Run lint:prettier:fix

Author: MatMoore

.github/workflows/cicd-1-pull-request.yaml

@@ -80,7 +80,7 @@ jobs:
       id-token: write
     uses: ./.github/workflows/stage-4-deploy.yaml
     with:
-      environments: "[\"review\"]"
+      environments: '["review"]'
       commit_sha: ${{ github.event.pull_request.head.sha }}
       pr_number: ${{ github.event.pull_request.number }}
     secrets: inherit
@@ -92,10 +92,10 @@ jobs:
     permissions:
       pull-requests: write
     steps:
-    - name: Post URL to PR comments
-      uses: marocchino/sticky-pull-request-comment@8ac02941f254c53fbda0cf44288785e1367e13bf
-      with:
-        message: |
-          The review app is available at this URL:
-          https://pr-${{ github.event.pull_request.number }}.manage-breast-screening.non-live.screening.nhs.uk
-          You must authenticate with Entra ID
+      - name: Post URL to PR comments
+        uses: marocchino/sticky-pull-request-comment@8ac02941f254c53fbda0cf44288785e1367e13bf
+        with:
+          message: |
+            The review app is available at this URL:
+            https://pr-${{ github.event.pull_request.number }}.manage-breast-screening.non-live.screening.nhs.uk
+            You must authenticate with Entra ID

.github/workflows/cicd-2-main-branch.yaml

@@ -85,6 +85,6 @@ jobs:
       id-token: write
     uses: ./.github/workflows/stage-4-deploy.yaml
     with:
-      environments: "[\"review\",\"dev\"]"
+      environments: '["review","dev"]'
       commit_sha: ${{ github.sha }}
     secrets: inherit

.vscode/settings.json

@@ -4,9 +4,7 @@
     "MD024": { "siblings_only": true },
     "MD033": false
   },
-  "python.testing.pytestArgs": [
-    "."
-  ],
+  "python.testing.pytestArgs": ["."],
   "python.testing.unittestEnabled": false,
   "python.testing.pytestEnabled": true
 }

README.md

@@ -138,6 +138,7 @@ For more information, see the following developer guides:
 - [Scripting Docker](https://github.com/NHSDigital/repository-template/blob/main/docs/developer-guides/Scripting_Docker.md)
 
 ### More documentation
+
 Explore [the docs directory](docs).
 
 ## Licence

docs/adr/ADR-003-Subclass_Django_Form_fields.md

@@ -18,20 +18,21 @@ This was very error prone and verbose, because we had to map between Django's fo
 
 We decided to introduce a set of `Field` subclasses that customise the internal templates, so that they are rendered using the design system components.
 
-| Field class | Widget class | Rendered component |
-| -- | -- | -- |
-| core.form_fields.CharField | TextInput, EmailInput, etc | input |
-| core.form_fields.CharField | TextArea | textarea |
-| core.form_fields.ChoiceField | RadioSelect | radios |
-| core.form_fields.ChoiceField | Select | select |
-| core.form_fields.MultipleChoiceField | CheckboxSelectMultiple | checkboxes |
-| core.form_fields.SplitDateField | SplitDateWidget | date-input |
+| Field class                          | Widget class               | Rendered component |
+| ------------------------------------ | -------------------------- | ------------------ |
+| core.form_fields.CharField           | TextInput, EmailInput, etc | input              |
+| core.form_fields.CharField           | TextArea                   | textarea           |
+| core.form_fields.ChoiceField         | RadioSelect                | radios             |
+| core.form_fields.ChoiceField         | Select                     | select             |
+| core.form_fields.MultipleChoiceField | CheckboxSelectMultiple     | checkboxes         |
+| core.form_fields.SplitDateField      | SplitDateWidget            | date-input         |
 
 In a template, they are rendered with `{{ form.field.as_field_group() }}` this encpauslates all the complexity of mapping parameters between Django's form API and the [Jinja2 component macros](./ADR-002-Use_Jinja2.md).
 
 ## Consequences
 
 the custom form field subclasses:
+
 - make it possible to add new forms without writing a lot of HTML or Jinja in the template
 - should be intuitive to developers already familiar with Django
 - may need extending to support additional params for the underlying component

docs/infrastructure/create-environment.md

@@ -3,81 +3,87 @@
 This is the initial manual process to create a new environment like review, dev, production...
 
