diff --git a/main.tf b/main.tf
index a9a79c87a3..2a49e33a0f 100644
--- a/main.tf
+++ b/main.tf
@@ -48,9 +48,16 @@ data "aws_iam_policy_document" "deny_insecure_transport" {
   }
 }
 
+data "aws_iam_policy_document" "build_queue_policy" {
+  source_policy_documents = compact([
+    data.aws_iam_policy_document.deny_insecure_transport.json,
+    var.sqs_build_queue_extra_policy_json,
+  ])
+}
+
 resource "aws_sqs_queue_policy" "build_queue_policy" {
   queue_url = aws_sqs_queue.queued_builds.id
-  policy    = data.aws_iam_policy_document.deny_insecure_transport.json
+  policy    = data.aws_iam_policy_document.build_queue_policy.json
 }
 
 resource "aws_sqs_queue" "queued_builds" {
@@ -97,6 +104,7 @@ module "ssm" {
 
 module "webhook" {
   source = "./modules/webhook"
+  count  = var.create_webhook_module ? 1 : 0
 
   ssm_paths = {
     root    = local.ssm_root_path
diff --git a/modules/multi-runner/outputs.tf b/modules/multi-runner/outputs.tf
index 7ce7171faf..65c1f9d810 100644
--- a/modules/multi-runner/outputs.tf
+++ b/modules/multi-runner/outputs.tf
@@ -32,16 +32,16 @@ output "binaries_syncer_map" {
 }
 
 output "webhook" {
-  value = {
-    gateway          = module.webhook.gateway
-    lambda           = module.webhook.lambda
-    lambda_log_group = module.webhook.lambda_log_group
-    lambda_role      = module.webhook.role
-    endpoint         = "${module.webhook.gateway.api_endpoint}/${module.webhook.endpoint_relative_path}"
-    webhook          = module.webhook.webhook
-    dispatcher       = var.eventbridge.enable ? module.webhook.dispatcher : null
-    eventbridge      = var.eventbridge.enable ? module.webhook.eventbridge : null
-  }
+  value = var.create_webhook_module ? {
+    gateway          = module.webhook[0].gateway
+    lambda           = module.webhook[0].lambda
+    lambda_log_group = module.webhook[0].lambda_log_group
+    lambda_role      = module.webhook[0].role
+    endpoint         = "${module.webhook[0].gateway.api_endpoint}/${module.webhook[0].endpoint_relative_path}"
+    webhook          = module.webhook[0].webhook
+    dispatcher       = var.eventbridge.enable ? module.webhook[0].dispatcher : null
+    eventbridge      = var.eventbridge.enable ? module.webhook[0].eventbridge : null
+  } : null
 }
 
 output "ssm_parameters" {
@@ -67,3 +67,13 @@ output "instance_termination_handler" {
     lambda_role      = module.instance_termination_watcher[0].spot_termination_handler.lambda_role
   } : null
 }
+
+output "queues" {
+  description = "SQS build queues per runner type."
+  value = {
+    for key in keys(var.multi_runner_config) : key => {
+      build_queue_arn = aws_sqs_queue.queued_builds[key].arn
+      build_queue_url = aws_sqs_queue.queued_builds[key].url
+    }
+  }
+}
diff --git a/modules/multi-runner/queues.tf b/modules/multi-runner/queues.tf
index bcc75f99cc..fa7f18bf12 100644
--- a/modules/multi-runner/queues.tf
+++ b/modules/multi-runner/queues.tf
@@ -45,10 +45,19 @@ resource "aws_sqs_queue" "queued_builds" {
   tags = var.tags
 }
 
