NHSDigital
diff --git a/‎.azuredevops/pipelines/deploy.yml‎
Lines changed: 77 additions & 0 deletions b/‎.azuredevops/pipelines/deploy.yml‎
Lines changed: 77 additions & 0 deletions
diff --git a/‎.azuredevops/pipelines/hub-infrastructure-dev.yaml‎
Lines changed: 78 additions & 0 deletions b/‎.azuredevops/pipelines/hub-infrastructure-dev.yaml‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎.gitleaksignore‎
Lines changed: 17 additions & 10 deletions b/‎.gitleaksignore‎
Lines changed: 17 additions & 10 deletions
diff --git a/‎docs/infrastructure/bootstrap.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/infrastructure/bootstrap.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/infrastructure/infra-faq.md‎
Lines changed: 9 additions & 9 deletions b/‎docs/infrastructure/infra-faq.md‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎docs/infrastructure/new-subscription-setup.md‎
Lines changed: 11 additions & 11 deletions b/‎docs/infrastructure/new-subscription-setup.md‎
Lines changed: 11 additions & 11 deletions
diff --git a/‎infrastructure/bootstrap/environments/nonlive/variables.sh‎
Lines changed: 1 addition & 0 deletions b/‎infrastructure/bootstrap/environments/nonlive/variables.sh‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎infrastructure/bootstrap/hub.bicep‎
Lines changed: 26 additions & 4 deletions b/‎infrastructure/bootstrap/hub.bicep‎
Lines changed: 26 additions & 4 deletions
@@ -0,0 +1,77 @@
+trigger: none
+pr: none
+
+parameters:
+  - name: commitSHA
+    displayName: Commit SHA
+    type: string
+  - name: environment
+    displayName: Environment
+    type: string
+  - name: prNumber
+    displayName: Pull request number
+    type: string
+    default: ''
+  - name: pool
+    displayName: ADO management pool
+    type: string
+
+stages:
+  - stage: ${{ parameters.environment }}
+    displayName: Deploy to ${{ parameters.environment }} environment
+    pool:
+      name: ${{ parameters.pool }}
+    lockBehavior: sequential
+    isSkippable: false
+
+    jobs:
+      - deployment: DeployApp
+        displayName: Deploy application
+        environment: ${{ parameters.environment }}
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+
+                - task: UsePythonVersion@0
+                  inputs:
+                    versionSpec: '3.x'
+                    architecture: 'x64'
+
+                - task: TerraformInstaller@1
+                  displayName: Install terraform
+                  inputs:
+                    terraformVersion: 1.7.0
+
+                - task: AzureCLI@2
+                  displayName: Run terraform
+                  inputs:
+                    azureSubscription: lung-${{ parameters.environment }}
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: |
+                      export ARM_TENANT_ID="$tenantId"
+                      export ARM_CLIENT_ID="$servicePrincipalId"
+                      export ARM_OIDC_TOKEN="$idToken"
+                      export ARM_USE_OIDC=true
+                      make ci ${{ parameters.environment }} terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }} PR_NUMBER=${{ parameters.prNumber }}
+
+                # - task: AzureCLI@2
+                #   displayName: Run database setup
+                #   inputs:
+                #     azureSubscription: lungcs-${{ parameters.environment }}
+                #     scriptType: bash
+                #     scriptLocation: inlineScript
+                #     addSpnToEnvironment: true
+                #     inlineScript: make ci ${{ parameters.environment }} db-setup PR_NUMBER=${{ parameters.prNumber }}
+
+                # - task: AzureCLI@2
+                #   displayName: Run notifications smoke test
+                #   inputs:
+                #     azureSubscription: lungcs-${{ parameters.environment }}
+                #     scriptType: bash
+                #     scriptLocation: inlineScript
+                #     addSpnToEnvironment: true
