From bb00be567b036aae35ba66e15367fb138ec42159 Mon Sep 17 00:00:00 2001 
From: aidenvaines-bjss Date: Wed, 9 Jul 2025 16:05:04 +0100 Subject: [PATCH 1/4] CCM-11033 branch uptodate with main --- .../cloudwatch_log_group_route53_query_log.tf | 37 ------------ .../acct/iam_policy_github_deploy_overload.tf | 22 ------- .../components/acct/route53_delegation_set.tf | 3 - .../components/acct/route53_query_log.tf | 9 --- .../terraform/components/acct/route53_zone.tf | 5 -- .../terraform/components/acct/variables.tf | 18 ++++++ .../examplecomponent/.tool-versions | 1 - .../components/examplecomponent/README.md | 28 --------- .../examplecomponent/locals_remote_state.tf | 40 ------------- .../examplecomponent/locals_tfscaffold.tf | 44 -------------- .../components/examplecomponent/main.tf | 1 - .../components/examplecomponent/outputs.tf | 1 - .../components/examplecomponent/variables.tf | 58 ------------------- .../terraform/etc/env_eu-west-1_dev1.tfvars | 1 - .../terraform/etc/env_eu-west-1_dev2.tfvars | 5 +- 15 files changed, 20 insertions(+), 253 deletions(-) delete mode 100644 infrastructure/terraform/components/acct/cloudwatch_log_group_route53_query_log.tf delete mode 100644 infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf delete mode 100644 infrastructure/terraform/components/acct/route53_delegation_set.tf delete mode 100644 infrastructure/terraform/components/acct/route53_query_log.tf delete mode 100644 infrastructure/terraform/components/acct/route53_zone.tf delete mode 100644 infrastructure/terraform/components/examplecomponent/.tool-versions delete mode 100644 infrastructure/terraform/components/examplecomponent/README.md delete mode 100644 infrastructure/terraform/components/examplecomponent/locals_remote_state.tf delete mode 100644 infrastructure/terraform/components/examplecomponent/locals_tfscaffold.tf delete mode 100644 infrastructure/terraform/components/examplecomponent/main.tf delete mode 100644 infrastructure/terraform/components/examplecomponent/outputs.tf delete mode 100644 
infrastructure/terraform/components/examplecomponent/variables.tf diff --git a/infrastructure/terraform/components/acct/cloudwatch_log_group_route53_query_log.tf b/infrastructure/terraform/components/acct/cloudwatch_log_group_route53_query_log.tf deleted file mode 100644 index ffec327..0000000 --- a/infrastructure/terraform/components/acct/cloudwatch_log_group_route53_query_log.tf +++ /dev/null @@ -1,37 +0,0 @@ -resource "aws_cloudwatch_log_group" "aws_route53_query_log" { - provider = aws.us-east-1 # Route53 query logging must be in us-east-1 https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_query_log - - name = "/aws/route53/${local.csi}" - retention_in_days = var.log_retention_in_days -} - -resource "aws_cloudwatch_log_resource_policy" "route53_query_logging_policy" { - provider = aws.us-east-1 # Route53 query logging must be in us-east-1 https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_query_log - - policy_document = data.aws_iam_policy_document.route53_logs.json - policy_name = "${local.csi}-route53-query-logging-policy" -} - -data "aws_iam_policy_document" "route53_logs" { - statement { - effect = "Allow" - - principals { - type = "Service" - - identifiers = [ - "route53.amazonaws.com" - ] - } - - actions = [ - "logs:CreateLogStream", - "logs:PutLogEvents", - ] - - resources = [ - aws_cloudwatch_log_group.aws_route53_query_log.arn, - "${aws_cloudwatch_log_group.aws_route53_query_log.arn}:*", - ] - } -} diff --git a/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf b/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf deleted file mode 100644 index 6906b1d..0000000 --- a/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf +++ /dev/null 
@@ -1,22 +0,0 @@ -resource "aws_iam_policy" "github_deploy_overload" { - name = "${local.csi}-github-deploy-overload" - description = "Overloads the github permission to perform build actions for services in this account" - policy = data.aws_iam_policy_document.github_deploy.json -} - -resource "aws_iam_role_policy_attachment" "github_deploy_overload" { - role = local.bootstrap.iam_github_deploy_role["name"] - policy_arn = aws_iam_policy.github_deploy_overload.arn -} - -#trivy:ignore:aws-iam-no-policy-wildcards Policy voilation expected for CI user role -data "aws_iam_policy_document" "github_deploy" { - statement { - effect = "Allow" - - actions = [ - "grafana:*", - ] - resources = ["*"] - } -} diff --git a/infrastructure/terraform/components/acct/route53_delegation_set.tf b/infrastructure/terraform/components/acct/route53_delegation_set.tf deleted file mode 100644 index d3d0896..0000000 --- a/infrastructure/terraform/components/acct/route53_delegation_set.tf +++ /dev/null @@ -1,3 +0,0 @@ -resource "aws_route53_delegation_set" "main" { - reference_name = "unset.${var.root_domain_name}" -} diff --git a/infrastructure/terraform/components/acct/route53_query_log.tf b/infrastructure/terraform/components/acct/route53_query_log.tf deleted file mode 100644 index 305ebb4..0000000 --- a/infrastructure/terraform/components/acct/route53_query_log.tf +++ /dev/null @@ -1,9 +0,0 @@ -resource "aws_route53_query_log" "main" { - zone_id = aws_route53_zone.main.zone_id - - cloudwatch_log_group_arn = aws_cloudwatch_log_group.aws_route53_query_log.arn - - depends_on = [ - aws_cloudwatch_log_resource_policy.route53_query_logging_policy - ] -} diff --git a/infrastructure/terraform/components/acct/route53_zone.tf b/infrastructure/terraform/components/acct/route53_zone.tf deleted file mode 100644 index cfd7be2..0000000 --- a/infrastructure/terraform/components/acct/route53_zone.tf +++ /dev/null 
@@ -1,5 +0,0 @@
-resource "aws_route53_zone" "main" {
- name = "unset.${var.root_domain_name}"
-
- delegation_set_id = aws_route53_delegation_set.main.id
-}
diff --git a/infrastructure/terraform/components/acct/variables.tf b/infrastructure/terraform/components/acct/variables.tf
index 14cf64d..0d2154c 100644
--- a/infrastructure/terraform/components/acct/variables.tf
+++ b/infrastructure/terraform/components/acct/variables.tf
@@ -62,3 +62,21 @@ variable "root_domain_name" {
 description = "The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk"
 default = "nonprod.nhsnotify.national.nhs.uk"
 }
+
+variable "cost_alarm_recipients" {
+ type = list(string)
+ description = "A list of email addresses to receive alarm notifications"
+ default = []
+}
+
+variable "budget_amount" {
+ type = number
+ description = "The budget amount in USD for the account"
+ default = 500
+}
+
+variable "cost_anomaly_threshold" {
+ type = number
+ description = "The threshold percentage for cost anomaly detection"
+ default = 10
+}
diff --git a/infrastructure/terraform/components/examplecomponent/.tool-versions b/infrastructure/terraform/components/examplecomponent/.tool-versions
deleted file mode 100644
index 3874604..0000000
--- a/infrastructure/terraform/components/examplecomponent/.tool-versions
+++ /dev/null
@@ -1 +0,0 @@
-terraform 1.9.2
diff --git a/infrastructure/terraform/components/examplecomponent/README.md b/infrastructure/terraform/components/examplecomponent/README.md
deleted file mode 100644
index b03423f..0000000
--- a/infrastructure/terraform/components/examplecomponent/README.md
+++ /dev/null
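Review bot: The three new variables in `acct/variables.tf` carry no `validation` block, so a zero or negative `budget_amount` or a negative `cost_anomaly_threshold` is only rejected (if at all) by the Budgets and Cost Explorer APIs at apply time, after a plan has already been approved. Both values feed straight into `aws_budgets_budget.main.limit_amount` and the anomaly subscription's percentage threshold, and the group tfvars in this series overrides both (`budget_amount = 300`, `cost_anomaly_threshold = 20`), so a typo in an override is the realistic failure. Note also that `cost_alarm_recipients` defaults to `[]` and is not set by the group file, so by default the costs topic has no human subscriber; decide whether an empty list should be permitted outside development groups. The guards below are plan-time and cheap; the upper bound on the percentage is deliberately left open because anomaly impact can exceed 100% of baseline.
```hcl
variable "cost_alarm_recipients" {
  type        = list(string)
  description = "A list of email addresses to receive alarm notifications"
  default     = []

  validation {
    condition     = alltrue([for e in var.cost_alarm_recipients : can(regex("^[^@\\s]+@[^@\\s]+$", e))])
    error_message = "Every cost_alarm_recipients entry must be an email address."
  }
}

variable "budget_amount" {
  type        = number
  description = "The budget amount in USD for the account"
  default     = 500

  validation {
    condition     = var.budget_amount > 0
    error_message = "budget_amount must be a positive USD amount."
  }
}

variable "cost_anomaly_threshold" {
  type        = number
  description = "The threshold percentage for cost anomaly detection"
  default     = 10

  validation {
    condition     = var.cost_anomaly_threshold >= 0
    error_message = "cost_anomaly_threshold is a percentage and cannot be negative."
  }
}
```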
@@ -1,28 +0,0 @@ - - - - -## Requirements - -No requirements. -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes | -| [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"examplecomponent"` | no | -| [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no | -| [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes | -| [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes | -| [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no | -| [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes | -| [region](#input\_region) | The AWS Region | `string` | n/a | yes | -## Modules - -No modules. -## Outputs - -No outputs. - - - diff --git a/infrastructure/terraform/components/examplecomponent/locals_remote_state.tf b/infrastructure/terraform/components/examplecomponent/locals_remote_state.tf deleted file mode 100644 index 7f87c1f..0000000 --- a/infrastructure/terraform/components/examplecomponent/locals_remote_state.tf +++ /dev/null 
@@ -1,40 +0,0 @@ -locals { - bootstrap = data.terraform_remote_state.bootstrap.outputs - acct = data.terraform_remote_state.acct.outputs -} - -data "terraform_remote_state" "bootstrap" { - backend = "s3" - - config = { - bucket = local.terraform_state_bucket - - key = format( - "%s/%s/%s/%s/bootstrap.tfstate", - var.project, - var.aws_account_id, - "eu-west-2", - "bootstrap" - ) - - region = "eu-west-2" - } -} - -data "terraform_remote_state" "acct" { - backend = "s3" - - config = { - bucket = local.terraform_state_bucket - - key = format( - "%s/%s/%s/%s/acct.tfstate", - var.project, - var.aws_account_id, - "eu-west-2", - var.parent_acct_environment - ) - - region = "eu-west-2" - } -} diff --git a/infrastructure/terraform/components/examplecomponent/locals_tfscaffold.tf b/infrastructure/terraform/components/examplecomponent/locals_tfscaffold.tf deleted file mode 100644 index b7cf321..0000000 --- a/infrastructure/terraform/components/examplecomponent/locals_tfscaffold.tf +++ /dev/null @@ -1,44 +0,0 @@ -locals { - terraform_state_bucket = format( - "%s-tfscaffold-%s-%s", - var.project, - var.aws_account_id, - var.region, - ) - - csi = replace( - format( - "%s-%s-%s", - var.project, - var.environment, - var.component, - ), - "_", - "", - ) - - # CSI for use in resources with a global namespace, i.e. S3 Buckets - csi_global = replace( - format( - "%s-%s-%s-%s-%s", - var.project, - var.aws_account_id, - var.region, - var.environment, - var.component, - ), - "_", - "", - ) - - default_tags = merge( - var.default_tags, - { - Project = var.project - Environment = var.environment - Component = var.component - Group = var.group - Name = local.csi - }, - ) -} diff --git a/infrastructure/terraform/components/examplecomponent/main.tf b/infrastructure/terraform/components/examplecomponent/main.tf deleted file mode 100644 index 8680564..0000000 --- a/infrastructure/terraform/components/examplecomponent/main.tf +++ /dev/null @@ -1 +0,0 @@ -# Create root level resources here... 
diff --git a/infrastructure/terraform/components/examplecomponent/outputs.tf b/infrastructure/terraform/components/examplecomponent/outputs.tf deleted file mode 100644 index 9dcc2f3..0000000 --- a/infrastructure/terraform/components/examplecomponent/outputs.tf +++ /dev/null @@ -1 +0,0 @@ -# Define the outputs for the component. The outputs may well be referenced by other component in the same or different environments using terraform_remote_state data sources... diff --git a/infrastructure/terraform/components/examplecomponent/variables.tf b/infrastructure/terraform/components/examplecomponent/variables.tf deleted file mode 100644 index 834d5f3..0000000 --- a/infrastructure/terraform/components/examplecomponent/variables.tf +++ /dev/null 
@@ -1,58 +0,0 @@ -## -# Basic Required Variables for tfscaffold Components -## - -variable "project" { - type = string - description = "The name of the tfscaffold project" -} - -variable "environment" { - type = string - description = "The name of the tfscaffold environment" -} - -variable "aws_account_id" { - type = string - description = "The AWS Account ID (numeric)" -} - -variable "region" { - type = string - description = "The AWS Region" -} - -variable "group" { - type = string - description = "The group variables are being inherited from (often synonmous with account short-name)" -} - -## -# tfscaffold variables specific to this component -## - -# This is the only primary variable to have its value defined as -# a default within its declaration in this file, because the variables -# purpose is as an identifier unique to this component, rather -# then to the environment from where all other variables come. -variable "component" { - type = string - description = "The variable encapsulating the name of this component" - default = "examplecomponent" -} - -variable "default_tags" { - type = map(string) - description = "A map of default tags to apply to all taggable resources within the component" - default = {} -} - -## -# Variables specific to the component -## - -variable "log_retention_in_days" { - type = number - description = "The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite" - default = 0 -} diff --git a/infrastructure/terraform/etc/env_eu-west-1_dev1.tfvars b/infrastructure/terraform/etc/env_eu-west-1_dev1.tfvars index d3950c1..d311a49 100644 --- a/infrastructure/terraform/etc/env_eu-west-1_dev1.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-1_dev1.tfvars @@ -1,6 +1,5 @@ first-run = false environment = "dev1" -region = "eu-west-1" aws_account_id = "[[AccountIDHere]]" prompt-model-arn = "arn:aws:bedrock:eu-west-1:[[AccountIDHere]]:inference-profile/eu.amazon.nova-pro-v1:0" 
diff --git a/infrastructure/terraform/etc/env_eu-west-1_dev2.tfvars b/infrastructure/terraform/etc/env_eu-west-1_dev2.tfvars
index d3950c1..bd3fb71 100644
--- a/infrastructure/terraform/etc/env_eu-west-1_dev2.tfvars
+++ b/infrastructure/terraform/etc/env_eu-west-1_dev2.tfvars
@@ -1,7 +1,6 @@
 first-run = false
-environment = "dev1"
-region = "eu-west-1"
-aws_account_id = "[[AccountIDHere]]"
+environment = "dev2"
+region = "eu-west-2"
 
 prompt-model-arn = "arn:aws:bedrock:eu-west-1:[[AccountIDHere]]:inference-profile/eu.amazon.nova-pro-v1:0"
 prompt-max-tokens-to-sample = 200
From b4a32db872c96d85d714f3b82a698036224f93f5 Mon Sep 17 00:00:00 2001
From: aidenvaines-bjss Date: Wed, 9 Jul 2025 16:05:23 +0100 Subject: [PATCH 2/4] CCM-11033 rename variables for POC001 deployement --- .../components/acct/budgets_budget.tf | 31 ++++++++++++++++ .../components/acct/cost_anomaly_monitor.tf | 28 +++++++++++++++ .../terraform/components/acct/outputs.tf | 7 ---- .../components/acct/sns_topic_costs.tf | 36 +++++++++++++++++++ .../terraform/components/notifyai/lambda.tf | 2 +- .../terraform/components/notifyai/locals.tf | 4 +++ .../terraform/components/notifyai/outputs.tf | 4 +-- .../components/notifyai/variables.tf | 4 +-- .../terraform/etc/env_eu-west-1_dev1.tfvars | 11 ------ .../terraform/etc/env_eu-west-2_dev1.tfvars | 10 ++++++ ..._dev2.tfvars => env_eu-west-2_dev2.tfvars} | 1 - .../terraform/etc/env_eu-west-2_main.tfvars | 3 ++ infrastructure/terraform/etc/eu-west-2.tfvars | 2 ++ infrastructure/terraform/etc/global.tfvars | 3 ++ .../etc/group_nhs-notify-poc001.tfvars | 11 ++++++ 15 files changed, 133 insertions(+), 24 deletions(-) create mode 100644 infrastructure/terraform/components/acct/budgets_budget.tf create mode 100644 infrastructure/terraform/components/acct/cost_anomaly_monitor.tf delete mode 100644 infrastructure/terraform/components/acct/outputs.tf create mode 100644 infrastructure/terraform/components/acct/sns_topic_costs.tf delete mode 100644 infrastructure/terraform/etc/env_eu-west-1_dev1.tfvars create mode 100644 infrastructure/terraform/etc/env_eu-west-2_dev1.tfvars rename infrastructure/terraform/etc/{env_eu-west-1_dev2.tfvars => env_eu-west-2_dev2.tfvars} (95%) create mode 100644 infrastructure/terraform/etc/env_eu-west-2_main.tfvars create mode 100644 infrastructure/terraform/etc/eu-west-2.tfvars create mode 100644 infrastructure/terraform/etc/global.tfvars create mode 100644 infrastructure/terraform/etc/group_nhs-notify-poc001.tfvars 
diff --git a/infrastructure/terraform/components/acct/budgets_budget.tf b/infrastructure/terraform/components/acct/budgets_budget.tf
new file mode 100644
index 0000000..6a253fa
--- /dev/null
+++ b/infrastructure/terraform/components/acct/budgets_budget.tf
@@ -0,0 +1,31 @@
+resource "aws_budgets_budget" "main" {
+ name = "${local.csi}-monthly-budget"
+ budget_type = "COST"
+ limit_amount = var.budget_amount
+ limit_unit = "USD"
+ time_unit = "MONTHLY"
+
+ notification {
+ comparison_operator = "GREATER_THAN"
+ notification_type = "FORECASTED"
+ threshold = 100
+ threshold_type = "PERCENTAGE"
+ subscriber_sns_topic_arns = [aws_sns_topic.costs.arn]
+ }
+
+ notification {
+ comparison_operator = "GREATER_THAN"
+ notification_type = "ACTUAL"
+ threshold = 100
+ threshold_type = "PERCENTAGE"
+ subscriber_sns_topic_arns = [aws_sns_topic.costs.arn]
+ }
+
+ notification {
+ comparison_operator = "GREATER_THAN"
+ notification_type = "ACTUAL"
+ threshold = 85
+ threshold_type = "PERCENTAGE"
+ subscriber_sns_topic_arns = [aws_sns_topic.costs.arn]
+ }
+}
diff --git a/infrastructure/terraform/components/acct/cost_anomaly_monitor.tf b/infrastructure/terraform/components/acct/cost_anomaly_monitor.tf
new file mode 100644
index 0000000..986336a
--- /dev/null
+++ b/infrastructure/terraform/components/acct/cost_anomaly_monitor.tf
@@ -0,0 +1,28 @@
+resource "aws_ce_anomaly_monitor" "anomaly_monitor" {
+ name = "${local.csi}-anomaly-monitor"
+ monitor_type = "DIMENSIONAL"
+ monitor_dimension = "SERVICE"
+}
+
+resource "aws_ce_anomaly_subscription" "realtime_subscription" {
+ name = "${local.csi}-realtime-subscription"
+ frequency = "IMMEDIATE"
+ threshold_expression {
+ dimension {
+ key = "ANOMALY_TOTAL_IMPACT_PERCENTAGE"
+ values = [var.cost_anomaly_threshold]
+ match_options = ["GREATER_THAN_OR_EQUAL"]
+ }
+ }
+ monitor_arn_list = [
+ aws_ce_anomaly_monitor.anomaly_monitor.arn,
+ ]
+
+ subscriber {
+ type = "SNS"
+ address = aws_sns_topic.costs.arn
+ }
+ depends_on = [
+ aws_sns_topic_policy.costs,
+ ]
+}
diff --git a/infrastructure/terraform/components/acct/outputs.tf b/infrastructure/terraform/components/acct/outputs.tf
deleted file mode 100644
index 58f3fef..0000000
--- a/infrastructure/terraform/components/acct/outputs.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-output "dns_zone" {
- value = {
- id = aws_route53_zone.main.id
- name = aws_route53_zone.main.name
- nameservers = aws_route53_zone.main.name_servers
- }
-}
diff --git a/infrastructure/terraform/components/acct/sns_topic_costs.tf b/infrastructure/terraform/components/acct/sns_topic_costs.tf
new file mode 100644
index 0000000..1a455da
--- /dev/null
+++ b/infrastructure/terraform/components/acct/sns_topic_costs.tf
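Review bot: `aws_ce_anomaly_subscription.realtime_subscription` thresholds on `ANOMALY_TOTAL_IMPACT_PERCENTAGE` alone, so with `frequency = "IMMEDIATE"` any service whose spend rises by `var.cost_anomaly_threshold` percent over its baseline will notify the topic even when the absolute impact is a few cents — the usual alert-fatigue failure for a new account whose per-service baselines are near zero. The provider's `threshold_expression` accepts `and` blocks, so the percentage test can be combined with `ANOMALY_TOTAL_IMPACT_ABSOLUTE` (USD) so only anomalies that are both proportionally and materially significant page anyone; the absolute floor should be a variable alongside `cost_anomaly_threshold` rather than the literal shown here. `values` is a list of strings in the provider schema, so `tostring()` only makes the conversion that already happens explicit. The `depends_on` to the topic policy is correct and should stay, since the subscription is validated against the topic at create time.
```hcl
  threshold_expression {
    and {
      dimension {
        key           = "ANOMALY_TOTAL_IMPACT_PERCENTAGE"
        values        = [tostring(var.cost_anomaly_threshold)]
        match_options = ["GREATER_THAN_OR_EQUAL"]
      }
    }
    and {
      dimension {
        key           = "ANOMALY_TOTAL_IMPACT_ABSOLUTE"
        values        = ["10"] # TODO: promote to a variable, e.g. cost_anomaly_min_impact_usd
        match_options = ["GREATER_THAN_OR_EQUAL"]
      }
    }
  }
  # … unchanged: monitor_arn_list, subscriber, depends_on …
```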
@@ -0,0 +1,36 @@
+resource "aws_sns_topic" "costs" {
+ name = "${local.csi}-costs"
+}
+
+resource "aws_sns_topic_policy" "costs" {
+ arn = aws_sns_topic.costs.arn
+
+ policy = data.aws_iam_policy_document.sns_costs.json
+}
+
+data "aws_iam_policy_document" "sns_costs" {
+ statement {
+ sid = "AllowSNSCosts"
+ effect = "Allow"
+
+ actions = [
+ "SNS:Publish",
+ ]
+
+ resources = [
+ aws_sns_topic.costs.arn,
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = ["budgets.amazonaws.com", "costalerts.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_sns_topic_subscription" "costs" {
+ for_each = toset(var.cost_alarm_recipients)
+ topic_arn = aws_sns_topic.costs.arn
+ protocol = "email"
+ endpoint = each.value
+}
diff --git a/infrastructure/terraform/components/notifyai/lambda.tf b/infrastructure/terraform/components/notifyai/lambda.tf
index 5f460c1..daa197c 100644
--- a/infrastructure/terraform/components/notifyai/lambda.tf
+++ b/infrastructure/terraform/components/notifyai/lambda.tf
@@ -90,7 +90,7 @@ resource "aws_lambda_function" "bedrock-messager" {
 environment {
 variables = {
 env_region = "${var.region}",
- env_model_id = "${var.prompt-model-arn}",
+ env_model_id = "${local.prompt-model-arn}",
 env_temperature = "${var.prompt-temperature}"
 env_max_tokens = "${var.prompt-max-tokens-to-sample}"
 env_top_p = "${var.prompt-top-p}"
diff --git a/infrastructure/terraform/components/notifyai/locals.tf b/infrastructure/terraform/components/notifyai/locals.tf
index 93fac6f..00ba904 100644
--- a/infrastructure/terraform/components/notifyai/locals.tf
+++ b/infrastructure/terraform/components/notifyai/locals.tf
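Review bot: The topic policy in `data.aws_iam_policy_document.sns_costs` grants `SNS:Publish` to the `budgets.amazonaws.com` and `costalerts.amazonaws.com` service principals with no `condition`, so those services can publish to this topic on behalf of any AWS account, not just this one — the cross-service confused-deputy pattern that AWS's own Budgets SNS-topic guidance closes with `aws:SourceAccount` (and `aws:SourceArn`) conditions. The practical effect here is bounded to spam/fake cost alerts, but it is a one-block fix; confirm against the Cost Anomaly Detection documentation that `costalerts.amazonaws.com` sets the same condition keys before applying it to that principal. Separately, `aws_sns_topic.costs` sets no `kms_master_key_id`, so notifications are unencrypted at rest and most policy scanners will flag it; if a CMK is added, its key policy must also grant `kms:GenerateDataKey*` and `kms:Decrypt` to both service principals or the alerts will silently stop delivering.
```hcl
data "aws_iam_policy_document" "sns_costs" {
  statement {
    sid    = "AllowSNSCosts"
    effect = "Allow"
    # … unchanged: actions, resources, principals …

    # Only accept publishes that the services raise for this account
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [var.aws_account_id]
    }
  }
}
```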
@@ -1,3 +1,7 @@
 locals {
 prompt-file-name = "prompts.jsonl"
+ prompt-model-arn = "arn:aws:bedrock:${var.region}:${var.aws_account_id}:inference-profile/${var.prompt-model}"
+
+ evaluation-evaluator-model-identifier-arn = "arn:aws:bedrock:${var.region}:${var.aws_account_id}:inference-profile/${var.evaluation-evaluator-model-identifier}"
+ evaluation-inference-model-identifier-arn = "arn:aws:bedrock:${var.region}:${var.aws_account_id}:inference-profile/${var.evaluation-inference-model-identifier}"
 }
diff --git a/infrastructure/terraform/components/notifyai/outputs.tf b/infrastructure/terraform/components/notifyai/outputs.tf
index de7a2b4..35e37e2 100644
--- a/infrastructure/terraform/components/notifyai/outputs.tf
+++ b/infrastructure/terraform/components/notifyai/outputs.tf
@@ -25,10 +25,10 @@ output "bedrock_evaluation_results_s3_uri" {
 
 output "evaluation-evaluator-model-identifier" {
 description = "Identifier for the Bedrock evaluator model"
- value = var.evaluation-evaluator-model-identifier
+ value = local.evaluation-evaluator-model-identifier-arn
 }
 
 output "evaluation-inference-model-identifier" {
 description = "Identifier for the Bedrock inference model"
- value = var.evaluation-inference-model-identifier
+ value = local.evaluation-inference-model-identifier-arn
 }
diff --git a/infrastructure/terraform/components/notifyai/variables.tf b/infrastructure/terraform/components/notifyai/variables.tf
index b122cae..89e2105 100644
--- a/infrastructure/terraform/components/notifyai/variables.tf
+++ b/infrastructure/terraform/components/notifyai/variables.tf
@@ -69,9 +69,9 @@ variable "first-run" {
 
 # Prompt Config
 
-variable "prompt-model-arn" {
+variable "prompt-model" {
 type = string
- description = "Model arn to use for the prompt"
+ description = "Model name to use for the prompt"
 }
 
 variable "prompt-max-tokens-to-sample" {
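Review bot: `variable "prompt-model"` is now interpolated into an inference-profile ARN in `locals.tf`, but it still accepts any string, and the dev2 tfvars in this same series continues to pass a full `arn:aws:bedrock:…` value — that would produce a doubly-prefixed, invalid ARN in both the Lambda's `env_model_id` and the IAM resource lists, failing only at invocation time. Add a `validation` block to the variable with `condition = !startswith(var.prompt-model, "arn:")` (Terraform ≥ 1.3) and an `error_message` stating that a bare profile id such as `eu.amazon.nova-pro-v1:0` is expected; the description could say the same. The two `evaluation-*-model-identifier` variables, declared outside this hunk, are interpolated identically and need the same guard.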
diff --git a/infrastructure/terraform/etc/env_eu-west-1_dev1.tfvars b/infrastructure/terraform/etc/env_eu-west-1_dev1.tfvars
deleted file mode 100644
index d311a49..0000000
--- a/infrastructure/terraform/etc/env_eu-west-1_dev1.tfvars
+++ /dev/null
@@ -1,11 +0,0 @@
-first-run = false
-environment = "dev1"
-aws_account_id = "[[AccountIDHere]]"
-
-prompt-model-arn = "arn:aws:bedrock:eu-west-1:[[AccountIDHere]]:inference-profile/eu.amazon.nova-pro-v1:0"
-prompt-max-tokens-to-sample = 200
-prompt-temperature = 0.1
-prompt-top-p = 0.8
-
-evaluation-evaluator-model-identifier = "arn:aws:bedrock:eu-west-1:[[AccountIDHere]]:inference-profile/eu.amazon.nova-pro-v1:0"
-evaluation-inference-model-identifier = "arn:aws:bedrock:eu-west-1:[[AccountIDHere]]:inference-profile/eu.amazon.nova-pro-v1:0"
diff --git a/infrastructure/terraform/etc/env_eu-west-2_dev1.tfvars b/infrastructure/terraform/etc/env_eu-west-2_dev1.tfvars
new file mode 100644
index 0000000..677ed35
--- /dev/null
+++ b/infrastructure/terraform/etc/env_eu-west-2_dev1.tfvars
@@ -0,0 +1,10 @@
+first-run = false
+environment = "dev1"
+
+prompt-max-tokens-to-sample = 200
+prompt-temperature = 0.1
+prompt-top-p = 0.8
+
+prompt-model = "eu.amazon.nova-pro-v1:0"
+evaluation-evaluator-model-identifier = "eu.amazon.nova-pro-v1:0"
+evaluation-inference-model-identifier = "eu.amazon.nova-pro-v1:0"
diff --git a/infrastructure/terraform/etc/env_eu-west-1_dev2.tfvars b/infrastructure/terraform/etc/env_eu-west-2_dev2.tfvars
similarity index 95%
rename from infrastructure/terraform/etc/env_eu-west-1_dev2.tfvars
rename to infrastructure/terraform/etc/env_eu-west-2_dev2.tfvars
index bd3fb71..a5f6d6c 100644
--- a/infrastructure/terraform/etc/env_eu-west-1_dev2.tfvars
+++ b/infrastructure/terraform/etc/env_eu-west-2_dev2.tfvars
@@ -1,6 +1,5 @@
 first-run = false
 environment = "dev2"
-region = "eu-west-2"
 
 prompt-model-arn = "arn:aws:bedrock:eu-west-1:[[AccountIDHere]]:inference-profile/eu.amazon.nova-pro-v1:0"
 prompt-max-tokens-to-sample = 200
diff --git a/infrastructure/terraform/etc/env_eu-west-2_main.tfvars b/infrastructure/terraform/etc/env_eu-west-2_main.tfvars
new file mode 100644
index 0000000..7c13a56
--- /dev/null
+++ b/infrastructure/terraform/etc/env_eu-west-2_main.tfvars
@@ -0,0 +1,3 @@
+environment = "main"
+
+first-run = false
diff --git a/infrastructure/terraform/etc/eu-west-2.tfvars b/infrastructure/terraform/etc/eu-west-2.tfvars
new file mode 100644
index 0000000..53cd511
--- /dev/null
+++ b/infrastructure/terraform/etc/eu-west-2.tfvars
@@ -0,0 +1,2 @@
+# Specific to region within project/AWS Account
+region = "eu-west-2"
diff --git a/infrastructure/terraform/etc/global.tfvars b/infrastructure/terraform/etc/global.tfvars
new file mode 100644
index 0000000..7980129
--- /dev/null
+++ b/infrastructure/terraform/etc/global.tfvars
@@ -0,0 +1,3 @@
+# Specific to whole project
+tfscaffold_bucket_prefix = "nhs-tfscaffold"
+project = "nhs"
diff --git a/infrastructure/terraform/etc/group_nhs-notify-poc001.tfvars b/infrastructure/terraform/etc/group_nhs-notify-poc001.tfvars
new file mode 100644
index 0000000..72176da
--- /dev/null
+++ b/infrastructure/terraform/etc/group_nhs-notify-poc001.tfvars
@@ -0,0 +1,11 @@
+# Variables shared by any environment that chooses to be subscribed to it
+group = "nhs-notify-poc001"
+aws_account_id = "767397886959"
+region = "eu-west-2"
+
+# Generics
+log_retention_in_days = 10
+kms_deletion_window = 15
+
+budget_amount = 300
+cost_anomaly_threshold = 20
From 2d90a4bd7475561fa21485be01de7bffc95b0083 Mon Sep 17 00:00:00 2001
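Review bot: After this series `prompt-model-arn` is no longer a declared variable in the notifyai component (it was renamed to `prompt-model`, which has no default), yet `env_eu-west-2_dev2.tfvars` still sets `prompt-model-arn = "arn:aws:bedrock:eu-west-1:[[AccountIDHere]]:…"` and never sets `prompt-model`, so a dev2 plan will warn about an undeclared value and then fail with "No value for required variable". The `[[AccountIDHere]]` placeholder and the `eu-west-1` region baked into that ARN are also stale now that the group file supplies the account and region. Align it with the dev1 file from the same commit: replace the line with `prompt-model = "eu.amazon.nova-pro-v1:0"`, and in the 95%-unchanged remainder of the file (not visible in this hunk) convert `evaluation-evaluator-model-identifier` and `evaluation-inference-model-identifier` to bare profile ids the same way.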
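Review bot: `group_nhs-notify-poc001.tfvars` commits a literal AWS account ID (`aws_account_id = "767397886959"`), whereas every tfvars file this series deletes carried the `[[AccountIDHere]]` placeholder; AWS does not classify account IDs as secrets, but the repository had evidently chosen to redact them, so this should be a deliberate decision recorded in the PR rather than a side effect of the tfscaffold migration (the `acct` README still lists `aws_account_id` as a required input, so placeholder-plus-CI-injection would keep working). `log_retention_in_days = 10` now applies to every component that subscribes to this group; ten days is short for logs that may be needed in an incident investigation — check it against the programme's retention requirement and consider keeping a longer default here with `dev*` environments overriding it downwards. `region = "eu-west-2"` is set both here and in the new `eu-west-2.tfvars`; if tfscaffold applies the group file after the region file, as its usual global → region → group → environment order suggests, the group value silently pins this account to eu-west-2 and the region file becomes dead weight, so one of the two should go.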
From: aidenvaines-bjss Date: Wed, 9 Jul 2025 16:09:37 +0100 Subject: [PATCH 3/4] CCM-11033 updating region refs --- infrastructure/terraform/components/notifyai/bedrock.tf | 2 +- infrastructure/terraform/components/notifyai/lambda.tf | 2 +- .../terraform/components/notifyai/networking.tf | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/infrastructure/terraform/components/notifyai/bedrock.tf b/infrastructure/terraform/components/notifyai/bedrock.tf
index 89f4d7b..1830a82 100644
--- a/infrastructure/terraform/components/notifyai/bedrock.tf
+++ b/infrastructure/terraform/components/notifyai/bedrock.tf
@@ -114,7 +114,7 @@ data "aws_iam_policy_document" "bedrock_access_s3" {
 aws_s3_bucket.evaluation_programatic_results.arn,
 "${aws_s3_bucket.evaluation_programatic_results.arn}/*",
 "arn:aws:bedrock:*::foundation-model/*",
- "arn:aws:bedrock:eu-west-1:${var.aws_account_id}:inference-profile/eu.amazon.nova-pro-v1:0",
+ "arn:aws:bedrock:${var.region}:${var.aws_account_id}:inference-profile/eu.amazon.nova-pro-v1:0",
 "arn:aws:bedrock:${var.region}:${var.aws_account_id}:evaluation-job/*",
 "arn:aws:bedrock:${var.region}::prompt/*",
 "arn:aws:bedrock:*:${var.aws_account_id}:inference-profile/*",
diff --git a/infrastructure/terraform/components/notifyai/lambda.tf b/infrastructure/terraform/components/notifyai/lambda.tf
index daa197c..29a8ecf 100644
--- a/infrastructure/terraform/components/notifyai/lambda.tf
+++ b/infrastructure/terraform/components/notifyai/lambda.tf
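Review bot: The regionalised inference-profile ARN in `data.aws_iam_policy_document.bedrock_access_s3` is redundant: the same resource list still contains `"arn:aws:bedrock:*:${var.aws_account_id}:inference-profile/*"` three lines below, which already matches every inference profile in the account in every region, so this edit does not change the effective grant at all. If the intent is least privilege, drop the wildcard and grant only the profiles the evaluation job uses — `local.evaluation-evaluator-model-identifier-arn` and `local.evaluation-inference-model-identifier-arn`, added to `locals.tf` in this series — instead of the hard-coded `eu.amazon.nova-pro-v1:0`, which will drift as soon as the tfvars model changes; if the wildcard is intentional, delete this line and leave a comment saying why the wildcard is acceptable. The statement begins before this hunk, so check the `actions` it grants before narrowing the resources.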
@@ -53,7 +53,7 @@ data "aws_iam_policy_document" "bedrock_access" {
 "arn:aws:bedrock:eu-central-1::foundation-model/*",
 "arn:aws:bedrock:eu-north-1::foundation-model/*",
 "arn:aws:bedrock:eu-west-3::foundation-model/*",
- "arn:aws:bedrock:eu-west-1:${var.aws_account_id}:inference-profile/eu.amazon.nova-pro-v1:0",
+ "arn:aws:bedrock:${var.region}:${var.aws_account_id}:inference-profile/eu.amazon.nova-pro-v1:0",
 "arn:aws:bedrock:*:${var.aws_account_id}:prompt/*",
 aws_s3_bucket.lambda_prompt_logging_s3_bucket.arn,
 "${aws_s3_bucket.lambda_prompt_logging_s3_bucket.arn}/${local.s3_lambda_logging_key}*",
diff --git a/infrastructure/terraform/components/notifyai/networking.tf b/infrastructure/terraform/components/notifyai/networking.tf
index bd98625..175af37 100644
--- a/infrastructure/terraform/components/notifyai/networking.tf
+++ b/infrastructure/terraform/components/notifyai/networking.tf
@@ -14,18 +14,18 @@
 # resource "aws_subnet" "app_runner_subnet_1" {
 # vpc_id = aws_vpc.app_vpc.id
 # cidr_block = "10.0.2.0/24"
-# availability_zone = "eu-west-1a"
+# availability_zone = "${var.region}a"
 # tags = {
-# Name = "${local.vpc-name}-eu-west-1a"
+# Name = "${local.vpc-name}-${var.region}a"
 # }
 # }
 
 # resource "aws_subnet" "app_runner_subnet_2" {
 # vpc_id = aws_vpc.app_vpc.id
 # cidr_block = "10.0.3.0/24"
-# availability_zone = "eu-west-1b"
+# availability_zone = "${var.region}b"
 # tags = {
-# Name = "${local.vpc-name}-eu-west-1b"
+# Name = "${local.vpc-name}-${var.region}b"
 # }
 # }
 
From 08868b3162192777f8148ccac70933c3d0f49b62 Mon Sep 17 00:00:00 2001
From: aidenvaines-bjss Date: Wed, 9 Jul 2025 16:15:14 +0100 Subject: [PATCH 4/4] CCM-11033 Docs --- infrastructure/terraform/components/acct/README.md | 7 ++++--- infrastructure/terraform/components/notifyai/README.md | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/infrastructure/terraform/components/acct/README.md b/infrastructure/terraform/components/acct/README.md
index a5ef6c7..80ab867 100644
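Review bot: `data.aws_iam_policy_document.bedrock_access` still hard-codes `eu.amazon.nova-pro-v1:0`, while the Lambda's `env_model_id` is now derived from `var.prompt-model` through `local.prompt-model-arn` (patch 2 of this series), so the policy and the environment variable can diverge: change `prompt-model` in tfvars and the function gets an `AccessDeniedException` from Bedrock at invocation time rather than anything at plan time. Replace the literal with the local so the two cannot disagree: `local.prompt-model-arn,`. The statement begins before this hunk; the list of `eu-*` `foundation-model/*` entries around it is presumably there because the cross-region `eu.` profile fans out to models in those regions, so keep them unless testing shows otherwise.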
--- a/infrastructure/terraform/components/acct/README.md +++ b/infrastructure/terraform/components/acct/README.md @@ -13,7 +13,10 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes | +| [budget\_amount](#input\_budget\_amount) | The budget amount in USD for the account | `number` | `500` | no | | [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"acct"` | no | +| [cost\_alarm\_recipients](#input\_cost\_alarm\_recipients) | A list of email addresses to receive alarm notifications | `list(string)` | `[]` | no | +| [cost\_anomaly\_threshold](#input\_cost\_anomaly\_threshold) | The threshold percentage for cost anomaly detection | `number` | `10` | no | | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no | | [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes | | [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes | @@ -26,9 +29,7 @@ No modules. ## Outputs -| Name | Description | -|------|-------------| -| [dns\_zone](#output\_dns\_zone) | n/a | +No outputs. diff --git a/infrastructure/terraform/components/notifyai/README.md b/infrastructure/terraform/components/notifyai/README.md index 2f47eca..3ab2b44 100644 --- a/infrastructure/terraform/components/notifyai/README.md +++ b/infrastructure/terraform/components/notifyai/README.md 
@@ -23,7 +23,7 @@ | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no | | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes | | [prompt-max-tokens-to-sample](#input\_prompt-max-tokens-to-sample) | Maximum number of tokens to sample for the prompt | `number` | n/a | yes | -| [prompt-model-arn](#input\_prompt-model-arn) | Model arn to use for the prompt | `string` | n/a | yes | +| [prompt-model](#input\_prompt-model) | Model name to use for the prompt | `string` | n/a | yes | | [prompt-temperature](#input\_prompt-temperature) | Temperature setting for the prompt | `number` | n/a | yes | | [prompt-top-p](#input\_prompt-top-p) | Top-p setting for the prompt | `number` | n/a | yes | | [region](#input\_region) | The AWS Region | `string` | n/a | yes |