NHSDigital
diff --git a/‎infrastructure/ecr.tf‎
Lines changed: 11 additions & 10 deletions b/‎infrastructure/ecr.tf‎
Lines changed: 11 additions & 10 deletions
diff --git a/‎infrastructure/modules/ecr/README.md‎
Lines changed: 18 additions & 22 deletions b/‎infrastructure/modules/ecr/README.md‎
Lines changed: 18 additions & 22 deletions
diff --git a/‎infrastructure/modules/kms/README.md‎
Lines changed: 25 additions & 30 deletions b/‎infrastructure/modules/kms/README.md‎
Lines changed: 25 additions & 30 deletions
@@ -1,14 +1,15 @@
 module "ndr-docker-ecr-ui" {
-  source   = "./modules/ecr/"
-  app_name = "ndr-${terraform.workspace}-app"
-
-  environment = var.environment
-  owner       = var.owner
+  source             = "./modules/ecr/"
+  app_name           = "ndr-${terraform.workspace}-app"
+  current_account_id = data.aws_caller_identity.current.account_id
+  environment        = var.environment
+  owner              = var.owner
 }
 module "ndr-docker-ecr-data-collection" {
-  count       = local.is_sandbox ? 0 : 1
-  source      = "./modules/ecr/"
-  app_name    = "${terraform.workspace}-data-collection"
-  environment = var.environment
-  owner       = var.owner
+  count              = local.is_sandbox ? 0 : 1
+  source             = "./modules/ecr/"
+  app_name           = "${terraform.workspace}-data-collection"
+  current_account_id = data.aws_caller_identity.current.account_id
+  environment        = var.environment
+  owner              = var.owner
 }
@@ -30,34 +30,30 @@ module "ecr_repository" {
 ```
 
 <!-- BEGIN_TF_DOCS -->
-
 ## Requirements
 
-| Name                                                   | Version |
-| ------------------------------------------------------ | ------- |
-| <a name="requirement_aws"></a> [aws](#requirement_aws) | ~> 5.0  |
-
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
 ## Resources
 
-| Name                                                                                                                                                     | Type        |
-| -------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
-| [aws_ecr_lifecycle_policy.ndr_ecr_lifecycle_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy)    | resource    |
-| [aws_ecr_repository.ndr-ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository)                                 | resource    |
-| [aws_ecr_repository_policy.ndr_ecr_repository_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy) | resource    |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity)                            | data source |
-
+| Name | Type |
+|------|------|
+| [aws_ecr_lifecycle_policy.ndr_ecr_lifecycle_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
+| [aws_ecr_repository.ndr-ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
+| [aws_ecr_repository_policy.ndr_ecr_repository_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 ## Inputs
 
-| Name                                                               | Description         | Type     | Default | Required |
-| ------------------------------------------------------------------ | ------------------- | -------- | ------- | :------: |
-| <a name="input_app_name"></a> [app_name](#input_app_name)          | the name of the app | `string` | n/a     |   yes    |
-| <a name="input_environment"></a> [environment](#input_environment) | n/a                 | `string` | n/a     |   yes    |
-| <a name="input_owner"></a> [owner](#input_owner)                   | n/a                 | `string` | n/a     |   yes    |
-
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_app_name"></a> [app\_name](#input\_app\_name) | Name of the application (used in repository naming). | `string` | n/a | yes |
+| <a name="input_current_account_id"></a> [current\_account\_id](#input\_current\_account\_id) | AWS account ID where the repository is created. | `string` | n/a | yes |
+| <a name="input_environment"></a> [environment](#input\_environment) | Deployment environment tag used for naming and labeling (e.g., dev, prod). | `string` | n/a | yes |
+| <a name="input_owner"></a> [owner](#input\_owner) | Identifies the team or person responsible for the resource (used for tagging). | `string` | n/a | yes |
 ## Outputs
 
-| Name                                                                                      | Description |
-| ----------------------------------------------------------------------------------------- | ----------- |
-| <a name="output_ecr_repository_url"></a> [ecr_repository_url](#output_ecr_repository_url) | n/a         |
-
+| Name | Description |
+|------|-------------|
+| <a name="output_ecr_repository_url"></a> [ecr\_repository\_url](#output\_ecr\_repository\_url) | n/a |
 <!-- END_TF_DOCS -->
@@ -50,43 +50,38 @@ module "kms_key" {
 ```
 
