NHSDigital · AndyFlintAnswerDigital · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026
@@ -72,7 +72,7 @@ jobs:
           echo "changed=$changed" >> $GITHUB_OUTPUT
 
   deductions-ci:
-    if: contains(needs.get-changed-files.outputs.changed, 'stacks/mesh-forwarder') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
+    if: contains(needs.get-changed-files.outputs.changed, 'stacks/deductions') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
     name: Deductions Infrastructure CI
     uses: ./.github/workflows/deploy-stack.yml
     needs: [get-changed-files]
@@ -109,7 +109,12 @@ jobs:
     secrets: inherit
 
   mesh-forwarder-ci:
-    if: contains(needs.get-changed-files.outputs.changed, 'stacks/mesh-forwarder') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
+    if: |
+      always() && 
+      (needs.deductions-ci.result == 'success' || needs.deductions-ci.result == 'skipped') && 
+      (needs.deductions-cross-account.result == 'success'|| needs.deductions-cross-account.result == 'skipped') && 
+      (contains(needs.get-changed-files.outputs.changed, 'stacks/mesh-forwarder') || 
+      contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml'))
     name: MESH Forwarder Infrastructure
     needs: [get-changed-files, deductions-ci, deductions-cross-account]
     uses: ./.github/workflows/deploy-stack.yml
@@ -121,7 +126,12 @@ jobs:
     secrets: inherit
 
   pds-adaptor-ci:
-    if: contains(needs.get-changed-files.outputs.changed, 'stacks/pds-adaptor') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
+    if: |
+      always() && 
+      (needs.deductions-ci.result == 'success' || needs.deductions-ci.result == 'skipped') && 
+      (needs.deductions-cross-account.result == 'success'|| needs.deductions-cross-account.result == 'skipped') && 
+      (contains(needs.get-changed-files.outputs.changed, 'stacks/pds-adaptor') || 
+      contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml'))
     name: PDS Adaptor Infrastructure
     needs: [get-changed-files, deductions-ci, deductions-cross-account]
     uses: ./.github/workflows/deploy-stack.yml
@@ -133,7 +143,12 @@ jobs:
     secrets: inherit
 
   re-registration-service-ci:
-    if: contains(needs.get-changed-files.outputs.changed, 'stacks/re-registration-service') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
+    if: |
+      always() && 
+      (needs.deductions-ci.result == 'success' || needs.deductions-ci.result == 'skipped') && 
+      (needs.deductions-cross-account.result == 'success'|| needs.deductions-cross-account.result == 'skipped') && 
+      (contains(needs.get-changed-files.outputs.changed, 'stacks/re-registration-service') || 
+      contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml'))
     name: Re-Registration Service Infrastructure
     needs: [get-changed-files, deductions-ci, deductions-cross-account]
     uses: ./.github/workflows/deploy-stack.yml
@@ -145,7 +160,12 @@ jobs:
     secrets: inherit
 
   suspension-service-ci:
-    if: contains(needs.get-changed-files.outputs.changed, 'stacks/suspension-service') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
+    if: |
+      always() && 
+      (needs.deductions-ci.result == 'success' || needs.deductions-ci.result == 'skipped') && 
+      (needs.deductions-cross-account.result == 'success'|| needs.deductions-cross-account.result == 'skipped') && 
+      (contains(needs.get-changed-files.outputs.changed, 'stacks/suspension-service') || 
+      contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml'))
     name: Suspension Service Infrastructure
     needs: [get-changed-files, deductions-ci, deductions-cross-account]
     uses: ./.github/workflows/deploy-stack.yml
@@ -157,7 +177,12 @@ jobs:
     secrets: inherit
 
   nems-event-processor-ci:
-    if: contains(needs.get-changed-files.outputs.changed, 'stacks/nems-event-processor') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
+    if: |
+      always() && 
+      (needs.deductions-ci.result == 'success' || needs.deductions-ci.result == 'skipped') && 
+      (needs.deductions-cross-account.result == 'success'|| needs.deductions-cross-account.result == 'skipped') && 
+      (contains(needs.get-changed-files.outputs.changed, 'stacks/nems-event-processor') || 
+      contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml'))
     name: NEMS Event Processor Infrastructure
     needs: [get-changed-files, deductions-ci, deductions-cross-account]
     uses: ./.github/workflows/deploy-stack.yml
@@ -169,7 +194,12 @@ jobs:
     secrets: inherit
 