+data "aws_iam_policy_document" "build_queue_policy" {
+  for_each = var.multi_runner_config
+
+  source_policy_documents = compact([
+    data.aws_iam_policy_document.deny_insecure_transport.json,
+    var.sqs_build_queue_extra_policy_json,
+  ])
+}
+
 resource "aws_sqs_queue_policy" "build_queue_policy" {
   for_each  = var.multi_runner_config
   queue_url = aws_sqs_queue.queued_builds[each.key].id
-  policy    = data.aws_iam_policy_document.deny_insecure_transport.json
+  policy    = data.aws_iam_policy_document.build_queue_policy[each.key].json
 }
 
 resource "aws_sqs_queue" "queued_builds_dlq" {
diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf
index 613cf8b2ce..2bbee577f0 100644
--- a/modules/multi-runner/variables.tf
+++ b/modules/multi-runner/variables.tf
@@ -770,3 +770,15 @@ variable "parameter_store_tags" {
   type        = map(string)
   default     = {}
 }
+
+variable "sqs_build_queue_extra_policy_json" {
+  description = "Optional additional SQS policy statements (JSON) merged into the build queue policy for all runner types. Useful for cross-account access, e.g. allowing an SNS topic from another account to send messages."
+  type        = string
+  default     = null
+}
+
+variable "create_webhook_module" {
+  description = "Set to false to skip deploying the webhook Lambda and API Gateway. Use when webhook delivery is handled externally (e.g. a centralised proxy in another account)."
+  type        = bool
+  default     = true
+}
diff --git a/modules/multi-runner/webhook.tf b/modules/multi-runner/webhook.tf
index 900040c609..284356d024 100644
--- a/modules/multi-runner/webhook.tf
+++ b/modules/multi-runner/webhook.tf
@@ -1,5 +1,6 @@
 module "webhook" {
   source                              = "../webhook"
+  count                               = var.create_webhook_module ? 1 : 0
   prefix                              = var.prefix
   tags                                = local.tags
   kms_key_arn                         = var.kms_key_arn
diff --git a/outputs.tf b/outputs.tf
index fdf4a37801..42a68cb40c 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -31,16 +31,16 @@ output "binaries_syncer" {
 }
 
 output "webhook" {
-  value = {
-    gateway          = module.webhook.gateway
-    lambda           = module.webhook.lambda
-    lambda_log_group = module.webhook.lambda_log_group
-    lambda_role      = module.webhook.role
-    endpoint         = "${module.webhook.gateway.api_endpoint}/${module.webhook.endpoint_relative_path}"
-    webhook          = module.webhook.webhook
-    dispatcher       = var.eventbridge.enable ? module.webhook.dispatcher : null
-    eventbridge      = var.eventbridge.enable ? module.webhook.eventbridge : null
-  }
+  value = var.create_webhook_module ? {
+    gateway          = module.webhook[0].gateway
+    lambda           = module.webhook[0].lambda
+    lambda_log_group = module.webhook[0].lambda_log_group
+    lambda_role      = module.webhook[0].role
+    endpoint         = "${module.webhook[0].gateway.api_endpoint}/${module.webhook[0].endpoint_relative_path}"
+    webhook          = module.webhook[0].webhook
+    dispatcher       = var.eventbridge.enable ? module.webhook[0].dispatcher : null
+    eventbridge      = var.eventbridge.enable ? module.webhook[0].eventbridge : null
+  } : null
 }
 
 output "ssm_parameters" {
@@ -56,6 +56,7 @@ output "queues" {
   description = "SQS queues."
   value = {
     build_queue_arn     = aws_sqs_queue.queued_builds.arn
+    build_queue_url     = aws_sqs_queue.queued_builds.url
     build_queue_dlq_arn = var.redrive_build_queue.enabled ? aws_sqs_queue.queued_builds_dlq[0].arn : null
   }
 }
diff --git a/variables.tf b/variables.tf
index d739e916fb..cd9e50aebb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -3,6 +3,18 @@ variable "aws_region" {
   type        = string
 }
 
+variable "sqs_build_queue_extra_policy_json" {
+  description = "Optional additional SQS policy statements (JSON) merged into the build queue policy. Useful for cross-account access, e.g. allowing an SNS topic from another account to send messages."
+  type        = string
+  default     = null
+}
+
+variable "create_webhook_module" {
+  description = "Set to false to skip deploying the webhook Lambda and API Gateway. Use when webhook delivery is handled externally (e.g. a centralised proxy in another account)."
+  type        = bool
+  default     = true
+}
+
 variable "vpc_id" {
   description = "The VPC for security groups of the action runners."
   type        = string