+                #     inlineScript: make ci ${{ parameters.environment }} notifications-smoke-test PR_NUMBER=${{ parameters.prNumber }}
@@ -0,0 +1,78 @@
+---
+name: $(Build.SourceBranchName)-$(Date:yyyyMMdd)_$(Rev:r)
+trigger: none
+pr: none
+
+pool:
+  name: private-pool-hub-nonlive-uks
+  # vmImage: ubuntu-latest
+
+resources:
+  repositories:
+    - repository: dtos-devops-templates
+      type: github
+      name: NHSDigital/dtos-devops-templates
+      ref: main
+      endpoint: NHSDigital
+
+variables:
+  - group: NON_LIVE_hub_backend
+  - name: TF_DIRECTORY
+    value: $(System.DefaultWorkingDirectory)/lung_cancer_screening/infrastructure/terraform/hub
+  - name: TF_VERSION
+    value: 1.14.3
+  - name: TF_PLAN_ARTIFACT
+    value: tf_plan_hub_art_NONLIVE_dev
+  - name: ENVIRONMENT
+    value: nonlive-hub
+
+stages:
+  - stage: terraform_plan
+    displayName: Terraform Plan
+    condition: eq(variables['Build.Reason'], 'Manual')
+    variables:
+      tfVarsFile: ../../environments/$(ENVIRONMENT)/variables.tfvars
+    jobs:
+      - job: init_and_plan
+        displayName: Init, plan, store artifact
+        steps:
+          - checkout: self
+          - checkout: dtos-devops-templates
+          - task: Bash@3
+            displayName: 'Debug Terraform directory'
+            inputs:
+              targetType: 'inline'
+              script: |
+                find . -type d | grep dtos-devops-templates
+                pwd
+                ls -la
+                echo "TF_DIRECTORY=$(TF_DIRECTORY)"
+                # cd $(TF_DIRECTORY)
+                ls -ltr
+                find .
+                terraform --version || true
+          - template: .azuredevops/templates/steps/tf_plan.yaml@dtos-devops-templates
+
+  - stage: terraform_apply
+    displayName: Terraform Apply
+    dependsOn: [terraform_plan]
+    condition: and(eq(dependencies.terraform_plan.outputs['init_and_plan.TerraformPlan.changesPresent'], 'true'), eq(variables['Build.Reason'], 'Manual'))
+    jobs:
+      - deployment: terraform_apply
+        displayName: Init, get plan artifact, apply
+        environment: $(ENVIRONMENT)
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+                - checkout: dtos-devops-templates
+                - template: .azuredevops/templates/steps/tf_apply.yaml@dtos-devops-templates
+                  # parameters:
+                  #   # The Application Gateway Config null resource needs an authenticated PowerShell context, hence our shell is pscore
+                  #   # AzureCLI@2 task is used rather than AzurePowerShell@5 because Terraform is unable to use a PowerShell authentication context directly
+                  #   tfApplyShell: pscore
+                  #   tfApplyScript: |
+                  #     if (-not (Get-Module -ListAvailable -Name Az)) { Install-Module -Name Az -AllowClobber -Scope CurrentUser -Force -SkipPublisherCheck }
+                  #     $token = az account get-access-token --resource https://management.azure.com/ --query accessToken --output tsv
+                  #     Connect-AzAccount -AccessToken $token -AccountId $env:servicePrincipalId -Tenant $env:tenantId -Subscription $(TF_VAR_TARGET_SUBSCRIPTION_ID) -ErrorAction Stop
@@ -1,16 +1,16 @@
 # SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
 
 cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37
-infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:10
-infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:11
-infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:12
-infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:29
-infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:30
-infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:31
-infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:32
-infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:33
-infrastructure/terraform/resource_group_init/storage.bicep:generic-api-key:59
-infrastructure/terraform/resource_group_init/keyVault.bicep:generic-api-key:10
