NHSDigital · anthony-nhs · Apr 27, 2026 · Apr 29, 2026 · Copilot · Apr 27, 2026
diff --git a/.github/scripts/create_changeset_existing_tags.sh b/.github/scripts/create_changeset_existing_tags.sh
@@ -16,7 +16,7 @@ fi
 
 ROLE=$(echo "$CF_LONDON_EXPORTS" | \
     jq \
-    --arg EXPORT_NAME "ci-resources:CloudFormationExecutionRole" \
+    --arg EXPORT_NAME "iam-cdk:IAM:CloudFormationExecutionRole:Arn" \
     -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
 
 if [ -z "${ROLE}" ]; then
@@ -34,6 +34,7 @@ if [ "${status}" != '"CREATE_COMPLETE"' ] && [ "${status}" != '"UPDATE_ROLLBACK_
 fi
 
 # upload file to s3
+# change this to account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn once other change is merged
 artifact_bucket_arn=$(echo "$CF_LONDON_EXPORTS" | \
     jq \
     --arg EXPORT_NAME "account-resources:ArtifactsBucket" \

diff --git a/.github/scripts/create_changeset_new_tags.sh b/.github/scripts/create_changeset_new_tags.sh
@@ -10,7 +10,7 @@ CF_LONDON_EXPORTS=$(aws cloudformation list-exports --region eu-west-2 --output
 
 ROLE=$(echo "$CF_LONDON_EXPORTS" | \
     jq \
-    --arg EXPORT_NAME "ci-resources:CloudFormationExecutionRole" \
+    --arg EXPORT_NAME "iam-cdk:IAM:CloudFormationExecutionRole:Arn" \
     -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
 if [ -z "${ROLE}" ]; then
     echo "could not retrieve ROLE from aws cloudformation list-exports"
@@ -27,6 +27,7 @@ if [ "${status}" != '"CREATE_COMPLETE"' ] && [ "${status}" != '"UPDATE_ROLLBACK_
 fi
 
 # upload file to s3
+# change this to account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn once other change is merged
 artifact_bucket_arn=$(echo "$CF_LONDON_EXPORTS" | \
     jq \
     --arg EXPORT_NAME "account-resources:ArtifactsBucket" \

diff --git a/.github/scripts/execute_changeset.sh b/.github/scripts/execute_changeset.sh
@@ -4,6 +4,7 @@ AWS_MAX_ATTEMPTS=20
 export AWS_MAX_ATTEMPTS
 
 CF_LONDON_EXPORTS=$(aws cloudformation list-exports --region eu-west-2 --output json)
+# change this to account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn once other change is merged
 artifact_bucket_arn=$(echo "$CF_LONDON_EXPORTS" | \
     jq \
     --arg EXPORT_NAME "account-resources:ArtifactsBucket" \

diff --git a/.github/scripts/release_code.sh b/.github/scripts/release_code.sh
@@ -6,14 +6,23 @@ echo "$COMMIT_ID"
 AWS_MAX_ATTEMPTS=10
 export AWS_MAX_ATTEMPTS
 
-artifact_bucket=$(aws cloudformation list-exports --output json | jq -r '.Exports[] | select(.Name == "account-resources:ArtifactsBucket") | .Value' | grep -o '[^:]*$')
+CF_LONDON_EXPORTS=$(aws cloudformation list-exports --region eu-west-2 --output json)
+# change this to account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn once other change is merged
+artifact_bucket_arn=$(echo "$CF_LONDON_EXPORTS" | \
+    jq \
+    --arg EXPORT_NAME "account-resources:ArtifactsBucket" \
+    -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+artifact_bucket=$(echo "$artifact_bucket_arn" | cut -d: -f6 | cut -d/ -f1)
 if [ -z "${artifact_bucket}" ]; then
     echo "could not retrieve artifact_bucket from aws cloudformation list-exports"
     exit 1
 fi
 export artifact_bucket
 
