NHSDigital · jamesthompson26-nhs · Jun 9, 2025 · Jun 2, 2025 · Jun 9, 2025
@@ -22,6 +22,7 @@
 | <a name="input_event_cache_buffer_interval"></a> [event\_cache\_buffer\_interval](#input\_event\_cache\_buffer\_interval) | The buffer interval for data firehose | `number` | `500` | no |
 | <a name="input_event_cache_expiry_days"></a> [event\_cache\_expiry\_days](#input\_event\_cache\_expiry\_days) | s3 archiving expiry in days | `number` | `30` | no |
 | <a name="input_group"></a> [group](#input\_group) | The name of the tfscaffold group | `string` | `null` | no |
+| <a name="input_iam_permissions_boundary_arn"></a> [iam\_permissions\_boundary\_arn](#input\_iam\_permissions\_boundary\_arn) | The ARN of the permissions boundary to use for the IAM role | `string` | `null` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key arn to use for this function | `string` | n/a | yes |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"WARN"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events generated by the lambda function | `number` | n/a | yes |

@@ -1,6 +1,6 @@
 resource "aws_cloudwatch_metric_alarm" "dlq_alarm" {
   alarm_name          = "${local.csi}-dlq-messages-alarm"
-  alarm_description   = "Alarm for messages in the DLQ"
+  alarm_description   = "RELIABILITY: Alarm for messages in the DLQ"
   comparison_operator = "GreaterThanThreshold"
   evaluation_periods  = 1
   metric_name         = "ApproximateNumberOfMessagesVisible"

@@ -0,0 +1,17 @@
+resource "aws_cloudwatch_metric_alarm" "lambda_errors" {
+  alarm_name          = "${local.csi}-lambda-errors-alarm"
+  alarm_description   = "RELIABILITY: Alarm for Lambda function errors"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods  = 1
+  metric_name         = "Errors"
+  namespace           = "AWS/Lambda"
+  period              = 300
+  statistic           = "Sum"
+  threshold           = 1
+  actions_enabled     = true
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    FunctionName = aws_lambda_function.main.function_name
+  }
+}
@@ -0,0 +1,16 @@
+resource "aws_cloudwatch_metric_alarm" "sns_delivery_failures" {
+  alarm_name          = "${local.csi}-sns-delivery-failures"
+  alarm_description   = "RELIABILITY: Alarm for SNS topic delivery failures"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "NumberOfNotificationsFailed"
+  namespace           = "AWS/SNS"
+  period              = 300
+  statistic           = "Sum"
+  threshold           = 0
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    TopicName = aws_sns_topic.main.name
+  }
+}
@@ -1,8 +1,9 @@
 resource "aws_iam_role" "firehose_role" {
   count = var.enable_event_cache ? 1 : 0
 
-  name               = "${local.csi}-firehose-role"
-  assume_role_policy = data.aws_iam_policy_document.firehose_assume_role[0].json
+  name                 = "${local.csi}-firehose-role"
+  assume_role_policy   = data.aws_iam_policy_document.firehose_assume_role[0].json
+  permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null
 }
 
 data "aws_iam_policy_document" "firehose_assume_role" {

@@ -1,6 +1,7 @@
 resource "aws_iam_role" "lambda" {
-  name               = local.csi
-  assume_role_policy = data.aws_iam_policy_document.lambda_assumerole.json
+  name                 = local.csi
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assumerole.json
+  permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null
 }
 
 resource "aws_iam_policy" "lambda" {

@@ -1,6 +1,7 @@
 resource "aws_iam_role" "sns_role" {
-  name               = "${local.csi}-sns-role"
-  assume_role_policy = data.aws_iam_policy_document.sns_assume_role.json
+  name                 = "${local.csi}-sns-role"
+  assume_role_policy   = data.aws_iam_policy_document.sns_assume_role.json
+  permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null
 }
 
 resource "aws_iam_policy" "firehose_delivery" {

@@ -1,8 +1,9 @@
 resource "aws_iam_role" "sns_delivery_logging_role" {
   count = var.enable_sns_delivery_logging ? 1 : 0
 
-  name               = "${local.csi}-sns-delivery-logging"
-  assume_role_policy = data.aws_iam_policy_document.sns_delivery_logging_assume_role[0].json
+  name                 = "${local.csi}-sns-delivery-logging"
+  assume_role_policy   = data.aws_iam_policy_document.sns_delivery_logging_assume_role[0].json
+  permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null
 }
 
 data "aws_iam_policy_document" "sns_delivery_logging_assume_role" {

@@ -108,3 +108,9 @@ variable "control_plane_bus_arn" {
   type        = string
   description = "Data plane event bus arn"
 }
+
+variable "iam_permissions_boundary_arn" {
+  type        = string
+  description = "The ARN of the permissions boundary to use for the IAM role"
+  default     = null
+}