Merge branch 'main' into dependabot/npm_and_yarn/rollup/plugin-node-resolve-16.0.3

Themitchell · web-flow · commit 80e93aa21b51 · 2025-10-14T14:47:25.000+01:00
diff --git a/.env.example b/.env.example
@@ -1,9 +1,13 @@
 DEBUG=True
 SECRET_KEY=somesercetkey
-DATABASE_URL=
 ALLOWED_HOSTS=localhost,127.0.0.1
 
-POSTGRES_HOST=db
+DATABASE_HOST=db
+DATABASE_NAME=lung_cancer_screening
+DATABASE_USER=lung_cancer_screening
+DATABASE_PASSWORD=password
+
+# Required to provision development / test postgres container
 POSTGRES_DB=lung_cancer_screening
 POSTGRES_USER=lung_cancer_screening
 POSTGRES_PASSWORD=password
diff --git a/.github/workflows/test-deploy.yaml b/.github/workflows/test-deploy.yaml
@@ -39,4 +39,4 @@ jobs:
           terraform_version: 1.11.4
 
       - name: Terraform plan
-        run: make ${TARGET_ENV} ci terraform-apply
+        run: make ${TARGET_ENV} ci terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ github.sha }}
diff --git a/.python-version b/.python-version
@@ -0,0 +1 @@
+3.13.7
diff --git a/infrastructure/environments/poc/variables.sh b/infrastructure/environments/poc/variables.sh
@@ -6,4 +6,3 @@ STORAGE_ACCOUNT_RG=rg-tfstate-poc-uks
 TERRAFORM_MODULES_REF=main
 ENABLE_SOFT_DELETE=false
 DOCKER_IMAGE=ghcr.io/nhsdigital/lung_cancer_screening
-DOCKER_IMAGE_TAG=PPHA-369-build-and-push-doker-image-to-gchr
diff --git a/infrastructure/environments/poc/variables.tfvars b/infrastructure/environments/poc/variables.tfvars
@@ -4,6 +4,9 @@ features = {
   hub_and_spoke      = false
   private_networking = false
 }
+fetch_secrets_from_app_key_vault      = true
+github_mi_name                        = "mi-lungcs-poc-ghtoaz-uks"
+key_vault_secrets_officer_groups      = ["Azure-Lung-Cancer-Screening---Dev-Owner"]
 postgres_backup_retention_days        = 7
 postgres_geo_redundant_backup_enabled = false
 protect_keyvault                      = false
diff --git a/infrastructure/modules/container-apps/jobs.tf b/infrastructure/modules/container-apps/jobs.tf
@@ -0,0 +1,29 @@
+module "db_setup" {
+  source = "../dtos-devops-templates/infrastructure/modules/container-app-job"
+
+  name                         = "${var.app_short_name}-dbm-${var.environment}"
+  container_app_environment_id = var.container_app_environment_id
+  resource_group_name          = azurerm_resource_group.main.name
+
+  container_command = ["/bin/sh", "-c"]
+
+  container_args = [
+    "python manage.py migrate"
+  ]
+  secret_variables = var.deploy_database_as_container ? { DATABASE_PASSWORD = resource.random_password.admin_password[0].result } : {}
+  docker_image     = var.docker_image
+  user_assigned_identity_ids = flatten([
+    [module.azure_blob_storage_identity.id],
+    [module.azure_queue_storage_identity.id],
+    var.deploy_database_as_container ? [] : [module.db_connect_identity[0].id]
+  ])
+  environment_variables = merge(
+    local.common_env,
+    var.deploy_database_as_container ? local.container_db_env : local.azure_db_env
+  )
+  depends_on = [
+    module.queue_storage_role_assignment,
+    module.blob_storage_role_assignment
+  ]
+
+}
diff --git a/infrastructure/modules/container-apps/main.tf b/infrastructure/modules/container-apps/main.tf
@@ -17,7 +17,7 @@ module "webapp" {
   fetch_secrets_from_app_key_vault = var.fetch_secrets_from_app_key_vault
   infra_key_vault_name             = "kv-${var.app_short_name}-${var.env_config}-inf"
   infra_key_vault_rg               = "rg-${var.app_short_name}-${var.env_config}-infra"
-  enable_auth                      = var.enable_auth
+  enable_entra_id_authentication   = var.enable_entra_id_authentication
   app_key_vault_id                 = var.app_key_vault_id
   docker_image                     = var.docker_image
   user_assigned_identity_ids       = var.deploy_database_as_container ? [] : [module.db_connect_identity[0].id]
diff --git a/infrastructure/modules/container-apps/storage.tf b/infrastructure/modules/container-apps/storage.tf
@@ -32,8 +32,10 @@ module "storage" {
     private_endpoint_resource_group_name = azurerm_resource_group.main.name
     private_service_connection_is_manual = false
   } : null
-  queues              = local.storage_queues
-  resource_group_name = azurerm_resource_group.main.name
+
+  public_network_access_enabled = !var.features.private_networking
+  queues                        = local.storage_queues
+  resource_group_name           = azurerm_resource_group.main.name
 }
 
 module "blob_storage_role_assignment" {
diff --git a/infrastructure/modules/container-apps/variables.tf b/infrastructure/modules/container-apps/variables.tf
@@ -35,7 +35,7 @@ variable "docker_image" {
   type        = string
 }
 
