From 2fbfd6e60a0e5bb26b16bb2ae813c924ff20dbdb Mon Sep 17 00:00:00 2001
From: Ed Hall <239591530+edhall-nhs@users.noreply.github.com>
Date: Thu, 29 Jan 2026 16:10:51 +0000
Subject: [PATCH 1/5] Consolidate lambda names to use hyphens

Also tidy us hard coded aws regions and use vars instead
---
 .../account/csoc_eventforwarder_role.tf       |  2 +-
 infrastructure/account/endpoints.tf           |  4 +-
 infrastructure/account/shield_protection.tf   |  2 +-
 infrastructure/instance/ack_lambda.tf         | 22 ++++-----
 .../instance/batch_processor_filter_lambda.tf | 19 +++----
 infrastructure/instance/delta.tf              | 49 +++++++++----------
 infrastructure/instance/endpoints.tf          |  2 +-
 .../instance/file_name_processor.tf           | 20 ++++----
 infrastructure/instance/forwarder_lambda.tf   | 13 ++---
 infrastructure/instance/id_sync_lambda.tf     | 17 +++----
 infrastructure/instance/lambda.tf             | 14 +++---
 infrastructure/instance/main.tf               |  2 +-
 infrastructure/instance/mesh_processor.tf     | 19 +++----
 infrastructure/instance/redis_sync_lambda.tf  | 20 ++++----
 infrastructure/instance/s3_config.tf          | 11 -----
 infrastructure/mesh/main.tf                   |  4 +-
 infrastructure/mesh/variables.tf              |  3 ++
 17 files changed, 105 insertions(+), 118 deletions(-)

diff --git a/infrastructure/account/csoc_eventforwarder_role.tf b/infrastructure/account/csoc_eventforwarder_role.tf
index fc9ad6de6..70d84ffc6 100644
--- a/infrastructure/account/csoc_eventforwarder_role.tf
+++ b/infrastructure/account/csoc_eventforwarder_role.tf
@@ -27,7 +27,7 @@ resource "aws_iam_role_policy" "eventbridge_forwarder_policy" {
       Effect = "Allow",
       Action = ["events:PutEvents"],
       Resource = [
-        "arn:aws:events:eu-west-2:${var.csoc_account_id}:event-bus/shield-eventbus"
+        "arn:aws:events:${var.aws_region}:${var.csoc_account_id}:event-bus/shield-eventbus"
       ]
     }]
   })
diff --git a/infrastructure/account/endpoints.tf b/infrastructure/account/endpoints.tf
index a29c7faf5..98ff22526 100644
--- a/infrastructure/account/endpoints.tf
+++ b/infrastructure/account/endpoints.tf
@@ -1,8 +1,8 @@
 data "aws_ec2_managed_prefix_list" "egress" {
   for_each = toset([
     "com.amazonaws.global.cloudfront.origin-facing",
-    "com.amazonaws.eu-west-2.dynamodb",
-    "com.amazonaws.eu-west-2.s3"
+    "com.amazonaws.${var.aws_region}.dynamodb",
+    "com.amazonaws.${var.aws_region}.s3"
   ])
 
   name = each.value
diff --git a/infrastructure/account/shield_protection.tf b/infrastructure/account/shield_protection.tf
index 4b0ed706c..0809c97d0 100644
--- a/infrastructure/account/shield_protection.tf
+++ b/infrastructure/account/shield_protection.tf
@@ -101,7 +101,7 @@ resource "aws_cloudwatch_event_rule" "shield_ddos_rule_regional" {
 resource "aws_cloudwatch_event_target" "shield_ddos_target_regional" {
   rule      = aws_cloudwatch_event_rule.shield_ddos_rule_regional.name
   target_id = "csoc-eventbus"
-  arn       = "arn:aws:events:eu-west-2:${var.csoc_account_id}:event-bus/shield-eventbus"
+  arn       = "arn:aws:events:${var.aws_region}:${var.csoc_account_id}:event-bus/shield-eventbus"
   role_arn  = aws_iam_role.eventbridge_forwarder_role.arn
 }
 
diff --git a/infrastructure/instance/ack_lambda.tf b/infrastructure/instance/ack_lambda.tf
index 4b30a4cd2..ceca5349a 100644
--- a/infrastructure/instance/ack_lambda.tf
+++ b/infrastructure/instance/ack_lambda.tf
@@ -1,11 +1,9 @@
 # Define the directory containing the Docker image and calculate its SHA-256 hash for triggering redeployments
 locals {
-  ack_lambda_dir = abspath("${path.root}/../../lambdas/ack_backend")
-
-  ack_lambda_files = fileset(local.ack_lambda_dir, "**")
-
+  ack_lambda_dir     = abspath("${path.root}/../../lambdas/ack_backend")
+  ack_lambda_files   = fileset(local.ack_lambda_dir, "**")
   ack_lambda_dir_sha = sha1(join("", [for f in local.ack_lambda_files : filesha1("${local.ack_lambda_dir}/${f}")]))
-  ack_lambda_name    = "${local.short_prefix}-ack_lambda"
+  ack_lambda_name    = "${local.short_prefix}-ack-lambda"
 }
 
 
@@ -72,7 +70,7 @@ resource "aws_ecr_repository_policy" "ack_lambda_ECRImageRetreival_policy" {
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-ack-lambda"
+            "aws:sourceArn" : "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.ack_lambda_name}"
           }
         }
       }
@@ -82,7 +80,7 @@ resource "aws_ecr_repository_policy" "ack_lambda_ECRImageRetreival_policy" {
 
 # IAM Role for Lambda
 resource "aws_iam_role" "ack_lambda_exec_role" {
-  name = "${local.short_prefix}-ack-lambda-exec-role"
+  name = "${local.ack_lambda_name}-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -98,7 +96,7 @@ resource "aws_iam_role" "ack_lambda_exec_role" {
 
 # Policy for Lambda execution role
 resource "aws_iam_policy" "ack_lambda_exec_policy" {
-  name = "${local.short_prefix}-ack-lambda-exec-policy"
+  name = "${local.ack_lambda_name}-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -109,7 +107,7 @@ resource "aws_iam_policy" "ack_lambda_exec_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
-        Resource = "arn:aws:logs:eu-west-2:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-ack-lambda:*"
+        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.ack_lambda_name}:*"
       },
       {
         Effect = "Allow"
@@ -145,7 +143,7 @@ resource "aws_iam_policy" "ack_lambda_exec_policy" {
           "sqs:DeleteMessage",
           "sqs:GetQueueAttributes"
         ],
-      Resource = "arn:aws:sqs:eu-west-2:${var.immunisation_account_id}:${local.short_prefix}-ack-metadata-queue.fifo" },
+      Resource = "arn:aws:sqs:${var.aws_region}:${var.immunisation_account_id}:${local.short_prefix}-ack-metadata-queue.fifo" },
       {
         "Effect" : "Allow",
         "Action" : [
@@ -159,7 +157,7 @@ resource "aws_iam_policy" "ack_lambda_exec_policy" {
 }
 
 resource "aws_cloudwatch_log_group" "ack_lambda_log_group" {
-  name              = "/aws/lambda/${local.short_prefix}-ack-lambda"
+  name              = "/aws/lambda/${local.ack_lambda_name}"
   retention_in_days = 30
 }
 
