NHSDigital · anthony-nhs · Jun 5, 2025 · Apr 22, 2025 · Apr 22, 2025 · Apr 22, 2025
diff --git a/.github/scripts/deploy_api.sh b/.github/scripts/deploy_api.sh
@@ -85,17 +85,11 @@ fi
 
 # Find and replace securitySchemes
 if [[ "${APIGEE_ENVIRONMENT}" == "prod" ]]; then
-    if [[ "${API_TYPE}" == "standard" ]]; then
-        jq '.components.securitySchemes."app-level3" = {"$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/app-level3"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
-    else
-        jq '.components.securitySchemes."app-level0" = {"$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/app-level0"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
-    fi
+    jq '.components.securitySchemes."app-level3" = {"$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/app-level3"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+    jq '.components.securitySchemes."app-level0" = {"$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/app-level0"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
 else
-    if [[ "${API_TYPE}" == "standard" ]]; then
-        jq '.components.securitySchemes."app-level3" = {"$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level3"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
-    else
-        jq '.components.securitySchemes."app-level0" = {"$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level0"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
-    fi
+    jq '.components.securitySchemes."app-level3" = {"$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level3"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+    jq '.components.securitySchemes."app-level0" = {"$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level0"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
 fi
 
 # Remove target attributes if the environment is sandbox

diff --git a/.github/workflows/run_release_code_and_api.yml b/.github/workflows/run_release_code_and_api.yml
@@ -85,6 +85,7 @@ on:
         required: false
       REGRESSION_TESTS_PEM:
         required: true
+
 jobs:
   release_code_and_api:
     runs-on: ubuntu-22.04

diff --git a/.vscode/eps-prescription-status-update-api.code-workspace b/.vscode/eps-prescription-status-update-api.code-workspace
@@ -32,6 +32,10 @@
       "name": "packages/nhsNotifyLambda",
       "path": "../packages/nhsNotifyLambda"
     },
+    {
+      "name": "packages/nhsNotifyUpdateCallback",
+      "path": "../packages/nhsNotifyUpdateCallback"
+    },
     {
       "name": "packages/capabilityStatement",
       "path": "../packages/capabilityStatement"
@@ -97,6 +101,7 @@
       "mermade",
       "milliliter",
       "mkhl",
+      "nhsapp",
       "nHSCHI",
       "NHSD",
       "nhsdlogin",

diff --git a/Makefile b/Makefile
@@ -117,6 +117,7 @@ lint-node: compile-node
 	npm run lint --workspace packages/cpsuLambda
 	npm run lint --workspace packages/checkPrescriptionStatusUpdates
 	npm run lint --workspace packages/nhsNotifyLambda
+	npm run lint --workspace packages/nhsNotifyUpdateCallback
 	npm run lint --workspace packages/common/testing
 	npm run lint --workspace packages/common/middyErrorHandler
 	npm run lint --workspace packages/common/commonTypes
@@ -147,6 +148,7 @@ test: compile
 	npm run test --workspace packages/cpsuLambda
 	npm run test --workspace packages/checkPrescriptionStatusUpdates
 	npm run test --workspace packages/nhsNotifyLambda
+	npm run test --workspace packages/nhsNotifyUpdateCallback
 	npm run test --workspace packages/common/middyErrorHandler
 
 clean:
@@ -164,6 +166,8 @@ clean:
 	rm -rf packages/cpsuLambda/lib
 	rm -rf packages/nhsNotifyLambda/coverage
 	rm -rf packages/nhsNotifyLambda/lib
+	rm -rf packages/nhsNotifyUpdateCallback/coverage
+	rm -rf packages/nhsNotifyUpdateCallback/lib
 	rm -rf packages/checkPrescriptionStatusUpdates/lib
 	rm -rf packages/common/testing/lib
 	rm -rf packages/common/middyErrorHandler/lib

diff --git a/README.md b/README.md
@@ -20,6 +20,7 @@ This is the AWS layer that provides an API for EPS Prescription Status Update.
 - `packages/capabilityStatement/` Returns a static capability statement.
 - `packages/cpsuLambda` Handles updating prescription status using a custom format.
 - `packages/nhsNotifyLambda` Handles sending prescription notifications to the NHS notify service.
+- `packages/nhsNotifyUpdateCallback` Handles receiving notification updates from the NHS notify service.
 - `scripts/` Utilities helpful to developers of this specification.
 - `postman/` Postman collections to call the APIs. Documentation on how to use them are in the collections.
 - `SAMtemplates/` Contains the SAM templates used to define the stacks.

diff --git a/SAMtemplates/apis/main.yaml b/SAMtemplates/apis/main.yaml
@@ -54,6 +54,14 @@ Parameters:
     Type: String
     Default: none
 
