NHSDigital · robertnovac1 · Jul 23, 2025 · Jul 10, 2025 · Jul 11, 2025 · Jul 11, 2025
diff --git a/azure/templates/post-deploy.yml b/azure/templates/post-deploy.yml
@@ -41,8 +41,6 @@ steps:
       set -e
       if ! [[ $APIGEE_ENVIRONMENT =~ .*-*sandbox ]]; then
         export AWS_PROFILE=apim-dev
-        aws_account_no="$(aws sts get-caller-identity --query Account --output text)"
-
         service_name=$(FULLY_QUALIFIED_SERVICE_NAME)
 
         pr_no=$(echo $service_name | { grep -oE '[0-9]+$' || true; })
@@ -58,10 +56,10 @@ steps:
         echo Apigee environment: $APIGEE_ENVIRONMENT
         echo pr_no: $pr_no
 
-          cd terraform
+        cd terraform
 
         make init
-        make apply aws_account_no=${aws_account_no} environment=$workspace
+        make apply environment=${{ parameters.aws_account_type }} sub_environment=$workspace
 
         AWS_DOMAIN_NAME=$(make -s output name=service_domain_name)
         IMMS_DELTA_TABLE_NAME=$(make -s output name=imms_delta_table_name)

diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
diff --git a/terraform/Makefile b/terraform/Makefile
@@ -1,30 +1,33 @@
 -include .env
 
-interactionId=$(environment)
+environment        ?= $(ENVIRONMENT)
+sub_environment    ?= $(SUB_ENVIRONMENT)
+sub_environment_dir := $(if $(findstring pr-,$(sub_environment)),pr,$(sub_environment))
 
-aws_profile = apim-dev
-tf_cmd = AWS_PROFILE=$(aws_profile) terraform
+tf_cmd = AWS_PROFILE=$(AWS_PROFILE) terraform
 
-project_name = immunisation
-project_short_name = imms
-state_bucket = $(project_name)-$(APIGEE_ENVIRONMENT)-terraform-state-files
-tf_state= -backend-config="bucket=$(state_bucket)"
+bucket_name = $(if $(filter dev,$(environment)),immunisation-$(sub_environment),immunisation-$(environment))-terraform-state-files
 
-tf_vars= -var="project_name=$(project_name)" -var="project_short_name=$(project_short_name)"
+tf_state = -backend-config="bucket=$(bucket_name)"
 
-.PHONY : lock-provider workspace init plan apply clean destroy output state-list lambda-zip catch-all-zip
+tf_vars = \
+  -var="sub_environment=$(sub_environment)" \
+  -var-file="./environments/$(environment)/$(sub_environment_dir)/variables.tfvars"
 
 lock-provider:
 	# Run this only when you install a new terraform provider. This will generate sha code in lock file for all platform
 	echo "This may take a while. Be patient!"
 	$(tf_cmd) providers lock -platform=darwin_arm64 -platform=darwin_amd64 -platform=linux_amd64 -platform=windows_amd64
 
 workspace:
-	$(tf_cmd) workspace new $(environment) || $(tf_cmd) workspace select $(environment) && echo "Switched to workspace/environment: $(environment)"
+	$(tf_cmd) workspace new $(sub_environment) || $(tf_cmd) workspace select $(sub_environment) && echo "Switched to workspace/environment: $(sub_environment)"
 
 init:
 	$(tf_cmd) init $(tf_state) -upgrade  $(tf_vars)
 
+init-reconfigure:
+	$(tf_cmd) init $(tf_state) -upgrade $(tf_vars) -reconfigure
+
 plan: workspace
 	 $(tf_cmd) plan $(tf_vars)
 
@@ -40,7 +43,7 @@ clean:
 destroy: workspace
 	$(tf_cmd) destroy $(tf_vars) -auto-approve
 	$(tf_cmd) workspace select default
-	$(tf_cmd) workspace delete $(environment)
+	$(tf_cmd) workspace delete $(sub_environment)
 
 output:
 	$(tf_cmd) output -raw $(name)
@@ -59,3 +62,5 @@ catch-all-zip:
 
 tf-%:
 	$(tf_cmd) $*
+
+.PHONY : lock-provider workspace init plan apply clean destroy output state-list lambda-zip catch-all-zip
diff --git a/terraform/README.md b/terraform/README.md
@@ -1,17 +1,31 @@
-# immunisation-fhir-api Terraform
+# About
+The Terraform configuration in this folder is executed in each PR and sets up lambdas associated with the PR. Once the PR is merged, it will be used by the release pipeline to deploy to INT and REF. This is also run by the production release pipeline to deploy the lambdas to the prod blue and green sub environments.
 