@@ -200,7 +198,7 @@ resource "aws_iam_role_policy_attachment" "lambda_kms_policy_attachment" {
 
 # Lambda Function with Security Group and VPC.
 resource "aws_lambda_function" "ack_processor_lambda" {
-  function_name = "${local.short_prefix}-ack-lambda"
+  function_name = local.ack_lambda_name
   role          = aws_iam_role.ack_lambda_exec_role.arn
   package_type  = "Image"
   image_uri     = module.ack_processor_docker_image.image_uri
diff --git a/infrastructure/instance/batch_processor_filter_lambda.tf b/infrastructure/instance/batch_processor_filter_lambda.tf
index 89b821e40..f1bc1b5da 100644
--- a/infrastructure/instance/batch_processor_filter_lambda.tf
+++ b/infrastructure/instance/batch_processor_filter_lambda.tf
@@ -3,6 +3,7 @@ locals {
   batch_processor_filter_lambda_dir     = abspath("${path.root}/../../lambdas/batch_processor_filter")
   batch_processor_filter_lambda_files   = fileset(local.batch_processor_filter_lambda_dir, "**")
   batch_processor_filter_lambda_dir_sha = sha1(join("", [for f in local.batch_processor_filter_lambda_files : filesha1("${local.batch_processor_filter_lambda_dir}/${f}")]))
+  batch_processor_filter_lambda_name    = "${local.short_prefix}-batch-processor-filter-lambda"
 }
 
 resource "aws_ecr_repository" "batch_processor_filter_lambda_repository" {
@@ -69,7 +70,7 @@ resource "aws_ecr_repository_policy" "batch_processor_filter_lambda_ECRImageRetr
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}-batch-processor-filter-lambda"
+            "aws:sourceArn" : "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.batch_processor_filter_lambda_name}"
           }
         }
       }
@@ -79,7 +80,7 @@ resource "aws_ecr_repository_policy" "batch_processor_filter_lambda_ECRImageRetr
 
 # IAM Role for Lambda
 resource "aws_iam_role" "batch_processor_filter_lambda_exec_role" {
-  name = "${local.short_prefix}-batch-processor-filter-lambda-exec-role"
+  name = "${local.batch_processor_filter_lambda_name}-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -95,7 +96,7 @@ resource "aws_iam_role" "batch_processor_filter_lambda_exec_role" {
 
 # Policy for Lambda execution role
 resource "aws_iam_policy" "batch_processor_filter_lambda_exec_policy" {
-  name = "${local.short_prefix}-batch-processor-filter-lambda-exec-policy"
+  name = "${local.batch_processor_filter_lambda_name}-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -106,7 +107,7 @@ resource "aws_iam_policy" "batch_processor_filter_lambda_exec_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
-        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-batch-processor-filter-lambda:*"
+        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.batch_processor_filter_lambda_name}:*"
       },
       {
         Effect = "Allow",
@@ -157,7 +158,7 @@ resource "aws_iam_policy" "batch_processor_filter_lambda_exec_policy" {
 
 # Policy for Lambda to interact with SQS
 resource "aws_iam_policy" "batch_processor_filter_lambda_sqs_policy" {
-  name = "${local.short_prefix}-batch-processor-filter-lambda-sqs-policy"
+  name = "${local.batch_processor_filter_lambda_name}-sqs-policy"
 
   policy = jsonencode({
     Version = "2012-10-17",
@@ -183,7 +184,7 @@ resource "aws_iam_policy" "batch_processor_filter_lambda_sqs_policy" {
 }
 
 resource "aws_iam_policy" "batch_processor_filter_lambda_kms_access_policy" {
-  name        = "${local.short_prefix}-batch-processor-filter-lambda-kms-policy"
+  name        = "${local.batch_processor_filter_lambda_name}-kms-policy"
   description = "Allow Lambda to decrypt environment variables"
 
   policy = jsonencode({
@@ -261,7 +262,7 @@ resource "aws_iam_role_policy_attachment" "batch_processor_filter_lambda_dynamo_
 
 # Lambda Function with Security Group and VPC.
 resource "aws_lambda_function" "batch_processor_filter_lambda" {
-  function_name = "${local.short_prefix}-batch-processor-filter-lambda"
+  function_name = local.batch_processor_filter_lambda_name
   role          = aws_iam_role.batch_processor_filter_lambda_exec_role.arn
   package_type  = "Image"
   image_uri     = module.batch_processor_filter_docker_image.image_uri
@@ -293,7 +294,7 @@ resource "aws_lambda_function" "batch_processor_filter_lambda" {
 }
 
 resource "aws_cloudwatch_log_group" "batch_processor_filter_lambda_log_group" {
-  name              = "/aws/lambda/${local.short_prefix}-batch-processor-filter-lambda"
+  name              = "/aws/lambda/${local.batch_processor_filter_lambda_name}"
   retention_in_days = 30
 }
 
@@ -322,7 +323,7 @@ resource "aws_cloudwatch_log_metric_filter" "batch_processor_filter_error_logs"
 resource "aws_cloudwatch_metric_alarm" "batch_processor_filter_error_alarm" {
   count = var.error_alarm_notifications_enabled ? 1 : 0
 