+  NHSNotifyUpdateCallbackFunctionName:
+    Type: String
+    Default: none
+
+  NHSNotifyUpdateCallbackFunctionArn:
+    Type: String
+    Default: none
+
   LogRetentionInDays:
     Type: Number
 
@@ -427,6 +435,32 @@ Resources:
         - StatusCode: "400"
         - StatusCode: "500"
 
+  NotificationDeliveryStatusCallbackMethod:
+    Type: AWS::ApiGateway::Method
+    Properties:
+      RestApiId: !Ref RestApiGateway
+      ResourceId: !Ref NotificationDeliveryStatusCallbackResource
+      HttpMethod: POST
+      AuthorizationType: NONE # They authenticate with a signature header
+      Integration:
+        Type: AWS_PROXY
+        Credentials: !GetAtt RestApiGatewayResources.Outputs.ApiGwRoleArn
+        IntegrationHttpMethod: POST
+        Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${NHSNotifyUpdateCallbackFunctionArn}/invocations
+      MethodResponses:
+        - StatusCode: "202"
+        - StatusCode: "401"
+        - StatusCode: "403"
+        - StatusCode: "429"
+        - StatusCode: "500"
+
+  NotificationDeliveryStatusCallbackResource:
+    Type: AWS::ApiGateway::Resource
+    Properties:
+      RestApiId: !Ref RestApiGateway
+      ParentId: !GetAtt RestApiGateway.RootResourceId
+      PathPart: notification-delivery-status-callback
+
   StatusLambdaMethodResource:
     Type: AWS::ApiGateway::Resource
     Properties:
@@ -516,7 +550,7 @@ Resources:
   # if you add a new endpoint, then change the name of this resource
   # also need to change it in RestApiGatewayStage.Properties.DeploymentId
   # *********************************************************************
-  RestApiGatewayDeploymentV1f:
+  RestApiGatewayDeploymentV2f:
     Type: AWS::ApiGateway::Deployment
     DependsOn:
       # see note above if you add something in here when you add a new endpoint
@@ -525,6 +559,7 @@ Resources:
       - CapabilityStatementMethod
       - Format1UpdatePrescriptionStatusMethod
       - CheckPrescriptionStatusUpdatesWaitCondition
+      - NotificationDeliveryStatusCallbackMethod
       # see note above if you add something in here when you add a new endpoint
     Properties:
       RestApiId: !Ref RestApiGateway
@@ -533,7 +568,7 @@ Resources:
     Type: AWS::ApiGateway::Stage
     Properties:
       RestApiId: !Ref RestApiGateway
-      DeploymentId: !Ref RestApiGatewayDeploymentV1f
+      DeploymentId: !Ref RestApiGatewayDeploymentV2f
       StageName: prod
       TracingEnabled: true
       AccessLogSetting:
@@ -557,6 +592,7 @@ Resources:
           - - Fn::ImportValue: !Sub ${StackName}:state-machines:${UpdatePrescriptionStatusStateMachineName}:ExecuteStateMachinePolicy
             - Fn::ImportValue: !Sub ${StackName}:functions:${StatusFunctionName}:ExecuteLambdaPolicyArn
             - Fn::ImportValue: !Sub ${StackName}:functions:${CapabilityStatementFunctionName}:ExecuteLambdaPolicyArn
+            - Fn::ImportValue: !Sub ${StackName}:functions:${NHSNotifyUpdateCallbackFunctionName}:ExecuteLambdaPolicyArn
             - Fn::ImportValue: !Sub ${StackName}:state-machines:${Format1UpdatePrescriptionsStatusStateMachineName}:ExecuteStateMachinePolicy
             - !If
               - ShouldDeployCheckPrescriptionStatusUpdate

diff --git a/SAMtemplates/functions/lambda_resources.yaml b/SAMtemplates/functions/lambda_resources.yaml
@@ -83,6 +83,7 @@ Resources:
             - !ImportValue lambda-resources:LambdaInsightsLogGroupPolicy
             - !ImportValue account-resources:CloudwatchEncryptionKMSPolicyArn
             - !ImportValue account-resources:LambdaDecryptSecretsKMSPolicy
+            - !ImportValue secrets:GetNotifySecretsManagedPolicy
             - !If
               - ShouldIncludeAdditionalPolicies
               - !Join

diff --git a/SAMtemplates/functions/main.yaml b/SAMtemplates/functions/main.yaml
@@ -25,14 +25,18 @@ Parameters:
     Type: String
     Default: none
 
-  # PrescriptionNotificationStatesTableName:
-  #   Type: String
-  #   Default: none
+  PrescriptionNotificationStatesTableName:
+    Type: String
+    Default: none
 
   NHSNotifyPrescriptionsSQSQueueUrl:
     Type: String
     Default: none
 
+  SQSSaltSecret:
+    Type: String
+    Default: none
+
   EnabledSiteODSCodesParam:
     Type: AWS::SSM::Parameter::Value<String>
 