+infrastructure/terraform/spoke/resource_group_init/core.bicep:generic-api-key:10
+infrastructure/terraform/spoke/resource_group_init/core.bicep:generic-api-key:11
+infrastructure/terraform/spoke/resource_group_init/core.bicep:generic-api-key:12
+infrastructure/terraform/spoke/resource_group_init/main.bicep:generic-api-key:29
+infrastructure/terraform/spoke/resource_group_init/main.bicep:generic-api-key:30
+infrastructure/terraform/spoke/resource_group_init/main.bicep:generic-api-key:31
+infrastructure/terraform/spoke/resource_group_init/main.bicep:generic-api-key:32
+infrastructure/terraform/spoke/resource_group_init/main.bicep:generic-api-key:33
+infrastructure/terraform/spoke/resource_group_init/storage.bicep:generic-api-key:59
+infrastructure/terraform/spoke/resource_group_init/keyVault.bicep:generic-api-key:10
 infrastructure/bootstrap/core.bicep:generic-api-key:10
 infrastructure/bootstrap/core.bicep:generic-api-key:11
 infrastructure/bootstrap/core.bicep:generic-api-key:12
@@ -21,10 +21,17 @@ infrastructure/bootstrap/hub.bicep:generic-api-key:56
 infrastructure/bootstrap/hub.bicep:generic-api-key:57
 infrastructure/bootstrap/hub.bicep:generic-api-key:58
 infrastructure/bootstrap/hub.bicep:generic-api-key:59
+infrastructure/bootstrap/hub.bicep:generic-api-key:60
+infrastructure/bootstrap/hub.bicep:generic-api-key:61
 infrastructure/bootstrap/main.bicep:generic-api-key:29
 infrastructure/bootstrap/main.bicep:generic-api-key:30
 infrastructure/bootstrap/main.bicep:generic-api-key:31
 infrastructure/bootstrap/main.bicep:generic-api-key:32
 infrastructure/bootstrap/modules/storage.bicep:generic-api-key:59
 infrastructure/bootstrap/modules/keyVault.bicep:generic-api-key:10
 infrastructure/bootstrap/modules/storage.bicep:generic-api-key:59
+infrastructure/terraform/hub/data.tf:generic-api-key:18
+infrastructure/terraform/hub/data.tf:generic-api-key:22
+infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:11
+infrastructure/terraform/resource_group_init/keyVault.bicep:generic-api-key:10
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:30
@@ -0,0 +1 @@
+make hub-nonlive bootstrap
@@ -22,7 +22,7 @@ Below is an example of how to do it.
 export ARM_USE_AZUREAD=true
 export MSYS_NO_PATHCONV=true
 
-terraform -chdir=infrastructure/terraform import  -var-file ../environments/${ENV_CONFIG}/variables.tfvars module.infra[0].module.postgres_subnet.azurerm_subnet.subnet  /subscriptions/xxx/resourceGroups/rg-lungrc-review-uks/providers/Microsoft.Network/virtualNetworks/vnet-review-uks-lungrc/subnets/snet-postgres
+terraform -chdir=infrastructure/terraform/spoke import  -var-file ../environments/${ENV_CONFIG}/variables.tfvars module.infra[0].module.postgres_subnet.azurerm_subnet.subnet  /subscriptions/xxx/resourceGroups/rg-lungcs-review-uks/providers/Microsoft.Network/virtualNetworks/vnet-review-uks-lungcs/subnets/snet-postgres
 ```
 
 ### Error: Failed to load state
@@ -65,7 +65,7 @@ Example:
 Running Azure CLI Login.
 ...
 Attempting Azure CLI login by using OIDC...
-Error: AADSTS70025: The client '***'(mi-lungrc-ado-review-temp) has no configured federated identity credentials. Trace ID: xxx Correlation ID: xxx Timestamp: xxx
+Error: AADSTS70025: The client '***'(mi-lungcs-ado-review-temp) has no configured federated identity credentials. Trace ID: xxx Correlation ID: xxx Timestamp: xxx
 
 Error: Interactive authentication is needed. Please run:
 az login
@@ -122,10 +122,10 @@ The ADO group must have the "View project-level information" permission.
 Example:
 
 ```shell
-The pipeline is not valid. Job DeployApp: Step input azureSubscription references service connection lungrc-review which could not be found. The service connection does not exist, has been disabled or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz. Job DeployApp: Step input azureSubscription references service connection lungrc-review which could not be found. The service connection does not exist, has been disabled or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz.
