NHSDigital · josielsouzanordcloud · Aug 19, 2025 · Aug 13, 2025 · Aug 13, 2025 · Aug 13, 2025
diff --git a/.azuredevops/pipelines/delete-review-app.yml b/.azuredevops/pipelines/delete-review-app.yml
@@ -0,0 +1,46 @@
+trigger: none
+pr: none
+
+parameters:
+  - name: commitSHA
+    displayName: Commit SHA
+    type: string
+  - name: prNumber
+    displayName: Pull request number
+    type: string
+
+stages:
+  - stage: review
+    displayName: Delete review app
+    pool:
+      name: private-pool-dev-uks
+    isSkippable: false
+
+    jobs:
+      - deployment: DeleteReviewApp
+        displayName: Delete review app
+        environment: review
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+
+                - task: TerraformInstaller@1
+                  displayName: Install terraform
+                  inputs:
+                    terraformVersion: 1.7.0
+
+                - task: AzureCLI@2
+                  displayName: Run terraform
+                  inputs:
+                    azureSubscription: manbrs-review
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: |
+                      export ARM_TENANT_ID="$tenantId"
+                      export ARM_CLIENT_ID="$servicePrincipalId"
+                      export ARM_OIDC_TOKEN="$idToken"
+                      export ARM_USE_OIDC=true
+                      make ci review terraform-destroy DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }} PR_NUMBER=${{ parameters.prNumber }}
diff --git a/.azuredevops/pipelines/deploy.yml b/.azuredevops/pipelines/deploy.yml
@@ -5,54 +5,56 @@ parameters:
   - name: commitSHA
     displayName: Commit SHA
     type: string
-  - name: environments
-    type: object
-    default:
-      - dev
+  - name: environment
+    displayName: Environment
+    type: string
+  - name: prNumber
+    displayName: Pull request number
+    type: string
+    default: ''
 
 stages:
-  - ${{ each env in parameters.environments }}:
-      - stage: ${{ env }}
-        displayName: Deploy to ${{ env }} environment
-        pool:
-          name: private-pool-dev-uks
-        lockBehavior: sequential
-        isSkippable: false
+  - stage: ${{ parameters.environment }}
+    displayName: Deploy to ${{ parameters.environment }} environment
+    pool:
+      name: private-pool-dev-uks
+    lockBehavior: sequential
+    isSkippable: false
 
-        jobs:
-          - deployment: DeployApp
-            displayName: Deploy application
-            environment: ${{ env }}
-            strategy:
-              runOnce:
-                deploy:
-                  steps:
-                    - checkout: self
+    jobs:
+      - deployment: DeployApp
+        displayName: Deploy application
+        environment: ${{ parameters.environment }}
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
 
-                    - task: TerraformInstaller@1
-                      displayName: Install terraform
-                      inputs:
-                        terraformVersion: 1.7.0
+                - task: TerraformInstaller@1
+                  displayName: Install terraform
+                  inputs:
+                    terraformVersion: 1.7.0
 
-                    - task: AzureCLI@2
-                      displayName: Run terraform
-                      inputs:
-                        azureSubscription: manbrs-${{ env }}
-                        scriptType: bash
-                        scriptLocation: inlineScript
-                        addSpnToEnvironment: true
-                        inlineScript: |
-                          export ARM_TENANT_ID="$tenantId"
-                          export ARM_CLIENT_ID="$servicePrincipalId"
-                          export ARM_OIDC_TOKEN="$idToken"
-                          export ARM_USE_OIDC=true
-                          make ci ${{ env }} terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }}
+                - task: AzureCLI@2
+                  displayName: Run terraform
+                  inputs:
+                    azureSubscription: manbrs-${{ parameters.environment }}
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: |
+                      export ARM_TENANT_ID="$tenantId"
+                      export ARM_CLIENT_ID="$servicePrincipalId"
+                      export ARM_OIDC_TOKEN="$idToken"
+                      export ARM_USE_OIDC=true
+                      make ci ${{ parameters.environment }} terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }} PR_NUMBER=${{ parameters.prNumber }}
 