@@ -41,7 +45,7 @@ Parameters:
 
   BlockedSiteODSCodesParam:
     Type: AWS::SSM::Parameter::Value<String>
-    
+
   LogLevel:
     Type: String
 
@@ -69,17 +73,6 @@ Conditions:
     - !Ref DeployCheckPrescriptionStatusUpdate
 
 Resources:
-  SQSSaltSecret:
-    Type: AWS::SecretsManager::Secret
-    Properties:
-      Name: !Sub ${StackName}-SqsSalt
-      Description: Auto-generated salt for SQS_SALT
-      GenerateSecretString:
-        SecretStringTemplate: "{}"
-        GenerateStringKey: salt
-        PasswordLength: 32
-        ExcludePunctuation: true
-
   UpdatePrescriptionStatus:
     Type: AWS::Serverless::Function
     Properties:
@@ -393,7 +386,7 @@ Resources:
         Variables:
           LOG_LEVEL: !Ref LogLevel
           NHS_NOTIFY_PRESCRIPTIONS_SQS_QUEUE_URL: !Ref NHSNotifyPrescriptionsSQSQueueUrl
-          # TABLE_NAME: !Ref PrescriptionNotificationStatesTableName
+          TABLE_NAME: !Ref PrescriptionNotificationStatesTableName
       Events:
         ScheduleEvent:
           Type: ScheduleV2
@@ -436,9 +429,58 @@ Resources:
           - - Fn::ImportValue: !Sub ${StackName}-WriteNHSNotifyPrescriptionsSQSQueuePolicyArn
             - Fn::ImportValue: !Sub ${StackName}-ReadNHSNotifyPrescriptionsSQSQueuePolicyArn
             - Fn::ImportValue: !Sub ${StackName}-UseNotificationSQSQueueKMSKeyPolicyArn
-            # - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionNotificationStatesTableName}:TableReadPolicyArn
-            # - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionNotificationStatesTableName}:TableWritePolicyArn
-            # - Fn::ImportValue: !Sub ${StackName}:tables:UsePrescriptionNotificationStatesKMSKeyPolicyArn
+            - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionNotificationStatesTableName}:TableReadPolicyArn
+            - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionNotificationStatesTableName}:TableWritePolicyArn
+            - Fn::ImportValue: !Sub ${StackName}:tables:UsePrescriptionNotificationStatesKMSKeyPolicyArn
+
+  NHSNotifyUpdateCallback:
+    Type: AWS::Serverless::Function
+    Properties:
+      FunctionName: !Sub ${StackName}-NHSNotifyUpdateCallback
+      CodeUri: ../../packages/
+      Handler: lambdaHandler.handler
+      Role: !GetAtt NHSNotifyUpdateCallbackResources.Outputs.LambdaRoleArn
+      Environment:
+        Variables:
+          LOG_LEVEL: !Ref LogLevel
+          TABLE_NAME: !Ref PrescriptionNotificationStatesTableName
+          APP_NAME_SECRET: secrets-PSU-Notify-Application-Name
+          API_KEY_SECRET:  secrets-PSU-Notify-API-Key
+    Metadata:
+      BuildMethod: esbuild
+      guard:
+        SuppressedRules:
+          - LAMBDA_DLQ_CHECK
+          - LAMBDA_INSIDE_VPC
+          - LAMBDA_CONCURRENCY_CHECK
+      BuildProperties:
+        Minify: true
+        Target: es2020
+        Sourcemap: true
+        tsconfig: nhsNotifyUpdateCallback/tsconfig.json
+        packages: bundle
+        EntryPoints:
+          - nhsNotifyUpdateCallback/src/lambdaHandler.ts
+
+  NHSNotifyUpdateCallbackResources:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location: lambda_resources.yaml
+      Parameters:
+        StackName: !Ref StackName
+        LambdaName: !Sub ${StackName}-NHSNotifyUpdateCallback
+        LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackName}-NHSNotifyUpdateCallback
+        IncludeAdditionalPolicies: true
+        AdditionalPolicies: !Join
+          - ","
+          - - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionNotificationStatesTableName}:TableReadPolicyArn
+            - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionNotificationStatesTableName}:TableWritePolicyArn
+            - Fn::ImportValue: !Sub ${StackName}:tables:UsePrescriptionNotificationStatesKMSKeyPolicyArn
+        LogRetentionInDays: !Ref LogRetentionInDays
+        CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
+        EnableSplunk: !Ref EnableSplunk
+        SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
+        SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream
 
