From 2b07331b66874f01ceda0fbc090f290b6114ef22 Mon Sep 17 00:00:00 2001
From: Gareth Allan <157592212+gareth-allan@users.noreply.github.com>
Date: Tue, 7 Apr 2026 13:46:28 +0100
Subject: [PATCH 1/7] CCM-15020: Add test SNS topic
---
 infrastructure/terraform/components/dl/sns_topic.tf | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 infrastructure/terraform/components/dl/sns_topic.tf
diff --git a/infrastructure/terraform/components/dl/sns_topic.tf b/infrastructure/terraform/components/dl/sns_topic.tf
new file mode 100644
index 00000000..f3abc9dc
--- /dev/null
+++ b/infrastructure/terraform/components/dl/sns_topic.tf
@@ -0,0 +1,3 @@
+resource "aws_sns_topic" "main" {
+ name = local.csi
+}
From 7edda5203e9095865990d2a54294048c8983942e Mon Sep 17 00:00:00 2001
From: Gareth Allan <157592212+gareth-allan@users.noreply.github.com>
Date: Tue, 7 Apr 2026 16:17:55 +0100
Subject: [PATCH 2/7] CCM-15020: Give test SNS topic a better name
---
 infrastructure/terraform/components/dl/sns_topic.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/terraform/components/dl/sns_topic.tf b/infrastructure/terraform/components/dl/sns_topic.tf
index f3abc9dc..aa53e2e3 100644
--- a/infrastructure/terraform/components/dl/sns_topic.tf
+++ b/infrastructure/terraform/components/dl/sns_topic.tf
@@ -1,3 +1,3 @@
 resource "aws_sns_topic" "main" {
- name = local.csi
+ name = "${local.csi}-test"
 }
From edd7df0581cdc9a02814a271ebae83f7ad7fa8bd Mon Sep 17 00:00:00 2001
From: Gareth Allan <157592212+gareth-allan@users.noreply.github.com>
Date: Wed, 8 Apr 2026 11:35:47 +0100
Subject: [PATCH 3/7] CCM-15020: Allow cross-domain publishing to SNS topic
---
 .../terraform/components/dl/sns_topic.tf | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/infrastructure/terraform/components/dl/sns_topic.tf b/infrastructure/terraform/components/dl/sns_topic.tf
index aa53e2e3..1c9b0090 100644
--- a/infrastructure/terraform/components/dl/sns_topic.tf
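Review bot: The new `aws_sns_topic.main` in the first hunk sets only `name`, so the topic is created with no server-side encryption and anything published to it sits unencrypted at rest. If it will carry more than throwaway test traffic, add `kms_master_key_id = <KMS key id or alias, placeholder>` on the resource; note that a customer-managed key then needs its own key policy to let the cross-account publisher introduced later in this series call `kms:GenerateDataKey` on it, or publishes will fail. The rename in the second hunk needs no change.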
+++ b/infrastructure/terraform/components/dl/sns_topic.tf
@@ -1,3 +1,33 @@
 resource "aws_sns_topic" "main" {
 name = "${local.csi}-test"
+
+ policy = data.aws_iam_policy_document.sns_topic_policy_document.json
+}
+
+data "aws_iam_policy_document" "sns_topic_policy_document" {
+ statement {
+ sid = "AllowCrossDomainEventBridgeToPublishMessageToSNS"
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.shared_infra_account_id}:root"]
+ }
+
+ actions = [
+ "sns:Publish",
+ ]
+
+ resources = [
+ aws_sns_topic.main.arn,
+ ]
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:SourceArn"
+ values = [
+ "arn:aws:events:${var.region}:${var.shared_infra_account_id}:rule/*-data-plane*"
+ ]
+ }
+ }
 }
From bdb4647ab21daa8aa02f09b02e7c429fedb7f784 Mon Sep 17 00:00:00 2001
From: Gareth Allan <157592212+gareth-allan@users.noreply.github.com>
Date: Wed, 8 Apr 2026 11:44:30 +0100
Subject: [PATCH 4/7] CCM-15020: Fix SNS topic IAM policy?
---
 infrastructure/terraform/components/dl/sns_topic.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/infrastructure/terraform/components/dl/sns_topic.tf b/infrastructure/terraform/components/dl/sns_topic.tf
index 1c9b0090..643f220c 100644
--- a/infrastructure/terraform/components/dl/sns_topic.tf
+++ b/infrastructure/terraform/components/dl/sns_topic.tf
@@ -1,6 +1,9 @@
 resource "aws_sns_topic" "main" {
 name = "${local.csi}-test"
+}
+resource "aws_sns_topic_policy" "eventbridge_publish" {
+ arn = aws_sns_topic.main.arn
 policy = data.aws_iam_policy_document.sns_topic_policy_document.json
 }
From c7ae3a4ebe7fb156c8fea2f9866ad36508200020 Mon Sep 17 00:00:00 2001
From: Gareth Allan <157592212+gareth-allan@users.noreply.github.com>
Date: Wed, 8 Apr 2026 11:46:13 +0100
Subject: [PATCH 5/7] CCM-15020: TF Fix
---
 infrastructure/terraform/components/dl/sns_topic.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
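Review bot: The statement in the new `aws_iam_policy_document.sns_topic_policy_document` pairs an `AWS` principal (the shared account's root) with an `ArnLike` condition on `aws:SourceArn` naming EventBridge rule ARNs, and those two do not describe the same caller: `aws:SourceArn` is set when an AWS service calls on behalf of one of its resources, whereas a direct `sns:Publish` from an IAM identity in that account carries no `aws:SourceArn`, so the condition evaluates false and the statement grants nothing. If EventBridge is the publisher, as the sid `AllowCrossDomainEventBridgeToPublishMessageToSNS` suggests, the principal should be the service, `type = "Service"` / `identifiers = ["events.amazonaws.com"]`, with the `aws:SourceArn` condition kept to pin it to the intended rules; if a role in that account publishes directly, which is where the later commits in this series head, the condition should instead be on `aws:PrincipalArn`. The `*-data-plane*` pattern also matches any rule in the account whose name contains `-data-plane`, so prefer the actual rule-name prefix if it is known. The policy self-reference through `aws_sns_topic.main.arn` is already resolved by the following hunk.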
diff --git a/infrastructure/terraform/components/dl/sns_topic.tf b/infrastructure/terraform/components/dl/sns_topic.tf
index 643f220c..f4dbd62c 100644
--- a/infrastructure/terraform/components/dl/sns_topic.tf
+++ b/infrastructure/terraform/components/dl/sns_topic.tf
@@ -2,7 +2,7 @@ resource "aws_sns_topic" "main" {
 name = "${local.csi}-test"
 }
-resource "aws_sns_topic_policy" "eventbridge_publish" {
+resource "aws_sns_topic_policy" "sns_publish" {
 arn = aws_sns_topic.main.arn
 policy = data.aws_iam_policy_document.sns_topic_policy_document.json
 }
From a175cc6b3687d12766977b263c005b247f3df860 Mon Sep 17 00:00:00 2001
From: Gareth Allan <157592212+gareth-allan@users.noreply.github.com>
Date: Wed, 8 Apr 2026 12:31:28 +0100
Subject: [PATCH 6/7] CCM-15020: Permissions fixes
---
 infrastructure/terraform/components/dl/sns_topic.tf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/infrastructure/terraform/components/dl/sns_topic.tf b/infrastructure/terraform/components/dl/sns_topic.tf
index f4dbd62c..22863273 100644
--- a/infrastructure/terraform/components/dl/sns_topic.tf
+++ b/infrastructure/terraform/components/dl/sns_topic.tf
@@ -13,8 +13,11 @@ data "aws_iam_policy_document" "sns_topic_policy_document" {
 effect = "Allow"
 principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.shared_infra_account_id}:root"]
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${var.shared_infra_account_id}:role/nhs-*-events-digital-letters-reporting",
+ "arn:aws:sts::${var.shared_infra_account_id}:assumed-role/nhs-*-events-digital-letters-reporting/*"
+ ]
 }
 actions = [
From 0a6fafd04923f1582cfe157b7e9e73fccf4e3211 Mon Sep 17 00:00:00 2001
From: Gareth Allan <157592212+gareth-allan@users.noreply.github.com>
Date: Wed, 8 Apr 2026 13:58:38 +0100
Subject: [PATCH 7/7] CCM-15020: SNS permissions tweak
---
 infrastructure/terraform/components/dl/sns_topic.tf | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
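Review bot: The two `identifiers` added in the second hunk put `*` inside role and assumed-role ARNs, and the IAM `Principal` element does not accept wildcards within an ARN (only a complete ARN, an account id, or a bare `*`), so IAM policy validation rejects this document and the `aws_sns_topic_policy` apply fails, which is presumably what prompted the next commit. The intent, any `nhs-*-events-digital-letters-reporting` role in the shared account, is expressible by keeping the account as the principal and moving the pattern into an `ArnLike` condition on `aws:PrincipalArn`, where wildcards are allowed; for a role session `aws:PrincipalArn` resolves to the role ARN, so the `sts:assumed-role` form is not needed. The rename in the first hunk needs no change.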
diff --git a/infrastructure/terraform/components/dl/sns_topic.tf b/infrastructure/terraform/components/dl/sns_topic.tf
index 22863273..41060601 100644
--- a/infrastructure/terraform/components/dl/sns_topic.tf
+++ b/infrastructure/terraform/components/dl/sns_topic.tf
@@ -13,11 +13,8 @@ data "aws_iam_policy_document" "sns_topic_policy_document" {
 effect = "Allow"
 principals {
- type = "AWS"
- identifiers = [
- "arn:aws:iam::${var.shared_infra_account_id}:role/nhs-*-events-digital-letters-reporting",
- "arn:aws:sts::${var.shared_infra_account_id}:assumed-role/nhs-*-events-digital-letters-reporting/*"
- ]
+ type = "AWS"
+ identifiers = [var.shared_infra_account_id]
 }
 actions = [
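Review bot: `identifiers = [var.shared_infra_account_id]` grants `sns:Publish` to every IAM principal in the shared account rather than the single reporting role the previous commit named, and the only narrowing left is the statement's existing `condition` on `aws:SourceArn`, which sits outside this hunk and still matches EventBridge rule ARNs; a role calling `sns:Publish` directly sends no `aws:SourceArn`, so as it stands the statement either grants nothing (condition kept) or the whole account (condition removed), and which one applies depends on how the publisher calls the topic and should be confirmed. Keep the account principal, which is the supported way to delegate across accounts, and replace the `aws:SourceArn` condition with an `ArnLike` condition on `aws:PrincipalArn` carrying the role pattern, since condition keys accept wildcard ARNs where the `Principal` element does not. The statement's `condition` block and the closing braces are outside the hunk.
```terraform
    principals {
      type        = "AWS"
      identifiers = [var.shared_infra_account_id]
    }

    # … unchanged: actions / resources …

    condition {
      test     = "ArnLike"
      variable = "aws:PrincipalArn"
      values = [
        "arn:aws:iam::${var.shared_infra_account_id}:role/nhs-*-events-digital-letters-reporting"
      ]
    }
```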