NHSDigital · patrickmoore-nc · Jun 4, 2025 · May 23, 2025
diff --git a/.github/actions/scan-vulnerabilities/action.yaml b/.github/actions/scan-vulnerabilities/action.yaml
@@ -52,6 +52,7 @@ runs:
             echo "${SCAN_RESULTS}" | grep -i "${SEVERITY}" || echo "No ${SEVERITY} vulnerabilities found."
           } | tee -a "vulnerabilities/${VULNERABILITIES_SUMMARY_LOGFILE}"
         done
+
     - name: Upload vulnerabilities report
       uses: actions/upload-artifact@v4
       with:

diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml
@@ -255,16 +255,14 @@ jobs:
     name: Aggregate reports
     runs-on: ubuntu-latest
     needs: [build-and-push, containers-to-build]
-    env:
-      PR_NUM_TAG: ${{ needs.containers-to-build.outputs.pr_num_tag }}
     steps:
       - name: Get all artifacts
         uses: actions/download-artifact@v4
         with:
-          path: reports-${{ needs.containers-to-build.outputs.pr_num_tag }}
+          path: aggregated-reports
 
       - name: Aggregate reports
         uses: actions/upload-artifact@v4
         with:
           name: aggregated-reports-${{ needs.containers-to-build.outputs.pr_num_tag }}
-          path: reports-${{ needs.containers-to-build.outputs.pr_num_tag }}
+          path: aggregated-reports
diff --git a/infrastructure/modules/acme-certificate/README.md b/infrastructure/modules/acme-certificate/README.md
@@ -9,9 +9,9 @@ A Terraform module to obtain a publicly trusted SSL certificate from the Let's E
 - Automates [DNS-01 challenges](https://letsencrypt.org/docs/challenge-types/) via the [Lego azuredns](https://go-acme.github.io/lego/dns/azuredns/) provider.
 - Handles Lego's requirement for authoritative NS records on the leaf zone. e.g. if you need a certificate for `www.private.example.com` but only have a zone for `example.com`, you can use CNAME redirection (see examples below).
 - CNAME redirection of DNS challenge records, including optional creation of corresponding CNAMEs in Azure Private DNS zones to satisfy Lego's local checks (wildcards supported).
-- Stores certificates in Azure Key Vault as Certificate objects.
+- Stores the issued certificate in Azure Key Vault as a Certificate object.
 - Also stores the certificate as a `.pfx` file in a base64-encoded Key Vault Secret with a strong randomised password, for compatibility with consumers that cannot use Certificate objects.
-- Supports multiple subscriptions (e.g. hub/spoke models).
+- Supports multiple subscriptions (e.g. hub/spoke solution designs).
 - Supports multiple Azure regions.
 
 ## Example Usage

diff --git a/infrastructure/modules/container-app-environment/tfdocs.md b/infrastructure/modules/container-app-environment/tfdocs.md
@@ -42,7 +42,7 @@ Default: `"UK South"`
 
 ### <a name="input_private_dns_zone_rg_name"></a> [private\_dns\_zone\_rg\_name](#input\_private\_dns\_zone\_rg\_name)
 
-Description: Name of the hub resource group where the private DNS zone is located. This is only required if adding custom DNS records, for instance when hosting container apps with an HTTP ingress..
+Description: Name of the hub resource group where the private DNS zone is located. This is only required if adding custom DNS records, for instance when hosting container apps with an HTTP ingress.
 
 Type: `string`
 

diff --git a/infrastructure/modules/function-app/main.tf b/infrastructure/modules/function-app/main.tf
@@ -21,8 +21,8 @@ resource "azurerm_linux_function_app" "function_app" {
   # }
 
   identity {
-    type         = "SystemAssigned, UserAssigned"
-    identity_ids = var.assigned_identity_ids
+    type         = length(var.assigned_identity_ids) > 0 ? "SystemAssigned, UserAssigned" : "SystemAssigned"
+    identity_ids = length(var.assigned_identity_ids) > 0 ? var.assigned_identity_ids : null
   }
 
   site_config {
@@ -75,6 +75,11 @@ resource "azurerm_linux_function_app" "function_app" {
   storage_uses_managed_identity = var.storage_uses_managed_identity
 
   tags = var.tags
+
+  # To prevent Terraform removing 'hidden-link:' tagging created automatically by AzureRM
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 
 /* --------------------------------------------------------------------------------------------------

diff --git a/infrastructure/modules/function-app/tfdocs.md b/infrastructure/modules/function-app/tfdocs.md
@@ -10,12 +10,6 @@ Description: The login server for the Azure Container Registry.
 
