NHSDigital · tstephen-nhs · Apr 24, 2026 · Apr 27, 2026 · Apr 27, 2026 · Apr 27, 2026
diff --git a/.github/scripts/release_code.sh b/.github/scripts/release_code.sh
@@ -75,6 +75,7 @@ sam deploy \
             NotifyAPIBaseURLValue="$NOTIFY_API_BASE_URL" \
             RequireApplicationName="$REQUIRE_APPLICATION_NAME" \
             EnableBackup="$ENABLE_BACKUP" \
+            PsuExecuteLambdaRoleArn="${PSU_EXECUTE_LAMBDA_ROLE_ARN:-none}" \
             TestPresciptionsParamValue1="$TEST_PRESCRIPTIONS_1" \
             TestPresciptionsParamValue2="$TEST_PRESCRIPTIONS_2" \
             TestPresciptionsParamValue3="$TEST_PRESCRIPTIONS_3" \

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -196,4 +196,5 @@ jobs:
     secrets:
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
+      DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
       PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -128,6 +128,7 @@ jobs:
       FORWARD_CSOC_LOGS: false
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
+      DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
       PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
   release_sandbox_code:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -271,6 +271,7 @@ jobs:
       FORWARD_CSOC_LOGS: false
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
+      DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
       PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
 

diff --git a/.github/workflows/run_regression_tests.yml b/.github/workflows/run_regression_tests.yml
@@ -9,6 +9,10 @@ on:
       VERSION_NUMBER:
         required: true
         type: string
+      PSU_EXECUTE_LAMBDA_ROLE_ARN:
+        required: false
+        type: string
+        default: ""
       REGRESSION_TESTS_PEM:
         type: string
       pinned_image:
@@ -57,14 +61,15 @@ jobs:
           TARGET_ENVIRONMENT: ${{ inputs.ENVIRONMENT }}
           VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }}
           GITHUB-TOKEN: ${{ steps.generate-token.outputs.token }}
+          PSU_EXECUTE_LAMBDA_ROLE_ARN: ${{ inputs.PSU_EXECUTE_LAMBDA_ROLE_ARN }}
         run: |
           if [[ "$TARGET_ENVIRONMENT" != "prod" && "$TARGET_ENVIRONMENT" != "ref" ]]; then
             # this should be the tag of the tests you want to run
-            REGRESSION_TEST_REPO_TAG=v3.10.9
+            REGRESSION_TEST_REPO_TAG=aea-6055-gsul-boto-lambda-invoke #v3.10.9
 
             # this should be the tag of the regression test workflow you want to run
             # This will normally be the same as REGRESSION_TEST_REPO_TAG
-            REGRESSION_TEST_WORKFLOW_TAG=v3.10.9
+            REGRESSION_TEST_WORKFLOW_TAG=aea-6055-gsul-boto-lambda-invoke #v3.10.9
 
             curl https://raw.githubusercontent.com/NHSDigital/electronic-prescription-service-api-regression-tests/refs/tags/${REGRESSION_TEST_WORKFLOW_TAG}/scripts/run_regression_tests.py -o run_regression_tests.py
             poetry install
@@ -76,5 +81,6 @@ jobs:
             --is_called_from_github=true \
             --product=PSU \
             --regression_test_repo_tag "${REGRESSION_TEST_REPO_TAG}" \
-            --regression_test_workflow_tag "${REGRESSION_TEST_WORKFLOW_TAG}"
+            --regression_test_workflow_tag "${REGRESSION_TEST_WORKFLOW_TAG}" \
+            --psu_execute_lambda_role_arn "${PSU_EXECUTE_LAMBDA_ROLE_ARN}"
           fi
diff --git a/.github/workflows/run_release_code_and_api.yml b/.github/workflows/run_release_code_and_api.yml
@@ -121,6 +121,10 @@ on:
       pinned_image:
         required: true
         type: string
+      PSU_EXECUTE_LAMBDA_ROLE_ARN:
+        required: false
+        type: string
+        default: ""
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE:
         required: true
@@ -241,6 +245,7 @@ jobs:
           TEST_PRESCRIPTIONS_3: ${{ inputs.TEST_PRESCRIPTIONS_3 || 'noval' }}
           TEST_PRESCRIPTIONS_4: ${{ inputs.TEST_PRESCRIPTIONS_4 || 'noval' }}
           FORWARD_CSOC_LOGS: ${{ inputs.FORWARD_CSOC_LOGS }}
+          PSU_EXECUTE_LAMBDA_ROLE_ARN: ${{ inputs.PSU_EXECUTE_LAMBDA_ROLE_ARN }}
         run: ./release_code.sh
 
