From 587538c31fc71bb8a5daaf5b2bd2f245682e4ae8 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 20 Jun 2025 08:24:31 +0100 Subject: [PATCH 1/2] [NRL-1379] Add TF config for lambda error notifications in test and prod --- terraform/account-wide-infrastructure/prod/cloudwatch.tf | 2 ++ terraform/account-wide-infrastructure/prod/data.tf | 8 ++++++++ terraform/account-wide-infrastructure/prod/locals.tf | 2 ++ terraform/account-wide-infrastructure/test/cloudwatch.tf | 2 ++ terraform/account-wide-infrastructure/test/data.tf | 9 +++++++++ terraform/account-wide-infrastructure/test/locals.tf | 2 ++ 6 files changed, 25 insertions(+) diff --git a/terraform/account-wide-infrastructure/prod/cloudwatch.tf b/terraform/account-wide-infrastructure/prod/cloudwatch.tf index c1946b67e..089ed2cf4 100644 --- a/terraform/account-wide-infrastructure/prod/cloudwatch.tf +++ b/terraform/account-wide-infrastructure/prod/cloudwatch.tf @@ -2,6 +2,8 @@ module "lambda_errors_cloudwatch_metric_alarm_dev" { source = "../modules/lambda-errors-metric-alarm" name_prefix = "nhsd-nrlf--prod" + notification_emails = local.notification_emails + evaluation_periods = 1 period = 60 threshold = 1 diff --git a/terraform/account-wide-infrastructure/prod/data.tf b/terraform/account-wide-infrastructure/prod/data.tf index fe0eefc7c..7b3c623de 100644 --- a/terraform/account-wide-infrastructure/prod/data.tf +++ b/terraform/account-wide-infrastructure/prod/data.tf @@ -1,3 +1,11 @@ data "aws_secretsmanager_secret_version" "identities_account_id" { secret_id = aws_secretsmanager_secret.identities_account_id.name } + +data "aws_secretsmanager_secret" "emails" { + name = "${local.prefix}-emails" +} + +data "aws_secretsmanager_secret_version" "emails" { + secret_id = data.aws_secretsmanager_secret.emails.id +} diff --git a/terraform/account-wide-infrastructure/prod/locals.tf b/terraform/account-wide-infrastructure/prod/locals.tf index 0929b0d38..9b06efdfe 100644 
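Review bot: The new `data "aws_secretsmanager_secret" "emails"` block in prod/data.tf looks the secret up by name, but nothing in this configuration creates `${local.prefix}-emails` (the only notification-email secret resource visible on this page lives in dev and has a different name), so it is an out-of-band dependency that will make `terraform plan` fail in a fresh account until someone provisions it by hand. That contract should be written down next to the lookup, e.g. `# Pre-provisioned outside Terraform: a Secrets Manager secret whose string is a JSON array of addresses, e.g. ["ops@example.com"].` It is also worth stating in the same comment that the addresses are expected to be monitored team mailboxes rather than personal ones, since this is the prod error-alerting path and the secret's contents are never reviewed by code review.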
--- a/terraform/account-wide-infrastructure/prod/locals.tf +++ b/terraform/account-wide-infrastructure/prod/locals.tf @@ -3,4 +3,6 @@ locals { project = "nhsd-nrlf" environment = terraform.workspace prefix = "${local.project}--${local.environment}" + + notification_emails = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string)))) } diff --git a/terraform/account-wide-infrastructure/test/cloudwatch.tf b/terraform/account-wide-infrastructure/test/cloudwatch.tf index ae69099fd..1719c793b 100644 --- a/terraform/account-wide-infrastructure/test/cloudwatch.tf +++ b/terraform/account-wide-infrastructure/test/cloudwatch.tf @@ -2,6 +2,8 @@ module "lambda_errors_cloudwatch_metric_alarm_dev" { source = "../modules/lambda-errors-metric-alarm" name_prefix = "nhsd-nrlf--test" + notification_emails = local.notification_emails + evaluation_periods = 1 period = 60 threshold = 1 diff --git a/terraform/account-wide-infrastructure/test/data.tf b/terraform/account-wide-infrastructure/test/data.tf index fe0eefc7c..d94f607d5 100644 --- a/terraform/account-wide-infrastructure/test/data.tf +++ b/terraform/account-wide-infrastructure/test/data.tf @@ -1,3 +1,12 @@ data "aws_secretsmanager_secret_version" "identities_account_id" { secret_id = aws_secretsmanager_secret.identities_account_id.name } + + +data "aws_secretsmanager_secret" "emails" { + name = "${local.prefix}-emails" +} + +data "aws_secretsmanager_secret_version" "emails" { + secret_id = data.aws_secretsmanager_secret.emails.id +} diff --git a/terraform/account-wide-infrastructure/test/locals.tf b/terraform/account-wide-infrastructure/test/locals.tf index 0929b0d38..9b06efdfe 100644 --- a/terraform/account-wide-infrastructure/test/locals.tf +++ b/terraform/account-wide-infrastructure/test/locals.tf 
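Review bot: The test/data.tf hunk inserts two blank lines before the new `emails` data sources (header `+1,12` against prod's `+1,11`), so the two account files, which are otherwise meant to be copies, now differ only by whitespace. Drop the extra empty `+` line so prod and test stay byte-identical and a later diff between accounts shows only real divergence.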
@@ -3,4 +3,6 @@ locals { project = "nhsd-nrlf" environment = terraform.workspace prefix = "${local.project}--${local.environment}" + + notification_emails = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string)))) } From bf3e3b42165bec76b6419d509ed27197d36d15c2 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 20 Jun 2025 15:51:20 +0100 Subject: [PATCH 2/2] [NRL-1379] Keep notification emails as sensitive in TF --- terraform/account-wide-infrastructure/dev/locals.tf | 2 +- terraform/account-wide-infrastructure/dev/secrets.tf | 4 ---- .../modules/lambda-errors-metric-alarm/sns.tf | 4 ++-- .../modules/lambda-errors-metric-alarm/vars.tf | 3 ++- terraform/account-wide-infrastructure/prod/locals.tf | 2 +- terraform/account-wide-infrastructure/test/locals.tf | 2 +- 6 files changed, 7 insertions(+), 10 deletions(-) diff --git a/terraform/account-wide-infrastructure/dev/locals.tf b/terraform/account-wide-infrastructure/dev/locals.tf index 9b06efdfe..06c8c4221 100644 --- a/terraform/account-wide-infrastructure/dev/locals.tf +++ b/terraform/account-wide-infrastructure/dev/locals.tf @@ -4,5 +4,5 @@ locals { environment = terraform.workspace prefix = "${local.project}--${local.environment}" - notification_emails = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string)))) + notification_emails = tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string)) } diff --git a/terraform/account-wide-infrastructure/dev/secrets.tf b/terraform/account-wide-infrastructure/dev/secrets.tf index bc9b0a3cc..dd735c3d7 100644 --- a/terraform/account-wide-infrastructure/dev/secrets.tf +++ b/terraform/account-wide-infrastructure/dev/secrets.tf 
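Review bot: The new `notification_emails = tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))` line in dev/locals.tf hard-codes the assumption that the secret is a JSON array of strings, and because `secret_string` is sensitive, a secret stored as a JSON object or a bare string will fail at plan time with the offending value redacted, which is hard to diagnose for whoever rotates the secret. A comment on the line saves that investigation: `# Secret must be a JSON array of addresses, e.g. ["ops@example.com"]; left sensitive so the list is redacted from plan output.` The `locals` block this sits in starts outside the hunk.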
@@ -7,10 +7,6 @@ resource "aws_secretsmanager_secret" "backup_destination_parameters" { description = "Parameters used to configure the backup destination" } -resource "aws_secretsmanager_secret" "notification_email_addresses" { - name = "${local.prefix}-dev-notification-email-addresses" -} - resource "aws_secretsmanager_secret" "dev_smoke_test_apigee_app" { name = "${local.prefix}--dev--apigee-app--smoke-test" description = "APIGEE App used to run Smoke Tests against the DEV environment" diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/sns.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/sns.tf index 5abaa0a6c..a8ad22b81 100644 --- a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/sns.tf +++ b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/sns.tf @@ -4,8 +4,8 @@ resource "aws_sns_topic" "sns_topic" { } resource "aws_sns_topic_subscription" "sns_subscription" { - for_each = var.notification_emails + count = length(var.notification_emails) topic_arn = aws_sns_topic.sns_topic.arn protocol = "email" - endpoint = sensitive(each.value) + endpoint = var.notification_emails[count.index] } diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/vars.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/vars.tf index 605569262..e5f167db3 100644 --- a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/vars.tf +++ b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/vars.tf @@ -27,7 +27,8 @@ variable "kms_deletion_window_in_days" { } variable "notification_emails" { - type = set(string) + type = list(string) + sensitive = true description = "The email addresses to which notifications will be sent." default = [] } diff --git a/terraform/account-wide-infrastructure/prod/locals.tf b/terraform/account-wide-infrastructure/prod/locals.tf index 9b06efdfe..06c8c4221 100644 
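Review bot: Switching `aws_sns_topic_subscription.sns_subscription` from `for_each` to `count` in sns.tf makes each subscription's identity its position in the list, so removing or reordering one address in the secret shifts the indices and Terraform will destroy and recreate every subscription after it, each of which then needs a fresh email confirmation before alerts flow again; on the prod error-alerting path that is a silent notification gap. The trade-off is forced by Terraform not accepting sensitive `for_each` keys, so it should be recorded on the resource: `# count, not for_each: for_each keys cannot be sensitive. Subscriptions are positional, so only append new addresses to the secret; removing one re-creates those after it.` If stable identity matters more than hiding labels, an alternative is to store the secret as a JSON object of opaque label to address and use `for_each = nonsensitive(toset(keys(local.notification_emails)))` with only `each.value` sensitive.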
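Review bot: `sensitive = true` on `notification_emails` in vars.tf only redacts the addresses from plan and apply output; they are still written in plaintext to the Terraform state (via the data source's `secret_string` and each subscription's `endpoint`) and are visible on the SNS topic in the AWS console, so the description should not let readers think the flag is a confidentiality control on its own. The variable also has no `validation` block, so a malformed entry in the secret is only rejected by SNS at apply time, after the topic and alarm have already been created. I would extend the description and add a plan-time check as below.
```hcl
variable "notification_emails" {
  # … unchanged: type, sensitive, default …
  description = "The email addresses to which notifications will be sent. Marked sensitive so they are redacted from plan output; they are still stored in plaintext in Terraform state and visible on the SNS topic, so the state backend must be encrypted and access-restricted."

  # Reject malformed entries at plan time instead of from SNS at apply time; the error never echoes the value.
  validation {
    condition     = alltrue([for e in var.notification_emails : can(regex("^[^@\\s]+@[^@\\s]+$", e))])
    error_message = "Every entry in notification_emails must be a well-formed email address."
  }
}
```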
--- a/terraform/account-wide-infrastructure/prod/locals.tf +++ b/terraform/account-wide-infrastructure/prod/locals.tf @@ -4,5 +4,5 @@ locals { environment = terraform.workspace prefix = "${local.project}--${local.environment}" - notification_emails = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string)))) + notification_emails = tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string)) } diff --git a/terraform/account-wide-infrastructure/test/locals.tf b/terraform/account-wide-infrastructure/test/locals.tf index 9b06efdfe..06c8c4221 100644 --- a/terraform/account-wide-infrastructure/test/locals.tf +++ b/terraform/account-wide-infrastructure/test/locals.tf @@ -4,5 +4,5 @@ locals { environment = terraform.workspace prefix = "${local.project}--${local.environment}" - notification_emails = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string)))) + notification_emails = tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string)) }
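Review bot: With this hunk the `notification_emails` expression in prod/locals.tf is now byte-identical to the dev and test copies (all three headers show the same `9b06efdfe..06c8c4221` blobs), so the assumption about the secret's JSON shape is triplicated and any future fix has to be made three times. Consider having the lambda-errors-metric-alarm module accept the secret name and perform the lookup itself, or at minimum add the same explanatory comment in all three files, e.g. `# Secret must be a JSON array of addresses; see the module's notification_emails variable.` The `locals` block starts outside the hunk.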