+The pipeline is not valid. Job DeployApp: Step input azureSubscription references service connection lungcs-review which could not be found. The service connection does not exist, has been disabled or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz. Job DeployApp: Step input azureSubscription references service connection lungcs-review which could not be found. The service connection does not exist, has been disabled or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz.
 ```
 
-The Azure service connection lungrc-[environment] is missing
+The Azure service connection lungcs-[environment] is missing
 
 ## Bicep errors
 
@@ -149,7 +149,7 @@ If you can't find the right scope, follow this process:
 
 ```shell
  ~ Microsoft.Authorization/roleAssignments/abcd-123 [2022-04-01]
-    ~ properties.principalId: "xxx" => "[reference('/subscriptions/xxx/resourceGroups/rg-mi-review-uks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-lungrc-ado-review-uks', '2024-11-30').principalId]"
+    ~ properties.principalId: "xxx" => "[reference('/subscriptions/xxx/resourceGroups/rg-mi-review-uks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-lungcs-ado-review-uks', '2024-11-30').principalId]"
 ```
 
 - Get the subscription id
@@ -207,20 +207,20 @@ When initially creating the terraform; the pipeline will try to create a state f
 Example:
 
 ```shell
-Failed to get existing workspaces: containers.Client#ListBlobs: Failure sending request: StatusCode=0 -- Original Error: Get "https://salungrcpreprodtfstate.blob.core.windows.net/terraform-state?comp=list&prefix=preprod.tfstateenv%3A&restype=container": dial tcp: lookup salungrcpreprodtfstate.blob.core.windows.net on *.*.*.*:53: no such host
+Failed to get existing workspaces: containers.Client#ListBlobs: Failure sending request: StatusCode=0 -- Original Error: Get "https://salungcspreprodtfstate.blob.core.windows.net/terraform-state?comp=list&prefix=preprod.tfstateenv%3A&restype=container": dial tcp: lookup salungcspreprodtfstate.blob.core.windows.net on *.*.*.*:53: no such host
 ```
 
 You can check to see if the blobstorage is accessible via logging into the VDI machine and trying to do an nslookup on the blob storage account: -
 
 ```shell
-$ nslookup salungrcpreprodtfstate.blob.core.windows.net
+$ nslookup salungcspreprodtfstate.blob.core.windows.net
 Server: UnKnown
 Address: _._._._
 
 Non-authoritative answer:
-Name: salungrcpreprodtfstate.privatelink.blob.core.windows.net
+Name: salungcspreprodtfstate.privatelink.blob.core.windows.net
 Address: _._._._
-Aliases: salungrcpreprodtfstate.blob.core.windows.net
+Aliases: salungcspreprodtfstate.blob.core.windows.net
 ```
 
 In the above example it was discoverd that the pipeline pool was on the wrong ADO management pool, i.e on the private-pool-dev-uks instead of the private-pool-prod-uks.