   ehr-repo-ci:
-    if: contains(needs.get-changed-files.outputs.changed, 'stacks/ehr-repo') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
+    if: |
+      always() && 
+      (needs.deductions-ci.result == 'success' || needs.deductions-ci.result == 'skipped') && 
+      (needs.deductions-cross-account.result == 'success'|| needs.deductions-cross-account.result == 'skipped') && 
+      (contains(needs.get-changed-files.outputs.changed, 'stacks/ehr-repo') || 
+      contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml'))
     name: EHR Repo Infrastructure CI
     uses: ./.github/workflows/deploy-stack.yml
     needs: [get-changed-files, deductions-ci, deductions-cross-account]
@@ -181,7 +211,10 @@ jobs:
     secrets: inherit
 
   ehr-repo-db-roles-ci:
-    if: contains(needs.get-changed-files.outputs.changed, 'stacks/ehr-repo') || contains(needs.get-changed-files.outputs.changed, 'stacks/ehr-repo-db-roles') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
+    if: |
+      always() && 
+      (needs.deductions-ci.result == 'success' || needs.deductions-ci.result == 'skipped') && 
+      (contains(needs.get-changed-files.outputs.changed, 'stacks/ehr-repo') || contains(needs.get-changed-files.outputs.changed, 'stacks/ehr-repo-db-roles') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml'))
     name: EHR Repo DB Roles Infrastructure CI
     uses: ./.github/workflows/deploy-stack.yml
     needs: [get-changed-files, deductions-ci, ehr-repo-ci]
@@ -193,7 +226,11 @@ jobs:
     secrets: inherit
 
   ehr-out-service-ci:
-    if: contains(needs.get-changed-files.outputs.changed, 'stacks/ehr-out-service') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
+    if: |
+      always() && 
+      (needs.deductions-ci.result == 'success' || needs.deductions-ci.result == 'skipped') && 
+      (needs.deductions-cross-account.result == 'success'|| needs.deductions-cross-account.result == 'skipped') && 
+      (contains(needs.get-changed-files.outputs.changed, 'stacks/ehr-out-service') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml'))
     name: EHR Out Service Infrastructure CI
     uses: ./.github/workflows/deploy-stack.yml
     needs: [get-changed-files, deductions-ci, deductions-cross-account]
@@ -205,7 +242,12 @@ jobs:
     secrets: inherit
 
   ehr-transfer-service-ci:
-    if: contains(needs.get-changed-files.outputs.changed, 'stacks/ehr-transfer-service') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
+    if: |
+      always() && 
+      (needs.deductions-ci.result == 'success' || needs.deductions-ci.result == 'skipped') && 
+      (needs.deductions-cross-account.result == 'success'|| needs.deductions-cross-account.result == 'skipped') && 
+      contains(needs.get-changed-files.outputs.changed, 'stacks/ehr-transfer-service') || 
+      contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
     name: EHR Transfer Service Infrastructure CI
     uses: ./.github/workflows/deploy-stack.yml
     needs: [get-changed-files, deductions-ci, deductions-cross-account]
@@ -217,7 +259,12 @@ jobs:
     secrets: inherit
 
   gp2gp-messenger-ci:
-    if: contains(needs.get-changed-files.outputs.changed, 'stacks/gp2gp-messenger') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
+    if: |
+      always() && 
+      (needs.deductions-ci.result == 'success' || needs.deductions-ci.result == 'skipped') && 
+      (needs.deductions-cross-account.result == 'success'|| needs.deductions-cross-account.result == 'skipped') && 
+      (contains(needs.get-changed-files.outputs.changed, 'stacks/gp2gp-messenger') || 
+      contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml'))
     name: GP2GP Messenger Infrastructure CI
     uses: ./.github/workflows/deploy-stack.yml
     needs: [get-changed-files, deductions-ci, deductions-cross-account]
@@ -229,7 +276,12 @@ jobs:
     secrets: inherit
 