 ## Code
+
 - Create the configuration files in `infrastructure/environments/[environment]`
 - Add the `[environment]:` target in `scripts/terraform/terraform.mk`
 - Add [environment] to the list of environments in `deploy-stage` step of `cicd-2-main-branch.yaml`. For the review enviornment, there is a single item in `cicd-1-pull-request.yaml`.
 - Set the `fetch_secrets_from_app_key_vault` terraform variable to `false`. This is to let terraform create the key vault and prevent reading before it is ready.
 
 ## Entra ID
+
 - Create postgres Entra ID group in `DTOS Administrative Unit (AU)`: `postgres_manbrs_[environment]_uks_admin`
 - Ask CCOE to assign role:
-	- [Form for PIM](https://nhsdigitallive.service-now.com/nhs_digital?id=sc_cat_item&sys_id=28f3ab4f1bf3ca1078ac4337b04bcb78&sysparm_category=114fced51bdae1502eee65b9bd4bcbdc)
-	- Approver: Add someone from the infrastructure team
-	- Role Name: `Group.Read.All`
-	- Application Name: `mi-manbrs-[environment]-adotoaz-uks`
-	- Application ID: [client.id]
-	- Managed identity: `mi-manbrs-[environment]-adotoaz-uks`
-	- Description:
-    	- Managed identity: `mi-manbrs-[environment]-adotoaz-uks`
-    	- Role: permanent on Directory
+  - [Form for PIM](https://nhsdigitallive.service-now.com/nhs_digital?id=sc_cat_item&sys_id=28f3ab4f1bf3ca1078ac4337b04bcb78&sysparm_category=114fced51bdae1502eee65b9bd4bcbdc)
+  - Approver: Add someone from the infrastructure team
+  - Role Name: `Group.Read.All`
+  - Application Name: `mi-manbrs-[environment]-adotoaz-uks`
+  - Application ID: [client.id]
+  - Managed identity: `mi-manbrs-[environment]-adotoaz-uks`
+  - Description: - Managed identity: `mi-manbrs-[environment]-adotoaz-uks` - Role: permanent on Directory
 
 ## Bicep
+
 - Run bicep from AVD: `make [environment] resource-group-init`
 
 ## Infra secrets
-- Add the infrastructure secrets to the *inf* key vault `kv-manbrs-[review]-inf`
+
+- Add the infrastructure secrets to the _inf_ key vault `kv-manbrs-[review]-inf`
 
 ## Azure devops
+
 - Create ADO group
-	- Name: `Run pipeline - [environment]`
-	- Members: `mi-manbrs-[environment]-ghtoado-uks`. There may be more than 1 in the list. Check client id printed below the name.
-	- Permissions:
-		- View project-level information
+  - Name: `Run pipeline - [environment]`
+  - Members: `mi-manbrs-[environment]-ghtoado-uks`. There may be more than 1 in the list. Check client id printed below the name.
+  - Permissions:
+    - View project-level information
 - Create new pipeline:
-    - Name: `Deploy to Azure - [environment]`
-    - Pipeline yaml: `.azuredevops/pipelines/deploy.yml`
+  - Name: `Deploy to Azure - [environment]`
+  - Pipeline yaml: `.azuredevops/pipelines/deploy.yml`
 - Manage pipeline security:
-	- Add group: `Run pipeline - [environment]`
-	- Permissions:
-		- Edit queue build configuration
-		- Queue builds
-		- View build pipeline
-		- View builds
+  - Add group: `Run pipeline - [environment]`
+  - Permissions:
+    - Edit queue build configuration
+    - Queue builds
+    - View build pipeline
+    - View builds
 - Create service connection (ADO)
-	- Connection type: `Azure Resource Manager`
-	- Identity type: `Managed identity`
-	- Subscription for managed identity: `Digital Screening DToS - Devops`
-	- Resource group for managed identity: `rg-mi-[environment]-uks`
-	- Managed identity: `mi-manbrs-[environment]-adotoaz-uks`
-	- Scope level: `Subscription`
-	- Subscription: `Digital Screening DToS - Core Services Dev`
-	- Resource group for Service connection: leave blank
-	- Service Connection Name: `manbrs-[environment]`
-	- Do NOT tick: Grant access permission to all pipelines
-	- Security: allow `Deploy to Azure - [environment]` pipeline
+  - Connection type: `Azure Resource Manager`
+  - Identity type: `Managed identity`
+  - Subscription for managed identity: `Digital Screening DToS - Devops`
+  - Resource group for managed identity: `rg-mi-[environment]-uks`
+  - Managed identity: `mi-manbrs-[environment]-adotoaz-uks`
+  - Scope level: `Subscription`
+  - Subscription: `Digital Screening DToS - Core Services Dev`
+  - Resource group for Service connection: leave blank
+  - Service Connection Name: `manbrs-[environment]`
+  - Do NOT tick: Grant access permission to all pipelines
+  - Security: allow `Deploy to Azure - [environment]` pipeline
 - Create ADO environment: [environment]
-	- Set: exclusive lock (except for review)
-	- Add pipeline permission for `Deploy to Azure - [environment]` pipeline
+  - Set: exclusive lock (except for review)
+  - Add pipeline permission for `Deploy to Azure - [environment]` pipeline
 
