NHSDigital · Themitchell · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025
diff --git a/.github/workflows/test-deploy.yaml b/.github/workflows/test-deploy.yaml
@@ -39,4 +39,4 @@ jobs:
           terraform_version: 1.11.4
 
       - name: Terraform plan
-        run: make ${TARGET_ENV} ci terraform-apply
+        run: make ${TARGET_ENV} ci terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ github.sha }}
diff --git a/.python-version b/.python-version
@@ -0,0 +1 @@
+3.13.7
diff --git a/infrastructure/environments/poc/variables.tfvars b/infrastructure/environments/poc/variables.tfvars
@@ -4,8 +4,10 @@ features = {
   hub_and_spoke      = false
   private_networking = false
 }
+fetch_secrets_from_app_key_vault      = true
+github_mi_name                        = "mi-lungcs-poc-ghtoaz-uks"
+key_vault_secrets_officer_groups      = ["Azure-Lung-Cancer-Screening---Dev-Owner"]
 postgres_backup_retention_days        = 7
 postgres_geo_redundant_backup_enabled = false
-fetch_secrets_from_app_key_vault      = true
 protect_keyvault                      = false
 vnet_address_space                    = "10.65.0.0/16"
diff --git a/infrastructure/modules/infra/data.tf b/infrastructure/modules/infra/data.tf
@@ -0,0 +1,9 @@
+data "azuread_service_principal" "github-mi" {
+  display_name = var.github_mi_name
+}
+
+data "azuread_group" "kv_officers" {
+  for_each = toset(var.key_vault_secrets_officer_groups)
+
+  display_name = each.value
+}
diff --git a/infrastructure/modules/infra/main.tf b/infrastructure/modules/infra/main.tf
@@ -1,10 +1,3 @@
-locals {
-  key_vault_secrets_officers = [
-    "mi-lungcs-poc-ghtoaz-uks",
-    "Azure-Lung-Cancer-Screening---Dev-Owner"
-  ]
-}
-
 resource "azurerm_resource_group" "main" {
   name     = var.resource_group_name
   location = var.region
@@ -31,17 +24,16 @@ module "app-key-vault" {
   purge_protection_enabled      = var.protect_keyvault
 }
 
-data "azuread_service_principal" "identity" {
-  for_each = local.key_vault_secrets_officers
-
-  display_name = each.value
-}
-
 module "key_vault_rbac_assignments" {
-  for_each = data.azuread_service_principal.identity
-
   source = "../dtos-devops-templates/infrastructure/modules/rbac-assignment"
 
+  for_each = merge(
+    {
+      (var.github_mi_name) = data.azuread_service_principal.github-mi
+    },
+    data.azuread_group.kv_officers
+  )
+
   principal_id         = each.value.object_id
   role_definition_name = "Key Vault Secrets Officer"
   scope                = module.app-key-vault.key_vault_id

diff --git a/infrastructure/modules/infra/variables.tf b/infrastructure/modules/infra/variables.tf
@@ -17,6 +17,16 @@ variable "features" {
   })
 }
 
+variable "github_mi_name" {
+  description = "Name of the GitHub Managed Identity."
+  type        = string
+}
+
+variable "key_vault_secrets_officer_groups" {
+  description = "List of Entra ID group names which will have Key Vault Secrets Officer RBAC role."
+  type        = list(string)
+}
+
 variable "resource_group_name" {
   description = "Infra resource group name"
   type        = string

diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf
@@ -8,14 +8,16 @@ module "infra" {
     azurerm.hub = azurerm.hub
   }
 
-  region              = local.region
-  resource_group_name = local.resource_group_name
-  app_short_name      = var.app_short_name
-  environment         = var.env_config
-  features            = var.features
-  hub                 = var.hub
-  protect_keyvault    = var.protect_keyvault
-  vnet_address_space  = var.vnet_address_space
+  region                           = local.region
+  resource_group_name              = local.resource_group_name
+  app_short_name                   = var.app_short_name
+  environment                      = var.env_config
+  features                         = var.features
+  github_mi_name                   = var.github_mi_name
+  hub                              = var.hub
+  key_vault_secrets_officer_groups = var.key_vault_secrets_officer_groups
+  protect_keyvault                 = var.protect_keyvault
+  vnet_address_space               = var.vnet_address_space
 }
 
 module "container-apps" {

diff --git a/infrastructure/terraform/variables.tf b/infrastructure/terraform/variables.tf
@@ -1,7 +1,6 @@
-variable "deploy_infra" {
-  description = "The foundational layer of infrastructure for the application to run on"
-  type        = bool
-  default     = true
+variable "app_short_name" {
+  description = "Application short name (6 characters)"
+  type        = string
 }
 
 variable "deploy_container_apps" {
@@ -10,41 +9,54 @@ variable "deploy_container_apps" {
   default     = true
 }
 