   mhs-ci:
-    if: contains(needs.get-changed-files.outputs.changed, 'stacks/mhs') || contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml')
+    if: |
+      always() && 
+      (needs.deductions-ci.result == 'success' || needs.deductions-ci.result == 'skipped') && 
+      (needs.deductions-cross-account.result == 'success'|| needs.deductions-cross-account.result == 'skipped') && 
+      (contains(needs.get-changed-files.outputs.changed, 'stacks/mhs') || 
+      contains(needs.get-changed-files.outputs.changed, '.github/workflows/automated-deploy-stack.yml'))
     name: MHS Infrastructure CI
     uses: ./.github/workflows/deploy-stack.yml
     needs: [get-changed-files, deductions-ci, deductions-cross-account]

@@ -118,6 +118,14 @@ locals {
     {
       name  = "${var.environment}-ehr-transfer-service-ehr-complete-observability"
       title = "EHR Complete Observability Queue"
+    },
+    {
+      name  = "${var.environment}-end-of-transfer-service-transfer-complete"
+      title = "Transfer Complete Queue"
+    },
+    {
+      name  = "${var.environment}-end-of-transfer-service-transfer-complete-observability"
+      title = "Transfer Complete Observability Queue"
     }
   ]
 
@@ -131,6 +139,11 @@ locals {
     title = "EHR Transfer Service"
   }
 
+  end_of_transfer_service = {
+    name  = "end-of-transfer-service"
+    title = "End of Transfer Service"
+  }
+
   ehr_repo = {
     name         = "ehr-repo"
     title        = "EHR Repository Service"
@@ -162,6 +175,7 @@ locals {
   repo_task_widget_components = [
     local.re_registration_service,
     local.ehr_transfer_service,
+    local.end_of_transfer_service,
     local.ehr_repo,
     local.gp2gp_messenger,
     local.mhs_inbound,
@@ -190,6 +204,7 @@ module "repo_error_count_widgets" {
   for_each = {
     re_registration_service = local.re_registration_service
     ehr_transfer_service    = local.ehr_transfer_service
+    end_of_transfer_service = local.end_of_transfer_service
     gp2gp_messenger         = local.gp2gp_messenger
     ehr_repo                = local.ehr_repo
     mhs_inbound             = local.mhs_inbound
@@ -203,6 +218,7 @@ module "repo_health_widgets" {
   for_each = {
     re_registration_service = local.re_registration_service
     ehr_transfer_service    = local.ehr_transfer_service
+    end_of_transfer_service = local.end_of_transfer_service
   }
   source      = "./widgets/health_widget"
   component   = each.value

@@ -60,6 +60,7 @@ resource "aws_backup_selection" "cross_account" {
     data.aws_s3_bucket.ehr_repo_bucket.arn,
     data.aws_s3_bucket.ehr_repo_access_logs.arn,
     data.aws_dynamodb_table.ehr_transfer_service_transfer_tracker.arn,
+    data.aws_dynamodb_table.end_of_transfer_service_dynamodb.arn,
     data.aws_dynamodb_table.re_registration_service_active_suspensions.arn,
     data.aws_dynamodb_table.repo_mhs_state.arn,
     data.aws_dynamodb_table.repo_mhs_sync_async_state.arn,

@@ -32,6 +32,10 @@ data "aws_dynamodb_table" "ehr_transfer_service_transfer_tracker" {
   name = "${var.environment}-ehr-transfer-service-transfer-tracker"
 }
 
+data "aws_dynamodb_table" "end_of_transfer_service_dynamodb" {
+  name = "${var.environment}-end-of-transfer-service-dynamodb"
+}
+
 data "aws_dynamodb_table" "re_registration_service_active_suspensions" {
   name = "${var.environment}-re-registration-service-active-suspensions"
 }