-  alarm_name          = "${local.short_prefix}-batch-processor-filter-lambda-error"
+  alarm_name          = "${local.batch_processor_filter_lambda_name}-error"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = 1
   metric_name         = "${local.short_prefix}-BatchProcessorFilterErrorLogs"
diff --git a/infrastructure/instance/delta.tf b/infrastructure/instance/delta.tf
index a9e5efd14..1647578f4 100644
--- a/infrastructure/instance/delta.tf
+++ b/infrastructure/instance/delta.tf
@@ -1,10 +1,9 @@
 locals {
-  delta_lambda_dir = abspath("${path.root}/../../lambdas/delta_backend")
-  delta_files      = fileset(local.delta_lambda_dir, "**")
-  delta_dir_sha    = sha1(join("", [for f in local.delta_files : filesha1("${local.delta_lambda_dir}/${f}")]))
-  function_name    = "delta"
-  dlq_name         = "delta-dlq"
-  sns_name         = "delta-sns"
+  delta_lambda_dir  = abspath("${path.root}/../../lambdas/delta_backend")
+  delta_files       = fileset(local.delta_lambda_dir, "**")
+  delta_dir_sha     = sha1(join("", [for f in local.delta_files : filesha1("${local.delta_lambda_dir}/${f}")]))
+  delta_lambda_name = "${local.short_prefix}-delta-lambda"
+  dlq_name          = "delta-dlq"
 }
 
 resource "aws_ecr_repository" "delta_lambda_repository" {
@@ -71,7 +70,7 @@ resource "aws_ecr_repository_policy" "delta_lambda_ECRImageRetreival_policy" {
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-${local.function_name}"
+            "aws:sourceArn" : "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.delta_lambda_name}"
           }
         }
       }
@@ -101,33 +100,29 @@ data "aws_iam_policy_document" "delta_policy_document" {
 }
 
 resource "aws_iam_role" "delta_lambda_role" {
-  name               = "${local.short_prefix}-${local.function_name}-role"
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "lambda.amazonaws.com"
+  name = "${local.delta_lambda_name}-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect = "Allow",
+      Sid    = "",
+      Principal = {
+        Service = "lambda.amazonaws.com"
       },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
+      Action = "sts:AssumeRole"
+    }]
+  })
 }
 
 resource "aws_iam_role_policy" "lambda_role_policy" {
-  name   = "${local.prefix}-${local.function_name}-policy"
+  name   = "${local.prefix}-delta-policy"
   role   = aws_iam_role.delta_lambda_role.id
   policy = data.aws_iam_policy_document.delta_policy_document.json
 }
 
 
 resource "aws_lambda_function" "delta_sync_lambda" {
-  function_name = "${local.short_prefix}-${local.function_name}"
+  function_name = local.delta_lambda_name
   role          = aws_iam_role.delta_lambda_role.arn
   package_type  = "Image"
   architectures = ["x86_64"]
@@ -168,7 +163,7 @@ resource "aws_sqs_queue" "dlq" {
 }
 
 resource "aws_cloudwatch_log_group" "delta_lambda" {
-  name              = "/aws/lambda/${local.short_prefix}-${local.function_name}"
+  name              = "/aws/lambda/${local.delta_lambda_name}"
   retention_in_days = 30
 }
 
@@ -190,7 +185,7 @@ resource "aws_cloudwatch_log_metric_filter" "delta_error_logs" {
 resource "aws_cloudwatch_metric_alarm" "delta_error_alarm" {
   count = var.error_alarm_notifications_enabled ? 1 : 0
 
-  alarm_name          = "${local.short_prefix}-delta-lambda-error"
+  alarm_name          = "${local.delta_lambda_name}-error"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = 1
   metric_name         = "${local.short_prefix}-DeltaErrorLogs"
@@ -201,4 +196,4 @@ resource "aws_cloudwatch_metric_alarm" "delta_error_alarm" {
   alarm_description   = "This sets off an alarm for any error logs found in the delta Lambda function"
   alarm_actions       = [data.aws_sns_topic.imms_system_alert_errors.arn]
   treat_missing_data  = "notBreaching"
-}
\ No newline at end of file
+}
diff --git a/infrastructure/instance/endpoints.tf b/infrastructure/instance/endpoints.tf
index edcb76f37..35b80b8ea 100644
--- a/infrastructure/instance/endpoints.tf
+++ b/infrastructure/instance/endpoints.tf
@@ -30,7 +30,7 @@ locals {
     # except for prod and ref, any other env uses PDS int environment
     "PDS_ENV"              = var.pds_environment
     "SPLUNK_FIREHOSE_NAME" = module.splunk.firehose_stream_name
-    "SQS_QUEUE_URL"        = "https://sqs.eu-west-2.amazonaws.com/${var.immunisation_account_id}/${local.short_prefix}-ack-metadata-queue.fifo"
+    "SQS_QUEUE_URL"        = "https://sqs.${var.aws_region}.amazonaws.com/${var.immunisation_account_id}/${local.short_prefix}-ack-metadata-queue.fifo"
     "REDIS_HOST"           = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address
     "REDIS_PORT"           = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port
   }
diff --git a/infrastructure/instance/file_name_processor.tf b/infrastructure/instance/file_name_processor.tf
index 0ec044cc3..58fef433e 100644
--- a/infrastructure/instance/file_name_processor.tf
+++ b/infrastructure/instance/file_name_processor.tf
@@ -3,6 +3,8 @@ locals {
   filename_lambda_dir     = abspath("${path.root}/../../lambdas/filenameprocessor")
   filename_lambda_files   = fileset(local.filename_lambda_dir, "**")
   filename_lambda_dir_sha = sha1(join("", [for f in local.filename_lambda_files : filesha1("${local.filename_lambda_dir}/${f}")]))
+  filename_lambda_name    = "${local.short_prefix}-filenameproc-lambda"
+
   dps_bucket_name_for_extended_attribute = (
     var.environment == "prod"
     ? "nhsd-dspp-core-prod-extended-attributes-gdp"
@@ -79,7 +81,7 @@ resource "aws_ecr_repository_policy" "filenameprocessor_lambda_ECRImageRetreival
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-filenameproc_lambda"
+            "aws:sourceArn" : "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.filename_lambda_name}"
           }
         }
       }
@@ -89,7 +91,7 @@ resource "aws_ecr_repository_policy" "filenameprocessor_lambda_ECRImageRetreival
 
 # IAM Role for Lambda
 resource "aws_iam_role" "filenameprocessor_lambda_exec_role" {
-  name = "${local.short_prefix}-filenameproc-lambda-exec-role"
+  name = "${local.filename_lambda_name}-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -105,7 +107,7 @@ resource "aws_iam_role" "filenameprocessor_lambda_exec_role" {
 
 # Policy for Lambda execution role
 resource "aws_iam_policy" "filenameprocessor_lambda_exec_policy" {
-  name = "${local.short_prefix}-filenameproc-lambda-exec-policy"
+  name = "${local.filename_lambda_name}-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -116,7 +118,7 @@ resource "aws_iam_policy" "filenameprocessor_lambda_exec_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
-        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-filenameproc_lambda:*"
+        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.filename_lambda_name}:*"
       },
       {
         Effect = "Allow"
@@ -186,7 +188,7 @@ resource "aws_iam_policy" "filenameprocessor_lambda_exec_policy" {
 