-variable "enable_auth" {
+variable "enable_entra_id_authentication" {
   description = "Enable authentication for the container app. If true, the app will use Azure AD authentication."
   type        = bool
 }
diff --git a/infrastructure/modules/infra/data.tf b/infrastructure/modules/infra/data.tf
@@ -0,0 +1,9 @@
+data "azuread_service_principal" "github-mi" {
+  display_name = var.github_mi_name
+}
+
+data "azuread_group" "kv_officers" {
+  for_each = toset(var.key_vault_secrets_officer_groups)
+
+  display_name = each.value
+}
diff --git a/infrastructure/modules/infra/main.tf b/infrastructure/modules/infra/main.tf
@@ -24,6 +24,21 @@ module "app-key-vault" {
   purge_protection_enabled      = var.protect_keyvault
 }
 
+module "key_vault_rbac_assignments" {
+  source = "../dtos-devops-templates/infrastructure/modules/rbac-assignment"
+
+  for_each = merge(
+    {
+      (var.github_mi_name) = data.azuread_service_principal.github-mi
+    },
+    data.azuread_group.kv_officers
+  )
+
+  principal_id         = each.value.object_id
+  role_definition_name = "Key Vault Secrets Officer"
+  scope                = module.app-key-vault.key_vault_id
+}
+
 module "log_analytics_workspace_audit" {
   source = "../dtos-devops-templates/infrastructure/modules/log-analytics-workspace"
 
diff --git a/infrastructure/modules/infra/providers.tf b/infrastructure/modules/infra/providers.tf
@@ -4,5 +4,10 @@ terraform {
       source                = "hashicorp/azurerm"
       configuration_aliases = [azurerm.hub]
     }
+
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "3.4.0"
+    }
   }
 }
diff --git a/infrastructure/modules/infra/variables.tf b/infrastructure/modules/infra/variables.tf
@@ -17,6 +17,16 @@ variable "features" {
   })
 }
 
+variable "github_mi_name" {
+  description = "Name of the GitHub Managed Identity."
+  type        = string
+}
+
+variable "key_vault_secrets_officer_groups" {
+  description = "List of Entra ID group names which will have Key Vault Secrets Officer RBAC role."
+  type        = list(string)
+}
+
 variable "resource_group_name" {
   description = "Infra resource group name"
   type        = string
diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf
@@ -8,14 +8,16 @@ module "infra" {
     azurerm.hub = azurerm.hub
   }
 
-  region              = local.region
-  resource_group_name = local.resource_group_name
-  app_short_name      = var.app_short_name
-  environment         = var.env_config
-  features            = var.features
-  hub                 = var.hub
-  protect_keyvault    = var.protect_keyvault
-  vnet_address_space  = var.vnet_address_space
+  region                           = local.region
+  resource_group_name              = local.resource_group_name
+  app_short_name                   = var.app_short_name
+  environment                      = var.env_config
+  features                         = var.features
+  github_mi_name                   = var.github_mi_name
+  hub                              = var.hub
+  key_vault_secrets_officer_groups = var.key_vault_secrets_officer_groups
+  protect_keyvault                 = var.protect_keyvault
+  vnet_address_space               = var.vnet_address_space
 }
 
 module "container-apps" {
@@ -36,7 +38,7 @@ module "container-apps" {
   dns_zone_name                         = var.dns_zone_name
   docker_image                          = var.docker_image
   deploy_database_as_container          = var.deploy_database_as_container
-  enable_auth                           = var.enable_auth
+  enable_entra_id_authentication        = var.enable_entra_id_authentication
   environment                           = var.environment
   env_config                            = var.env_config
   features                              = var.features
diff --git a/infrastructure/terraform/variables.tf b/infrastructure/terraform/variables.tf
@@ -1,7 +1,6 @@
-variable "deploy_infra" {
-  description = "The foundational layer of infrastructure for the application to run on"
-  type        = bool
-  default     = true
+variable "app_short_name" {
+  description = "Application short name (6 characters)"
+  type        = string
 }
 
 variable "deploy_container_apps" {
@@ -10,41 +9,54 @@ variable "deploy_container_apps" {
   default     = true
 }
 
-variable "app_short_name" {
-  description = "Application short name (6 characters)"
-  type        = string
+variable "deploy_database_as_container" {
+  description = "Whether to deploy the database as a container or as an Azure postgres flexible server."
+  type        = bool
+  default     = false
 }
 
-variable "environment" {
-  description = "Application environment name"
-  type        = string
+variable "deploy_infra" {
+  description = "The foundational layer of infrastructure for the application to run on"
+  type        = bool
+  default     = true
 }
 