@@ -40,6 +40,10 @@ data "aws_ssm_parameter" "suspension-service-ecs-sg-id" {
   name = "/repo/${var.environment}/output/suspension-service/ecs-sg-id"
 }
 
+data "aws_ssm_parameter" "end-for-transfer-service-ecs-sg-id" {
+  name = "/repo/${var.environment}/output/end-of-transfer-service/ecs-sg-id"
+}
+
 data "aws_ssm_parameter" "re-registration-ecs-sg-id" {
   name = "/repo/${var.environment}/output/re-registration-service/ecs-sg-id"
 }
@@ -55,3 +55,7 @@ data "aws_ssm_parameter" "active_suspensions_kms_key_id" {
 data "aws_ssm_parameter" "suspension_active_suspensions_topic_arn" {
   name = "/repo/${var.environment}/output/suspension-service/active-suspensions-topic-arn"
 }
+
+data "aws_ssm_parameter" "end_of_transfer_active_suspensions_topic_arn" {
+  name = "/repo/${var.environment}/output/end-of-transfer-service/active-suspensions-topic-arn"
+}
@@ -271,6 +271,7 @@ data "aws_iam_policy_document" "active_suspensions_sns_topic_access_to_queue" {
       test = "ArnEquals"
       values = [
         data.aws_ssm_parameter.suspension_active_suspensions_topic_arn.value,
+        data.aws_ssm_parameter.end_of_transfer_active_suspensions_topic_arn.value
       ]
       variable = "aws:SourceArn"
     }

@@ -11,3 +11,10 @@ resource "aws_sns_topic_subscription" "suspension_active_suspensions" {
   topic_arn            = data.aws_ssm_parameter.suspension_active_suspensions_topic_arn.value
   endpoint             = aws_sqs_queue.active_suspensions.arn
 }
+
+resource "aws_sns_topic_subscription" "end_of_transfer_active_suspensions" {
+  protocol             = "sqs"
+  raw_message_delivery = true
+  topic_arn            = data.aws_ssm_parameter.end_of_transfer_active_suspensions_topic_arn.value
+  endpoint             = aws_sqs_queue.active_suspensions.arn
+}
@@ -0,0 +1,7 @@
+environment = "dev"
+
+synthetic_patient_prefix        = "96937"
+process_only_synthetic_patients = false
+
+ecs_desired_count                       = 0
+repo_process_only_safe_listed_ods_codes = true
@@ -0,0 +1,6 @@
+component_name   = "end-of-transfer-service"
+repo_name        = "end-of-transfer-service"
+metric_namespace = "EndOfTransferService"
+
+can_update_managing_organisation_to_repo = false
+is_end_of_transfer_service               = true
@@ -0,0 +1,6 @@
+environment = "pre-prod"
+
+synthetic_patient_prefix        = "96936"
+process_only_synthetic_patients = true
+
+ecs_desired_count = 0
@@ -0,0 +1,6 @@
+environment = "prod"
+
+synthetic_patient_prefix        = "999"
+process_only_synthetic_patients = true
+
+ecs_desired_count = 0
@@ -1,3 +1,5 @@
 component_name   = "suspension-service"
 repo_name        = "suspension-service"
 metric_namespace = "SuspensionService"
+
+is_end_of_transfer_service = false
@@ -3,6 +3,7 @@ synthetic_patient_prefix                 = "96937"
 component_name                           = "suspension-service"
 repo_name                                = "suspension-service"
 metric_namespace                         = "SuspensionService"
+is_end_of_transfer_service               = false
 can_update_managing_organisation_to_repo = true
 repo_process_only_safe_listed_ods_codes  = true
 process_only_synthetic_patients          = false
@@ -9,7 +9,7 @@ locals {
     { name = "NHS_ENVIRONMENT", value = var.environment },
     { name = "AWS_REGION", value = var.region },
     { name = "LOG_LEVEL", value = var.log_level },
-    { name = "INCOMING_QUEUE_NAME", value = module.suspension-service.suspension_queue_name },
+    { name = "INCOMING_QUEUE_NAME", value = var.is_end_of_transfer_service ? module.end-of-transfer-service[0].transfer_complete_queue_name : module.suspension-service.suspension_queue_name },
     { name = "NOT_SUSPENDED_SNS_TOPIC_ARN", value = aws_sns_topic.not_suspended.arn },
     { name = "NOT_SUSPENDED_QUEUE_NAME", value = aws_sqs_queue.not_suspended_observability.name },
     { name = "MOF_UPDATED_SNS_TOPIC_ARN", value = aws_sns_topic.mof_updated.arn },
@@ -22,7 +22,7 @@ locals {
       value = aws_sns_topic.invalid_suspension_audit_topic.arn
     },
     { name = "DECEASED_PATIENT_SNS_TOPIC_ARN", value = aws_sns_topic.deceased_patient.arn },
-    { name = "REPO_INCOMING_SNS_TOPIC_ARN", value = module.suspension-service.repo_incoming_sns_topic },
+    { name = "REPO_INCOMING_SNS_TOPIC_ARN", value = var.is_end_of_transfer_service ? "" : module.suspension-service.repo_incoming_sns_topic },
     { name = "PDS_ADAPTOR_SUSPENSION_SERVICE_PASSWORD", value = data.aws_ssm_parameter.pds_adaptor_auth_key.value },
     { name = "PROCESS_ONLY_SYNTHETIC_PATIENTS", value = tostring(var.process_only_synthetic_patients) },
     { name = "SYNTHETIC_PATIENT_PREFIX", value = var.synthetic_patient_prefix },