 ## Github
+
 - Create Github environment [environment]
 - Add the protection rule (except in review):
-	- Deselect `Allow administrators to bypass configured protection rules`
-	- In `Deployment branches and tags` choose `Selected branches and tags` from the drop-down menu
-	- Click `Add deployment branch or tag rule` and enter "main"
+  - Deselect `Allow administrators to bypass configured protection rules`
+  - In `Deployment branches and tags` choose `Selected branches and tags` from the drop-down menu
+  - Click `Add deployment branch or tag rule` and enter "main"
 - Add environment secrets, from `mi-manbrs-[environment]-ghtoado-uks` in github
-	- *AZURE_CLIENT_ID*
-	- *AZURE_SUBSCRIPTION_ID*
+  - _AZURE_CLIENT_ID_
+  - _AZURE_SUBSCRIPTION_ID_
 
 ## First run
+
 - Test running terraform manually from the AVD (Optional)
 - Raise a pull request, review and merge to trigger the pipeline
 - Check ADO pipeline. You may be prompted to authorise:
-	- Pipeline: service connection
-	- Environment: service connection and agent pool
+  - Pipeline: service connection
+  - Environment: service connection and agent pool
 
 ## App secrets
-- Add the application secrets to the *app* key vault `kv-manbrs-[review]-app`
+
+- Add the application secrets to the _app_ key vault `kv-manbrs-[review]-app`
 - Set `fetch_secrets_from_app_key_vault` terraform variable to `true`
 - Test running terraform manually from the AVD (Optional)
 - Raise a pull request, review and merge to trigger the pipeline

docs/infrastructure/deployment.md

@@ -1,55 +1,67 @@
 # Deployment
 
 ## Infrastructure
+
 The code is packaged into a docker image which is deployed to [Azure container apps](https://learn.microsoft.com/en-us/azure/container-apps/). The main app is a web application, with an HTTP ingress. And the second one is an [Azure container app job](https://learn.microsoft.com/en-us/azure/container-apps/jobs?tabs=azure-cli), triggered on demand to run the database migration.
 
 The web application does not have a public endpoint. It is only accessible via [Azure front door](https://learn.microsoft.com/en-us/azure/frontdoor/) which is a CDN providing TLS certificates, firewall, scaling and caching. The internal endpoint is accessible via [Azure Virtual Desktop](https://learn.microsoft.com/en-us/azure/virtual-desktop/).
 
 The data is hosted on [Azure postgres flexible server](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/overview).
 
 ## Docker build
+
 The build pipeline builds and pushes a docker image to [Github container registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry). The image is tagged with:
+
 - branch name: for docker build caching
 - commit SHA: to uniquely identify the image during deployment, prefixed by "git-sha-".
 - image digest sha: immutable tag
 
 ## Automated deployment
+
 The deployment is split between:
+
 - [Github actions](https://github.com/features/actions) for Continuous Integration (CI)
 - [Azure devops](https://azure.microsoft.com/en-us/products/devops) pipelines for Continuous Deployment (CD)
 
 ### Github actions
+
 Runs on Github hosted runners on the internet. They run all our tests (unit, functional, security, linting...). They don't have access to our internal network nor any sensitive data.
 
 To deploy an environment, they authenticate to Azure and delegate the work to [Azure devops piplines](#azure-devops-pipelines).
 
 See [all Github actions](https://github.com/NHSDigital/dtos-manage-breast-screening/actions).
 
 ### Azure devops pipelines
+
 We use a public repository as required by the [NHS Service standard](https://service-manual.nhs.uk/standards-and-technology/service-standard-points/12-make-new-source-code-open). For security reasons, deployments cannot run from Github actions and run instead on Azure devops private runners inside our internal network. They have access to the network and any Azure resource deployed onto it.
 
 See [all Azure devops pipelines](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build).
 
