NHSDigital · aidenvaines-cgi · Apr 29, 2026 · Apr 30, 2026
@@ -5,7 +5,7 @@ nodejs         24.14.1
 pnpm           10.33.0
 pre-commit     3.6.0
 ruby           3.3.6
-terraform      1.10.1
+terraform      1.14.3
 terraform-docs 0.19.0
 #trivy          0.61.0 - TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
 vale           3.6.0

@@ -1 +1 @@
-terraform 1.10.1
+terraform 1.14.3
@@ -15,7 +15,6 @@
 |------|-------------|------|---------|:--------:|
 | <a name="input_applications_map_parameter_name"></a> [applications\_map\_parameter\_name](#input\_applications\_map\_parameter\_name) | SSM Parameter Store path for the clientId-to-applicationData map, where applicationData is currently only the applicationId | `string` | `null` | no |
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
-| <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"callbacks"` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_deploy_mock_clients"></a> [deploy\_mock\_clients](#input\_deploy\_mock\_clients) | Flag to deploy mock webhook lambda for integration testing (test/dev environments only) | `bool` | `false` | no |
 | <a name="input_enable_event_anomaly_detection"></a> [enable\_event\_anomaly\_detection](#input\_enable\_event\_anomaly\_detection) | Enable CloudWatch anomaly detection alarm for inbound event queue message reception | `bool` | `true` | no |
@@ -44,6 +43,7 @@
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_callback_clients"></a> [callback\_clients](#module\_callback\_clients) | ../../modules/callback-clients | n/a |
 | <a name="module_client_config_bucket"></a> [client\_config\_bucket](#module\_client\_config\_bucket) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.7/terraform-s3bucket.zip | n/a |
 | <a name="module_client_destination"></a> [client\_destination](#module\_client\_destination) | ../../modules/client-destination | n/a |
 | <a name="module_client_transform_filter_lambda"></a> [client\_transform\_filter\_lambda](#module\_client\_transform\_filter\_lambda) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.7/terraform-lambda.zip | n/a |

@@ -62,5 +62,5 @@ locals {
     }
   ]...)
 
-  applications_map_parameter_name = coalesce(var.applications_map_parameter_name, "/${var.project}/${var.environment}/${var.component}/applications-map")
+  applications_map_parameter_name = coalesce(var.applications_map_parameter_name, "/${var.project}/${var.environment}/${local.component}/applications-map")
 }
@@ -1,4 +1,6 @@
 locals {
+  component = "cb"
+
   terraform_state_bucket = format(
     "%s-tfscaffold-%s-%s",
     var.project,
@@ -11,7 +13,7 @@ locals {
       "%s-%s-%s",
       var.project,
       var.environment,
-      var.component,
+      local.component,
     ),
     "_",
     "",
@@ -25,7 +27,7 @@ locals {
       var.aws_account_id,
       var.region,
       var.environment,
-      var.component,
+      local.component,
     ),
     "_",
     "",
@@ -36,7 +38,7 @@ locals {
     {
       Project     = var.project
       Environment = var.environment
-      Component   = var.component
+      Component   = local.component
       Group       = var.group
       Name        = local.csi
     },

@@ -0,0 +1,22 @@
+locals {
+  clients = toset(["alpha", "beta", "gamma"])
+}
+
+module "callback_clients" {
+  source = "../../modules/callback-clients"
+
+  for_each = local.clients
+
+  project         = var.project
+  aws_account_id  = var.aws_account_id
+  region          = var.region
+  component       = local.component
+  client_id       = each.key
+  environment     = var.environment
+  client_bus_name = aws_cloudwatch_event_bus.main.name
+
+  kms_key_arn = module.kms.key_arn
+
+  log_retention_in_days    = var.log_retention_in_days
+  force_lambda_code_deploy = var.force_lambda_code_deploy
+}
@@ -4,7 +4,7 @@ module "client_destination" {
   project         = var.project
   aws_account_id  = var.aws_account_id
   region          = var.region
-  component       = var.component
+  component       = local.component
   environment     = var.environment
   client_bus_name = aws_cloudwatch_event_bus.main.name
 

@@ -2,7 +2,7 @@ module "kms" {
   source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.7/terraform-kms.zip"
 
   aws_account_id = var.aws_account_id
-  component      = var.component
+  component      = local.component
   environment    = var.environment
   project        = var.project
   region         = var.region

@@ -6,7 +6,7 @@ module "mock_webhook_lambda" {
   description   = "Mock webhook endpoint for integration testing - logs received callbacks to CloudWatch"
 
   aws_account_id = var.aws_account_id
-  component      = var.component
+  component      = local.component
   environment    = var.environment
   project        = var.project
   region         = var.region

@@ -2,7 +2,7 @@ module "sqs_inbound_event" {
   source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.7/terraform-sqs.zip"
 
   aws_account_id = var.aws_account_id
-  component      = var.component
+  component      = local.component
   environment    = var.environment
   project        = var.project
   region         = var.region
@@ -33,7 +33,7 @@ data "aws_iam_policy_document" "sqs_inbound_event" {
     ]
 
     resources = [
-      "arn:aws:sqs:${var.region}:${var.aws_account_id}:${var.project}-${var.environment}-${var.component}-inbound-event-queue"
+      "arn:aws:sqs:${var.region}:${var.aws_account_id}:${var.project}-${var.environment}-${local.component}-inbound-event-queue"
     ]
 
     condition {

@@ -5,7 +5,7 @@ module "client_transform_filter_lambda" {
   description   = "Lambda function that transforms and filters events coming to through the eventpipe"
 
   aws_account_id = var.aws_account_id
-  component      = var.component
+  component      = local.component
   environment    = var.environment
   project        = var.project
   region         = var.region

