NHSDigital · harrim91 · Mar 18, 2025 · Mar 13, 2025 · Mar 13, 2025 · Mar 13, 2025
@@ -2,11 +2,17 @@ name: "Normalize branch name"
 description: "Normalize branch name"
 outputs:
   normalized_branch_name:
+    description: 10 character branch identifier (0000-branch)
     value: ${{ steps.normalize_branch_name.outputs.normalized_branch_name }}
 runs:
   using: "composite"
   steps:
     - id: normalize_branch_name
       shell: bash
-      run: echo "normalized_branch_name=$(sed -e 's/[^a-zA-Z0-9-]//g' <<< $(git rev-parse --abbrev-ref HEAD) | tr '[:upper:]' '[:lower:]' | head -c 25)" >> $GITHUB_OUTPUT
-
+      run: |
+        branch=$(git rev-parse --abbrev-ref HEAD)
+        stripped=$(echo $branch | sed -e 's/[^a-zA-Z0-9-]//g' | tr '[:upper:]' '[:lower:]')
+        starting_from_jira_ref=$(echo $stripped | sed -n 's/.*\([0-9]\{4,\}.*\)/\1/p')
+        with_fallback=${starting_from_jira_ref:-$stripped}
+        chopped=$(echo $with_fallback | head -c 10)
+        echo "normalized_branch_name=$chopped" >> $GITHUB_OUTPUT
@@ -18,14 +18,17 @@
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_initial_cli_secrets_provision_override"></a> [initial\_cli\_secrets\_provision\_override](#input\_initial\_cli\_secrets\_provision\_override) | A map of default value to intialise SSM secret values with. Only useful for initial setup of the account due to lifecycle rules. | `map(string)` | `{}` | no |
+| <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | <a name="input_root_domain_name"></a> [root\_domain\_name](#input\_root\_domain\_name) | The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk | `string` | `"nonprod.nhsnotify.national.nhs.uk"` | no |
+| <a name="input_support_sandbox_environments"></a> [support\_sandbox\_environments](#input\_support\_sandbox\_environments) | Does this account support dev sandbox environments? | `bool` | `false` | no |
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_kms_sandbox"></a> [kms\_sandbox](#module\_kms\_sandbox) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v1.0.8 |
 | <a name="module_s3bucket_access_logs"></a> [s3bucket\_access\_logs](#module\_s3bucket\_access\_logs) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_s3bucket_backup_reports"></a> [s3bucket\_backup\_reports](#module\_s3bucket\_backup\_reports) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 ## Outputs

diff --git a/infrastructure/terraform/components/acct/module_s3bucket_access_logs.tf b/infrastructure/terraform/components/acct/module_s3bucket_access_logs.tf
@@ -92,7 +92,7 @@ data "aws_iam_policy_document" "s3bucket_access_logs" {
     ]
 
     resources = [
-      module.s3bucket_lambda_artefacts.arn,
+      module.s3bucket_access_logs.arn,
     ]
 
     principals {
@@ -112,7 +112,7 @@ data "aws_iam_policy_document" "s3bucket_access_logs" {
     ]
 
     resources = [
-      "${module.s3bucket_lambda_artefacts.arn}/*",
+      "${module.s3bucket_access_logs.arn}/*",
     ]
 
     principals {

@@ -0,0 +1,15 @@
+module "kms_sandbox" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms?ref=v1.0.8"
+
+  count = var.support_sandbox_environments ? 1 : 0
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+
+  name            = "sandbox"
+  deletion_window = var.kms_deletion_window
+  alias           = "alias/${local.csi}-sandbox"
+}
@@ -70,3 +70,15 @@ variable "initial_cli_secrets_provision_override" {
   # Usage like:
   #  ... -a apply -- -var initial_cli_secrets_provision_override={\"github_pat\":\"l0ngstr1ng"}
 }
+
+variable "kms_deletion_window" {
+  type        = string
+  description = "When a kms key is deleted, how long should it wait in the pending deletion state?"
+  default     = "30"
+}
+
+variable "support_sandbox_environments" {
+  type        = bool
+  description = "Does this account support dev sandbox environments?"
+  default     = false
+}
@@ -16,4 +16,6 @@ module "backend_api" {
   enable_backup = var.destination_vault_arn != null ? true : false
 
   enable_letters = var.enable_letters
+
+  kms_key_arn = module.kms.key_arn
 }
@@ -14,6 +14,7 @@ No requirements.
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonymous with account short-name) | `string` | n/a | yes |
+| <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |

@@ -0,0 +1,3 @@
+data "aws_kms_key" "sandbox" {
+  key_id = "alias/${var.project}-main-acct-sandbox"
+}
@@ -6,13 +6,18 @@ module "backend_api" {
   aws_account_id        = var.aws_account_id
   region                = var.region
   group                 = var.group
+  component             = var.component
   csi                   = local.csi
   log_retention_in_days = var.log_retention_in_days
 