-                    - task: AzureCLI@2
-                      displayName: Run database migration
-                      inputs:
-                        azureSubscription: manbrs-${{ env }}
-                        scriptType: bash
-                        scriptLocation: inlineScript
-                        addSpnToEnvironment: true
-                        inlineScript: ./scripts/bash/db_migrate.sh ${{ env }}
+                - task: AzureCLI@2
+                  displayName: Run database migration
+                  inputs:
+                    azureSubscription: manbrs-${{ parameters.environment }}
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: ./scripts/bash/db_migrate.sh ${{ parameters.environment }} ${{ parameters.prNumber }}
diff --git a/.github/workflows/cicd-1-pull-request-closed.yaml b/.github/workflows/cicd-1-pull-request-closed.yaml
@@ -0,0 +1,46 @@
+name: Delete review app
+
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  destroy:
+    if: contains(github.event.pull_request.labels.*.name, 'deploy')
+    name: Delete review app pr-${{ github.event.pull_request.number }}
+    permissions:
+      id-token: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    environment: review
+    concurrency: deploy-review-${{ github.ref }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Call delete review app pipeline
+        run: |
+          echo "Starting Azure devops pipeline \"Delete review app\"..."
+          RUN_ID=$(az pipelines run \
+            --commit-id ${{ github.event.pull_request.head.sha }}\
+            --name "Delete review app"\
+            --org https://dev.azure.com/nhse-dtos \
+            --project dtos-manage-breast-screening \
+            --parameters commitSHA=${{ github.event.pull_request.head.sha }} prNumber=${{ github.event.pull_request.number }} \
+            --output tsv --query id)
+
+          scripts/bash/wait_ado_pipeline.sh "$RUN_ID" https://dev.azure.com/nhse-dtos dtos-manage-breast-screening
+
+      - name: Post URL to PR comments
+        uses: marocchino/sticky-pull-request-comment@8ac02941f254c53fbda0cf44288785e1367e13bf
+        with:
+          message: |
+            The review app at this URL has been deleted:
+            https://pr-${{ github.event.pull_request.number }}.manage-breast-screening.non-live.screening.nhs.uk
diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml
@@ -2,7 +2,7 @@ name: 'CI/CD pull request'
 
 on:
   pull_request:
-    types: [opened, reopened, synchronize]
+    types: [opened, reopened, synchronize, labeled]
 
 jobs:
   metadata:
@@ -72,3 +72,30 @@ jobs:
       terraform_version: '${{ needs.metadata.outputs.terraform_version }}'
       version: '${{ needs.metadata.outputs.version }}'
     secrets: inherit
+  deploy-stage:
+    if: contains(github.event.pull_request.labels.*.name, 'deploy')
+    name: Deploy review app pr-${{ github.event.pull_request.number }}
+    needs: [build-stage]
+    permissions:
+      id-token: write
+    uses: ./.github/workflows/stage-4-deploy.yaml
+    with:
+      environments: "[\"review\"]"
+      commit_sha: ${{ github.event.pull_request.head.sha }}
+      pr_number: ${{ github.event.pull_request.number }}
+    secrets: inherit
+  post-url:
+    if: contains(github.event.pull_request.labels.*.name, 'deploy')
+    name: Post URL pr-${{ github.event.pull_request.number }} to PR comments
+    runs-on: ubuntu-latest
+    needs: [deploy-stage]
+    permissions:
+      pull-requests: write
+    steps:
+    - name: Post URL to PR comments
+      uses: marocchino/sticky-pull-request-comment@8ac02941f254c53fbda0cf44288785e1367e13bf
+      with:
+        message: |
+          The review app is available at this URL:
+          https://pr-${{ github.event.pull_request.number }}.manage-breast-screening.non-live.screening.nhs.uk
+          You must authenticate with Entra ID
diff --git a/.github/workflows/cicd-2-main-branch.yaml b/.github/workflows/cicd-2-main-branch.yaml
@@ -85,5 +85,6 @@ jobs:
       id-token: write
     uses: ./.github/workflows/stage-4-deploy.yaml
     with:
+      environments: "[\"review\",\"dev\"]"
       commit_sha: ${{ github.sha }}
     secrets: inherit
diff --git a/.github/workflows/stage-4-deploy.yaml b/.github/workflows/stage-4-deploy.yaml
@@ -3,16 +3,29 @@ name: Deployment stage
 on:
   workflow_call:
     inputs:
+      environments:
+        description: List of environments to deploy to (String array)
+        required: true
+        type: string
       commit_sha:
         description: Commit SHA used to fetch ADO pipeline and docker image
         required: true
         type: string
+      pr_number:
+        description: Pull request number when used in a pull request
+        required: false
+        type: string
 
 jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
-    environment: azure
+    strategy:
+      matrix:
+        environment: ${{ fromJson(inputs.environments) }}
+      max-parallel: 1
+    environment: ${{ matrix.environment }}
+    concurrency: deploy-${{ matrix.environment }}-${{ github.ref }}
 
     steps:
       - name: Checkout code
@@ -26,5 +39,13 @@ jobs:
 