-## Setup for local dev
+## Environments Structure
 
-Add your workspace name to the env file. This is usually your shortcode.
+Terraform is executed via a `Makefile`.
+The environment-specific configuration is structured as follows:
 
-```shell
-echo environment=your-shortcode >> .env
-make init
-make workspace
-make apply
+    environments/
+    └── <ENVIRONMENT>/ # e.g. dev, int, prod (AWS account name)
+        └── <SUB_ENVIRONMENT_DIR> / # e.g. pr, internal-dev
+            └── variables.tfvars
+
+The `Makefile` automatically reads the `.env` file to determine the correct `variables.tfvars` file to use, allowing customization of infrastructure for each sub-environment.
+
+## Run locally
+1. Create a `.env` file with the following values:
+```dotenv
+ENVIRONMENT=dev # Target AWS account (e.g., dev, int, prod)
+SUB_ENVIRONMENT=pr-123 # Sub-environment (e.g., pr-57, internal-dev)
+AWS_REGION=eu-west-2
+AWS_PROFILE=your-aws-profile
 ```
+2. Run `make init` to download providers and dependencies
+3. Run `make plan` to output plan with the changes that terraform will perform
+4. **WARNING**: Run `make apply` only after thoroughly reviewing the plan as this might destroy or modify existing infrastructure
 
-See the Makefile for other commands.
+Note: If you switch environment configuration in .env ensure that you run `make init-reconfigure` to reconfigure the backend to prevent migrating the existing state to the new backend.
 
-If you want to apply Terraform to a workspace created by a PR you can set the above environment to the PR number.
+If you want to apply Terraform to a workspace created by a PR you can set the above SUB_ENVIRONMENT to the `PR-number` and ENVIRONMENT set to `dev`.
 E.g. `pr-57`. You can use this to test out changes when tests fail in CI.
diff --git a/terraform/ack_lambda.tf b/terraform/ack_lambda.tf
@@ -68,7 +68,7 @@ resource "aws_ecr_repository_policy" "ack_lambda_ECRImageRetreival_policy" {
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}-ack-lambda"
+            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-ack-lambda"
           }
         }
       }
@@ -105,7 +105,7 @@ resource "aws_iam_policy" "ack_lambda_exec_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
-        Resource = "arn:aws:logs:eu-west-2:${local.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-ack-lambda:*"
+        Resource = "arn:aws:logs:eu-west-2:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-ack-lambda:*"
       },
       {
         Effect = "Allow"
@@ -148,7 +148,7 @@ resource "aws_iam_policy" "ack_lambda_exec_policy" {
           "sqs:DeleteMessage",
           "sqs:GetQueueAttributes"
         ],
-      Resource = "arn:aws:sqs:eu-west-2:${local.immunisation_account_id}:${local.short_prefix}-ack-metadata-queue.fifo" },
+      Resource = "arn:aws:sqs:eu-west-2:${var.immunisation_account_id}:${local.short_prefix}-ack-metadata-queue.fifo" },
       {
         "Effect" : "Allow",
         "Action" : [
@@ -216,7 +216,7 @@ resource "aws_lambda_function" "ack_processor_lambda" {
     variables = {
       ACK_BUCKET_NAME            = aws_s3_bucket.batch_data_destination_bucket.bucket
       SPLUNK_FIREHOSE_NAME       = module.splunk.firehose_stream_name
-      ENVIRONMENT                = terraform.workspace
+      ENVIRONMENT                = var.sub_environment
       AUDIT_TABLE_NAME           = aws_dynamodb_table.audit-table.name
       FILE_NAME_PROC_LAMBDA_NAME = aws_lambda_function.file_processor_lambda.function_name
     }

diff --git a/terraform/api_gateway/acm_cert.tf b/terraform/api_gateway/acm_cert.tf
diff --git a/terraform/api_gateway/api.tf b/terraform/api_gateway/api.tf
diff --git a/terraform/api_gateway/variables.tf b/terraform/api_gateway/variables.tf
diff --git a/terraform/configs.tf b/terraform/configs.tf
diff --git a/terraform/delta.tf b/terraform/delta.tf
@@ -69,7 +69,7 @@ resource "aws_ecr_repository_policy" "delta_lambda_ECRImageRetreival_policy" {
         ],
         "Condition" : {
           "StringLike" : {
-            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${local.immunisation_account_id}:function:${local.short_prefix}-${local.function_name}"
+            "aws:sourceArn" : "arn:aws:lambda:eu-west-2:${var.immunisation_account_id}:function:${local.short_prefix}-${local.function_name}"
           }
         }
       }

diff --git a/terraform/dps_role_creation.tf b/terraform/dps_role_creation.tf
@@ -6,7 +6,7 @@ resource "aws_iam_role" "dynamo_s3_access_role" {
       {
         Effect : "Allow",
         Principal : {
-          AWS : "arn:aws:iam::${local.dspp_core_account_id}:root"
+          AWS : "arn:aws:iam::${var.dspp_core_account_id}:root"
         },
         Action : "sts:AssumeRole"
       }
@@ -22,7 +22,7 @@ resource "aws_iam_role_policy" "dynamo_s3_access_policy" {
     Statement = [
       {
         Effect = "Allow",
-        Action = local.environment == "prod" ? [
+        Action = var.environment == "prod" ? [
           "dynamodb:GetItem",
           "dynamodb:Query"
           ] : [