+
   cognito_config = {
     USER_POOL_ID        = aws_cognito_user_pool.sandbox.id
     USER_POOL_CLIENT_ID = aws_cognito_user_pool_client.sandbox.id
   }
 
   enable_letters = true
+
+  kms_key_arn          = data.aws_kms_key.sandbox.arn
+  dynamodb_kms_key_arn = data.aws_kms_key.sandbox.arn
 }
@@ -56,3 +56,9 @@ variable "log_retention_in_days" {
   description = "The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite"
   default     = 0
 }
+
+variable "kms_deletion_window" {
+  type        = string
+  description = "When a kms key is deleted, how long should it wait in the pending deletion state?"
+  default     = "30"
+}
@@ -13,10 +13,12 @@ No requirements.
 | <a name="input_cognito_config"></a> [cognito\_config](#input\_cognito\_config) | Cognito config | <pre>object({<br/>    USER_POOL_ID : string,<br/>    USER_POOL_CLIENT_ID : string<br/>  })</pre> | n/a | yes |
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"api"` | no |
 | <a name="input_csi"></a> [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
+| <a name="input_dynamodb_kms_key_arn"></a> [dynamodb\_kms\_key\_arn](#input\_dynamodb\_kms\_key\_arn) | KMS Key ARN for encrypting DynamoDB data. If not given, a key will be created. | `string` | `""` | no |
 | <a name="input_enable_backup"></a> [enable\_backup](#input\_enable\_backup) | Enable Backups for the DynamoDB table? | `bool` | `true` | no |
 | <a name="input_enable_letters"></a> [enable\_letters](#input\_enable\_letters) | Enable letters feature flag | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
+| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS Key ARN | `string` | n/a | yes |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
@@ -31,6 +33,8 @@ No requirements.
 | <a name="module_create_template_lambda"></a> [create\_template\_lambda](#module\_create\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_get_template_lambda"></a> [get\_template\_lambda](#module\_get\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_list_template_lambda"></a> [list\_template\_lambda](#module\_list\_template\_lambda) | ../lambda-function | n/a |
+| <a name="module_s3bucket_internal"></a> [s3bucket\_internal](#module\_s3bucket\_internal) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
+| <a name="module_s3bucket_quarantine"></a> [s3bucket\_quarantine](#module\_s3bucket\_quarantine) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_update_template_lambda"></a> [update\_template\_lambda](#module\_update\_template\_lambda) | ../lambda-function | n/a |
 ## Outputs
 

@@ -26,12 +26,12 @@ resource "aws_dynamodb_table" "templates" {
 
   server_side_encryption {
     enabled     = true
-    kms_key_arn = aws_kms_key.dynamo.arn
+    kms_key_arn = local.dynamodb_kms_key_arn
   }
 
-    tags = {
-      "NHSE-Enable-Dynamo-Backup" = var.enable_backup ? "True": "False"
-    }
+  tags = {
+    "NHSE-Enable-Dynamo-Backup" = var.enable_backup ? "True" : "False"
+  }
 
   lifecycle {
     ignore_changes = [

@@ -1,4 +1,5 @@
 resource "aws_kms_key" "dynamo" {
+  count                   = var.dynamodb_kms_key_arn == "" ? 1 : 0
   description             = "CMK for encrypting dynamodb data"
   deletion_window_in_days = 14
   enable_key_rotation     = true

@@ -14,10 +14,12 @@ locals {
   })
 
   backend_lambda_entrypoints = {
-    create_template  = "src/templates/api/create.ts"
-    get_template     = "src/templates/api/get.ts"
-    update_template  = "src/templates/api/update.ts"
-    list_template    = "src/templates/api/list.ts"
-    template_client  = "src/index.ts"
+    create_template = "src/templates/api/create.ts"
+    get_template    = "src/templates/api/get.ts"
+    update_template = "src/templates/api/update.ts"
+    list_template   = "src/templates/api/list.ts"
+    template_client = "src/index.ts"
   }
+
+  dynamodb_kms_key_arn = var.dynamodb_kms_key_arn == "" ? aws_kms_key.dynamo[0].arn : var.dynamodb_kms_key_arn
 }
@@ -46,7 +46,7 @@ data "aws_iam_policy_document" "create_template_lambda_policy" {
     ]
 
     resources = [
-      aws_kms_key.dynamo.arn
+      local.dynamodb_kms_key_arn
     ]
   }
 }
@@ -47,7 +47,7 @@ data "aws_iam_policy_document" "get_template_lambda_policy" {
     ]
 
     resources = [
-      aws_kms_key.dynamo.arn
+      local.dynamodb_kms_key_arn
     ]
   }
 }
@@ -47,7 +47,7 @@ data "aws_iam_policy_document" "list_template_lambda_policy" {
     ]
 
     resources = [
-      aws_kms_key.dynamo.arn
+      local.dynamodb_kms_key_arn
     ]
   }
 }
@@ -0,0 +1,13 @@
+module "s3bucket_internal" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v1.0.8"
+
+  name = "internal"
+
+  aws_account_id = var.aws_account_id
+  region         = var.region
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  kms_key_arn = var.kms_key_arn
+}
@@ -0,0 +1,13 @@
+module "s3bucket_quarantine" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v1.0.8"
+
+  name = "quarantine"
+
+  aws_account_id = var.aws_account_id
+  region         = var.region
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  kms_key_arn = var.kms_key_arn
+}
@@ -46,7 +46,7 @@ data "aws_iam_policy_document" "update_template_lambda_policy" {
     ]
 
     resources = [
-      aws_kms_key.dynamo.arn
+      local.dynamodb_kms_key_arn
     ]
   }
 }
@@ -71,3 +71,14 @@ variable "enable_letters" {
   type        = bool
   description = "Enable letters feature flag"
 }
+
+variable "kms_key_arn" {
+  type        = string
+  description = "KMS Key ARN"
+}
+
+variable "dynamodb_kms_key_arn" {
+  type        = string
+  description = "KMS Key ARN for encrypting DynamoDB data. If not given, a key will be created."
+  default     = ""
+}