@josielsouzanordcloud
Contributor

Description

This PR introduces the production environment configuration for the NHS Digital breast screening management service, implementing secure infrastructure patterns and enhanced RBAC permissions for Entra ID groups using Azure Bicep templates.

Jira link

Changes Made
Production Environment Configuration

  • Added comprehensive production Terraform variables
  • Set production DNS zone (manage-breast-screening.nhs.uk)
  • Enabled secure Key Vault integration (fetch_secrets_from_app_key_vault = true)
  • Configured Front Door profile for production traffic (afd-live-hub-manbrs)
  • Set geo-redundant PostgreSQL backups for business continuity
  • Disabled demo data seeding for production environment
  • Enabled production monitoring and alerting

Enhanced Infrastructure Security

  • Updated Bicep templates for resource group initialisation
  • Implemented RBAC role assignments for Entra ID groups
  • Added proper permission inheritance patterns
  • Enhanced security model supporting both managed identities and groups
  • Implemented conditional RBAC assignments with appropriate scoping

Security & Compliance Features

Following Azure best practices:

  • Key Vault Protection: Enabled with secure secret management
  • Network Security: Production VNET configuration (10.11.0.0/16)
  • Data Protection: Geo-redundant backups with 7-day retention
  • Access Control: Enhanced RBAC for Entra ID groups
  • Monitoring: Production alerting enabled
  • API Security: Secure OAuth2 token endpoints configured

Infrastructure Highlights

  • Front Door Profile: afd-live-hub-manbrs for global load balancing
  • Database: PostgreSQL with geo-redundant backups
  • Networking: Dedicated production VNET with proper segmentation
  • Secrets Management: Azure Key Vault integration
  • Monitoring: Azure Monitor with production alerting rules

@josielsouzanordcloud josielsouzanordcloud force-pushed the DTOSS-11293-create-prod-environment branch from 63365dc to 10ea648 Compare October 22, 2025 14:40
@josielsouzanordcloud josielsouzanordcloud force-pushed the DTOSS-11293-create-prod-environment branch from c0f3331 to 0db733e Compare October 22, 2025 14:52
@josielsouzanordcloud josielsouzanordcloud force-pushed the DTOSS-11293-create-prod-environment branch 2 times, most recently from 9bb560d to 27918a6 Compare October 23, 2025 09:49
```hcl
variable "seed_demo_data" {
  description = "Whether or not to seed the demo data in the database."
  type        = bool
  default     = false
}
```
Contributor

I thought we were not going to put defaults on child modules to make them more transferable?

Contributor

@mrlockstar mrlockstar Oct 23, 2025


Instead we put the defaults in

infrastructure/terraform/variables.tf

Take heed that all the other variables in this file (infrastructure/modules/container-apps/variables.tf) do not have defaults.

Contributor Author


Hi @mrlockstar, I've got a request from @saliceti to apply default values and remove these values from variables when appropriate, and I judged this to be one.

Happy to change if we all think it should be in the infrastructure/terraform/variables.tf

Contributor


Yes we agreed to centralise default values at root module level

Contributor Author


Fixed as agreed.
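
The pattern agreed in the thread above, written out as an added illustration rather than code taken from the PR: the child module declares `seed_demo_data` with no default, the root module is the single place the default lives, and the root passes the value through explicitly. The root `main.tf` path, the `container_apps` module block name, and the per-environment tfvars file are assumptions.

```hcl
# infrastructure/modules/container-apps/variables.tf
# Child module: no default, so every caller must state the value explicitly
# and the module stays transferable between stacks.
variable "seed_demo_data" {
  description = "Whether or not to seed the demo data in the database."
  type        = bool
}

# infrastructure/terraform/variables.tf
# Root module: the one place a default lives. false is the safe default,
# so an environment (production included) only gets demo data when it opts in.
variable "seed_demo_data" {
  description = "Whether or not to seed the demo data in the database."
  type        = bool
  default     = false
}

# infrastructure/terraform/main.tf (assumed path and module block name)
# The root passes the value through; the child never silently falls back
# to its own default, so the effective setting is visible in one place.
module "container_apps" {
  source         = "../modules/container-apps"
  seed_demo_data = var.seed_demo_data
}

# infrastructure/terraform/environments/dev.tfvars (assumed per-environment file)
# Only environments that differ from the root default set the variable;
# production sets nothing and inherits false.
seed_demo_data = true
```

With this layout, `terraform plan` for production shows `seed_demo_data = false` without the value appearing in any production tfvars, which is the outcome the later "remove ... variables with default values the same as values set" commit aims for.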

@josielsouzanordcloud josielsouzanordcloud force-pushed the DTOSS-11293-create-prod-environment branch from 005bf70 to 9b38485 Compare October 23, 2025 10:11
```hcl
storage_queues = ["notifications-message-status-updates", "notifications-message-batch-retries"]

always_allowed_paths = ["/sha"]
NO_OP_DATE = "0 0 31 2 *"
```
Contributor


Is this used?

… RBAC

- Add production Terraform variables configuration
- Enable secure Key Vault integration for secret management
- Configure production DNS (manage-breast-screening.nhs.uk)
- Enable geo-redundant PostgreSQL backups for data protection
- Set up production API endpoints and Front Door profile
- Disable demo data seeding for production environment
- Enable alerting and monitoring for production workloads
- Enhance resource group init with RBAC for Entra ID groups
- Implement group-based permission model in Bicep templates
- Enable use_apex_domain to the environment

Breaking changes: None (new production environment)
Security: Key Vault protection and RBAC groups enabled

Add false positive rbac role GUID entries to .gitleaksignore

rename variables and remove from variables.yml and variables.tfvars variables with default values the same as values set

including '/healthcheck' as always_allowed_paths on Front Door

removing default value with module and let in root

removing unused variable NO_OP_DATE
@josielsouzanordcloud josielsouzanordcloud force-pushed the DTOSS-11293-create-prod-environment branch from a41c547 to 8064b5c Compare October 23, 2025 10:26
@josielsouzanordcloud josielsouzanordcloud merged commit 5c34e7e into main Oct 23, 2025
12 checks passed
@josielsouzanordcloud josielsouzanordcloud deleted the DTOSS-11293-create-prod-environment branch October 23, 2025 12:54