-cloud_formation_execution_role=$(aws cloudformation list-exports --output json | jq -r '.Exports[] | select(.Name == "ci-resources:CloudFormationExecutionRole") | .Value' )
+cloud_formation_execution_role=$(echo "$CF_LONDON_EXPORTS" | \
+    jq \
+    --arg EXPORT_NAME "iam-cdk:IAM:CloudFormationExecutionRole:Arn" \
+    -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
 if [ -z "${cloud_formation_execution_role}" ]; then
     echo "could not retrieve cloud_formation_execution_role from aws cloudformation list-exports"
     exit 1

diff --git a/SAMtemplates/common_lambda_resources.yml b/SAMtemplates/common_lambda_resources.yml
@@ -86,9 +86,9 @@ Resources:
         - !Join
           - ","
           - - !Ref LambdaManagedPolicy
-            - !ImportValue lambda-resources:LambdaInsightsLogGroupPolicy
-            - !ImportValue account-resources:LambdaEncryptCloudwatchKMSPolicy
-            - !ImportValue account-resources:LambdaDecryptSecretsKMSPolicy
+            - !ImportValue account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn
+            - !ImportValue account-resources-cdk-uk:IAM:LambdaEncryptCloudwatchKMSPolicy:Arn
+            - !ImportValue secrets-cdk:IAM:LambdaDecryptSecretsKMSPolicy:Arn
             - !If
               - ShouldIncludeAdditionalPolicies
               - !Join

diff --git a/cloudformation/account_resources.yml b/cloudformation/account_resources.yml
@@ -152,7 +152,7 @@ Resources:
             Effect: Allow
             Principal:
               AWS:
-                - !ImportValue ci-resources:CloudFormationExecutionRole
+                - !ImportValue iam-cdk:IAM:CloudFormationExecutionRole:Arn
                 - !Sub arn:aws:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-eu-west-2
             Action:
               - kms:DescribeKey
@@ -255,9 +255,9 @@ Resources:
     Type: AWS::IAM::ManagedPolicy
     Properties:
       Roles:
-        - !ImportValue ci-resources:CloudFormationExecutionRoleName
-        - !ImportValue ci-resources:CloudFormationPrepareChangesetRoleName
-        - !ImportValue ci-resources:CloudFormationDeployRoleName
+        - !ImportValue iam-cdk:IAM:CloudFormationExecutionRole:Name
+        - !ImportValue iam-cdk:IAM:CloudFormationPrepareChangesetRole:Name
+        - !ImportValue iam-cdk:IAM:CloudFormationDeployRole:Name
       PolicyDocument:
         Version: 2012-10-17
         Statement:
@@ -326,9 +326,9 @@ Resources:
           - Effect: Allow
             Principal:
               AWS:
-                - !ImportValue ci-resources:CloudFormationDeployRole
-                - !ImportValue ci-resources:CloudFormationExecutionRole
-                - !ImportValue ci-resources:CloudFormationPrepareChangesetRole
+                - !ImportValue iam-cdk:IAM:CloudFormationDeployRole:Arn
+                - !ImportValue iam-cdk:IAM:CloudFormationExecutionRole:Arn
+                - !ImportValue iam-cdk:IAM:CloudFormationPrepareChangesetRole:Arn
             Action:
               - s3:GetObject*
               - s3:PutObject*
@@ -340,7 +340,7 @@ Resources:
           - Effect: Allow
             Principal:
               AWS:
-                - !ImportValue ci-resources:CloudFormationDeployRole
+                - !ImportValue ciam-cdk:IAM:CloudFormationDeployRole:Arn
-                - !ImportValue ciam-cdk:IAM:CloudFormationDeployRole:Arn
+                - !ImportValue iam-cdk:IAM:CloudFormationDeployRole:Arn
-                - !ImportValue ciam-cdk:IAM:CloudFormationDeployRole:Arn
+                - !ImportValue iam-cdk:IAM:CloudFormationDeployRole:Arn
             Action:
               - s3:DeleteObject*
             Resource:
@@ -374,7 +374,7 @@ Resources:
     Type: AWS::IAM::ManagedPolicy
     Properties:
       Roles:
-        - !ImportValue ci-resources:CloudFormationExecutionRoleName
+        - !ImportValue iam-cdk:IAM:CloudFormationExecutionRole:Name
       PolicyDocument:
         Version: 2012-10-17
         Statement:
@@ -434,8 +434,8 @@ Resources:
           - Effect: Allow
             Principal:
               AWS:
-                - !ImportValue ci-resources:CloudFormationDeployRole
-                - !ImportValue ci-resources:CloudFormationExecutionRole
+                - !ImportValue iam-cdk:IAM:CloudFormationDeployRole:Arn
+                - !ImportValue iam-cdk:IAM:CloudFormationExecutionRole:Arn
                 - !Sub arn:aws:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-eu-west-2
             Action:
               - s3:GetObject*
@@ -1134,7 +1134,7 @@ Resources:
     Type: AWS::IAM::ManagedPolicy
     Properties:
       Roles:
-        - !ImportValue ci-resources:CloudFormationExecutionRoleName
+        - !ImportValue iam-cdk:IAM:CloudFormationExecutionRole:Name
       PolicyDocument:
         Version: 2012-10-17
         Statement:
@@ -1207,7 +1207,7 @@ Resources:
     Type: AWS::IAM::ManagedPolicy
     Properties:
       Roles:
-        - !ImportValue ci-resources:CloudFormationExecutionRoleName
+        - !ImportValue iam-cdk:IAM:CloudFormationExecutionRole:Name
       PolicyDocument:
         Version: 2012-10-17
         Statement:
@@ -1271,7 +1271,7 @@ Resources:
     Type: AWS::IAM::ManagedPolicy
     Properties:
       Roles:
-        - !ImportValue ci-resources:CloudFormationExecutionRoleName
+        - !ImportValue iam-cdk:IAM:CloudFormationExecutionRole:Name
       PolicyDocument:
         Version: 2012-10-17
         Statement:

diff --git a/cloudformation/artillery_resources.yml b/cloudformation/artillery_resources.yml
@@ -57,7 +57,7 @@ Resources:
         DestinationBucketName:
           !Select [
             5,
-            !Split [":", !ImportValue account-resources:AuditLoggingBucket],
+            !Split [":", !ImportValue account-resources-cdk-uk:Bucket:AuditLoggingBucket:Arn],
           ]
         LogFilePrefix: artilleryIO/
       VersioningConfiguration:
@@ -126,7 +126,7 @@ Resources:
         - ","
         - !Join
           - ","
-          - - !ImportValue account-resources:CloudwatchEncryptionKMSPolicyArn
+          - - !ImportValue account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn
 
   ArtilleryWorkerPolicy:
     Type: AWS::IAM::ManagedPolicy
@@ -194,7 +194,7 @@ Resources:
     Properties:
       LogGroupName: artilleryio-log-group/artilleryio-cluster
       RetentionInDays: 30
-      KmsKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
+      KmsKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn
 
   ECSCluster:
     Type: "AWS::ECS::Cluster"

diff --git a/cloudformation/ci_resources.yml b/cloudformation/ci_resources.yml
@@ -149,34 +149,34 @@ Resources:
             Action:
               - secretsmanager:GetSecretValue
             Resource:
-              - !ImportValue account-resources:PfpClientKeySecret
-              - !ImportValue account-resources:PfpClientCertSecret
-              - !ImportValue account-resources:PfpClientSandboxKeySecret
-              - !ImportValue account-resources:PfpClientSandboxCertSecret
-              - !ImportValue account-resources:PsuClientKeySecret
-              - !ImportValue account-resources:PsuClientSandboxKeySecret
-              - !ImportValue account-resources:PsuCACertSecret
-              - !ImportValue account-resources:PsuCAKeySecret
-              - !ImportValue account-resources:PsuClientCertSecret
-              - !ImportValue account-resources:PsuClientSandboxCertSecret
-              - !ImportValue account-resources:PSUProxygenPrivateKey
-              - !ImportValue account-resources:PSUProxygenPublicKey
-              - !ImportValue account-resources:CPSUProxygenPrivateKey
-              - !ImportValue account-resources:CPSUProxygenPublicKey
-              - !ImportValue account-resources:ClinicalTrackerClientKeySecret
-              - !ImportValue account-resources:ClinicalTrackerClientSandboxKeySecret
-              - !ImportValue account-resources:ClinicalTrackerCACertSecret
-              - !ImportValue account-resources:ClinicalTrackerCAKeySecret
-              - !ImportValue account-resources:ClinicalTrackerClientCertSecret
-              - !ImportValue account-resources:ClinicalTrackerClientSandboxCertSecret
-              - !ImportValue account-resources:ClinicalTrackerProxygenPrivateKey
-              - !ImportValue account-resources:ClinicalTrackerProxygenPublicKey
-              - !ImportValue account-resources:FhirFacadeClientKeySecret
-              - !ImportValue account-resources:FhirFacadeClientSandboxKeySecret
-              - !ImportValue account-resources:FhirFacadeCACertSecret
-              - !ImportValue account-resources:FhirFacadeCAKeySecret
-              - !ImportValue account-resources:FhirFacadeClientCertSecret
-              - !ImportValue account-resources:FhirFacadeClientSandboxCertSecret
+              - !ImportValue secrets-cdk:Secrets:PfpClientKeySecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PfpClientSandboxCertSecret:Arn
-              - !ImportValue secrets-cdk:Secrets:PfpClientSandboxCertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PfpClientCertSecret:Arn