       - name: get mtls secrets
@@ -340,6 +345,7 @@ jobs:
     with:
       ENVIRONMENT: ${{ inputs.APIGEE_ENVIRONMENT }}
       VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }}
+      PSU_EXECUTE_LAMBDA_ROLE_ARN: ${{ inputs.PSU_EXECUTE_LAMBDA_ROLE_ARN }}
       pinned_image: "${{ inputs.pinned_image }}"
     secrets:
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
diff --git a/Makefile b/Makefile
@@ -53,6 +53,7 @@ sam-sync: guard-AWS_DEFAULT_PROFILE guard-stack_name compile
 			  NotifyAPIBaseURLValue=$${NOTIFY_API_BASE_URL:-https://int.api.service.nhs.uk} \
 			  EnableNotificationsInternal=$${ENABLE_NOTIFICATIONS_INTERNAL:-true} \
 			  EnableNotificationsExternal=$${ENABLE_NOTIFICATIONS_EXTERNAL:-false} \
+			  PsuExecuteLambdaRoleArn=$${PSU_EXECUTE_LAMBDA_ROLE_ARN:-none} \
 			  EnableBackup=$${ENABLE_BACKUP:-False}
 
 sam-deploy: guard-AWS_DEFAULT_PROFILE guard-stack_name
@@ -86,6 +87,7 @@ sam-deploy: guard-AWS_DEFAULT_PROFILE guard-stack_name
 			  NotifyAPIBaseURLValue=$${NOTIFY_API_BASE_URL:-https://int.api.service.nhs.uk} \
 			  EnableNotificationsInternal=$${ENABLE_NOTIFICATIONS_INTERNAL:-true} \
 			  EnableNotificationsExternal=$${ENABLE_NOTIFICATIONS_EXTERNAL:-false} \
+			  PsuExecuteLambdaRoleArn=$${PSU_EXECUTE_LAMBDA_ROLE_ARN:-none} \
 			  EnableBackup=$${ENABLE_BACKUP:-False}
 
 sam-delete: guard-AWS_DEFAULT_PROFILE guard-stack_name

diff --git a/SAMtemplates/functions/main.yaml b/SAMtemplates/functions/main.yaml
@@ -99,6 +99,10 @@ Parameters:
   EnableBackup:
     Type: String
 
+  PsuExecuteLambdaRoleArn:
+    Type: String
+    Default: none
+
   TestPrescriptionsParamName1:
     Type: String
 
@@ -120,6 +124,11 @@ Conditions:
     - "True"
     - !Ref EnableBackup
 
+  ShouldGrantPsuExecuteLambdaInvoke: !Not
+    - !Equals
+      - !Ref PsuExecuteLambdaRoleArn
+      - none
+
 Resources:
   UpdatePrescriptionStatus:
     Type: AWS::Serverless::Function
@@ -279,6 +288,25 @@ Resources:
         SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
         SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream
 
+  GetStatusUpdatesInvokePolicyForRegressionRole:
+    Condition: ShouldGrantPsuExecuteLambdaInvoke
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Roles:
+        - !Select
+          - 1
+          - !Split
+            - "role/"
+            - !Ref PsuExecuteLambdaRoleArn
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - lambda:InvokeFunction
+            Resource:
+              - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackName}-GetStatusUpdates*
+
   Status:
     Type: AWS::Serverless::Function
     Properties:

diff --git a/SAMtemplates/main_template.yaml b/SAMtemplates/main_template.yaml
@@ -174,6 +174,10 @@ Parameters:
     AllowedValues:
       - true
       - false
+
+  PsuExecuteLambdaRoleArn:
+    Type: String
+    Default: none
 Resources:
   Secrets:
     Type: AWS::Serverless::Application
@@ -273,6 +277,7 @@ Resources:
         DeployCheckPrescriptionStatusUpdate: !Ref DeployCheckPrescriptionStatusUpdate
         Environment: !Ref Environment
         EnableBackup: !Ref EnableBackup
+        PsuExecuteLambdaRoleArn: !Ref PsuExecuteLambdaRoleArn
         RequireApplicationName: !Ref RequireApplicationName
         TestPrescriptionsParamName1: !GetAtt Parameters.Outputs.TestPrescriptionsParameterName1
         TestPrescriptionsParamName2: !GetAtt Parameters.Outputs.TestPrescriptionsParameterName2

diff --git a/zizmor.yml b/zizmor.yml
@@ -2,8 +2,8 @@ rules:
   unpinned-images:
     # these workflows use unpinned images because they are using a full image passed in that contains the tag
     ignore:
-      - run_release_code_and_api.yml:146:18
-      - run_regression_tests.yml:26:18
+      - run_release_code_and_api.yml:150:18
+      - run_regression_tests.yml:30:18
       - run_package_code_and_api.yml:16:18
   secrets-outside-env:
     # these are ignored because they are using known secrets