 # Policy for Lambda to interact with SQS
 resource "aws_iam_policy" "filenameprocessor_lambda_sqs_policy" {
-  name = "${local.short_prefix}-filenameproc-lambda-sqs-policy"
+  name = "${local.filename_lambda_name}-sqs-policy"
 
   policy = jsonencode({
     Version = "2012-10-17",
@@ -201,7 +203,7 @@ resource "aws_iam_policy" "filenameprocessor_lambda_sqs_policy" {
 }
 
 resource "aws_iam_policy" "filenameprocessor_lambda_kms_access_policy" {
-  name        = "${local.short_prefix}-filenameproc-lambda-kms-policy"
+  name        = "${local.filename_lambda_name}-kms-policy"
   description = "Allow Lambda to decrypt environment variables"
 
   policy = jsonencode({
@@ -268,7 +270,7 @@ resource "aws_iam_policy" "filenameprocessor_dps_extended_attribute_kms_policy"
           "kms:GenerateDataKey",
           "kms:DescribeKey"
         ],
-        Resource = "arn:aws:kms:eu-west-2:${var.dspp_core_account_id}:key/*",
+        Resource = "arn:aws:kms:${var.aws_region}:${var.dspp_core_account_id}:key/*",
         "Condition" = {
           "ForAnyValue:StringEquals" = {
             "kms:ResourceAliases" = "alias/${var.dspp_kms_key_alias}"
@@ -311,7 +313,7 @@ resource "aws_iam_role_policy_attachment" "filenameprocessor_lambda_dynamo_acces
 
 # Lambda Function with Security Group and VPC.
 resource "aws_lambda_function" "file_processor_lambda" {
-  function_name = "${local.short_prefix}-filenameproc_lambda"
+  function_name = local.filename_lambda_name
   role          = aws_iam_role.filenameprocessor_lambda_exec_role.arn
   package_type  = "Image"
   image_uri     = module.file_processor_docker_image.image_uri
@@ -371,7 +373,7 @@ resource "aws_s3_bucket_notification" "datasources_lambda_notification" {
 }
 
 resource "aws_cloudwatch_log_group" "file_name_processor_log_group" {
-  name              = "/aws/lambda/${local.short_prefix}-filenameproc_lambda"
+  name              = "/aws/lambda/${local.filename_lambda_name}"
   retention_in_days = 30
 }
 
diff --git a/infrastructure/instance/forwarder_lambda.tf b/infrastructure/instance/forwarder_lambda.tf
index 6d81c9e99..4101d0484 100644
--- a/infrastructure/instance/forwarder_lambda.tf
+++ b/infrastructure/instance/forwarder_lambda.tf
@@ -3,6 +3,7 @@ locals {
   forwarder_lambda_dir     = abspath("${path.root}/../../lambdas/recordforwarder")
   forwarder_lambda_files   = fileset(local.forwarder_lambda_dir, "**")
   forwarder_lambda_dir_sha = sha1(join("", [for f in local.forwarder_lambda_files : filesha1("${local.forwarder_lambda_dir}/${f}")]))
+  forwarder_lambda_name    = "${local.short_prefix}-forwarding-lambda"
 }
 
 resource "aws_ecr_repository" "forwarder_lambda_repository" {
@@ -69,7 +70,7 @@ resource "aws_ecr_repository_policy" "forwarder_lambda_ECRImageRetreival_policy"
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-forwarding_lambda"
+            "aws:sourceArn" : "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.forwarder_lambda_name}"
           }
         }
       }
@@ -79,7 +80,7 @@ resource "aws_ecr_repository_policy" "forwarder_lambda_ECRImageRetreival_policy"
 
 # IAM Role for Lambda
 resource "aws_iam_role" "forwarding_lambda_exec_role" {
-  name = "${local.short_prefix}-forwarding-lambda-exec-role"
+  name = "${local.forwarder_lambda_name}-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -95,7 +96,7 @@ resource "aws_iam_role" "forwarding_lambda_exec_role" {
 
 # Policy for Lambda execution role to interact with logs, S3, KMS, and Kinesis.
 resource "aws_iam_policy" "forwarding_lambda_exec_policy" {
-  name = "${local.short_prefix}-forwarding-lambda-exec-policy"
+  name = "${local.forwarder_lambda_name}-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -106,7 +107,7 @@ resource "aws_iam_policy" "forwarding_lambda_exec_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
-        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-forwarding_lambda:*",
+        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.forwarder_lambda_name}:*",
       },
       {
         Effect = "Allow"
@@ -204,7 +205,7 @@ resource "aws_iam_role_policy_attachment" "forwarding_lambda_exec_policy_attachm
 
 # Lambda Function
 resource "aws_lambda_function" "forwarding_lambda" {
-  function_name = "${local.short_prefix}-forwarding_lambda"
+  function_name = local.forwarder_lambda_name
   role          = aws_iam_role.forwarding_lambda_exec_role.arn
   package_type  = "Image"
   architectures = ["x86_64"]
@@ -250,6 +251,6 @@ resource "aws_lambda_event_source_mapping" "kinesis_event_source_mapping_forward
 }
 
 resource "aws_cloudwatch_log_group" "forwarding_lambda_log_group" {
-  name              = "/aws/lambda/${local.short_prefix}-forwarding_lambda"
+  name              = "/aws/lambda/${local.forwarder_lambda_name}"
   retention_in_days = 30
 }
diff --git a/infrastructure/instance/id_sync_lambda.tf b/infrastructure/instance/id_sync_lambda.tf
index 5bb92a60a..75329caaf 100644
--- a/infrastructure/instance/id_sync_lambda.tf
+++ b/infrastructure/instance/id_sync_lambda.tf
@@ -5,7 +5,7 @@ locals {
   id_sync_lambda_files = fileset(local.id_sync_lambda_dir, "**")
 
   id_sync_lambda_dir_sha = sha1(join("", [for f in local.id_sync_lambda_files : filesha1("${local.id_sync_lambda_dir}/${f}")]))
-  id_sync_lambda_name    = "${local.short_prefix}-id_sync_lambda"
+  id_sync_lambda_name    = "${local.short_prefix}-id-sync-lambda"
 }
 
 resource "aws_ecr_repository" "id_sync_lambda_repository" {
@@ -81,7 +81,7 @@ resource "aws_ecr_repository_policy" "id_sync_lambda_ECRImageRetreival_policy" {
 
 # IAM Role for Lambda
 resource "aws_iam_role" "id_sync_lambda_exec_role" {
-  name = "${local.short_prefix}-id-sync-lambda-exec-role"
+  name = "${local.id_sync_lambda_name}-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -97,7 +97,7 @@ resource "aws_iam_role" "id_sync_lambda_exec_role" {
 
