NHSDigital · anthony-nhs · May 1, 2026 · Apr 28, 2026 · May 1, 2026 · May 1, 2026
diff --git a/.github/scripts/release_code.sh b/.github/scripts/release_code.sh
@@ -1,17 +1,40 @@
 #!/usr/bin/env bash
 
 echo "$COMMIT_ID"
+CF_LONDON_EXPORTS=$(aws cloudformation list-exports --region eu-west-2 --output json)
+ARTIFACT_BUCKET_ARN=$(echo "$CF_LONDON_EXPORTS" | \
+    jq \
+    --arg EXPORT_NAME "account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn" \
+    -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+ARTIFACT_BUCKET_NAME=$(echo "$ARTIFACT_BUCKET_ARN" | cut -d: -f6 | cut -d/ -f1)
+if [ -z "${ARTIFACT_BUCKET_NAME}" ]; then
+    echo "could not retrieve artifact_bucket from aws cloudformation list-exports"
+    exit 1
+fi
 
-artifact_bucket=$(aws cloudformation list-exports --output json | jq -r '.Exports[] | select(.Name == "account-resources:ArtifactsBucket") | .Value' | grep -o '[^:]*$')
-export artifact_bucket
-
-cloud_formation_execution_role=$(aws cloudformation list-exports --output json | jq -r '.Exports[] | select(.Name == "ci-resources:CloudFormationExecutionRole") | .Value' )
-export cloud_formation_execution_role
+CLOUD_FORMATION_EXECUTION_ROLE=$(echo "$CF_LONDON_EXPORTS" | \
+    jq \
+    --arg EXPORT_NAME "iam-cdk:IAM:CloudFormationExecutionRole:Arn" \
+    -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+if [ -z "${CLOUD_FORMATION_EXECUTION_ROLE}" ]; then
+    echo "could not retrieve cloud_formation_execution_role from aws cloudformation list-exports"
+    exit 1
+fi
 
-TRUSTSTORE_BUCKET_ARN=$(aws cloudformation describe-stacks --stack-name account-resources --query "Stacks[0].Outputs[?OutputKey=='TrustStoreBucket'].OutputValue" --output text)
+TRUSTSTORE_BUCKET_ARN=$(echo "$CF_LONDON_EXPORTS" | \
+        jq \
+        --arg EXPORT_NAME "account-resources-cdk-uk:Bucket:TrustStoreBucket:Arn" \
+        -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
 TRUSTSTORE_BUCKET_NAME=$(echo "${TRUSTSTORE_BUCKET_ARN}" | cut -d ":" -f 6)
+if [ -z "${TRUSTSTORE_BUCKET_NAME}" ]; then
+    echo "could not retrieve truststore_bucket from aws cloudformation list-exports"
+    exit 1
+fi
 LATEST_TRUSTSTORE_VERSION=$(aws s3api list-object-versions --bucket "${TRUSTSTORE_BUCKET_NAME}" --prefix "${TRUSTSTORE_FILE}" --query 'Versions[?IsLatest].[VersionId]' --output text)
+
 export LATEST_TRUSTSTORE_VERSION
+export ARTIFACT_BUCKET_NAME
+export CLOUD_FORMATION_EXECUTION_ROLE
 
 cd ../../ || exit
 
@@ -27,11 +50,11 @@ sam deploy \
     --stack-name "$STACK_NAME" \
     --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
     --region eu-west-2 \
-    --s3-bucket "$artifact_bucket" \
+    --s3-bucket "$ARTIFACT_BUCKET_NAME" \
     --s3-prefix "$ARTIFACT_BUCKET_PREFIX" \
     --config-file samconfig_package_and_deploy.toml \
     --no-fail-on-empty-changeset \
-    --role-arn "$cloud_formation_execution_role" \
+    --role-arn "$CLOUD_FORMATION_EXECUTION_ROLE" \
     --no-confirm-changeset \
     --force-upload \
     --tags "version=$VERSION_NUMBER stack=$STACK_NAME repo=$REPO cfnDriftDetectionGroup=$CFN_DRIFT_DETECTION_GROUP" \

diff --git a/SAMtemplates/alarms/main.yaml b/SAMtemplates/alarms/main.yaml
@@ -44,8 +44,8 @@ Resources:
       TreatMissingData: notBreaching
       ActionsEnabled: !Ref EnableAlerts
       AlarmActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       InsufficientDataActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       OKActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
diff --git a/SAMtemplates/lambda_resources.yaml b/SAMtemplates/lambda_resources.yaml
@@ -87,8 +87,8 @@ Resources:
               Service: "lambda.amazonaws.com"
             Action: "sts:AssumeRole"
       ManagedPolicyArns:
-        - !ImportValue lambda-resources:LambdaInsightsLogGroupPolicy
-        - !ImportValue account-resources:LambdaEncryptCloudwatchKMSPolicy
+        - !ImportValue account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn
+        - !ImportValue account-resources-cdk-uk:IAM:LambdaEncryptCloudwatchKMSPolicy:Arn
 
   LambdaManagedPolicy:
     Type: AWS::IAM::ManagedPolicy

diff --git a/SAMtemplates/main_template.yaml b/SAMtemplates/main_template.yaml
@@ -51,9 +51,9 @@ Resources:
       Location: lambda_resources.yaml
       Parameters:
         StackName: !Ref AWS::StackName
-        CloudWatchKMSKey: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
-        SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
-        SplunkDeliveryStream: !ImportValue lambda-resources:SplunkDeliveryStream
+        CloudWatchKMSKey: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn
+        SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn
+        SplunkDeliveryStream: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn
         EnableSplunk: "true"
         LambdaName: !Sub "${AWS::StackName}-FHIRValidatorUKCore"
         LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-FHIRValidatorUKCore