NHSDigital · wildjames · Mar 27, 2026 · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026
diff --git a/packages/cdkConstructs/src/constructs/SsmParametersConstruct.ts b/packages/cdkConstructs/src/constructs/SsmParametersConstruct.ts
@@ -0,0 +1,122 @@
+import {CfnOutput} from "aws-cdk-lib"
+import {Effect, ManagedPolicy, PolicyStatement} from "aws-cdk-lib/aws-iam"
+import {StringParameter} from "aws-cdk-lib/aws-ssm"
+import {Construct} from "constructs"
+
+export interface SsmParameterDefinition {
+  /**
+   * Unique identifier used for construct and output logical IDs.
+   */
+  readonly id: string
+  /**
+   * Suffix appended to stackName to create the parameter name.
+   * The final SSM parameter name is `${stackName}-${nameSuffix}`.
+   */
+  readonly nameSuffix: string
+  /**
+   * Description stored with the SSM parameter.
+   */
+  readonly description: string
+  /**
+   * Value stored in the SSM parameter.
+   */
+  readonly value: string
+  /**
+   * Optional export suffix for the output containing the parameter name.
+   * Defaults to `${nameSuffix}Parameter`.
+   */
+  readonly outputExportSuffix?: string
+  /**
+   * Optional output description.
+   */
+  readonly outputDescription?: string
+}
+
+export interface SsmParametersConstructProps {
+  /**
+   * Prefix used in SSM parameter names and CloudFormation export names.
+   */
+  readonly stackName: string
+  /**
+   * List of SSM parameters to create.
+   */
+  readonly parameters: Array<SsmParameterDefinition>
+  /**
+   * Description for the managed policy that grants read access.
+   * @default "Allows reading SSM parameters"
+   */
+  readonly readPolicyDescription?: string
+  /**
+   * Description for the output exporting the managed policy ARN.
+   * @default "Access to the parameters used by the integration"
+   */
+  readonly readPolicyOutputDescription?: string
+  /**
+   * Export suffix for the output exporting the managed policy ARN.
+   * @default "GetParametersPolicy"
+   */
+  readonly readPolicyExportSuffix?: string
+}
+
+/**
+ * Creates a bundle of SSM String parameters, a managed policy to read them,
+ * and CloudFormation outputs to export parameter names and policy ARN.
+ */
+export class SsmParametersConstruct extends Construct {
+  public readonly parameters: Record<string, StringParameter>
+  public readonly readParametersPolicy: ManagedPolicy
+
+  public constructor(scope: Construct, id: string, props: SsmParametersConstructProps) {
+    super(scope, id)
+
+    const {
+      stackName,
+      parameters,
+      readPolicyDescription = "Allows reading SSM parameters",
+      readPolicyOutputDescription = "Access to the parameters used by the integration",
+      readPolicyExportSuffix = "GetParametersPolicy"
+    } = props
+
+    if (parameters.length === 0) {
+      throw new Error("SsmParametersConstruct requires at least one parameter definition")
+    }
+
+    const createdParameters: Record<string, StringParameter> = {}
+
+    for (const parameter of parameters) {
+      const ssmParameter = new StringParameter(this, `${parameter.id}Parameter`, {
+        parameterName: `${stackName}-${parameter.nameSuffix}`,
+        description: parameter.description,
+        stringValue: parameter.value
+      })
+
+      createdParameters[parameter.id] = ssmParameter
+
+      new CfnOutput(this, `${parameter.id}ParameterNameOutput`, {
+        description: parameter.outputDescription ?? `Name of the SSM parameter holding ${parameter.nameSuffix}`,
+        value: ssmParameter.parameterName,
+        exportName: `${stackName}-${parameter.outputExportSuffix ?? `${parameter.nameSuffix}Parameter`}`
+      })
+    }
+
+    const readParametersPolicy = new ManagedPolicy(this, "GetParametersPolicy", {
+      description: readPolicyDescription,
+      statements: [
+        new PolicyStatement({
+          effect: Effect.ALLOW,
+          actions: ["ssm:GetParameter", "ssm:GetParameters"],
+          resources: Object.values(createdParameters).map((parameter) => parameter.parameterArn)
+        })
+      ]
+    })
+
+    new CfnOutput(this, "ReadParametersPolicyOutput", {
+      description: readPolicyOutputDescription,
+      value: readParametersPolicy.managedPolicyArn,
+      exportName: `${stackName}-${readPolicyExportSuffix}`
+    })
+
+    this.parameters = createdParameters
+    this.readParametersPolicy = readParametersPolicy
+  }
+}
diff --git a/packages/cdkConstructs/src/index.ts b/packages/cdkConstructs/src/index.ts
@@ -1,6 +1,7 @@
 // Export all constructs
 export * from "./constructs/TypescriptLambdaFunction.js"