 # Policy for Lambda execution role
 resource "aws_iam_policy" "id_sync_lambda_exec_policy" {
-  name = "${local.short_prefix}-id-sync-lambda-exec-policy"
+  name = "${local.id_sync_lambda_name}-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -108,7 +108,7 @@ resource "aws_iam_policy" "id_sync_lambda_exec_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
-        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-id_sync_lambda:*"
+        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.id_sync_lambda_name}:*"
       },
       {
         Effect = "Allow"
@@ -172,8 +172,6 @@ resource "aws_iam_policy" "id_sync_lambda_exec_policy" {
           "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.id_sync_lambda_name}",
         ]
       },
-      # NEW
-      # NB anomaly: do we want this in "id_sync_lambda_sqs_access_policy"?
       {
         Effect = "Allow",
         Action = [
@@ -183,7 +181,6 @@ resource "aws_iam_policy" "id_sync_lambda_exec_policy" {
         ],
         Resource = aws_sqs_queue.id_sync_queue.arn
       },
-      # NB anomaly: in redis_sync this appears in "redis_sync_lambda_kms_access_policy"
       {
         Effect = "Allow",
         Action = [
@@ -197,7 +194,7 @@ resource "aws_iam_policy" "id_sync_lambda_exec_policy" {
 }
 
 resource "aws_iam_policy" "id_sync_lambda_kms_access_policy" {
-  name        = "${local.short_prefix}-id-sync-lambda-kms-policy"
+  name        = "${local.id_sync_lambda_name}-kms-policy"
   description = "Allow Lambda to decrypt environment variables"
 
   policy = jsonencode({
@@ -264,7 +261,7 @@ data "aws_iam_policy_document" "id_sync_policy_document" {
 }
 
 resource "aws_iam_policy" "id_sync_lambda_dynamodb_access_policy" {
-  name        = "${local.short_prefix}-id-sync-lambda-dynamodb-access-policy"
+  name        = "${local.id_sync_lambda_name}-dynamodb-access-policy"
   description = "Allow Lambda to access DynamoDB"
   policy      = data.aws_iam_policy_document.id_sync_policy_document.json
 }
@@ -326,7 +323,7 @@ resource "aws_cloudwatch_log_metric_filter" "id_sync_error_logs" {
 resource "aws_cloudwatch_metric_alarm" "id_sync_error_alarm" {
   count = var.error_alarm_notifications_enabled ? 1 : 0
 
-  alarm_name          = "${local.short_prefix}-id-sync-lambda-error"
+  alarm_name          = "${local.id_sync_lambda_name}-error"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = 1
   metric_name         = "${local.short_prefix}-IdSyncErrorLogs"
diff --git a/infrastructure/instance/lambda.tf b/infrastructure/instance/lambda.tf
index 28992a9e5..d4fb92a55 100644
--- a/infrastructure/instance/lambda.tf
+++ b/infrastructure/instance/lambda.tf
@@ -70,13 +70,13 @@ resource "aws_ecr_repository_policy" "operation_lambda_ECRImageRetreival_policy"
         "Condition" : {
           "StringLike" : {
             "aws:sourceArn" : [
-              "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_get_status",
-              "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_not_found",
-              "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_search_imms",
-              "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_get_imms",
-              "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_delete_imms",
-              "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_create_imms",
-              "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}_update_imms"
+              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_get_status",
+              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_not_found",
+              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_search_imms",
+              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_get_imms",
+              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_delete_imms",
+              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_create_imms",
+              "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.short_prefix}_update_imms"
             ]
           }
         }
diff --git a/infrastructure/instance/main.tf b/infrastructure/instance/main.tf
index aa7e24a45..940d55b45 100644
--- a/infrastructure/instance/main.tf
+++ b/infrastructure/instance/main.tf
@@ -10,7 +10,7 @@ terraform {
     }
   }
   backend "s3" {
-    region       = "eu-west-2"
+    region       = var.aws_region
     key          = "state"
     use_lockfile = true
   }
diff --git a/infrastructure/instance/mesh_processor.tf b/infrastructure/instance/mesh_processor.tf
index 8d6d7f0ae..d6b70ea5a 100644
--- a/infrastructure/instance/mesh_processor.tf
+++ b/infrastructure/instance/mesh_processor.tf
@@ -3,6 +3,7 @@ locals {
   mesh_processor_lambda_dir     = abspath("${path.root}/../../lambdas/mesh_processor")
   mesh_processor_lambda_files   = fileset(local.mesh_processor_lambda_dir, "**")
   mesh_processor_lambda_dir_sha = sha1(join("", [for f in local.mesh_processor_lambda_files : filesha1("${local.mesh_processor_lambda_dir}/${f}")]))
+  mesh_processor_lambda_name    = "${local.short_prefix}-mesh-processor-lambda"
   # This should match the prefix used in the global Terraform
   mesh_module_prefix = "imms-${var.environment}-mesh"
 }
@@ -25,7 +26,7 @@ resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" {
   image_scanning_configuration {
     scan_on_push = true
   }
-  name         = "${local.short_prefix}-mesh_processor-repo"
+  name         = "${local.short_prefix}-mesh-processor-repo"
   force_delete = local.is_temp
 }
 
@@ -89,7 +90,7 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-mesh_processor_lambda"
+            "aws:sourceArn" : "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.mesh_processor_lambda_name}"
           }
         }
       }
@@ -101,7 +102,7 @@ resource "aws_ecr_repository_policy" "mesh_processor_lambda_ECRImageRetreival_po
 resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
   count = var.create_mesh_processor ? 1 : 0
 
-  name = "${local.short_prefix}-mesh_processor-lambda-exec-role"
+  name = "${local.mesh_processor_lambda_name}-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -119,7 +120,7 @@ resource "aws_iam_role" "mesh_processor_lambda_exec_role" {
 resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
   count = var.create_mesh_processor ? 1 : 0
 
-  name = "${local.short_prefix}-mesh_processor-lambda-exec-policy"
+  name = "${local.mesh_processor_lambda_name}-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -130,7 +131,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
-        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-mesh_processor_lambda:*"
+        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.mesh_processor_lambda_name}:*"
       },
       {
         Effect = "Allow"
@@ -167,7 +168,7 @@ resource "aws_iam_policy" "mesh_processor_lambda_exec_policy" {
 resource "aws_iam_policy" "mesh_processor_lambda_kms_access_policy" {
   count = var.create_mesh_processor ? 1 : 0
 
-  name        = "${local.short_prefix}-mesh_processor-lambda-kms-policy"
+  name        = "${local.mesh_processor_lambda_name}-kms-policy"
   description = "Allow Lambda to decrypt environment variables"
 
   policy = jsonencode({
@@ -209,7 +210,7 @@ resource "aws_iam_role_policy_attachment" "mesh_processor_lambda_kms_policy_atta
 resource "aws_lambda_function" "mesh_file_converter_lambda" {
   count = var.create_mesh_processor ? 1 : 0
 
