NHSDigital · sidnhs · May 29, 2025 · May 28, 2025 · May 28, 2025 · May 28, 2025
@@ -35,7 +35,7 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_name"></a> [name](#output\_name) | n/a |
+| <a name="output_name"></a> [name](#output\_name) | Name of the Amplify branch |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
@@ -1,3 +1,4 @@
 output "name" {
-  value = aws_amplify_branch.main.branch_name
+  description = "Name of the Amplify branch"
+  value       = aws_amplify_branch.main.branch_name
 }
@@ -68,7 +68,7 @@ variable "branch" {
 variable "display_name" {
   description = "The display name of the branch app being deployed"
   type        = string
-  default = null
+  default     = null
 }
 
 variable "enable_auto_build" {

@@ -57,7 +57,7 @@ No requirements.
 | <a name="input_backup_copy_vault_account_id"></a> [backup\_copy\_vault\_account\_id](#input\_backup\_copy\_vault\_account\_id) | The account id of the destination backup vault for allowing restores back into the source account. | `string` | `""` | no |
 | <a name="input_backup_copy_vault_arn"></a> [backup\_copy\_vault\_arn](#input\_backup\_copy\_vault\_arn) | The ARN of the destination backup vault for cross-account backup copies. | `string` | `""` | no |
 | <a name="input_backup_plan_config_dynamodb"></a> [backup\_plan\_config\_dynamodb](#input\_backup\_plan\_config\_dynamodb) | Configuration for backup plans with dynamodb | <pre>object({<br/>    enable                    = bool<br/>    selection_tag             = string<br/>    compliance_resource_types = list(string)<br/>    rules = optional(list(object({<br/>      name                     = string<br/>      schedule                 = string<br/>      enable_continuous_backup = optional(bool)<br/>      lifecycle = object({<br/>        delete_after       = number<br/>        cold_storage_after = optional(number)<br/>      })<br/>      copy_action = optional(object({<br/>        delete_after = optional(number)<br/>      }))<br/>    })))<br/>  })</pre> | <pre>{<br/>  "compliance_resource_types": [<br/>    "DynamoDB"<br/>  ],<br/>  "enable": false,<br/>  "rules": [<br/>    {<br/>      "copy_action": {<br/>        "delete_after": 365<br/>      },<br/>      "lifecycle": {<br/>        "delete_after": 35<br/>      },<br/>      "name": "dynamodb_daily_kept_5_weeks",<br/>      "schedule": "cron(0 0 * * ? *)"<br/>    },<br/>    {<br/>      "copy_action": {<br/>        "delete_after": 365<br/>      },<br/>      "lifecycle": {<br/>        "delete_after": 90<br/>      },<br/>      "name": "dynamodb_weekly_kept_3_months",<br/>      "schedule": "cron(0 1 ? * SUN *)"<br/>    },<br/>    {<br/>      "copy_action": {<br/>        "delete_after": 365<br/>      },<br/>      "lifecycle": {<br/>        "cold_storage_after": 30,<br/>        "delete_after": 2555<br/>      },<br/>      "name": "dynamodb_monthly_kept_7_years",<br/>      "schedule": "cron(0 2 1  * ? *)"<br/>    }<br/>  ],<br/>  "selection_tag": "BackupDynamoDB"<br/>}</pre> | no |
-| <a name="input_backup_plan_config_s3"></a> [backup\_plan\_config\_s3](#input\_backup\_plan\_config\_s3) | Configuration for backup plans | <pre>object({<br/>    enable                    = bool<br/>    selection_tag             = string<br/>    compliance_resource_types = list(string)<br/>    rules = list(object({<br/>      name                     = string<br/>      schedule                 = string<br/>      enable_continuous_backup = optional(bool)<br/>      lifecycle = object({<br/>        delete_after       = optional(number)<br/>        cold_storage_after = optional(number)<br/>      })<br/>      copy_action = optional(object({<br/>        delete_after = optional(number)<br/>      }))<br/>    }))<br/>  })</pre> | <pre>{<br/>  "compliance_resource_types": [<br/>    "S3"<br/>  ],<br/>  "enable": false,<br/>  "rules": [<br/>    {<br/>      "copy_action": {<br/>        "delete_after": 365<br/>      },<br/>      "lifecycle": {<br/>        "delete_after": 35<br/>      },<br/>      "name": "daily_kept_5_weeks",<br/>      "schedule": "cron(0 0 * * ? *)"<br/>    },<br/>    {<br/>      "copy_action": {<br/>        "delete_after": 365<br/>      },<br/>      "lifecycle": {<br/>        "delete_after": 90<br/>      },<br/>      "name": "weekly_kept_3_months",<br/>      "schedule": "cron(0 1 ? * SUN *)"<br/>    },<br/>    {<br/>      "copy_action": {<br/>        "delete_after": 365<br/>      },<br/>      "lifecycle": {<br/>        "cold_storage_after": 30,<br/>        "delete_after": 2555<br/>      },<br/>      "name": "monthly_kept_7_years",<br/>      "schedule": "cron(0 2 1  * ? *)"<br/>    },<br/>    {<br/>      "copy_action": {<br/>        "delete_after": 365<br/>      },<br/>      "enable_continuous_backup": true,<br/>      "lifecycle": {<br/>        "delete_after": 35<br/>      },<br/>      "name": "point_in_time_recovery",<br/>      "schedule": "cron(0 5 * * ? *)"<br/>    }<br/>  ],<br/>  "selection_tag": "BackupLocal"<br/>}</pre> | no |
+| <a name="input_backup_plan_config_s3"></a> [backup\_plan\_config\_s3](#input\_backup\_plan\_config\_s3) | Configuration for backup plans for s3 | <pre>object({<br/>    enable                    = bool<br/>    selection_tag             = string<br/>    compliance_resource_types = list(string)<br/>    rules = list(object({<br/>      name                     = string<br/>      schedule                 = string<br/>      enable_continuous_backup = optional(bool)<br/>      lifecycle = object({<br/>        delete_after       = optional(number)<br/>        cold_storage_after = optional(number)<br/>      })<br/>      copy_action = optional(object({<br/>        delete_after = optional(number)<br/>      }))<br/>    }))<br/>  })</pre> | <pre>{<br/>  "compliance_resource_types": [<br/>    "S3"<br/>  ],<br/>  "enable": false,<br/>  "rules": [<br/>    {<br/>      "copy_action": {<br/>        "delete_after": 365<br/>      },<br/>      "lifecycle": {<br/>        "delete_after": 35<br/>      },<br/>      "name": "daily_kept_5_weeks",<br/>      "schedule": "cron(0 0 * * ? *)"<br/>    },<br/>    {<br/>      "copy_action": {<br/>        "delete_after": 365<br/>      },<br/>      "lifecycle": {<br/>        "delete_after": 90<br/>      },<br/>      "name": "weekly_kept_3_months",<br/>      "schedule": "cron(0 1 ? * SUN *)"<br/>    },<br/>    {<br/>      "copy_action": {<br/>        "delete_after": 365<br/>      },<br/>      "lifecycle": {<br/>        "cold_storage_after": 30,<br/>        "delete_after": 2555<br/>      },<br/>      "name": "monthly_kept_7_years",<br/>      "schedule": "cron(0 2 1  * ? *)"<br/>    },<br/>    {<br/>      "copy_action": {<br/>        "delete_after": 365<br/>      },<br/>      "enable_continuous_backup": true,<br/>      "lifecycle": {<br/>        "delete_after": 35<br/>      },<br/>      "name": "point_in_time_recovery",<br/>      "schedule": "cron(0 5 * * ? *)"<br/>    }<br/>  ],<br/>  "selection_tag": "BackupLocal"<br/>}</pre> | no |
 | <a name="input_component"></a> [component](#input\_component) | The name of the tfscaffold component | `string` | n/a | yes |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | Default tag map for application to all taggable resources in the module | `map(string)` | `{}` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the environment where AWS Backup is configured. | `string` | n/a | yes |

@@ -2,7 +2,7 @@
 resource "aws_backup_plan" "dynamodb" {
   count = var.backup_plan_config_dynamodb.enable ? 1 : 0
 