 
@@ -7,37 +7,37 @@ New subscription that are created within Azure often have limitations on them, t
 Resource providers components need to be enabled:-
 
 - Microsoft.Authorization
-- Microsoft.AzureTerraform
+- Microsoft.AzureTerraform  +
 - Microsoft.Billing
 - Microsoft.ChangeSafety
 - Microsoft.ClassicSubscription
 - Microsoft.Commerce
-- Microsoft.Compute
-- Microsoft.ComputeSchedule
+- Microsoft.Compute +
+- Microsoft.ComputeSchedule +
 - Microsoft.Consumption
-- Microsoft.ContainerService
+- Microsoft.ContainerService +
 - Microsoft.CostManagement
-- Microsoft.DesktopVirtualization
-- Microsoft.DevCenter
-- Microsoft.DevOpsInfrastructure
+- Microsoft.DesktopVirtualization +
+- Microsoft.DevCenter +
+- Microsoft.DevOpsInfrastructure +
 - Microsoft.Diagnostics
 - Microsoft.Features
 - Microsoft.GuestConfiguration
 - Microsoft.Insights
-- Microsoft.KeyVault
+- Microsoft.KeyVault +
 - Microsoft.ManagedIdentity
 - Microsoft.MarketplaceOrdering
-- Microsoft.Network
+- Microsoft.Network +
 - Microsoft.PolicyInsights
 - Microsoft.Portal
-- Microsoft.Quota
+- Microsoft.Quota +
 - Microsoft.ResourceGraph
 - Microsoft.ResourceIntelligence
 - Microsoft.ResourceNotifications
 - Microsoft.Resources
 - Microsoft.Security
 - Microsoft.SerialConsole
-- Microsoft.Storage
+- Microsoft.Storage +
 - Microsoft.Support
 
 ## Step 2
 
@@ -1,3 +1,4 @@
 AZURE_SUBSCRIPTION="Lung Cancer Risk Check - Non-live hub"
+# AZURE_SUBSCRIPTION="Lung Cancer Screening - Dev"
 BOOTSTRAP=hub
 HUB_TYPE=nonlive
@@ -28,10 +28,9 @@ param vnetAddressPrefixes array
 param enableSoftDelete bool
 
 
-// var keyVaultName = 'kv-lungcs-${envConfig}-inf'
-
 // removed when generalised
-var appShortName = 'lungrc'
+var appShortName = 'lungcs'
+//var appShortName = 'lungal'
 
 var devCenterSuffix = substring(uniqueString(subscription().id), 0, 3)
 var devCenterName = 'devc-hub-${hubType}-${regionShortName}-${devCenterSuffix}'
@@ -50,13 +49,16 @@ var storageAccountName = 'sa${appShortName}${regionShortName}state'
 var miADOtoAZname = 'mi-${appShortName}-${hubType}-adotoaz-${regionShortName}'
 var miGHtoADOname = 'mi-${appShortName}-${hubType}-ghtoado-${regionShortName}'
 
+
 // See: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
 var roleID = {
   CDNContributor: 'ec156ff8-a8d1-4d15-830c-5b80698ca432'
   kvSecretsUser: '4633458b-17de-408a-b874-0445c86b69e6'
   networkContributor: '4d97b98b-1d4f-4787-a291-c67834d212e7'
   rbacAdmin: 'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
   reader: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+  contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+  storageBlobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
 }
 
 
@@ -78,6 +80,7 @@ module virtualNetwork 'modules/virtualNetwork.bicep' = {
 module managedDevopsPool 'modules/managedDevopsPool.bicep' = {
   scope: bootstrapRG
   params: {
+    //adoOrg: 'nhse-pps-1'
     adoOrg: 'nhse-dtos'
     agentProfileMaxAgentLifetime: '00.04:00:00'
     devCenterName: devCenterName
@@ -179,6 +182,26 @@ resource CDNContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-
   }
 }
 
+@description('Let the managed identity deploy terraform on the subscription')
+resource TerraformContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().subscriptionId, hubType, 'TerraformContributor')
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.contributor)
+    principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
+    description: '${miADOtoAZname} Terraform Contributor access to subscription'
+  }
+}
+
+@description('Let the managed identity strore blobs in storage account')
+resource StorageAccountBlobContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().subscriptionId, hubType, 'StorageAccountBlobContributorAssignment')
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.storageBlobDataContributor)
+    principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
+    description: '${miADOtoAZname} Storage Account Blob Contributor access to subscription'
+  }
+}
+
 @description('Create the managed identity assumed by Github actions to trigger Azure devops pipelines')
 module managedIdentiyGHtoADO 'modules/managedIdentity.bicep' = {
   scope: managedIdentityRG
@@ -193,7 +216,6 @@ module managedIdentiyGHtoADO 'modules/managedIdentity.bicep' = {
   }
 }
 
-
 @description('Let the GHtoADO managed identity access a subscription')
 resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(subscription().subscriptionId, hubType, 'reader')