-  function_name = "${local.short_prefix}-mesh_processor_lambda"
+  function_name = local.mesh_processor_lambda_name
   role          = aws_iam_role.mesh_processor_lambda_exec_role[0].arn
   package_type  = "Image"
   image_uri     = module.mesh_processor_docker_image[0].image_uri
@@ -255,7 +256,7 @@ resource "aws_s3_bucket_notification" "mesh_datasources_lambda_notification" {
 resource "aws_cloudwatch_log_group" "mesh_file_converter_log_group" {
   count = var.create_mesh_processor ? 1 : 0
 
-  name              = "/aws/lambda/${local.short_prefix}-mesh_processor_lambda"
+  name              = "/aws/lambda/${local.mesh_processor_lambda_name}"
   retention_in_days = 30
 }
 
@@ -276,7 +277,7 @@ resource "aws_cloudwatch_log_metric_filter" "mesh_processor_error_logs" {
 resource "aws_cloudwatch_metric_alarm" "mesh_processor_error_alarm" {
   count = var.create_mesh_processor && var.error_alarm_notifications_enabled ? 1 : 0
 
-  alarm_name          = "${local.short_prefix}-mesh-processor-lambda-error"
+  alarm_name          = "${local.mesh_processor_lambda_name}-error"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = 1
   metric_name         = "${local.short_prefix}-MeshProcessorErrorLogs"
diff --git a/infrastructure/instance/redis_sync_lambda.tf b/infrastructure/instance/redis_sync_lambda.tf
index e0c6d08c3..6aac02fed 100644
--- a/infrastructure/instance/redis_sync_lambda.tf
+++ b/infrastructure/instance/redis_sync_lambda.tf
@@ -5,7 +5,7 @@ locals {
   redis_sync_lambda_files = fileset(local.redis_sync_lambda_dir, "**")
 
   redis_sync_lambda_dir_sha = sha1(join("", [for f in local.redis_sync_lambda_files : filesha1("${local.redis_sync_lambda_dir}/${f}")]))
-  redis_sync_lambda_name    = "${local.short_prefix}-redis_sync_lambda"
+  redis_sync_lambda_name    = "${local.short_prefix}-redis-sync-lambda"
 }
 
 resource "aws_ecr_repository" "redis_sync_lambda_repository" {
@@ -81,7 +81,7 @@ resource "aws_ecr_repository_policy" "redis_sync_lambda_ECRImageRetreival_policy
 
 # IAM Role for Lambda
 resource "aws_iam_role" "redis_sync_lambda_exec_role" {
-  name = "${local.short_prefix}-redis-sync-lambda-exec-role"
+  name = "${local.redis_sync_lambda_name}-exec-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [{
@@ -97,7 +97,7 @@ resource "aws_iam_role" "redis_sync_lambda_exec_role" {
 
 # Policy for Lambda execution role
 resource "aws_iam_policy" "redis_sync_lambda_exec_policy" {
-  name = "${local.short_prefix}-redis-sync-lambda-exec-policy"
+  name = "${local.redis_sync_lambda_name}-exec-policy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -108,7 +108,7 @@ resource "aws_iam_policy" "redis_sync_lambda_exec_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
-        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-redis_sync_lambda:*"
+        Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.redis_sync_lambda_name}:*"
       },
       {
         Effect = "Allow"
@@ -169,7 +169,7 @@ resource "aws_iam_policy" "redis_sync_lambda_exec_policy" {
         Effect = "Allow"
         Action = "lambda:InvokeFunction"
         Resource = [
-          "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:imms-${var.sub_environment}-redis_sync_lambda",
+          "arn:aws:lambda:${var.aws_region}:${var.immunisation_account_id}:function:${local.redis_sync_lambda_name}}",
         ]
       }
     ]
@@ -177,7 +177,7 @@ resource "aws_iam_policy" "redis_sync_lambda_exec_policy" {
 }
 
 resource "aws_iam_policy" "redis_sync_lambda_kms_access_policy" {
-  name        = "${local.short_prefix}-redis-sync-lambda-kms-policy"
+  name        = "${local.redis_sync_lambda_name}-kms-policy"
   description = "Allow Lambda to decrypt environment variables"
 
   policy = jsonencode({
@@ -219,7 +219,7 @@ resource "aws_iam_role_policy_attachment" "redis_sync_lambda_kms_policy_attachme
 
 # Lambda Function with Security Group and VPC.
 resource "aws_lambda_function" "redis_sync_lambda" {
-  function_name = "${local.short_prefix}-redis_sync_lambda"
+  function_name = local.redis_sync_lambda_name
   role          = aws_iam_role.redis_sync_lambda_exec_role.arn
   package_type  = "Image"
   image_uri     = module.redis_sync_docker_image.image_uri
@@ -236,7 +236,7 @@ resource "aws_lambda_function" "redis_sync_lambda" {
       CONFIG_BUCKET_NAME          = local.config_bucket_name
       REDIS_HOST                  = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address
       REDIS_PORT                  = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port
-      REDIS_SYNC_PROC_LAMBDA_NAME = "imms-${var.sub_environment}-redis_sync_lambda"
+      REDIS_SYNC_PROC_LAMBDA_NAME = local.redis_sync_lambda_name
       SPLUNK_FIREHOSE_NAME        = module.splunk.firehose_stream_name
     }
   }
@@ -249,7 +249,7 @@ resource "aws_lambda_function" "redis_sync_lambda" {
 }
 
 resource "aws_cloudwatch_log_group" "redis_sync_log_group" {
-  name              = "/aws/lambda/${local.short_prefix}-redis_sync_lambda"
+  name              = "/aws/lambda/${local.redis_sync_lambda_name}"
   retention_in_days = 30
 }
 
@@ -270,7 +270,7 @@ resource "aws_cloudwatch_log_metric_filter" "redis_sync_error_logs" {
 resource "aws_cloudwatch_metric_alarm" "redis_sync_error_alarm" {
   count = var.error_alarm_notifications_enabled ? 1 : 0
 
-  alarm_name          = "${local.short_prefix}-redis-sync-lambda-error"
+  alarm_name          = local.redis_sync_lambda_name
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = 1
   metric_name         = "${local.short_prefix}-RedisSyncErrorLogs"
diff --git a/infrastructure/instance/s3_config.tf b/infrastructure/instance/s3_config.tf
index 27b6d79e5..f3c683fef 100644
--- a/infrastructure/instance/s3_config.tf
+++ b/infrastructure/instance/s3_config.tf
@@ -56,17 +56,6 @@ resource "aws_s3_bucket_policy" "batch_data_source_bucket_policy" {
   })
 }
 
