From d7d320942ee0ff4f8083b624ea790ab966cf6f4f Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Thu, 4 Dec 2025 14:38:56 +0000
Subject: [PATCH 1/2] CCM-13451: Queue policy dependency fix
---
 .../api/module_sqs_letter_updates.tf | 55 ++++++++++++++++++
 .../api/sqs_queue_policy_letter_updates.tf | 58 -------------------
 2 files changed, 55 insertions(+), 58 deletions(-)
 delete mode 100644 infrastructure/terraform/components/api/sqs_queue_policy_letter_updates.tf
diff --git a/infrastructure/terraform/components/api/module_sqs_letter_updates.tf b/infrastructure/terraform/components/api/module_sqs_letter_updates.tf
index 75236a682..3820c972e 100644
--- a/infrastructure/terraform/components/api/module_sqs_letter_updates.tf
+++ b/infrastructure/terraform/components/api/module_sqs_letter_updates.tf
@@ -13,4 +13,59 @@ module "sqs_letter_updates" {
 visibility_timeout_seconds = 60
 create_dlq = true
+ sqs_policy_overload = data.aws_iam_policy_document.letter_updates_queue_policy.json
+}
+
+data "aws_iam_policy_document" "letter_updates_queue_policy" {
+ version = "2012-10-17"
+ statement {
+ sid = "AllowSNSToSendMessage"
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["sns.amazonaws.com"]
+ }
+
+ actions = [
+ "sqs:SendMessage"
+ ]
+
+ resources = [
+ "arn:aws:sqs:${var.region}:${var.aws_account_id}:${var.project}-${var.environment}-${var.component}-letter-updates-queue"
+ ]
+
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [module.eventsub.sns_topic.arn]
+ }
+ }
+
+ statement {
+ sid = "AllowSNSPermissions"
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["sns.amazonaws.com"]
+ }
+
+ actions = [
+ "sqs:SendMessage",
+ "sqs:ListQueueTags",
+ "sqs:GetQueueUrl",
+ "sqs:GetQueueAttributes",
+ ]
+
+ resources = [
+ "arn:aws:sqs:${var.region}:${var.aws_account_id}:${var.project}-${var.environment}-${var.component}-letter-updates-queue"
+ ]
+
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [module.eventsub.sns_topic.arn]
+ }
+ }
 }
diff --git a/infrastructure/terraform/components/api/sqs_queue_policy_letter_updates.tf b/infrastructure/terraform/components/api/sqs_queue_policy_letter_updates.tf
deleted file mode 100644
index 228525e69..000000000
--- a/infrastructure/terraform/components/api/sqs_queue_policy_letter_updates.tf
+++ /dev/null
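Review bot: Both `resources` entries now spell the queue ARN out by hand as `arn:aws:sqs:${var.region}:${var.aws_account_id}:${var.project}-${var.environment}-${var.component}-letter-updates-queue`, which duplicates whatever naming rule the `sqs_letter_updates` module applies internally; if the two ever diverge, the policy still attaches but names a resource that is not this queue, SNS delivery is denied, and neither `plan` nor `apply` will say so. Presumably this replaces `module.sqs_letter_updates.sqs_queue_arn` to break the cycle the commit title refers to; a safer shape is to compute the queue name once in a `local` that is passed to the module and interpolated here, so there is a single source of truth. Separately, `AllowSNSPermissions` has the same principal, resource and `aws:SourceArn` condition as `AllowSNSToSendMessage` and a superset of its actions, so the first statement is dead weight, and as far as I know SNS fan-out to SQS needs only `sqs:SendMessage`; collapsing both into one statement with `actions = ["sqs:SendMessage"]` is the least-privilege form unless something else relies on the read actions. Finally, because the standalone `aws_sqs_queue_policy` is gone and this document is passed as `sqs_policy_overload`, any statement the module used to attach by default (for example a deny on non-TLS access via `aws:SecureTransport`) is presumably no longer applied unless it is repeated here — worth confirming against the module.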
@@ -1,58 +0,0 @@
-resource "aws_sqs_queue_policy" "letter_updates" {
- queue_url = module.sqs_letter_updates.sqs_queue_url
-
- policy = data.aws_iam_policy_document.letter_updates_queue_policy.json
-}
-
-data "aws_iam_policy_document" "letter_updates_queue_policy" {
- statement {
- sid = "AllowSNSToSendMessage"
- effect = "Allow"
-
- principals {
- type = "Service"
- identifiers = ["sns.amazonaws.com"]
- }
-
- actions = [
- "sqs:SendMessage"
- ]
-
- resources = [
- module.sqs_letter_updates.sqs_queue_arn
- ]
-
- condition {
- test = "ArnEquals"
- variable = "aws:SourceArn"
- values = [module.eventsub.sns_topic.arn]
- }
- }
-
- statement {
- sid = "AllowSNSPermissions"
- effect = "Allow"
-
- principals {
- type = "Service"
- identifiers = ["sns.amazonaws.com"]
- }
-
- actions = [
- "sqs:SendMessage",
- "sqs:ListQueueTags",
- "sqs:GetQueueUrl",
- "sqs:GetQueueAttributes",
- ]
-
- resources = [
- module.sqs_letter_updates.sqs_queue_arn
- ]
-
- condition {
- test = "ArnEquals"
- variable = "aws:SourceArn"
- values = [module.eventsub.sns_topic.arn]
- }
- }
-}
From bf891fc73aa335a97b6b832d1e2c5ca44df0fdf4 Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Thu, 4 Dec 2025 14:39:32 +0000
Subject: [PATCH 2/2] CCM-13451: Queue policy dependency fix
---
 ...ource_mapping_status_updates_to_handler.tf | 4 ++--
 .../terraform/components/api/locals.tf | 22 +++++++++----------
 .../api/module_authorizer_lambda.tf | 2 +-
 .../api/module_lambda_get_letter_data.tf | 6 ++---
 .../api/module_sqs_letter_updates.tf | 2 +-
 5 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/infrastructure/terraform/components/api/event_source_mapping_status_updates_to_handler.tf b/infrastructure/terraform/components/api/event_source_mapping_status_updates_to_handler.tf
index 62d99edd9..ab3634c43 100644
--- a/infrastructure/terraform/components/api/event_source_mapping_status_updates_to_handler.tf
+++ b/infrastructure/terraform/components/api/event_source_mapping_status_updates_to_handler.tf
@@ -6,7 +6,7 @@ resource "aws_lambda_event_source_mapping" "status_updates_sqs_to_status_update_
 scaling_config { maximum_concurrency = 10 }
 depends_on = [
- module.letter_status_updates_queue, # ensures queue exists
- module.letter_status_update # ensures update handler exists
+ module.letter_status_updates_queue, # ensures queue exists
+ module.letter_status_update # ensures update handler exists
 ]
 }
diff --git a/infrastructure/terraform/components/api/locals.tf b/infrastructure/terraform/components/api/locals.tf
index fec749a36..bfadfd30f 100644
--- a/infrastructure/terraform/components/api/locals.tf
+++ b/infrastructure/terraform/components/api/locals.tf
@@ -5,16 +5,16 @@ locals {
 root_domain_nameservers = local.acct.route53_zone_nameservers["supplier-api"]
 openapi_spec = templatefile("${path.module}/resources/spec.tmpl.json", {
- APIG_EXECUTION_ROLE_ARN = aws_iam_role.api_gateway_execution_role.arn
- AWS_REGION = var.region
- AUTHORIZER_LAMBDA_ARN = module.authorizer_lambda.function_arn
- GET_LETTER_LAMBDA_ARN = module.get_letter.function_arn
- GET_LETTERS_LAMBDA_ARN = module.get_letters.function_arn
- GET_LETTER_DATA_LAMBDA_ARN = module.get_letter_data.function_arn
- GET_STATUS_LAMBDA_ARN = module.get_status.function_arn
- PATCH_LETTER_LAMBDA_ARN = module.patch_letter.function_arn
- POST_LETTERS_LAMBDA_ARN = module.post_letters.function_arn
- POST_MI_LAMBDA_ARN = module.post_mi.function_arn
+ APIG_EXECUTION_ROLE_ARN = aws_iam_role.api_gateway_execution_role.arn
+ AWS_REGION = var.region
+ AUTHORIZER_LAMBDA_ARN = module.authorizer_lambda.function_arn
+ GET_LETTER_LAMBDA_ARN = module.get_letter.function_arn
+ GET_LETTERS_LAMBDA_ARN = module.get_letters.function_arn
+ GET_LETTER_DATA_LAMBDA_ARN = module.get_letter_data.function_arn
+ GET_STATUS_LAMBDA_ARN = module.get_status.function_arn
+ PATCH_LETTER_LAMBDA_ARN = module.patch_letter.function_arn
+ POST_LETTERS_LAMBDA_ARN = module.post_letters.function_arn
+ POST_MI_LAMBDA_ARN = module.post_mi.function_arn
 })
 destination_arn = "arn:aws:logs:${var.region}:${var.shared_infra_account_id}:destination:nhs-main-obs-firehose-logs"
@@ -23,7 +23,7 @@ locals {
 LETTERS_TABLE_NAME = aws_dynamodb_table.letters.name,
 MI_TABLE_NAME = aws_dynamodb_table.mi.name,
 LETTER_TTL_HOURS = 12960, # 18 months * 30 days * 24 hours
- MI_TTL_HOURS = 2160 # 90 days * 24 hours
+ MI_TTL_HOURS = 2160 # 90 days * 24 hours
 SUPPLIER_ID_HEADER = "nhsd-supplier-id",
 APIM_CORRELATION_HEADER = "nhsd-correlation-id",
 DOWNLOAD_URL_TTL_SECONDS = 60
diff --git a/infrastructure/terraform/components/api/module_authorizer_lambda.tf b/infrastructure/terraform/components/api/module_authorizer_lambda.tf
index dd95851b0..a3ab42a07 100644
--- a/infrastructure/terraform/components/api/module_authorizer_lambda.tf
+++ b/infrastructure/terraform/components/api/module_authorizer_lambda.tf
@@ -38,7 +38,7 @@ module "authorizer_lambda" {
 lambda_env_vars = {
 CLOUDWATCH_NAMESPACE = "/aws/api-gateway/supplier/alarms",
 CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS = 14,
- APIM_SUPPLIER_ID_HEADER = "NHSD-Supplier-ID",
+ APIM_SUPPLIER_ID_HEADER = "NHSD-Supplier-ID",
 SUPPLIERS_TABLE_NAME = aws_dynamodb_table.suppliers.name
 }
 }
diff --git a/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf b/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
index 7bb2bb80c..1f43a35f0 100644
--- a/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
+++ b/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
@@ -69,10 +69,10 @@ data "aws_iam_policy_document" "get_letter_data_lambda" {
 }
 statement {
- sid = "S3GetObjectForPresign"
- actions = [
+ sid = "S3GetObjectForPresign"
+ actions = [
 "s3:GetObject",
- "s3:ListBucket"] # allows 404 response instead of 403 if object missing
+ "s3:ListBucket"] # allows 404 response instead of 403 if object missing
 resources = ["${module.s3bucket_test_letters.arn}/*"]
 }
 }
diff --git a/infrastructure/terraform/components/api/module_sqs_letter_updates.tf b/infrastructure/terraform/components/api/module_sqs_letter_updates.tf
index 3820c972e..472afb81f 100644
--- a/infrastructure/terraform/components/api/module_sqs_letter_updates.tf
+++ b/infrastructure/terraform/components/api/module_sqs_letter_updates.tf
@@ -12,7 +12,7 @@ module "sqs_letter_updates" {
 visibility_timeout_seconds = 60
- create_dlq = true
+ create_dlq = true
 sqs_policy_overload = data.aws_iam_policy_document.letter_updates_queue_policy.json
 }
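Review bot: In the `get_letter_data_lambda` hunk, `s3:ListBucket` is a bucket-level action, so granting it on the object ARN `${module.s3bucket_test_letters.arn}/*` (the unchanged `resources` line) never matches a ListBucket request and is a no-op; the comment's promise of a 404 rather than a 403 for a missing object therefore does not hold, because that behaviour requires ListBucket on the bucket ARN itself. Move ListBucket into its own statement on `module.s3bucket_test_letters.arn`, ideally with an `s3:prefix` condition so the role cannot enumerate the whole bucket, and leave `s3:GetObject` on the `/*` resource. The enclosing policy document starts before this hunk.

```hcl
  statement {
    sid       = "S3GetObjectForPresign"
    actions   = ["s3:GetObject"]
    resources = ["${module.s3bucket_test_letters.arn}/*"]
  }

  statement {
    sid       = "S3ListBucketForPresign"          # allows 404 response instead of 403 if object missing
    actions   = ["s3:ListBucket"]
    resources = [module.s3bucket_test_letters.arn] # bucket ARN, not bucket/* — ListBucket is bucket-scoped
  }
```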