NHSDigital · sidnhs · Dec 5, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 5, 2025
@@ -6,7 +6,7 @@ resource "aws_lambda_event_source_mapping" "status_updates_sqs_to_status_update_
   scaling_config { maximum_concurrency = 10 }
 
   depends_on = [
-    module.letter_status_updates_queue,         # ensures queue exists
-    module.letter_status_update                 # ensures update handler exists
+    module.letter_status_updates_queue, # ensures queue exists
+    module.letter_status_update         # ensures update handler exists
   ]
 }
@@ -5,16 +5,16 @@ locals {
   root_domain_nameservers       = local.acct.route53_zone_nameservers["supplier-api"]
 
   openapi_spec = templatefile("${path.module}/resources/spec.tmpl.json", {
-    APIG_EXECUTION_ROLE_ARN             = aws_iam_role.api_gateway_execution_role.arn
-    AWS_REGION                          = var.region
-    AUTHORIZER_LAMBDA_ARN               = module.authorizer_lambda.function_arn
-    GET_LETTER_LAMBDA_ARN               = module.get_letter.function_arn
-    GET_LETTERS_LAMBDA_ARN              = module.get_letters.function_arn
-    GET_LETTER_DATA_LAMBDA_ARN          = module.get_letter_data.function_arn
-    GET_STATUS_LAMBDA_ARN               = module.get_status.function_arn
-    PATCH_LETTER_LAMBDA_ARN             = module.patch_letter.function_arn
-    POST_LETTERS_LAMBDA_ARN             = module.post_letters.function_arn
-    POST_MI_LAMBDA_ARN                  = module.post_mi.function_arn
+    APIG_EXECUTION_ROLE_ARN    = aws_iam_role.api_gateway_execution_role.arn
+    AWS_REGION                 = var.region
+    AUTHORIZER_LAMBDA_ARN      = module.authorizer_lambda.function_arn
+    GET_LETTER_LAMBDA_ARN      = module.get_letter.function_arn
+    GET_LETTERS_LAMBDA_ARN     = module.get_letters.function_arn
+    GET_LETTER_DATA_LAMBDA_ARN = module.get_letter_data.function_arn
+    GET_STATUS_LAMBDA_ARN      = module.get_status.function_arn
+    PATCH_LETTER_LAMBDA_ARN    = module.patch_letter.function_arn
+    POST_LETTERS_LAMBDA_ARN    = module.post_letters.function_arn
+    POST_MI_LAMBDA_ARN         = module.post_mi.function_arn
   })
 
   destination_arn = "arn:aws:logs:${var.region}:${var.shared_infra_account_id}:destination:nhs-main-obs-firehose-logs"
@@ -23,7 +23,7 @@ locals {
     LETTERS_TABLE_NAME       = aws_dynamodb_table.letters.name,
     MI_TABLE_NAME            = aws_dynamodb_table.mi.name,
     LETTER_TTL_HOURS         = 12960, # 18 months * 30 days * 24 hours
-    MI_TTL_HOURS             = 2160 # 90 days * 24 hours
+    MI_TTL_HOURS             = 2160   # 90 days * 24 hours
     SUPPLIER_ID_HEADER       = "nhsd-supplier-id",
     APIM_CORRELATION_HEADER  = "nhsd-correlation-id",
     DOWNLOAD_URL_TTL_SECONDS = 60

@@ -38,7 +38,7 @@ module "authorizer_lambda" {
   lambda_env_vars = {
     CLOUDWATCH_NAMESPACE                     = "/aws/api-gateway/supplier/alarms",
     CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS = 14,
-    APIM_SUPPLIER_ID_HEADER               = "NHSD-Supplier-ID",
+    APIM_SUPPLIER_ID_HEADER                  = "NHSD-Supplier-ID",
     SUPPLIERS_TABLE_NAME                     = aws_dynamodb_table.suppliers.name
   }
 }

@@ -69,10 +69,10 @@ data "aws_iam_policy_document" "get_letter_data_lambda" {
   }
 
   statement {
-    sid       = "S3GetObjectForPresign"
-    actions   = [
+    sid = "S3GetObjectForPresign"
+    actions = [
       "s3:GetObject",
-      "s3:ListBucket"] # allows 404 response instead of 403 if object missing
+    "s3:ListBucket"] # allows 404 response instead of 403 if object missing
     resources = ["${module.s3bucket_test_letters.arn}/*"]
   }
 }
@@ -12,5 +12,60 @@ module "sqs_letter_updates" {
 
   visibility_timeout_seconds = 60
 
-  create_dlq = true
+  create_dlq          = true
+  sqs_policy_overload = data.aws_iam_policy_document.letter_updates_queue_policy.json
+}
+
+data "aws_iam_policy_document" "letter_updates_queue_policy" {
+  version = "2012-10-17"
+  statement {
+    sid    = "AllowSNSToSendMessage"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["sns.amazonaws.com"]
+    }
+
+    actions = [
+      "sqs:SendMessage"
+    ]
+
+    resources = [
+      "arn:aws:sqs:${var.region}:${var.aws_account_id}:${var.project}-${var.environment}-${var.component}-letter-updates-queue"
+    ]
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [module.eventsub.sns_topic.arn]
+    }
+  }
+
+  statement {
+    sid    = "AllowSNSPermissions"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["sns.amazonaws.com"]
+    }
+
+    actions = [
+      "sqs:SendMessage",
+      "sqs:ListQueueTags",
+      "sqs:GetQueueUrl",
+      "sqs:GetQueueAttributes",
+    ]
+
+    resources = [
+      "arn:aws:sqs:${var.region}:${var.aws_account_id}:${var.project}-${var.environment}-${var.component}-letter-updates-queue"
+    ]
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [module.eventsub.sns_topic.arn]
+    }
+  }
 }