-# resource "aws_s3_bucket_server_side_encryption_configuration" "s3_batch_source_encryption" {
-#   bucket = aws_s3_bucket.batch_data_source_bucket.bucket
-#
-#   rule {
-#     apply_server_side_encryption_by_default {
-#       kms_master_key_id = data.aws_kms_key.existing_s3_encryption_key.arn
-#       sse_algorithm     = "aws:kms"
-#     }
-#   }
-# }
-
 resource "aws_s3_bucket_versioning" "source_versioning" {
   bucket = aws_s3_bucket.batch_data_source_bucket.bucket
   versioning_configuration {
diff --git a/infrastructure/mesh/main.tf b/infrastructure/mesh/main.tf
index 3672dc36a..7ef4257cf 100644
--- a/infrastructure/mesh/main.tf
+++ b/infrastructure/mesh/main.tf
@@ -6,7 +6,7 @@ terraform {
     }
   }
   backend "s3" {
-    region       = "eu-west-2"
+    region       = var.aws_region
     key          = "state"
     use_lockfile = true
   }
@@ -14,7 +14,7 @@ terraform {
 }
 
 provider "aws" {
-  region = "eu-west-2"
+  region = var.aws_region
   default_tags {
     tags = {
       Project     = "immunisation-fhir-api"
diff --git a/infrastructure/mesh/variables.tf b/infrastructure/mesh/variables.tf
index d9ec0d63a..6e05d58da 100644
--- a/infrastructure/mesh/variables.tf
+++ b/infrastructure/mesh/variables.tf
@@ -3,3 +3,6 @@ variable "aws_environment" {}
 variable "mesh_environment" {}
 variable "mesh_mailbox_ids" {}
 variable "mesh_dlq_mailbox_id" {}
+variable "aws_region" {
+  default = "eu-west-2"
+}

From de7748f08324bafc42726081d2d1f5aaf1207dc5 Mon Sep 17 00:00:00 2001
From: Ed Hall <239591530+edhall-nhs@users.noreply.github.com>
Date: Thu, 29 Jan 2026 16:33:47 +0000
Subject: [PATCH 2/5] Revert to hard coded region in main.tf

---
 infrastructure/instance/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/instance/main.tf b/infrastructure/instance/main.tf
index 940d55b45..aa7e24a45 100644
--- a/infrastructure/instance/main.tf
+++ b/infrastructure/instance/main.tf
@@ -10,7 +10,7 @@ terraform {
     }
   }
   backend "s3" {
-    region       = var.aws_region
+    region       = "eu-west-2"
     key          = "state"
     use_lockfile = true
   }

From 8327e6cbe970f7e4f88ffde7d0ab6f9f13c37585 Mon Sep 17 00:00:00 2001
From: Ed Hall <239591530+edhall-nhs@users.noreply.github.com>
Date: Fri, 30 Jan 2026 11:13:14 +0000
Subject: [PATCH 3/5] Review comment

---
 infrastructure/instance/redis_sync_lambda.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/instance/redis_sync_lambda.tf b/infrastructure/instance/redis_sync_lambda.tf
index 6aac02fed..47fcabca5 100644
--- a/infrastructure/instance/redis_sync_lambda.tf
+++ b/infrastructure/instance/redis_sync_lambda.tf
@@ -270,7 +270,7 @@ resource "aws_cloudwatch_log_metric_filter" "redis_sync_error_logs" {
 resource "aws_cloudwatch_metric_alarm" "redis_sync_error_alarm" {
   count = var.error_alarm_notifications_enabled ? 1 : 0
 
-  alarm_name          = local.redis_sync_lambda_name
+  alarm_name          = "${local.redis_sync_lambda_name}-error"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = 1
   metric_name         = "${local.short_prefix}-RedisSyncErrorLogs"

From 18681606c8503afc2cece9cdfe3f73e5e3a7caba Mon Sep 17 00:00:00 2001
From: Ed Hall <239591530+edhall-nhs@users.noreply.github.com>
Date: Fri, 30 Jan 2026 14:47:02 +0000
Subject: [PATCH 4/5] Review comment - add tf validation to aws region

---
 .../instance/modules/api_gateway/variables.tf          | 10 +++++++++-
 infrastructure/instance/redis_sync_lambda.tf           |  9 ++++-----
 infrastructure/instance/variables.tf                   |  6 ++++++
 infrastructure/mesh/variables.tf                       |  6 ++++++
 4 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/infrastructure/instance/modules/api_gateway/variables.tf b/infrastructure/instance/modules/api_gateway/variables.tf
index 2b39907df..aaa0e5d84 100644
--- a/infrastructure/instance/modules/api_gateway/variables.tf
+++ b/infrastructure/instance/modules/api_gateway/variables.tf
@@ -5,6 +5,14 @@ variable "api_domain_name" {}
 variable "environment" {}
 variable "sub_environment" {}
 variable "oas" {}
-variable "aws_region" {}
+variable "aws_region" {
+  type    = string
+  default = "eu-west-2"
+
+  validation {
+    condition     = var.aws_region == "eu-west-2"
+    error_message = "AWS Region must be set to eu-west-2."
+  }
+}
 variable "immunisation_account_id" {}
 variable "csoc_account_id" {}
diff --git a/infrastructure/instance/redis_sync_lambda.tf b/infrastructure/instance/redis_sync_lambda.tf
index 47fcabca5..76c81ee03 100644
--- a/infrastructure/instance/redis_sync_lambda.tf
+++ b/infrastructure/instance/redis_sync_lambda.tf
@@ -233,11 +233,10 @@ resource "aws_lambda_function" "redis_sync_lambda" {
 
   environment {
     variables = {
-      CONFIG_BUCKET_NAME          = local.config_bucket_name
-      REDIS_HOST                  = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address
-      REDIS_PORT                  = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port
-      REDIS_SYNC_PROC_LAMBDA_NAME = local.redis_sync_lambda_name
-      SPLUNK_FIREHOSE_NAME        = module.splunk.firehose_stream_name
+      CONFIG_BUCKET_NAME   = local.config_bucket_name
+      REDIS_HOST           = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address
+      REDIS_PORT           = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port
+      SPLUNK_FIREHOSE_NAME = module.splunk.firehose_stream_name
     }
   }
   kms_key_arn = data.aws_kms_key.existing_lambda_encryption_key.arn
diff --git a/infrastructure/instance/variables.tf b/infrastructure/instance/variables.tf
index 88a2a502b..5ebcc195a 100644
--- a/infrastructure/instance/variables.tf
+++ b/infrastructure/instance/variables.tf
@@ -33,7 +33,13 @@ variable "service" {
 }
 
 variable "aws_region" {
+  type    = string
   default = "eu-west-2"
+
+  validation {
+    condition     = var.aws_region == "eu-west-2"
+    error_message = "AWS Region must be set to eu-west-2."
+  }
 }
 
 variable "pds_environment" {
diff --git a/infrastructure/mesh/variables.tf b/infrastructure/mesh/variables.tf
index 6e05d58da..e534bbd91 100644
--- a/infrastructure/mesh/variables.tf
+++ b/infrastructure/mesh/variables.tf
@@ -4,5 +4,11 @@ variable "mesh_environment" {}
 variable "mesh_mailbox_ids" {}
 variable "mesh_dlq_mailbox_id" {}
 variable "aws_region" {
+  type    = string
   default = "eu-west-2"
+
+  validation {
+    condition     = var.aws_region == "eu-west-2"
+    error_message = "AWS Region must be set to eu-west-2."
+  }
 }