-variable "env_config" {
-  description = "Environment configuration. Different environments may share the same environment config and the same infrastructure"
+variable "docker_image" {
+  description = "Docker image full path including registry, repository and tag"
   type        = string
 }
 
-variable "hub" {
-  description = "Hub name (dev or prod)"
+variable "dns_zone_name" {
+  description = "Value of the DNS zone name to use for the Front Door endpoint"
   type        = string
+  default     = ""
 }
 
-variable "docker_image" {
-  description = "Docker image full path including registry, repository and tag"
-  type        = string
+variable "enable_entra_id_authentication" {
+  description = "Enable authentication for the container app. If true, the app will use Azure AD authentication."
+  type        = bool
+  default     = false
 }
 
-variable "hub_subscription_id" {
-  description = "ID of the hub Azure subscription"
+variable "environment" {
+  description = "Application environment name"
   type        = string
 }
 
-variable "vnet_address_space" {
-  description = "VNET address space. Must be unique across the hub."
+variable "env_config" {
+  description = "Environment configuration. Different environments may share the same environment config and the same infrastructure"
   type        = string
 }
 
+variable "features" {
+  description = "Feature flags for the deployment"
+  type = object({
+    front_door         = optional(bool, true)
+    hub_and_spoke      = optional(bool, true)
+    private_networking = optional(bool, true)
+  })
+}
+
 variable "fetch_secrets_from_app_key_vault" {
   description = <<EOT
     Set to false initially to create and populate the app key vault.
@@ -55,6 +67,32 @@ variable "fetch_secrets_from_app_key_vault" {
   type        = bool
 }
 
+variable "front_door_profile" {
+  description = "Name of the front door profile created for this application in the hub subscription"
+  type        = string
+  default     = null
+}
+
+variable "github_mi_name" {
+  description = "Name of the GitHub Managed Identity."
+  type        = string
+}
+
+variable "hub" {
+  description = "Hub name (dev or prod)"
+  type        = string
+}
+
+variable "hub_subscription_id" {
+  description = "ID of the hub Azure subscription"
+  type        = string
+}
+
+variable "key_vault_secrets_officer_groups" {
+  description = "List of Entra ID group names which will have Key Vault Secrets Officer RBAC role."
+  type        = list(string)
+}
+
 variable "protect_keyvault" {
   description = "Ability to recover the key vault or its secrets after deletion"
   default     = true
@@ -73,12 +111,6 @@ variable "postgres_geo_redundant_backup_enabled" {
   default     = true
 }
 
-variable "deploy_database_as_container" {
-  description = "Whether to deploy the database as a container or as an Azure postgres flexible server."
-  type        = bool
-  default     = false
-}
-
 variable "postgres_sku_name" {
   description = "Value of the PostgreSQL Flexible Server SKU name"
   default     = "B_Standard_B1ms"
@@ -97,8 +129,8 @@ variable "postgres_storage_tier" {
   type        = string
 }
 
-variable "enable_auth" {
-  description = "Enable authentication for the container app. If true, the app will use Azure AD authentication."
+variable "seed_demo_data" {
+  description = "Whether or not to seed the demo data in the database."
   type        = bool
   default     = false
 }
@@ -109,32 +141,11 @@ variable "use_apex_domain" {
   default     = false
 }
 
-variable "dns_zone_name" {
-  description = "Value of the DNS zone name to use for the Front Door endpoint"
-  type        = string
-  default     = ""
-}
-
-variable "features" {
-  description = "Feature flags for the deployment"
-  type = object({
-    front_door         = optional(bool, true)
-    hub_and_spoke      = optional(bool, true)
-    private_networking = optional(bool, true)
-  })
-}
-
-variable "front_door_profile" {
-  description = "Name of the front door profile created for this application in the hub subscription"
+variable "vnet_address_space" {
+  description = "VNET address space. Must be unique across the hub."
   type        = string
-  default     = null
 }
 
-variable "seed_demo_data" {
-  description = "Whether or not to seed the demo data in the database."
-  type        = bool
-  default     = false
-}
 
 locals {
   region              = "uksouth"
diff --git a/lung_cancer_screening/config/__init__.py b/lung_cancer_screening/config/__init__.py
diff --git a/lung_cancer_screening/config/postgresql/__init__.py b/lung_cancer_screening/config/postgresql/__init__.py
diff --git a/lung_cancer_screening/config/postgresql/base.py b/lung_cancer_screening/config/postgresql/base.py
diff --git a/lung_cancer_screening/settings.py b/lung_cancer_screening/settings.py
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ variable "docker_image" {`
`35`	`35`	`type = string`
`36`	`36`	`}`
`37`	`37`
`38`		`-variable "enable_auth" {`
	`38`	`+variable "enable_entra_id_authentication" {`
`39`	`39`	`description = "Enable authentication for the container app. If true, the app will use Azure AD authentication."`
`40`	`40`	`type = bool`
`41`	`41`	`}`