-variable "app_short_name" {
-  description = "Application short name (6 characters)"
-  type        = string
+variable "deploy_database_as_container" {
+  description = "Whether to deploy the database as a container or as an Azure postgres flexible server."
+  type        = bool
+  default     = false
 }
 
-variable "environment" {
-  description = "Application environment name"
-  type        = string
+variable "deploy_infra" {
+  description = "The foundational layer of infrastructure for the application to run on"
+  type        = bool
+  default     = true
 }
 
-variable "env_config" {
-  description = "Environment configuration. Different environments may share the same environment config and the same infrastructure"
+variable "docker_image" {
+  description = "Docker image full path including registry, repository and tag"
   type        = string
 }
 
-variable "hub" {
-  description = "Hub name (dev or prod)"
+variable "dns_zone_name" {
+  description = "Value of the DNS zone name to use for the Front Door endpoint"
   type        = string
+  default     = ""
 }
 
-variable "docker_image" {
-  description = "Docker image full path including registry, repository and tag"
-  type        = string
+variable "enable_entra_id_authentication" {
+  description = "Enable authentication for the container app. If true, the app will use Azure AD authentication."
+  type        = bool
+  default     = false
 }
 
-variable "hub_subscription_id" {
-  description = "ID of the hub Azure subscription"
+variable "environment" {
+  description = "Application environment name"
   type        = string
 }
 
-variable "vnet_address_space" {
-  description = "VNET address space. Must be unique across the hub."
+variable "env_config" {
+  description = "Environment configuration. Different environments may share the same environment config and the same infrastructure"
   type        = string
 }
 
+variable "features" {
+  description = "Feature flags for the deployment"
+  type = object({
+    front_door         = optional(bool, true)
+    hub_and_spoke      = optional(bool, true)
+    private_networking = optional(bool, true)
+  })
+}
+
 variable "fetch_secrets_from_app_key_vault" {
   description = <<EOT
     Set to false initially to create and populate the app key vault.
@@ -55,6 +67,32 @@ variable "fetch_secrets_from_app_key_vault" {
   type        = bool
 }
 
+variable "front_door_profile" {
+  description = "Name of the front door profile created for this application in the hub subscription"
+  type        = string
+  default     = null
+}
+
+variable "github_mi_name" {
+  description = "Name of the GitHub Managed Identity."
+  type        = string
+}
+
+variable "hub" {
+  description = "Hub name (dev or prod)"
+  type        = string
+}
+
+variable "hub_subscription_id" {
+  description = "ID of the hub Azure subscription"
+  type        = string
+}
+
+variable "key_vault_secrets_officer_groups" {
+  description = "List of Entra ID group names which will have Key Vault Secrets Officer RBAC role."
+  type        = list(string)
+}
+
 variable "protect_keyvault" {
   description = "Ability to recover the key vault or its secrets after deletion"
   default     = true
@@ -73,12 +111,6 @@ variable "postgres_geo_redundant_backup_enabled" {
   default     = true
 }
 
-variable "deploy_database_as_container" {
-  description = "Whether to deploy the database as a container or as an Azure postgres flexible server."
-  type        = bool
-  default     = false
-}
-
 variable "postgres_sku_name" {
   description = "Value of the PostgreSQL Flexible Server SKU name"
   default     = "B_Standard_B1ms"
@@ -97,8 +129,8 @@ variable "postgres_storage_tier" {
   type        = string
 }
 
-variable "enable_entra_id_authentication" {
-  description = "Enable authentication for the container app. If true, the app will use Azure AD authentication."
+variable "seed_demo_data" {
+  description = "Whether or not to seed the demo data in the database."
   type        = bool
   default     = false
 }
@@ -109,32 +141,11 @@ variable "use_apex_domain" {
   default     = false
 }
 
-variable "dns_zone_name" {
-  description = "Value of the DNS zone name to use for the Front Door endpoint"
-  type        = string
-  default     = ""
-}
-
-variable "features" {
-  description = "Feature flags for the deployment"
-  type = object({
-    front_door         = optional(bool, true)
-    hub_and_spoke      = optional(bool, true)
-    private_networking = optional(bool, true)
-  })
-}
-
-variable "front_door_profile" {
-  description = "Name of the front door profile created for this application in the hub subscription"
+variable "vnet_address_space" {
+  description = "VNET address space. Must be unique across the hub."
   type        = string
-  default     = null
 }
 
-variable "seed_demo_data" {
-  description = "Whether or not to seed the demo data in the database."
-  type        = bool
-  default     = false
-}
 
 locals {
   region              = "uksouth"