-  name  = "${local.csi}-dynamodb"
+  name = "${local.csi}-dynamodb"
 
   dynamic "rule" {
     for_each = var.backup_plan_config_dynamodb.rules

@@ -1,5 +1,5 @@
 resource "aws_backup_report_plan" "copy_jobs" {
-  count       = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" ? 1 : 0
+  count = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" ? 1 : 0
 
   name        = "${local.csi_underscore}_copy_jobs"
   description = "Report for showing whether copies ran successfully in the last 24 hours"

@@ -3,7 +3,7 @@ resource "aws_backup_report_plan" "resource_compliance" {
   description = "Report for showing whether resources are compliant with the framework"
 
   report_delivery_channel {
-    formats = ["JSON"]
+    formats        = ["JSON"]
     s3_bucket_name = var.reports_bucket
     s3_key_prefix  = "resource_compliance"
   }
@@ -19,6 +19,6 @@ resource "aws_backup_report_plan" "resource_compliance" {
       var.backup_plan_config_s3.enable ? [aws_backup_framework.s3[0].arn] : []
     ))
 
-    report_template      = "RESOURCE_COMPLIANCE_REPORT"
+    report_template = "RESOURCE_COMPLIANCE_REPORT"
   }
 }
@@ -1,5 +1,5 @@
 resource "aws_iam_role" "backup" {
-  name               = "${local.csi}"
+  name               = local.csi
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 

@@ -9,12 +9,12 @@ locals {
     var.name
   )
 
-  csi_underscore = replace(local.csi,"-","_")
+  csi_underscore = replace(local.csi, "-", "_")
 
   default_tags = merge(
     var.default_tags,
     {
-      Name = local.csi
+      Name   = local.csi
       Module = local.module
     },
   )

@@ -93,7 +93,7 @@ variable "backup_copy_vault_account_id" {
 }
 
 variable "backup_plan_config_s3" {
-  description = "Configuration for backup plans"
+  description = "Configuration for backup plans for s3"
   type = object({
     enable                    = bool
     selection_tag             = string

@@ -38,8 +38,8 @@
 
 | Name | Description |
 |------|-------------|
-| <a name="output_s3_bucket_event_cache"></a> [s3\_bucket\_event\_cache](#output\_s3\_bucket\_event\_cache) | n/a |
-| <a name="output_sns_topic"></a> [sns\_topic](#output\_sns\_topic) | n/a |
+| <a name="output_s3_bucket_event_cache"></a> [s3\_bucket\_event\_cache](#output\_s3\_bucket\_event\_cache) | S3 Bucket ARN and Name for event cache |
+| <a name="output_sns_topic"></a> [sns\_topic](#output\_sns\_topic) | SNS Topic ARN and Name |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
@@ -1,6 +1,6 @@
 resource "archive_file" "lambda" {
-  type        = "zip"
-  source_dir  = "${path.module}/lambda/eventpub/src"
+  type       = "zip"
+  source_dir = "${path.module}/lambda/eventpub/src"
 
   # Timestamp in path to resolve https://github.com/hashicorp/terraform-provider-archive/issues/39
   output_path = "${path.module}/lambda/eventpub_${timestamp()}.zip"

@@ -67,7 +67,7 @@ data "aws_iam_policy_document" "lambda" {
     ]
   }
 
-    statement {
+  statement {
     sid    = "DLQPutMessage"
     effect = "Allow"
 

@@ -1,11 +1,13 @@
 output "sns_topic" {
+  description = "SNS Topic ARN and Name"
   value = {
     arn  = aws_sns_topic.main.arn
     name = aws_sns_topic.main.name
   }
 }
 
 output "s3_bucket_event_cache" {
+  description = "S3 Bucket ARN and Name for event cache"
   value = var.enable_event_cache ? {
     arn    = module.s3bucket_event_cache[0].arn
     bucket = module.s3bucket_event_cache[0].bucket