 Type: `string`
 
-### <a name="input_acr_mi_client_id"></a> [acr\_mi\_client\_id](#input\_acr\_mi\_client\_id)
-
-Description: The Managed Identity Id for the Azure Container Registry.
-
-Type: `any`
-
 ### <a name="input_ai_connstring"></a> [ai\_connstring](#input\_ai\_connstring)
 
 Description: The App Insights connection string.
@@ -40,18 +34,6 @@ Description: The ID of the AppServicePlan.
 
 Type: `string`
 
-### <a name="input_assigned_identity_ids"></a> [assigned\_identity\_ids](#input\_assigned\_identity\_ids)
-
-Description: The list of User Assigned Identity IDs to assign to the Function App.
-
-Type: `list(string)`
-
-### <a name="input_cont_registry_use_mi"></a> [cont\_registry\_use\_mi](#input\_cont\_registry\_use\_mi)
-
-Description: Should connections for Azure Container Registry use Managed Identity.
-
-Type: `any`
-
 ### <a name="input_function_app_name"></a> [function\_app\_name](#input\_function\_app\_name)
 
 Description: Name of the Function App
@@ -145,6 +127,14 @@ Type: `bool`
 
 The following input variables are optional (have default values):
 
+### <a name="input_acr_mi_client_id"></a> [acr\_mi\_client\_id](#input\_acr\_mi\_client\_id)
+
+Description: The Managed Identity Id for the Azure Container Registry.
+
+Type: `any`
+
+Default: `null`
+
 ### <a name="input_always_on"></a> [always\_on](#input\_always\_on)
 
 Description: Should the Function App be always on. Override standard default.
@@ -161,6 +151,22 @@ Type: `map`
 
 Default: `{}`
 
+### <a name="input_assigned_identity_ids"></a> [assigned\_identity\_ids](#input\_assigned\_identity\_ids)
+
+Description: The list of User Assigned Identity IDs to assign to the Function App.
+
+Type: `list(string)`
+
+Default: `[]`
+
+### <a name="input_cont_registry_use_mi"></a> [cont\_registry\_use\_mi](#input\_cont\_registry\_use\_mi)
+
+Description: Should connections for Azure Container Registry use Managed Identity.
+
+Type: `bool`
+
+Default: `false`
+
 ### <a name="input_cors_allowed_origins"></a> [cors\_allowed\_origins](#input\_cors\_allowed\_origins)
 
 Description: n/a

diff --git a/infrastructure/modules/function-app/variables.tf b/infrastructure/modules/function-app/variables.tf
@@ -5,6 +5,7 @@ variable "acr_login_server" {
 
 variable "acr_mi_client_id" {
   description = "The Managed Identity Id for the Azure Container Registry."
+  default     = null
 }
 
 variable "ai_connstring" {
@@ -41,10 +42,12 @@ variable "asp_id" {
 variable "assigned_identity_ids" {
   type        = list(string)
   description = "The list of User Assigned Identity IDs to assign to the Function App."
+  default     = []
 }
 
 variable "cont_registry_use_mi" {
   description = "Should connections for Azure Container Registry use Managed Identity."
+  default     = false
 }
 
 variable "cors_allowed_origins" {

diff --git a/infrastructure/modules/service-bus-subscription/tfdocs.md b/infrastructure/modules/service-bus-subscription/tfdocs.md
@@ -16,12 +16,6 @@ Description: The name of the Service Bus namespace.
 
 Type: `string`
 
-### <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name)
-
-Description: The name of the resource group containing the Service Bus namespace.
-
-Type: `string`
-
 ### <a name="input_service_bus_namespace_id"></a> [service\_bus\_namespace\_id](#input\_service\_bus\_namespace\_id)
 
 Description: The ID of the Service Bus namespace resource for role assignment scope.
@@ -34,7 +28,7 @@ Description: The name of the Service Bus subscription.
 
