modules/ssl/tls_cert_request_server_csr.tf @@ -2,15 +2,15 @@ resource "tls_cert_request" "server_csr" { private_key_pem = tls_private_key.integration_testing_client_key.private_key_pem - dns_names = ["${var.module}.${var.parameter_bundle.environment}.communications.national.nhs.uk"] + dns_names = [var.subject_common_name] subject { - country = "GB" - province = "West Yorkshire" - locality = "Leeds" - common_name = "${var.module}.${var.parameter_bundle.environment}.communications.national.nhs.uk" - organization = "NHS England" - organizational_unit = "NHS Notify" + country = var.subject_country + province = var.subject_province + locality = var.subject_locality + common_name = var.subject_common_name + organization = var.subject_organization + organizational_unit = var.subject_organizational_unit } depends_on = [ diff --git a/infrastructure/modules/ssl/tls_self_signed_cert_ca_cert.tf b/infrastructure/modules/ssl/tls_self_signed_cert_ca_cert.tf index fc1f1fd..7c43574 100644 
--- a/infrastructure/modules/ssl/tls_self_signed_cert_ca_cert.tf +++ b/infrastructure/modules/ssl/tls_self_signed_cert_ca_cert.tf @@ -4,12 +4,12 @@ resource "tls_self_signed_cert" "ca_cert" { is_ca_certificate = true subject { - country = "GB" - province = "West Yorkshire" - locality = "Leeds" - common_name = "${var.module}.${var.parameter_bundle.environment}-ca.communications.national.nhs.uk" - organization = "NHS England" - organizational_unit = "NHS Notify" + country = var.subject_country + province = var.subject_province + locality = var.subject_locality + common_name = var.subject_common_name + organization = var.subject_organization + organizational_unit = var.subject_organizational_unit } validity_period_hours = 17520 diff --git a/infrastructure/modules/ssl/variables.tf b/infrastructure/modules/ssl/variables.tf index 0b07ad5..bec3d30 100644 --- a/infrastructure/modules/ssl/variables.tf +++ b/infrastructure/modules/ssl/variables.tf 
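Review bot: `tls_self_signed_cert.ca_cert` now takes `common_name = var.subject_common_name`, the same value the CSR in this commit uses for the server certificate, so the CA and the leaf end up with an identical subject DN; the previous CN carried a `-ca` suffix that kept them apart. A leaf whose issuer name equals its own subject may be treated as self-signed by some tooling, and operators cannot tell the two certificates apart by name; a separate CA common-name variable, or `common_name = "${var.subject_common_name} CA"`, restores the distinction. Pairing `set_subject_key_id = true` here with `set_authority_key_id = true` on `tls_locally_signed_cert.integration_testing_client_cert` lets chain building match on key identifiers rather than names.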
@@ -1,34 +1,87 @@ -variable "module" { - type = string - description = "The variable encapsulating the name of this module" - default = "fe" -} - -variable "parameter_bundle" { - type = object( - { - project = string - environment = string - component = string - group = string - region = string - account_ids = map(string) - account_name = string - default_kms_deletion_window_in_days = number - default_tags = map(string) - iam_resource_arns = map(string) - target_env = map(any) - cicd_bucket_name = string - pipeline_overrides = map(any) - cloudwatch_options = map(bool) - cloudwatch_metric_thresholds = map(map(string)) - terraform_root_dir = string - } - ) - description = "Contains all of the default parameters needed by any module in this project" +## +# Basic Required Variables for tfscaffold Modules +## + +variable "project" { + type = string + description = "The name of the tfscaffold project" +} + +variable "environment" { + type = string + description = "The name of the tfscaffold environment" +} + +variable "component" { + type = string + description = "The name of the tfscaffold component" +} + +variable "aws_account_id" { + type = string + description = "The AWS Account ID (numeric)" +} + +variable "region" { + type = string + description = "The AWS Region" +} + +## +# tfscaffold variables specific to this module +## + +variable "default_tags" { + type = map(string) + description = "A map of default tags to apply to all taggable resources within the component" + default = {} } +## +# Variables specific to this module +## + variable "truststore_s3_bucket" { type = string description = "The id of the mgmt truststore s3 bucket" } + +variable "name" { + type = string + description = "A unique name to distinguish this module invocation from others within the same CSI scope" +} + +variable "subject_country" { + type = string + description = "Country for certificate subject" + default = "GB" +} + +variable "subject_province" { + type = string + description = 
"Province for certificate subject" + default = "West Yorkshire" +} + +variable "subject_locality" { + type = string + description = "Locality for certificate subject" + default = "Leeds" +} + +variable "subject_common_name" { + type = string + description = "Common name for certificate subject" +} + +variable "subject_organization" { + type = string + description = "Organization for certificate subject" + default = "NHS England" +} + +variable "subject_organizational_unit" { + type = string + description = "Organizational unit for certificate subject" + default = "NHS Notify" +} From cdf9cbb0731aa973feb9a229f9bdd87848fdf7bf Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Fri, 15 Aug 2025 12:16:42 +0100 Subject: [PATCH 3/8] CCM-11701: SSL Module --- .../modules/ssl/{module_ssm_parameters.tf => ssm_parameters.tf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename infrastructure/modules/ssl/{module_ssm_parameters.tf => ssm_parameters.tf} (100%) diff --git a/infrastructure/modules/ssl/module_ssm_parameters.tf b/infrastructure/modules/ssl/ssm_parameters.tf similarity index 100% rename from infrastructure/modules/ssl/module_ssm_parameters.tf rename to infrastructure/modules/ssl/ssm_parameters.tf From 1f3696f46c4015325d84d36e4b5df9dd626d298b Mon Sep 17 00:00:00 2001 
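Review bot: `aws_account_id` and `region` are declared in this hunk but no file of the module in this series references `var.aws_account_id` or `var.region`, so callers are required to supply values that have no effect; either drop them or use them (for instance in `local.default_tags`). `subject_common_name` is also the only `dns_names` entry in the CSR changed in this same commit, so a `validation` block on it that rejects values that are not a plain lowercase hostname (no spaces, no scheme, no leading dot) fails at plan time instead of minting a certificate no client will accept. The `subject_*` defaults are fine as documentation, but a comment noting that `subject_common_name` must be the exact name clients connect to would save a round trip.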
From: jamesthompson26-nhs Date: Fri, 15 Aug 2025 12:20:42 +0100 Subject: [PATCH 4/8] CCM-11701: SSL Module --- .../modules/ssl/ssm_parameter_ca_crt.tf | 9 +++++ .../modules/ssl/ssm_parameter_ca_key.tf | 9 +++++ .../modules/ssl/ssm_parameter_server_crt.tf | 9 +++++ .../modules/ssl/ssm_parameter_server_key.tf | 9 +++++ infrastructure/modules/ssl/ssm_parameters.tf | 39 ------------------- 5 files changed, 36 insertions(+), 39 deletions(-) create mode 100644 infrastructure/modules/ssl/ssm_parameter_ca_crt.tf create mode 100644 infrastructure/modules/ssl/ssm_parameter_ca_key.tf create mode 100644 infrastructure/modules/ssl/ssm_parameter_server_crt.tf create mode 100644 infrastructure/modules/ssl/ssm_parameter_server_key.tf delete mode 100644 infrastructure/modules/ssl/ssm_parameters.tf diff --git a/infrastructure/modules/ssl/ssm_parameter_ca_crt.tf b/infrastructure/modules/ssl/ssm_parameter_ca_crt.tf new file mode 100644 index 0000000..c824b9d --- /dev/null +++ b/infrastructure/modules/ssl/ssm_parameter_ca_crt.tf @@ -0,0 +1,9 @@ +resource "aws_ssm_parameter" "ca_crt" { + name = format("/%s/%s/${local.module}/ca-crt", var.project, var.environment) + type = "SecureString" + value = tls_self_signed_cert.ca_cert.cert_pem + + lifecycle { + create_before_destroy = true + } +} diff --git a/infrastructure/modules/ssl/ssm_parameter_ca_key.tf b/infrastructure/modules/ssl/ssm_parameter_ca_key.tf new file mode 100644 index 0000000..7c25260 --- /dev/null +++ b/infrastructure/modules/ssl/ssm_parameter_ca_key.tf @@ -0,0 +1,9 @@ +resource "aws_ssm_parameter" "ca_key" { + name = format("/%s/%s/${local.module}/ca-key", var.project, var.environment) + type = "SecureString" + value = tls_private_key.ca_key.private_key_pem + + lifecycle { + create_before_destroy = true + } +} diff --git a/infrastructure/modules/ssl/ssm_parameter_server_crt.tf b/infrastructure/modules/ssl/ssm_parameter_server_crt.tf new file mode 100644 index 0000000..d3cff53 --- /dev/null 
+++ b/infrastructure/modules/ssl/ssm_parameter_server_crt.tf @@ -0,0 +1,9 @@ +resource "aws_ssm_parameter" "server_crt" { + name = format("/%s/%s/${local.module}/server-crt", var.project, var.environment) + type = "SecureString" + value = tls_locally_signed_cert.integration_testing_client_cert.cert_pem + + lifecycle { + create_before_destroy = true + } +} diff --git a/infrastructure/modules/ssl/ssm_parameter_server_key.tf b/infrastructure/modules/ssl/ssm_parameter_server_key.tf new file mode 100644 index 0000000..c9cabcb --- /dev/null +++ b/infrastructure/modules/ssl/ssm_parameter_server_key.tf @@ -0,0 +1,9 @@ +resource "aws_ssm_parameter" "server_key" { + name = format("/%s/%s/${local.module}/server-key", var.project, var.environment) + type = "SecureString" + value = tls_private_key.integration_testing_client_key.private_key_pem + + lifecycle { + create_before_destroy = true + } +} diff --git a/infrastructure/modules/ssl/ssm_parameters.tf b/infrastructure/modules/ssl/ssm_parameters.tf deleted file mode 100644 index 7f13f09..0000000 --- a/infrastructure/modules/ssl/ssm_parameters.tf +++ /dev/null 
@@ -1,39 +0,0 @@ -resource "aws_ssm_parameter" "server_key" { - name = format("/%s/%s/${local.module}/server-key", var.project, var.environment) - type = "SecureString" - value = tls_private_key.integration_testing_client_key.private_key_pem - - lifecycle { - create_before_destroy = true - } -} - -resource "aws_ssm_parameter" "server_crt" { - name = format("/%s/%s/${local.module}/server-crt", var.project, var.environment) - type = "SecureString" - value = tls_locally_signed_cert.integration_testing_client_cert.cert_pem - - lifecycle { - create_before_destroy = true - } -} - -resource "aws_ssm_parameter" "ca_crt" { - name = format("/%s/%s/${local.module}/ca-crt", var.project, var.environment) - type = "SecureString" - value = tls_self_signed_cert.ca_cert.cert_pem - - lifecycle { - create_before_destroy = true - } -} - -resource "aws_ssm_parameter" "ca_key" { - name = format("/%s/%s/${local.module}/ca-key", var.project, var.environment) - type = "SecureString" - value = tls_private_key.ca_key.private_key_pem - - lifecycle { - create_before_destroy = true - } -} From e4f0eca3574d00902fd99501ff3ef59337fb2f31 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Fri, 15 Aug 2025 12:21:33 +0100 Subject: [PATCH 5/8] CCM-11701: SSL Module --- infrastructure/modules/ssl/README.md | 2 +- infrastructure/modules/ssl/providers.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/infrastructure/modules/ssl/README.md b/infrastructure/modules/ssl/README.md index 7e6c8f1..26b44c9 100644 --- a/infrastructure/modules/ssl/README.md +++ b/infrastructure/modules/ssl/README.md @@ -7,7 +7,7 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.10.1 | -| [tls](#requirement\_tls) | 4.0.5 | +| [tls](#requirement\_tls) | 4.1.0 | ## Inputs | Name | Description | Type | Default | Required | diff --git a/infrastructure/modules/ssl/providers.tf b/infrastructure/modules/ssl/providers.tf index 5981a59..ad6ac72 100644 
--- a/infrastructure/modules/ssl/providers.tf +++ b/infrastructure/modules/ssl/providers.tf @@ -5,7 +5,7 @@ terraform { } tls = { source = "hashicorp/tls" - version = "4.0.5" + version = "4.1.0" } } } From ad0f56183a902908da2aa7426632a8e3871407e2 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Fri, 15 Aug 2025 13:21:18 +0100 Subject: [PATCH 6/8] CCM-11701: SSL Module --- .github/actions/trivy/action.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/actions/trivy/action.yaml b/.github/actions/trivy/action.yaml index be940ce..1452951 100644 --- a/.github/actions/trivy/action.yaml +++ b/.github/actions/trivy/action.yaml @@ -8,7 +8,6 @@ runs: components_exit_code=0 modules_exit_code=0 - ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$? ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$? if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then From 9b908ac0befa2925fce9914dd62ce1f846e03267 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Fri, 15 Aug 2025 13:22:42 +0100 Subject: [PATCH 7/8] CCM-11701: SSL Module --- .github/actions/trivy/action.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/actions/trivy/action.yaml b/.github/actions/trivy/action.yaml index 1452951..010386e 100644 --- a/.github/actions/trivy/action.yaml +++ b/.github/actions/trivy/action.yaml 
@@ -8,7 +8,13 @@ runs: components_exit_code=0 modules_exit_code=0 - ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$? + if [ -d ./infrastructure/terraform/components ]; then + ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$? + fi + + if [ -d ./infrastructure/terraform/modules ]; then + ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$? + fi if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then echo "Trivy misconfigurations detected." From 88829558f333fdd3c3778972181b38caededcc67 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Fri, 15 Aug 2025 15:12:52 +0100 Subject: [PATCH 8/8] CCM-11701: SSL Module --- infrastructure/modules/ssl/README.md | 1 - infrastructure/modules/ssl/variables.tf | 5 ----- 2 files changed, 6 deletions(-) diff --git a/infrastructure/modules/ssl/README.md b/infrastructure/modules/ssl/README.md index 26b44c9..d7ecda3 100644 --- a/infrastructure/modules/ssl/README.md +++ b/infrastructure/modules/ssl/README.md @@ -25,7 +25,6 @@ | [subject\_organization](#input\_subject\_organization) | Organization for certificate subject | `string` | `"NHS England"` | no | | [subject\_organizational\_unit](#input\_subject\_organizational\_unit) | Organizational unit for certificate subject | `string` | `"NHS Notify"` | no | | [subject\_province](#input\_subject\_province) | Province for certificate subject | `string` | `"West Yorkshire"` | no | -| [truststore\_s3\_bucket](#input\_truststore\_s3\_bucket) | The id of the mgmt truststore s3 bucket | `string` | n/a | yes | ## Modules No modules. diff --git a/infrastructure/modules/ssl/variables.tf b/infrastructure/modules/ssl/variables.tf index bec3d30..28b9b15 100644 --- a/infrastructure/modules/ssl/variables.tf +++ b/infrastructure/modules/ssl/variables.tf 
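Review bot: The new `if [ -d … ]` guards make a missing directory indistinguishable from a clean scan: if either path is absent or renamed, Trivy scans nothing and the step still passes. An `else` branch printing `echo "::warning::trivy: ./infrastructure/terraform/components not found, scan skipped"` (and the same for modules) keeps the skip visible in the job log, and failing unless a skip is explicitly allowed would be stricter. Note that the module added by this series lives under `infrastructure/modules/ssl`, which neither guarded path covers, so unless that directory is scanned elsewhere the new Terraform is not checked by this action. The `run:` step that holds this script begins before the hunk.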
@@ -41,11 +41,6 @@ variable "default_tags" { # Variables specific to this module ## -variable "truststore_s3_bucket" { - type = string - description = "The id of the mgmt truststore s3 bucket" -} - variable "name" { type = string description = "A unique name to distinguish this module invocation from others within the same CSI scope"