@@ -29,10 +29,10 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_admin_policy_arn"></a> [admin\_policy\_arn](#output\_admin\_policy\_arn) | n/a |
-| <a name="output_key_arn"></a> [key\_arn](#output\_key\_arn) | n/a |
-| <a name="output_key_id"></a> [key\_id](#output\_key\_id) | n/a |
-| <a name="output_user_policy_arn"></a> [user\_policy\_arn](#output\_user\_policy\_arn) | n/a |
+| <a name="output_admin_policy_arn"></a> [admin\_policy\_arn](#output\_admin\_policy\_arn) | ARN of the admin IAM policy |
+| <a name="output_key_arn"></a> [key\_arn](#output\_key\_arn) | ARN of the KMS key |
+| <a name="output_key_id"></a> [key\_id](#output\_key\_id) | ID of the KMS key |
+| <a name="output_user_policy_arn"></a> [user\_policy\_arn](#output\_user\_policy\_arn) | ARN of the user IAM policy |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
@@ -1,15 +1,19 @@
 output "key_arn" {
-  value = aws_kms_key.main.arn
+  description = "ARN of the KMS key"
+  value       = aws_kms_key.main.arn
 }
 
 output "key_id" {
-  value = aws_kms_key.main.key_id
+  description = "ID of the KMS key"
+  value       = aws_kms_key.main.key_id
 }
 
 output "admin_policy_arn" {
-  value = aws_iam_policy.admin.arn
+  description = "ARN of the admin IAM policy"
+  value       = aws_iam_policy.admin.arn
 }
 
 output "user_policy_arn" {
-  value = aws_iam_policy.user.arn
+  description = "ARN of the user IAM policy"
+  value       = aws_iam_policy.user.arn
 }
@@ -21,8 +21,8 @@
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_filter_pattern"></a> [filter\_pattern](#input\_filter\_pattern) | Filter pattern to use for the log subscription filter | `string` | `""` | no |
 | <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
-| <a name="input_function_code_base_path"></a> [function\_code\_base\_path](#input\_function\_code\_base\_path) | The path to the sourcecode directories needed for this lambda | `string` | `"./"` | no |
-| <a name="input_function_code_dir"></a> [function\_code\_dir](#input\_function\_code\_dir) | The path to the sourcecode directories needed for this lambda | `string` | n/a | yes |
+| <a name="input_function_code_base_path"></a> [function\_code\_base\_path](#input\_function\_code\_base\_path) | The base path to the sourcecode directories needed for this lambda | `string` | `"./"` | no |
+| <a name="input_function_code_dir"></a> [function\_code\_dir](#input\_function\_code\_dir) | The directory for this lambda | `string` | n/a | yes |
 | <a name="input_function_include_common"></a> [function\_include\_common](#input\_function\_include\_common) | Include the 'common' lambda module with this lambda | `bool` | `true` | no |
 | <a name="input_function_module_name"></a> [function\_module\_name](#input\_function\_module\_name) | The name of the function module as used by the lambda handler, e.g. index or exports | `string` | `"index"` | no |
 | <a name="input_function_name"></a> [function\_name](#input\_function\_name) | Base name of this lambda | `string` | n/a | yes |
@@ -31,8 +31,8 @@
 | <a name="input_handler_function_name"></a> [handler\_function\_name](#input\_handler\_function\_name) | The name of the lambda handler function (passed directly to the Lambda's handler option) | `string` | `"handler"` | no |
 | <a name="input_iam_policy_document"></a> [iam\_policy\_document](#input\_iam\_policy\_document) | n/a | <pre>object({<br/>    body = string<br/>  })</pre> | `null` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key arn to use for this function | `string` | n/a | yes |
-| <a name="input_lambda_at_edge"></a> [lambda\_at\_edge](#input\_lambda\_at\_edge) | Enable the lambda insights layer, this must be disabled for lambda@edge usage | `bool` | `false` | no |
-| <a name="input_lambda_dlq_message_retention_seconds"></a> [lambda\_dlq\_message\_retention\_seconds](#input\_lambda\_dlq\_message\_retention\_seconds) | KMS Key ARN to be used for SNS Topic for on-failure Lambda invocation records | `number` | `86400` | no |
+| <a name="input_lambda_at_edge"></a> [lambda\_at\_edge](#input\_lambda\_at\_edge) | Whether this Lambda is a Lambda@Edge function | `bool` | `false` | no |
+| <a name="input_lambda_dlq_message_retention_seconds"></a> [lambda\_dlq\_message\_retention\_seconds](#input\_lambda\_dlq\_message\_retention\_seconds) | The number of seconds to retain messages in the Lambda DLQ SQS queue | `number` | `86400` | no |
 | <a name="input_lambda_env_vars"></a> [lambda\_env\_vars](#input\_lambda\_env\_vars) | Lambda environment parameters map | `map(string)` | `{}` | no |
 | <a name="input_layers"></a> [layers](#input\_layers) | Lambda layer arns to include | `list(any)` | `[]` | no |
 | <a name="input_log_destination_arn"></a> [log\_destination\_arn](#input\_log\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | `""` | no |
@@ -58,14 +58,14 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | n/a |
-| <a name="output_function_arn"></a> [function\_arn](#output\_function\_arn) | n/a |
-| <a name="output_function_env_vars"></a> [function\_env\_vars](#output\_function\_env\_vars) | n/a |
-| <a name="output_function_invoke_arn"></a> [function\_invoke\_arn](#output\_function\_invoke\_arn) | n/a |
-| <a name="output_function_name"></a> [function\_name](#output\_function\_name) | n/a |
-| <a name="output_function_qualified_arn"></a> [function\_qualified\_arn](#output\_function\_qualified\_arn) | n/a |
-| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | n/a |
-| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | n/a |
+| <a name="output_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | Name of the CloudWatch Log Group for the Lambda function |
+| <a name="output_function_arn"></a> [function\_arn](#output\_function\_arn) | ARN of the Lambda function |
+| <a name="output_function_env_vars"></a> [function\_env\_vars](#output\_function\_env\_vars) | Environment variables for the Lambda function |
+| <a name="output_function_invoke_arn"></a> [function\_invoke\_arn](#output\_function\_invoke\_arn) | Invoke ARN of the Lambda function |
+| <a name="output_function_name"></a> [function\_name](#output\_function\_name) | Name of the Lambda function |
+| <a name="output_function_qualified_arn"></a> [function\_qualified\_arn](#output\_function\_qualified\_arn) | Qualified ARN of the Lambda function, including version or alias |
+| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | ARN of the IAM role associated with the Lambda function |
+| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | Name of the IAM role associated with the Lambda function |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
@@ -1,31 +1,39 @@
 output "function_name" {
-  value = aws_lambda_function.main.function_name
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.main.function_name
 }
 