 ### Review apps
-When a pull request is raised, add a "deploy" label to deploy a *review app* (concept borrowed from [Heroku](https://devcenter.heroku.com/articles/github-integration-review-apps)). It triggers the [CI/CD pull request](https://github.com/NHSDigital/dtos-manage-breast-screening/actions/workflows/cicd-1-pull-request.yaml) Github action workflow, which runs tests then authenticates to Azure and triggers the [Deploy review app](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build?definitionId=102) Azure devops pipeline. It runs terraform to deploy the application, database and front door configuration.
+
+When a pull request is raised, add a "deploy" label to deploy a _review app_ (concept borrowed from [Heroku](https://devcenter.heroku.com/articles/github-integration-review-apps)). It triggers the [CI/CD pull request](https://github.com/NHSDigital/dtos-manage-breast-screening/actions/workflows/cicd-1-pull-request.yaml) Github action workflow, which runs tests then authenticates to Azure and triggers the [Deploy review app](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build?definitionId=102) Azure devops pipeline. It runs terraform to deploy the application, database and front door configuration.
 
 To make this process faster and less costly, most of the infrastructure is reused for all review apps: networking, key vaults, container app environments... The base infrastructure is only updated by the pipeline on the main branch.
 
-When the pull request is closed or merged, and if it has the "deploy" label, the [Delete review app](https://github.com/NHSDigital/dtos-manage-breast-screening/actions/workflows/cicd-1-pull-request-closed.yaml) workflow is triggered, followed by the [Delete review app](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build?definitionId=103) Azure devops pipeline. It runs *terraform destroy* to delete the resources.
+When the pull request is closed or merged, and if it has the "deploy" label, the [Delete review app](https://github.com/NHSDigital/dtos-manage-breast-screening/actions/workflows/cicd-1-pull-request-closed.yaml) workflow is triggered, followed by the [Delete review app](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build?definitionId=103) Azure devops pipeline. It runs _terraform destroy_ to delete the resources.
 
 Note: terraform currently deploys a postgres server with a locked database. It must be deleted manually from the Azure portal before the pipeline runs.
 
 ### Main branch
+
 When a pull request is merged to the main branch, the [CI/CD main branch](https://github.com/NHSDigital/dtos-manage-breast-screening/actions/workflows/cicd-2-main-branch.yaml) is triggered. It runs tests then authenticates to Azure and triggers the [Deploy to Azure](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build?definitionId=93) Azure devops pipeline. It runs terraform to deploy the entire environment, including both infrastructure and applications. Any manual change is overwritten by terraform.
 
 ## Application secrets
-The application requires secrets provided as environment variables. Terraform creates an *app* Azure key vault and all its secrets are mapped directly to the app as environment variables. Developers can access the key vault to create and update the secrets manually.
+
+The application requires secrets provided as environment variables. Terraform creates an _app_ Azure key vault and all its secrets are mapped directly to the app as environment variables. Developers can access the key vault to create and update the secrets manually.
 
 Notes:
+
 - [the process requires multiple steps](https://github.com/NHSDigital/dtos-devops-templates/tree/main/infrastructure/modules/container-app#key-vault-secrets) to set up an environment initially. The process is documented in [create-environment](create-environment.md).
 - The secrets names in key vault are uppercase with hyphen separators. They are mapped to environment variables as uppercase with underscore separator. e.g. `SECRET-KEY` is mapped to `SECRET_KEY`.
 
 ## Manual deployment
+
 For each environment, e.g. 'dev':
 
 1. Connect to [Azure virtual desktop](https://azure.microsoft.com/en-us/products/virtual-desktop). Ask the platform team for access with Administrator role.
@@ -73,7 +85,8 @@ For each environment, e.g. 'dev':
 [Review app environments](#review-apps) differ slightly from other environments. They are lightweight versions of the application and are designed to share much of the core Azure infrastructure. As a result, there is a one-to-many relationship between the container apps and the container app environment.
 
 ### Step 1
-If you run the following command *without* the `PR_NUMBER` parameter, it will apply only the infrastructure module:
+
+If you run the following command _without_ the `PR_NUMBER` parameter, it will apply only the infrastructure module:
 
 ```shell
 make review terraform-apply
@@ -90,7 +103,9 @@ make review terraform-apply DOCKER_IMAGE_TAG=git-sha-01ecb79d561f55be60072a093dd
 ```
 
 ### Delete review app
+
 Run terraform-destroy:
+
 ```shell
 make review terraform-destroy DOCKER_IMAGE_TAG=git-sha-01ecb79d561f55be60072a093dd167fe8eb5b42e PR_NUMBER=123
 ```