       - name: Call deployment pipeline
         run: |
-          az pipelines run --commit-id ${{inputs.commit_sha}} --name "Deploy to Azure" --org https://dev.azure.com/nhse-dtos --project dtos-manage-breast-screening \
-            --parameters commitSHA=${{inputs.commit_sha}}
+          echo "Starting Azure devops pipeline \"Deploy to Azure - ${{ matrix.environment }}\"..."
+          RUN_ID=$(az pipelines run \
+            --commit-id ${{inputs.commit_sha}} \
+            --name "Deploy to Azure - ${{ matrix.environment }}" \
+            --org https://dev.azure.com/nhse-dtos \
+            --project dtos-manage-breast-screening \
+            --parameters commitSHA=${{inputs.commit_sha}} prNumber=${{inputs.pr_number}} environment=${{ matrix.environment }} \
+            --output tsv --query id)
+
+          scripts/bash/wait_ado_pipeline.sh "$RUN_ID" https://dev.azure.com/nhse-dtos dtos-manage-breast-screening
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -10,5 +10,10 @@ manage_breast_screening/templates/components/pagination/template.njk:ipv4:26
 infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:10
 infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:11
 infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:12
-infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:80
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:29
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:30
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:31
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:32
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:33
 infrastructure/terraform/resource_group_init/storage.bicep:generic-api-key:59
+infrastructure/terraform/resource_group_init/keyVault.bicep:generic-api-key:10
diff --git a/README.md b/README.md
@@ -110,58 +110,9 @@ To generate a new app, run:
 poetry run ./manage.py startapp <app_name> manage_breast_screening/`
 ```
 
-## Manual Deployment
+## Deployment
 
-The build pipeline builds and pushes a docker image to [Github container registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry). The app is deployed to an [Azure container app](https://azure.microsoft.com/en-us/products/container-apps) using terraform.
-
-For each environment, e.g. 'dev':
-
-1. Connect to [Azure virtual desktop](https://azure.microsoft.com/en-us/products/virtual-desktop). Ask the platform team for access with Administrator role.
-1. If not present, install the following software: terraform (version 1.7.0), git, make, jq.
-   - Run a Command prompt as administrator
-   - choco install terraform --version 1.7.0
-   - choco install terraform git make jq
-1. Open git bash
-1. Clone the repository: `git clone https://github.com/NHSDigital/dtos-manage-breast-screening.git`
-1. Enter the directory and select the branch, tag, commit...
-1. Login: `az login`
-1. Create the resource group: `make dev resource-group-init`. This is only required when creating the environment from scratch.
-1. Deploy:
-   ```shell
-   make dev terraform-plan DOCKER_IMAGE_TAG=git-sha-af32637e7e6a07e36158dcb8d7ed90be49be1xyz
-   ```
-1. The web app URL will be displayed as output. Copy it into a browser on the AVD to access the app.
-
-## Manual deployment of the review environments
-
-Review environments differ slightly from other environments. They are lightweight versions of the application and are designed to share much of the core Azure infrastructure. As a result, there is a one-to-many relationship between the container apps and the container app environment.
-
-### Step 1
-If you run the following command *without* the `PR_NUMBER` parameter, it will apply only the infrastructure module:
-
-```shell
-make review terraform-apply
-```
-
-### Step 2
-
-If you include the `PR_NUMBER` parameter, it will apply the container_app module instead of the infrastructure module:
-
-```shell
-make review terraform-apply DOCKER_IMAGE_TAG=git-sha-01ecb79d561f55be60072a093dd167fe8eb5b42e PR_NUMBER=123
-```
-
-## Continuous deployment
-
-When a PR is merged, Github actions securely triggers the deployment pipeline on the Azure devops pool running on the internal network. It currently deploys the dev environment automatically.
-
-Access [Azure devops](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build?definitionId=86) to see the pipeline.
-
-## Application secrets
-
-The app requires secrets provided as environment variables. Terraform creates an Azure key vault and all its secrets are mapped directly to the app as environment variables. Devs can access the key vault to create and update the secrets manually.
-
-Note [the process requires multiple steps](https://github.com/NHSDigital/dtos-devops-templates/tree/main/infrastructure/modules/container-app#key-vault-secrets) to set up an environment initially.
+See [Deployment](docs/infrastructure/deployment.md).
 
 ## Contributing