@@ -107,7 +107,7 @@ data "aws_iam_policy_document" "sqs_suspensions_ecs_task" {
     ]
     #    TODO: double check what queues should be here
     resources = [
-      module.suspension-service.suspension_queue_arn,
+      var.is_end_of_transfer_service ? module.end-of-transfer-service[0].transfer_complete_queue_arn : module.suspension-service.suspension_queue_arn,
       aws_sqs_queue.not_suspended_observability.arn,
       aws_sqs_queue.mof_updated.arn,
       aws_sqs_queue.mof_not_updated.arn,

@@ -11,6 +11,17 @@ terraform {
   }
 }
 
+module "end-of-transfer-service" {
+  count       = 0
+  source      = "./modules/end-of-transfer-service/"
+  environment = var.environment
+
+  component_name    = var.component_name
+  metric_namespace  = var.metric_namespace
+  repo_name         = var.repo_name
+  ecs_desired_count = var.ecs_desired_count
+}
+
 module "suspension-service" {
   source              = "./modules/suspension-service/"
   environment         = var.environment

@@ -0,0 +1,24 @@
+locals {
+  sqs_namespace = "AWS/SQS"
+}
+
+resource "aws_cloudwatch_metric_alarm" "transfer_complete_queue_age_of_message" {
+  alarm_name          = "${var.environment}-${var.component_name}-transfer-complete-approx-age-of-oldest-message"
+  comparison_operator = "GreaterThanThreshold"
+  threshold           = "1800"
+  evaluation_periods  = "1"
+  metric_name         = "ApproximateAgeOfOldestMessage"
+  namespace           = local.sqs_namespace
+  alarm_description   = "This alarm triggers when messages on the transfer complete queue is not polled by end of transfer service in last 30 mins"
+  statistic           = "Maximum"
+  period              = "300"
+  dimensions = {
+    QueueName = aws_sqs_queue.transfer_complete.name
+  }
+  alarm_actions = [data.aws_sns_topic.alarm_notifications.arn]
+  ok_actions    = [data.aws_sns_topic.alarm_notifications.arn]
+}
+
+data "aws_sns_topic" "alarm_notifications" {
+  name = "${var.environment}-alarm-notifications-sns-topic"
+}
@@ -0,0 +1,6 @@
+data "aws_ssm_parameter" "transfer_complete_kms_key" {
+  name = "/repo/${var.environment}/output/ehr-transfer-service/transfer-complete-encryption-kms-key"
+}
+data "aws_ssm_parameter" "transfer_complete_topic_arn" {
+  name = "/repo/${var.environment}/output/ehr-transfer-service/transfer-complete-sns-topic-arn"
+}