-              - !ImportValue secrets-cdk:Secrets:PfpClientSandboxCertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PfpClientCertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PfpClientSandboxKeySecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PfpClientSandboxCertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PsuClientKeySecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PsuClientSandboxCertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PsuCACertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PsuCAKeySecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PsuClientCertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PsuClientSandboxCertSecret:Arn
-              - !ImportValue secrets-cdk:Secrets:PsuClientSandboxCertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PsuClientSandboxKeySecret:Arn
-              - !ImportValue secrets-cdk:Secrets:PsuClientSandboxCertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PsuClientSandboxKeySecret:Arn
+              - !ImportValue secrets-cdk:Secrets:PSUProxygenPrivateKey:Arn
+              - !ImportValue secrets-cdk:Secrets:PSUProxygenPublicKey:Arn
+              - !ImportValue secrets-cdk:Secrets:CPSUProxygenPrivateKey:Arn
+              - !ImportValue secrets-cdk:Secrets:CPSUProxygenPublicKey:Arn
+              - !ImportValue secrets-cdk:Secrets:ClinicalTrackerClientKeySecret:Arn
+              - !ImportValue secrets-cdk:Secrets:ClinicalTrackerClientSandboxKeySecret:Arn
+              - !ImportValue secrets-cdk:Secrets:ClinicalTrackerCACertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:ClinicalTrackerCAKeySecret:Arn
+              - !ImportValue secrets-cdk:Secrets:ClinicalTrackerClientCertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:ClinicalTrackerClientSandboxCertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:ClinicalTrackerProxygenPrivateKey:Arn
+              - !ImportValue secrets-cdk:Secrets:ClinicalTrackerProxygenPublicKey:Arn
+              - !ImportValue secrets-cdk:Secrets:FhirFacadeClientKeySecret:Arn
+              - !ImportValue secrets-cdk:Secrets:FhirFacadeClientSandboxKeySecret:Arn
+              - !ImportValue secrets-cdk:Secrets:FhirFacadeCACertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:FhirFacadeCAKeySecret:Arn
+              - !ImportValue secrets-cdk:Secrets:FhirFacadeClientCertSecret:Arn
+              - !ImportValue secrets-cdk:Secrets:FhirFacadeClientSandboxCertSecret:Arn
           - Effect: Allow
             Action:
               - kms:Decrypt

diff --git a/cloudformation/secrets.yml b/cloudformation/secrets.yml
@@ -5,7 +5,7 @@ Resources:
     Type: AWS::SecretsManager::Secret
     Properties:
       Description: Private key for prescribing proxygen
-      KmsKeyId: !ImportValue account-resources:SecretsKMSKeyAlias
+      KmsKeyId: !ImportValue secrets-cdk:KMS:SecretsKMSKeyAlias:Arn
       SecretString: ChangeMe
       Name: !Sub "${AWS::StackName}-Prescribing-ProxygenPrivateKey"
 
@@ -29,7 +29,7 @@ Resources:
     Type: AWS::SecretsManager::Secret
     Properties:
       Description: Private key for prescribing proxygen prod
-      KmsKeyId: !ImportValue account-resources:SecretsKMSKeyAlias
+      KmsKeyId: !ImportValue secrets-cdk:KMS:SecretsKMSKeyAlias:Arn
       SecretString: ChangeMe
       Name: "FhirPrescribingProxygen-PrivateKey-prod"
 
@@ -53,7 +53,7 @@ Resources:
     Type: AWS::SecretsManager::Secret
     Properties:
       Description: Private key for prescribing proxygen ptl
-      KmsKeyId: !ImportValue account-resources:SecretsKMSKeyAlias
+      KmsKeyId: !ImportValue secrets-cdk:KMS:SecretsKMSKeyAlias:Arn
       SecretString: ChangeMe
       Name: "FhirPrescribingProxygen-PrivateKey-ptl"