From 6d2756b02bb46108dbf8e4d91911e1ead2073faa Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Mon, 19 Jan 2026 09:37:12 +0000
Subject: [PATCH 1/4] (ELI-597) final extra permission

---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index c3d70b92f..1bcaf2145 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -458,6 +458,7 @@ resource "aws_iam_policy" "api_infrastructure" {
 "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/webacl/*",
 "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/managedruleset/*",
 "arn:aws:states:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:stateMachine:*",
+ "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/*"
 ]
 },
 ]

From 5f5bf7805676ccc0ccd1767dd4f22d3a4dbbb55c Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Mon, 19 Jan 2026 11:44:29 +0000
Subject: [PATCH 2/4] (ELI-597) fixing escaping error

---
 infrastructure/stacks/api-layer/step_functions.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/infrastructure/stacks/api-layer/step_functions.tf b/infrastructure/stacks/api-layer/step_functions.tf
index ea40a8c78..2c0225ec9 100644
--- a/infrastructure/stacks/api-layer/step_functions.tf
+++ b/infrastructure/stacks/api-layer/step_functions.tf
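Review bot: The added `rule/*` resource covers every EventBridge rule in the account and region, and the Action list of this statement is outside the hunk, so if it includes mutating actions such as `events:PutRule` or `events:PutTargets` the GitHub Actions role could modify rules belonging to other stacks. Restricting the ARN to the naming prefix this pipeline actually creates, e.g. `"arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/<STACK_RULE_PREFIX>*",` (prefix is a placeholder), keeps the grant to what the deploy job needs, and the same question applies to the neighbouring `stateMachine:*` entry. The new line also omits the trailing comma that the preceding entries carry; HCL tolerates it, but keeping it makes the next addition a one-line diff. The `api_infrastructure` policy statement begins and ends outside this hunk.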
@@ -106,7 +106,7 @@ INSTRUCTIONS:
 2. Ensure the new hashes are working as expected.
 3. Run the command below to approve and resume the workflow:
-aws stepfunctions send-task-success --task-token {} --task-output \\{\\}
+aws stepfunctions send-task-success --task-token {} --task-output {{}}
 ======================================================
 ', $$.Task.Token)
@@ -128,7 +128,7 @@ INSTRUCTIONS:
 2. Ensure the old hashes have been removed successfully.
 3. Run the command below to approve and resume the workflow:
-aws stepfunctions send-task-success --task-token {} --task-output \\{\\}
+aws stepfunctions send-task-success --task-token {} --task-output {{}}
 ======================================================
 ', $$.Task.Token)

From 4058ca74fc038d396acdb371246255898011ca92 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Mon, 19 Jan 2026 12:24:05 +0000
Subject: [PATCH 3/4] (ELI-597) fixing escaping error

---
 .../stacks/api-layer/step_functions.tf | 116 ++++-------------
 1 file changed, 23 insertions(+), 93 deletions(-)

diff --git a/infrastructure/stacks/api-layer/step_functions.tf b/infrastructure/stacks/api-layer/step_functions.tf
index 2c0225ec9..300803a1a 100644
--- a/infrastructure/stacks/api-layer/step_functions.tf
+++ b/infrastructure/stacks/api-layer/step_functions.tf
@@ -1,5 +1,4 @@
 resource "aws_sfn_state_machine" "rotation_machine" {
- #checkov:skip=CKV_AWS_284: No x-ray needed for this resource
 name = "SecretRotationWorkflow"
 role_arn = aws_iam_role.rotation_sfn_role.arn
@@ -12,21 +11,22 @@ resource "aws_sfn_state_machine" "rotation_machine" {
 definition = jsonencode({
 Comment = "Secret Rotation: Create -> Manual Pause -> Promote -> Manual Pause",
 StartAt = "CreatePendingVersion",
- States = {
- "CreatePendingVersion" : {
+ States = {
+ CreatePendingVersion = {
 Type = "Task",
 Resource = aws_lambda_function.create_secret_lambda.arn,
 Catch = [{ ErrorEquals = ["States.ALL"], Next = "NotifyFailure" }],
 Next = "WaitFor_AddNewHashes"
 },
- "WaitFor_AddNewHashes" : {
+
+ WaitFor_AddNewHashes = {
 Type = "Task",
 Resource = "arn:aws:states:::sns:publish.waitForTaskToken",
 TimeoutSeconds = 86400,
 Parameters = {
- Subject = "Action required: AWSPENDING secret created (Environment: ${var.environment})",
- TopicArn = aws_sns_topic.secret_rotation.arn,
- "Message.$" = local.add_jobs_message
+ Subject = "Action required: AWSPENDING secret created (Environment: ${var.environment})",
+ TopicArn = aws_sns_topic.secret_rotation.arn,
+ "Message.$" = "States.Format('======================================================\nAction required: AWSPENDING secret created (Environment: ${var.environment})\n======================================================\n\nA manual action is required to proceed.\n\nCONTEXT:\nSecret Name: ${module.secrets_manager.aws_hashing_secret_name}\n\nINSTRUCTIONS:\n1. Run the \"Add New Hashes (elid_add_new_salt)\" job.\n2. Ensure the new hashes are working as expected.\n3. Run the command below to approve and resume the workflow:\n\naws stepfunctions send-task-success --task-token {} --task-output {}\n\n======================================================\n', $$.Task.Token, '{}')"
 },
 Catch = [
 { ErrorEquals = ["States.Timeout"], Next = "NotifyTimeout" },
@@ -34,20 +34,22 @@ resource "aws_sfn_state_machine" "rotation_machine" {
 ],
 Next = "PromoteToCurrent"
 },
- "PromoteToCurrent" : {
+
+ PromoteToCurrent = {
 Type = "Task",
 Resource = aws_lambda_function.promote_secret_lambda.arn,
 Catch = [{ ErrorEquals = ["States.ALL"], Next = "NotifyFailure" }],
 Next = "WaitFor_DelOldHashes"
 },
- "WaitFor_DelOldHashes" : {
+
+ WaitFor_DelOldHashes = {
 Type = "Task",
 Resource = "arn:aws:states:::sns:publish.waitForTaskToken",
 TimeoutSeconds = 86400,
 Parameters = {
- Subject = "Action required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})",
- TopicArn = aws_sns_topic.secret_rotation.arn,
- "Message.$" = local.delete_jobs_message
+ Subject = "Action required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})",
+ TopicArn = aws_sns_topic.secret_rotation.arn,
+ "Message.$" = "States.Format('======================================================\nAction required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})\n======================================================\n\nA manual action is required to proceed.\n\nCONTEXT:\nSecret Name: ${module.secrets_manager.aws_hashing_secret_name}\n\nINSTRUCTIONS:\n1. Run the \"Delete Old Hashes (elid_delete_old_salt)\" job.\n2. Ensure the old hashes have been removed successfully.\n3. Run the command below to approve and resume the workflow:\n\naws stepfunctions send-task-success --task-token {} --task-output {}\n\n======================================================\n', $$.Task.Token, '{}')"
 },
 Catch = [
 { ErrorEquals = ["States.Timeout"], Next = "NotifyTimeout" },
@@ -56,23 +58,24 @@ resource "aws_sfn_state_machine" "rotation_machine" {
 End = true
 },
- "NotifyTimeout" : {
+ NotifyTimeout = {
 Type = "Task",
 Resource = "arn:aws:states:::sns:publish",
 Parameters = {
- TopicArn = aws_sns_topic.secret_rotation.arn,
- Subject = "Warning: Secret rotation timed out (Environment: ${var.environment})",
- "Message.$" = local.timeout_message
+ TopicArn = aws_sns_topic.secret_rotation.arn,
+ Subject = "Warning: Secret rotation timed out (Environment: ${var.environment})",
+ Message = local.timeout_message
 },
 Next = "Fail_Timeout"
 },
- "Fail_Timeout" : {
+ Fail_Timeout = {
 Type = "Fail",
 Error = "ManualActionTimedOut",
 Cause = "User did not respond within 24 hours."
 },
- "NotifyFailure" : {
+
+ NotifyFailure = {
 Type = "Task",
 Resource = "arn:aws:states:::sns:publish",
 Parameters = {
@@ -82,7 +85,8 @@ resource "aws_sfn_state_machine" "rotation_machine" {
 },
 Next = "Fail_Generic"
 },
- "Fail_Generic" : {
+
+ Fail_Generic = {
 Type = "Fail"
 }
 }
@@ -90,50 +94,6 @@ resource "aws_sfn_state_machine" "rotation_machine" {
} locals { - add_jobs_message = < - ====================================================== ', $.Cause) EOT timeout_message = < - ====================================================== -') EOT }

From ad46717941fb7b0e71d49a834ad95afb93249f14 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Mon, 19 Jan 2026 12:29:16 +0000
Subject: [PATCH 4/4] (ELI-597) fixing escaping error

---
 .../stacks/api-layer/step_functions.tf | 116 ++++++++++++++----
 1 file changed, 93 insertions(+), 23 deletions(-)

diff --git a/infrastructure/stacks/api-layer/step_functions.tf b/infrastructure/stacks/api-layer/step_functions.tf
index 300803a1a..199ff6dc2 100644
--- a/infrastructure/stacks/api-layer/step_functions.tf
+++ b/infrastructure/stacks/api-layer/step_functions.tf
@@ -1,4 +1,5 @@
 resource "aws_sfn_state_machine" "rotation_machine" {
+ #checkov:skip=CKV_AWS_284: No x-ray needed for this resource
 name = "SecretRotationWorkflow"
 role_arn = aws_iam_role.rotation_sfn_role.arn
@@ -11,22 +12,21 @@ resource "aws_sfn_state_machine" "rotation_machine" {
 definition = jsonencode({
 Comment = "Secret Rotation: Create -> Manual Pause -> Promote -> Manual Pause",
 StartAt = "CreatePendingVersion",
- States = {
- CreatePendingVersion = {
+ States = {
+ "CreatePendingVersion" : {
 Type = "Task",
 Resource = aws_lambda_function.create_secret_lambda.arn,
 Catch = [{ ErrorEquals = ["States.ALL"], Next = "NotifyFailure" }],
 Next = "WaitFor_AddNewHashes"
 },
-
- WaitFor_AddNewHashes = {
+ "WaitFor_AddNewHashes" : {
 Type = "Task",
 Resource = "arn:aws:states:::sns:publish.waitForTaskToken",
 TimeoutSeconds = 86400,
 Parameters = {
- Subject = "Action required: AWSPENDING secret created (Environment: ${var.environment})",
- TopicArn = aws_sns_topic.secret_rotation.arn,
- "Message.$" = "States.Format('======================================================\nAction required: AWSPENDING secret created (Environment: ${var.environment})\n======================================================\n\nA manual action is required to proceed.\n\nCONTEXT:\nSecret Name: ${module.secrets_manager.aws_hashing_secret_name}\n\nINSTRUCTIONS:\n1. Run the \"Add New Hashes (elid_add_new_salt)\" job.\n2. Ensure the new hashes are working as expected.\n3. Run the command below to approve and resume the workflow:\n\naws stepfunctions send-task-success --task-token {} --task-output {}\n\n======================================================\n', $$.Task.Token, '{}')"
+ Subject = "Action required: AWSPENDING secret created (Environment: ${var.environment})",
+ TopicArn = aws_sns_topic.secret_rotation.arn,
+ "Message.$" = local.add_jobs_message
 },
 Catch = [
 { ErrorEquals = ["States.Timeout"], Next = "NotifyTimeout" },
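Review bot: Every visible hunk of this patch is the exact inverse of PATCH 3/4 (quoted state keys, `local.add_jobs_message`/`local.delete_jobs_message` and the `#checkov:skip` comment all come back, and the diffstat is 93/23 against 23/93), so the net effect of the two commits is confined to the `locals` block, whose heredoc bodies are not legible in this view; whether the `'{}'` argument that PATCH 3 passed to `States.Format` survived in `add_jobs_message` cannot be confirmed here. Squashing PATCH 3 and 4 into one commit would let a reviewer see only the real fix. Using `"Message.$"` with the locals is correct only if each local is an intrinsic or path expression, which the `', $$.Task.Token)` tail in PATCH 2 suggests they are; a one-line comment on each local stating that it must remain a `States.Format(...)` call because the key carries the `.$` suffix would prevent the `Message`/`Message.$` flip-flop seen between these patches. Since `${var.environment}` and `${module.secrets_manager.aws_hashing_secret_name}` are interpolated into the States.Format single-quoted literal, a value containing `'`, `{` or `}` would break the intrinsic at run time, so a `validation` block on `var.environment` restricting it to `[A-Za-z0-9-]+` (constructed pattern) is cheap insurance. The `rotation_machine` resource continues past this hunk.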
@@ -34,22 +34,20 @@ resource "aws_sfn_state_machine" "rotation_machine" {
 ],
 Next = "PromoteToCurrent"
 },
-
- PromoteToCurrent = {
+ "PromoteToCurrent" : {
 Type = "Task",
 Resource = aws_lambda_function.promote_secret_lambda.arn,
 Catch = [{ ErrorEquals = ["States.ALL"], Next = "NotifyFailure" }],
 Next = "WaitFor_DelOldHashes"
 },
-
- WaitFor_DelOldHashes = {
+ "WaitFor_DelOldHashes" : {
 Type = "Task",
 Resource = "arn:aws:states:::sns:publish.waitForTaskToken",
 TimeoutSeconds = 86400,
 Parameters = {
- Subject = "Action required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})",
- TopicArn = aws_sns_topic.secret_rotation.arn,
- "Message.$" = "States.Format('======================================================\nAction required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})\n======================================================\n\nA manual action is required to proceed.\n\nCONTEXT:\nSecret Name: ${module.secrets_manager.aws_hashing_secret_name}\n\nINSTRUCTIONS:\n1. Run the \"Delete Old Hashes (elid_delete_old_salt)\" job.\n2. Ensure the old hashes have been removed successfully.\n3. Run the command below to approve and resume the workflow:\n\naws stepfunctions send-task-success --task-token {} --task-output {}\n\n======================================================\n', $$.Task.Token, '{}')"
+ Subject = "Action required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})",
+ TopicArn = aws_sns_topic.secret_rotation.arn,
+ "Message.$" = local.delete_jobs_message
 },
 Catch = [
 { ErrorEquals = ["States.Timeout"], Next = "NotifyTimeout" },
@@ -58,24 +56,23 @@ resource "aws_sfn_state_machine" "rotation_machine" {
 End = true
 },
- NotifyTimeout = {
+ "NotifyTimeout" : {
 Type = "Task",
 Resource = "arn:aws:states:::sns:publish",
 Parameters = {
- TopicArn = aws_sns_topic.secret_rotation.arn,
- Subject = "Warning: Secret rotation timed out (Environment: ${var.environment})",
- Message = local.timeout_message
+ TopicArn = aws_sns_topic.secret_rotation.arn,
+ Subject = "Warning: Secret rotation timed out (Environment: ${var.environment})",
+ "Message.$" = local.timeout_message
 },
 Next = "Fail_Timeout"
 },
- Fail_Timeout = {
+ "Fail_Timeout" : {
 Type = "Fail",
 Error = "ManualActionTimedOut",
 Cause = "User did not respond within 24 hours."
 },
-
- NotifyFailure = {
+ "NotifyFailure" : {
 Type = "Task",
 Resource = "arn:aws:states:::sns:publish",
 Parameters = {
@@ -85,8 +82,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
 },
 Next = "Fail_Generic"
 },
-
- Fail_Generic = {
+ "Fail_Generic" : {
 Type = "Fail"
 }
 }
@@ -94,6 +90,50 @@ resource "aws_sfn_state_machine" "rotation_machine" {
} locals { + add_jobs_message = < + ====================================================== ', $.Cause) EOT timeout_message = < + ====================================================== +') EOT }