 Type: `string`
 
-### <a name="input_topic_name"></a> [topic\_name](#input\_topic\_name)
+### <a name="input_topic_id"></a> [topic\_id](#input\_topic\_id)
 
 Description: The name of the Service Bus topic.
 
@@ -52,14 +46,6 @@ Type: `number`
 
 Default: `10`
 
-### <a name="input_tags"></a> [tags](#input\_tags)
-
-Description: A map of tags to assign to the subscription.
-
-Type: `map(string)`
-
-Default: `{}`
-
 
 ## Resources
 

diff --git a/infrastructure/modules/service-bus/tfdocs.md b/infrastructure/modules/service-bus/tfdocs.md
@@ -132,8 +132,16 @@ The following outputs are exported:
 
 Description: n/a
 
+### <a name="output_namespace_name"></a> [namespace\_name](#output\_namespace\_name)
+
+Description: n/a
+
 ### <a name="output_servicebus_connection_string"></a> [servicebus\_connection\_string](#output\_servicebus\_connection\_string)
 
+Description: n/a
+
+### <a name="output_topic_ids"></a> [topic\_ids](#output\_topic\_ids)
+
 Description: n/a
 ## Resources
 

diff --git a/infrastructure/modules/storage/main.tf b/infrastructure/modules/storage/main.tf
@@ -30,6 +30,14 @@ resource "azurerm_storage_container" "container" {
   container_access_type = each.value.container_access_type
 }
 
+resource "azurerm_storage_queue" "queue" {
+  for_each = var.queues != null ? toset(var.queues) : toset([])
+
+  name                 = each.value
+  storage_account_name = azurerm_storage_account.storage_account.name
+}
+
+
 /* --------------------------------------------------------------------------------------------------
   Private Endpoint Configuration
 -------------------------------------------------------------------------------------------------- */

diff --git a/infrastructure/modules/storage/tfdocs.md b/infrastructure/modules/storage/tfdocs.md
@@ -6,7 +6,7 @@ The following input variables are required:
 
 ### <a name="input_containers"></a> [containers](#input\_containers)
 
-Description: Definition of Containers configuration
+Description: Definition of Storage Containers configuration
 
 Type:
 
@@ -115,6 +115,14 @@ Type: `bool`
 
 Default: `false`
 
+### <a name="input_queues"></a> [queues](#input\_queues)
+
+Description: List of Storage Queues to create.
+
+Type: `list(string)`
+
+Default: `[]`
+
 ### <a name="input_rbac_roles"></a> [rbac\_roles](#input\_rbac\_roles)
 
 Description: List of RBAC roles to assign to the Storage Account.
@@ -213,4 +221,5 @@ The following resources are used by this module:
 
 - [azurerm_storage_account.storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) (resource)
 - [azurerm_storage_container.container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) (resource)
+- [azurerm_storage_queue.queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) (resource)
 - [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) (data source)
diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf
@@ -44,7 +44,7 @@ variable "blob_properties_versioning_enabled" {
 }
 
 variable "containers" {
-  description = "Definition of Containers configuration"
+  description = "Definition of Storage Containers configuration"
   type = map(object({
     container_name        = string
     container_access_type = string
@@ -98,6 +98,12 @@ variable "public_network_access_enabled" {
   default     = false
 }
 
+variable "queues" {
+  description = "List of Storage Queues to create."
+  type        = list(string)
+  default     = []
+}
+
 variable "rbac_roles" {
   description = "List of RBAC roles to assign to the Storage Account."
   type        = list(string)

diff --git a/scripts/deployments/get-docker-names.sh b/scripts/deployments/get-docker-names.sh
@@ -141,7 +141,7 @@ done
 
 if [ ${#non_matched_changes[@]} -ne 0 ]; then
     # Remove duplicates (non-matched items across several compose files)
-    unique_changes=("$(printf "%s\n" "${non_matched_changes[@]}" | sort -u)")
+    mapfile -t unique_changes < <(printf "%s\n" "${non_matched_changes[@]}" | sort -u)
 
     warning_message=$(
         cat <<EOF