 export * from "./constructs/PythonLambdaFunction.js"
+export * from "./constructs/SsmParametersConstruct.js"
 export * from "./apps/createApp.js"
 export * from "./config/index.js"
 export * from "./utils/helpers.js"

diff --git a/packages/cdkConstructs/tests/constructs/ssmParametersConstruct.test.ts b/packages/cdkConstructs/tests/constructs/ssmParametersConstruct.test.ts
@@ -0,0 +1,126 @@
+import {App, Stack} from "aws-cdk-lib"
+import {Template} from "aws-cdk-lib/assertions"
+import {
+  beforeAll,
+  describe,
+  expect,
+  test
+} from "vitest"
+
+import {SsmParametersConstruct} from "../../src/constructs/SsmParametersConstruct"
+
+describe("SsmParametersConstruct", () => {
+  let template: Template
+
+  beforeAll(() => {
+    const app = new App()
+    const stack = new Stack(app, "parameterStack")
+
+    new SsmParametersConstruct(stack, "TestingParameters", {
+      stackName: "mock-stack",
+      parameters: [
+        {
+          id: "MockParam1",
+          nameSuffix: "MockParam1",
+          description: "Description for mock parameter 1",
+          value: "mock-value-1",
+          outputExportSuffix: "MockParam1Parameter",
+          outputDescription: "Name of the SSM parameter holding MockParam1"
+        },
+        {
+          id: "MockParam2",
+          nameSuffix: "MockParam2",
+          description: "Description for mock parameter 2",
+          value: "mock-value-2",
+          outputExportSuffix: "MockParam2Parameter",
+          outputDescription: "Name of the SSM parameter holding MockParam2"
+        },
+        {
+          id: "MockParam3",
+          nameSuffix: "MockParam3",
+          description: "Description for mock parameter 3",
+          value: "mock-value-3",
+          outputExportSuffix: "MockParam3Parameter",
+          outputDescription: "Name of the SSM parameter holding MockParam3"
+        }
+      ],
+      readPolicyDescription: "Mock policy description",
+      readPolicyOutputDescription: "Mock read policy output description",
+      readPolicyExportSuffix: "MockGetParametersPolicy"
+    })
+
+    template = Template.fromStack(stack)
+  })
+
+  test("creates all SSM parameters", () => {
+    template.hasResourceProperties("AWS::SSM::Parameter", {
+      Name: "mock-stack-MockParam1",
+      Type: "String",
+      Value: "mock-value-1"
+    })
+
+    template.hasResourceProperties("AWS::SSM::Parameter", {
+      Name: "mock-stack-MockParam2",
+      Type: "String",
+      Value: "mock-value-2"
+    })
+
+    template.hasResourceProperties("AWS::SSM::Parameter", {
+      Name: "mock-stack-MockParam3",
+      Type: "String",
+      Value: "mock-value-3"
+    })
+  })
+
+  test("creates read policy with GetParameter actions for all parameters", () => {
+    const policies = template.findResources("AWS::IAM::ManagedPolicy", {
+      Properties: {
+        Description: "Mock policy description"
+      }
+    })
+
+    expect(Object.keys(policies)).toHaveLength(1)
+
+    const policy = Object.values(policies)[0] as {
+      Properties: {
+        PolicyDocument: {
+          Statement: Array<{
+            Action: Array<string>
+            Resource: Array<unknown>
+          }>
+        }
+      }
+    }
+
+    const statement = policy.Properties.PolicyDocument.Statement[0]
+    expect(statement.Action).toEqual(["ssm:GetParameter", "ssm:GetParameters"])
+    expect(statement.Resource).toHaveLength(3)
+  })
+
+  test("exports parameter names and policy ARN", () => {
+    const outputs = template.toJSON().Outputs as Record<string, {
+      Description?: string
+      Export?: {
+        Name?: string
+      }
+    }>
+
+    const exportedNames = Object.values(outputs)
+      .map((output) => output.Export?.Name)
+      .filter((name): name is string => name !== undefined)
+
+    const descriptions = Object.values(outputs)
+      .map((output) => output.Description)
+      .filter((description): description is string => description !== undefined)
+
+    expect(exportedNames).toContain("mock-stack-MockParam1Parameter")
+    expect(exportedNames).toContain("mock-stack-MockParam2Parameter")
+    expect(exportedNames).toContain("mock-stack-MockParam3Parameter")
+    expect(exportedNames).toContain("mock-stack-MockGetParametersPolicy")
+
+    expect(descriptions).toContain("Name of the SSM parameter holding MockParam1")
+    expect(descriptions).toContain("Name of the SSM parameter holding MockParam2")
+    expect(descriptions).toContain("Name of the SSM parameter holding MockParam3")
+    expect(descriptions).toContain("Mock read policy output description")
+  })
+})