 output "function_arn" {
-  value = aws_lambda_function.main.arn
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.main.arn
 }
 
 output "function_invoke_arn" {
-  value = aws_lambda_function.main.invoke_arn
+  description = "Invoke ARN of the Lambda function"
+  value       = aws_lambda_function.main.invoke_arn
 }
 
 output "function_qualified_arn" {
-  value = aws_lambda_function.main.qualified_arn
+  description = "Qualified ARN of the Lambda function, including version or alias"
+  value       = aws_lambda_function.main.qualified_arn
 }
 
 output "function_env_vars" {
-  value = length(var.lambda_env_vars) == 0 ? {} : aws_lambda_function.main.environment[0].variables
+  description = "Environment variables for the Lambda function"
+  value       = length(var.lambda_env_vars) == 0 ? {} : aws_lambda_function.main.environment[0].variables
 }
 
 output "iam_role_name" {
-  value = aws_iam_role.main.name
+  description = "Name of the IAM role associated with the Lambda function"
+  value       = aws_iam_role.main.name
 }
 
 output "iam_role_arn" {
-  value = aws_iam_role.main.arn
+  description = "ARN of the IAM role associated with the Lambda function"
+  value       = aws_iam_role.main.arn
 }
 
 output "cloudwatch_log_group_name" {
-  value = aws_cloudwatch_log_group.main.name
+  description = "Name of the CloudWatch Log Group for the Lambda function"
+  value       = aws_cloudwatch_log_group.main.name
 }