From 8e63835dd20a1a0c44314e1ac2ad347e4418329d Mon Sep 17 00:00:00 2001
From: Ed Hall <239591530+edhall-nhs@users.noreply.github.com>
Date: Fri, 30 Jan 2026 14:52:09 +0000
Subject: [PATCH 5/5] Tidy up generic validator code from redis_sync lambda

---
 lambdas/redis_sync/src/constants.py               |  1 -
 lambdas/redis_sync/src/transform_configs.py       |  4 ----
 lambdas/redis_sync/src/transform_map.py           |  3 ---
 lambdas/redis_sync/tests/test_transform_config.py |  7 -------
 lambdas/redis_sync/tests/test_transform_map.py    | 13 -------------
 5 files changed, 28 deletions(-)

diff --git a/lambdas/redis_sync/src/constants.py b/lambdas/redis_sync/src/constants.py
index d26cce29e..73ecfa42e 100644
--- a/lambdas/redis_sync/src/constants.py
+++ b/lambdas/redis_sync/src/constants.py
@@ -1,4 +1,3 @@
 class RedisCacheKey:
     PERMISSIONS_CONFIG_FILE_KEY = "permissions_config.json"
     DISEASE_MAPPING_FILE_KEY = "disease_mapping.json"
-    VALIDATION_RULES_FILE_KEY = "validation_rules.json"
diff --git a/lambdas/redis_sync/src/transform_configs.py b/lambdas/redis_sync/src/transform_configs.py
index 24baa6776..568e9dead 100644
--- a/lambdas/redis_sync/src/transform_configs.py
+++ b/lambdas/redis_sync/src/transform_configs.py
@@ -39,7 +39,3 @@ def transform_supplier_permissions(mapping):
         "supplier_permissions": supplier_permissions,
         "ods_code_to_supplier": ods_code_to_supplier,
     }
-
-
-def transform_validation_rules(data) -> dict:
-    return {"validation_rules": data}
diff --git a/lambdas/redis_sync/src/transform_map.py b/lambdas/redis_sync/src/transform_map.py
index b3ee88f8e..e274fcc6e 100644
--- a/lambdas/redis_sync/src/transform_map.py
+++ b/lambdas/redis_sync/src/transform_map.py
@@ -3,7 +3,6 @@
 from transform_configs import (
     transform_supplier_permissions,
     transform_vaccine_map,
-    transform_validation_rules,
 )
 
 """
@@ -18,8 +17,6 @@ def transform_map(data, file_type) -> dict:
         return transform_supplier_permissions(data)
     if file_type == RedisCacheKey.DISEASE_MAPPING_FILE_KEY:
         return transform_vaccine_map(data)
-    if file_type == RedisCacheKey.VALIDATION_RULES_FILE_KEY:
-        return transform_validation_rules(data)
 
     logger.info("No specific transformation defined for file type: %s", file_type)
     return data  # Default case, return data as is if no transformation is defined
diff --git a/lambdas/redis_sync/tests/test_transform_config.py b/lambdas/redis_sync/tests/test_transform_config.py
index 408dd572d..d81611064 100644
--- a/lambdas/redis_sync/tests/test_transform_config.py
+++ b/lambdas/redis_sync/tests/test_transform_config.py
@@ -5,7 +5,6 @@
 from transform_configs import (
     transform_supplier_permissions,
     transform_vaccine_map,
-    transform_validation_rules,
 )
 
 
@@ -47,12 +46,6 @@ def test_ods_code_to_supplier(self):
         result = transform_supplier_permissions(self.supplier_data)
         self.assertEqual(result["ods_code_to_supplier"], expected)
 
-    def test_validation_rules(self):
-        # validation schema is simple json returned as is to key "validation_rules"
-        sample_schema = {"type": "object", "properties": {"name": {"type": "string"}}}
-        result = transform_validation_rules(sample_schema)
-        self.assertEqual(result, {"validation_rules": sample_schema})
-
     def test_empty_input(self):
         result = transform_supplier_permissions([])
         self.assertEqual(
diff --git a/lambdas/redis_sync/tests/test_transform_map.py b/lambdas/redis_sync/tests/test_transform_map.py
index a3e2a3973..5bdf9e3a4 100644
--- a/lambdas/redis_sync/tests/test_transform_map.py
+++ b/lambdas/redis_sync/tests/test_transform_map.py
@@ -14,7 +14,6 @@ def setUp(self):
             return_value={"result": "supplier"},
         ).start()
         self.mock_vaccine_map = patch("transform_map.transform_vaccine_map", return_value={"result": "vaccine"}).start()
-        self.mock_validation_rules = patch("transform_map.transform_validation_rules").start()
 
     def tearDown(self):
         patch.stopall()
@@ -31,7 +30,6 @@ def test_permissions_config_file_key_calls_supplier_permissions(self):
 
     def test_disease_mapping_file_key_calls_vaccine_map(self):
         data = {"other": "data"}
-        self.mock_validation_rules.return_value = {"validation_rules": data}
         result = transform_map(data, RedisCacheKey.DISEASE_MAPPING_FILE_KEY)
         self.mock_vaccine_map.assert_called_once_with(data)
         self.assertEqual(result, {"result": "vaccine"})
@@ -39,14 +37,3 @@ def test_disease_mapping_file_key_calls_vaccine_map(self):
             "Transforming data for file type: %s",
             RedisCacheKey.DISEASE_MAPPING_FILE_KEY,
         )
-
-    def test_validation_rules_file_key_calls_validation_rules(self):
-        data = {"validation": "schema"}
-        self.mock_validation_rules.return_value = {"validation_rules": data}
-        result = transform_map(data, RedisCacheKey.VALIDATION_RULES_FILE_KEY)
-        self.mock_validation_rules.assert_called_once_with(data)
-        self.assertEqual(result, {"validation_rules": data})
-        self.mock_logger_info.assert_any_call(
-            "Transforming data for file type: %s",
-            RedisCacheKey.VALIDATION_RULES_FILE_KEY,
-        )