 Outputs:
   UpdatePrescriptionStatusFunctionName:
@@ -506,3 +548,11 @@ Outputs:
   NotifyProcessorFunctionArn:
     Description: The function ARN of the NHS Notify lambda
     Value: !GetAtt NotifyProcessor.Arn
+
+  NHSNotifyUpdateCallbackFunctionName:
+    Description: The function name of the NHSNotifyUpdateCallback lambda
+    Value: !Ref NHSNotifyUpdateCallback
+
+  NHSNotifyUpdateCallbackFunctionArn:
+    Description: The function ARN of the NHSNotifyUpdateCallback lambda
+    Value: !GetAtt NHSNotifyUpdateCallback.Arn
diff --git a/SAMtemplates/main_template.yaml b/SAMtemplates/main_template.yaml
@@ -90,6 +90,13 @@ Parameters:
     Type: String
 
 Resources:
+  Secrets: 
+    Type: AWS::Serverless::Application
+    Properties:
+      Location: secrets/main.yaml
+      Parameters:
+        StackName: !Ref AWS::StackName
+
   Parameters:
     Type: AWS::Serverless::Application
     Properties:
@@ -131,6 +138,8 @@ Resources:
         CapabilityStatementFunctionArn: !GetAtt Functions.Outputs.CapabilityStatementFunctionArn
         CheckPrescriptionStatusUpdatesFunctionName: !GetAtt Functions.Outputs.CheckPrescriptionStatusUpdatesFunctionName
         CheckPrescriptionStatusUpdatesFunctionArn: !GetAtt Functions.Outputs.CheckPrescriptionStatusUpdatesFunctionArn
+        NHSNotifyUpdateCallbackFunctionName: !GetAtt Functions.Outputs.NHSNotifyUpdateCallbackFunctionName
+        NHSNotifyUpdateCallbackFunctionArn: !GetAtt Functions.Outputs.NHSNotifyUpdateCallbackFunctionArn
         LogRetentionInDays: !Ref LogRetentionInDays
         EnableSplunk: !Ref EnableSplunk
         DeployCheckPrescriptionStatusUpdate: !Ref DeployCheckPrescriptionStatusUpdate
@@ -142,8 +151,9 @@ Resources:
       Parameters:
         StackName: !Ref AWS::StackName
         PrescriptionStatusUpdatesTableName: !GetAtt Tables.Outputs.PrescriptionStatusUpdatesTableName
-        # PrescriptionNotificationStatesTableName: !GetAtt Tables.Outputs.PrescriptionNotificationStatesTableName
+        PrescriptionNotificationStatesTableName: !GetAtt Tables.Outputs.PrescriptionNotificationStatesTableName
         NHSNotifyPrescriptionsSQSQueueUrl: !GetAtt Messaging.Outputs.NHSNotifyPrescriptionsSQSQueueUrl
+        SQSSaltSecret: !GetAtt Secrets.Outputs.SQSSaltSecret
         EnabledSiteODSCodesParam: !GetAtt Parameters.Outputs.EnabledSiteODSCodesParameterName
         EnabledSystemsParam: !GetAtt Parameters.Outputs.EnabledSystemsParameterName
         BlockedSiteODSCodesParam: !GetAtt Parameters.Outputs.BlockedSiteODSCodesParameterName

diff --git a/SAMtemplates/parameters/main.yaml b/SAMtemplates/parameters/main.yaml
@@ -55,9 +55,9 @@ Resources:
       Value: !If
         - IsProd
         - > # Prod notification disabled
-          A83008
+          B3J1Z
         - > # Non-prod
-          A83008
+          B3J1Z
 
 Outputs:
   EnabledSiteODSCodesParameterName:

diff --git a/SAMtemplates/secrets/main.yaml b/SAMtemplates/secrets/main.yaml
@@ -0,0 +1,25 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Parameters:
+  StackName:
+    Type: String
+    Default: none
+
+Resources:
+  SQSSaltSecret:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: !Sub ${StackName}-SqsSaltSecret
+      Description: Auto-generated salt for SQS_SALT
+      GenerateSecretString:
+        SecretStringTemplate: "{}"
+        GenerateStringKey: salt
+        PasswordLength: 32
+        ExcludePunctuation: true
+
+Outputs:
+  SQSSaltSecret:
+    Description: The ARN of the randomly generated SQS salt
+    Value: !Ref SQSSaltSecret
+    Export:
+      Name: !Join [":", [!Ref "StackName", "SQSSaltSecret"]]
diff --git a/SAMtemplates/tables/main.yaml b/SAMtemplates/tables/main.yaml
@@ -446,7 +446,7 @@ Resources:
             - !Ref "AWS::NoValue"
       KeySchema:
         - AttributeName: NHSNumber
-          KeyType: HASH       # Partition key!
+          KeyType: HASH       # Partition key
         - AttributeName: ODSCode
           KeyType: RANGE      # Sort key
       BillingMode: !If