@@ -10,7 +10,7 @@ output "deployment" {
     project        = var.project
     environment    = var.environment
     group          = var.group
-    component      = var.component
+    component      = local.component
   }
 }
 

@@ -17,7 +17,7 @@ module "client_config_bucket" {
   name = "subscription-config"
 
   aws_account_id = var.aws_account_id
-  component      = var.component
+  component      = local.component
   environment    = var.environment
   project        = var.project
   region         = var.region

@@ -35,11 +35,7 @@ variable "group" {
 # a default within its declaration in this file, because the variables
 # purpose is as an identifier unique to this component, rather
 # then to the environment from where all other variables come.
-variable "component" {
-  type        = string
-  description = "The variable encapsulating the name of this component"
-  default     = "callbacks"
-}
+
 
 variable "default_tags" {
   type        = map(string)

@@ -0,0 +1,33 @@
+<!-- BEGIN_TF_DOCS -->
+<!-- markdownlint-disable -->
+<!-- vale off -->
+
+## Requirements
+
+No requirements.
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
+| <a name="input_client_bus_name"></a> [client\_bus\_name](#input\_client\_bus\_name) | The name of the event bus to create rules on | `string` | n/a | yes |
+| <a name="input_client_id"></a> [client\_id](#input\_client\_id) | Unique identifier for the client | `string` | n/a | yes |
+| <a name="input_component"></a> [component](#input\_component) | Component name | `string` | n/a | yes |
+| <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
+| <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
+| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS Key ARN | `string` | n/a | yes |
+| <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
+## Modules
+
+No modules.
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_callback_rule_arn"></a> [callback\_rule\_arn](#output\_callback\_rule\_arn) | ARN of the callback event rule |
+| <a name="output_callback_rule_name"></a> [callback\_rule\_name](#output\_callback\_rule\_name) | Name of the callback event rule |
+<!-- vale on -->
+<!-- markdownlint-enable -->
+<!-- END_TF_DOCS -->
@@ -0,0 +1,16 @@
+resource "aws_cloudwatch_event_rule" "main" {
+  name           = "${local.csi}-callback-rule"
+  event_bus_name = var.client_bus_name
+
+  event_pattern = jsonencode({
+    source = [{ prefix = "" }] # Your event pattern here this is effectively "*"
+  })
+}
+
+# resource "aws_cloudwatch_event_target" "main" {
+#   rule           = aws_cloudwatch_event_rule.main.name
+#   event_bus_name = var.client_bus_name
+#   target_id      = "callback-target"
+#   arn            = # Your target ARN (Lambda, SNS, etc.)
+#   # Additional target configuration...
+# }
@@ -0,0 +1,13 @@
+locals {
+  csi = replace(
+    format(
+      "%s-%s-%s-%s",
+      var.project,
+      var.environment,
+      var.component,
+      var.client_id,
+    ),
+    "_",
+    "",
+  )
+}
@@ -0,0 +1,9 @@
+output "callback_rule_arn" {
+  description = "ARN of the callback event rule"
+  value       = aws_cloudwatch_event_rule.main.arn
+}
+
+output "callback_rule_name" {
+  description = "Name of the callback event rule"
+  value       = aws_cloudwatch_event_rule.main.name
+}
@@ -0,0 +1,55 @@
+##
+# Basic Required Variables for tfscaffold Components
+##
+
+variable "project" {
+  type        = string
+  description = "The name of the tfscaffold project"
+}
+
+variable "environment" {
+  type        = string
+  description = "The name of the tfscaffold environment"
+}
+
+variable "component" {
+  type        = string
+  description = "Component name"
+}
+
+variable "client_id" {
+  type        = string
+  description = "Unique identifier for the client"
+}
+
+variable "aws_account_id" {
+  type        = string
+  description = "The AWS Account ID (numeric)"
+}
+
+variable "region" {
+  type        = string
+  description = "The AWS Region"
+}
+
+variable "kms_key_arn" {
+  type        = string
+  description = "KMS Key ARN"
+}
+
+variable "client_bus_name" {
+  type        = string
+  description = "The name of the event bus to create rules on"
+}
+
+variable "log_retention_in_days" {
+  type        = number
+  description = "The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite"
+  default     = 0
+}
+
+variable "force_lambda_code_deploy" {
+  type        = bool
+  description = "If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development"
+  default     = false
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -62,5 +62,5 @@ locals { @@
         }
       ]...)
-      applications_map_parameter_name = coalesce(var.applications_map_parameter_name, "/${var.project}/${var.environment}/${var.component}/applications-map")
+      applications_map_parameter_name = coalesce(var.applications_map_parameter_name, "/${var.project}/${var.environment}/${local.component}/applications-map")
     }