 <!-- BEGIN_TF_DOCS -->
-
 ## Requirements
 
-| Name                                                   | Version |
-| ------------------------------------------------------ | ------- |
-| <a name="requirement_aws"></a> [aws](#requirement_aws) | ~> 5.0  |
-
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
 ## Resources
 
-| Name                                                                                                                                                    | Type        |
-| ------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
-| [aws_kms_alias.encryption_key_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias)                             | resource    |
-| [aws_kms_key.encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key)                                       | resource    |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity)                           | data source |
+| Name | Type |
+|------|------|
+| [aws_kms_alias.encryption_key_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.combined_policy_documents](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.kms_key_base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)              | data source |
-| [aws_iam_policy_document.kms_key_generate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)          | data source |
-
+| [aws_iam_policy_document.kms_key_base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.kms_key_generate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 ## Inputs
 
-| Name                                                                                                      | Description | Type           | Default | Required |
-| --------------------------------------------------------------------------------------------------------- | ----------- | -------------- | ------- | :------: |
-| <a name="input_allow_decrypt_for_arn"></a> [allow_decrypt_for_arn](#input_allow_decrypt_for_arn)          | n/a         | `bool`         | `false` |    no    |
-| <a name="input_allowed_arn"></a> [allowed_arn](#input_allowed_arn)                                        | n/a         | `list(string)` | `[]`    |    no    |
-| <a name="input_aws_identifiers"></a> [aws_identifiers](#input_aws_identifiers)                            | n/a         | `list(string)` | `[]`    |    no    |
-| <a name="input_environment"></a> [environment](#input_environment)                                        | n/a         | `string`       | n/a     |   yes    |
-| <a name="input_kms_key_description"></a> [kms_key_description](#input_kms_key_description)                | n/a         | `string`       | n/a     |   yes    |
-| <a name="input_kms_key_name"></a> [kms_key_name](#input_kms_key_name)                                     | n/a         | `string`       | n/a     |   yes    |
-| <a name="input_kms_key_rotation_enabled"></a> [kms_key_rotation_enabled](#input_kms_key_rotation_enabled) | n/a         | `bool`         | `true`  |    no    |
-| <a name="input_owner"></a> [owner](#input_owner)                                                          | n/a         | `string`       | n/a     |   yes    |
-| <a name="input_service_identifiers"></a> [service_identifiers](#input_service_identifiers)                | n/a         | `list(string)` | n/a     |   yes    |
-
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_allow_decrypt_for_arn"></a> [allow\_decrypt\_for\_arn](#input\_allow\_decrypt\_for\_arn) | Flag to allow generating a decrypt-only policy for specified ARNs. | `bool` | `false` | no |
+| <a name="input_allowed_arn"></a> [allowed\_arn](#input\_allowed\_arn) | List of ARNs that are allowed full encrypt/decrypt access to the KMS key. | `list(string)` | `[]` | no |
+| <a name="input_aws_identifiers"></a> [aws\_identifiers](#input\_aws\_identifiers) | List of ARNs that will be granted decrypt-only access. | `list(string)` | `[]` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Deployment environment (e.g., dev, staging, prod). | `string` | n/a | yes |
+| <a name="input_kms_key_description"></a> [kms\_key\_description](#input\_kms\_key\_description) | Description of the KMS key. | `string` | n/a | yes |
+| <a name="input_kms_key_name"></a> [kms\_key\_name](#input\_kms\_key\_name) | Name of the KMS key to be created. | `string` | n/a | yes |
+| <a name="input_kms_key_rotation_enabled"></a> [kms\_key\_rotation\_enabled](#input\_kms\_key\_rotation\_enabled) | Enable automatic KMS key rotation. | `bool` | `true` | no |
+| <a name="input_owner"></a> [owner](#input\_owner) | Owner tag for identifying the resource owner. | `string` | n/a | yes |
+| <a name="input_service_identifiers"></a> [service\_identifiers](#input\_service\_identifiers) | List of AWS service principal identifiers allowed to use the key (e.g., 's3.amazonaws.com'). | `list(string)` | n/a | yes |
 ## Outputs
 
-| Name                                                     | Description |
-| -------------------------------------------------------- | ----------- |
-| <a name="output_id"></a> [id](#output_id)                | n/a         |
-| <a name="output_kms_arn"></a> [kms_arn](#output_kms_arn) | n/a         |
-
+| Name | Description |
+|------|-------------|
+| <a name="output_id"></a> [id](#output\_id) | n/a |
+| <a name="output_kms_arn"></a> [kms\_arn](#output\_kms\_arn) | n/a |
 <!-- END_TF_DOCS -->