From 39565cc5ab1245e4e6a6368c19fd0aa9a187733a Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 17 Mar 2026 16:05:41 +0000 Subject: [PATCH 1/5] CCM-14316: Gateway Cluster Deployment --- .../terraform/components/reporting/README.md | 1 + .../autoscaling_group_powerbi_gateway.tf | 25 ------- .../autoscaling_schedule_scale_in.tf | 11 --- .../autoscaling_schedule_scale_out.tf | 11 --- .../ec2_instances_powerbi_gateway.tf | 3 +- .../iam_instance_profile_powerbi_gateway.tf | 18 ----- .../launch_template_powerbi_gateway_asg.tf | 71 ------------------- .../terraform/components/reporting/locals.tf | 11 +-- .../ssm_maintenance_window_patch_window.tf | 12 ---- ...tenance_window_target_windows_instances.tf | 15 ---- .../ssm_maintenance_window_task_patch_task.tf | 29 -------- ...ssm_parameter_powerbi_gateway_client_id.tf | 14 ---- ...parameter_powerbi_gateway_client_secret.tf | 14 ---- ..._parameter_powerbi_gateway_recovery_key.tf | 2 +- ...ssm_parameter_powerbi_gateway_tenant_id.tf | 14 ---- .../reporting/templates/cloudinit_config.tmpl | 27 +------ .../components/reporting/variables.tf | 6 ++ .../terraform/etc/env_eu-west-2_main.tfvars | 2 + 18 files changed, 16 insertions(+), 270 deletions(-) delete mode 100644 infrastructure/terraform/components/reporting/autoscaling_group_powerbi_gateway.tf delete mode 100644 infrastructure/terraform/components/reporting/autoscaling_schedule_scale_in.tf delete mode 100644 infrastructure/terraform/components/reporting/autoscaling_schedule_scale_out.tf delete mode 100644 infrastructure/terraform/components/reporting/launch_template_powerbi_gateway_asg.tf delete mode 100644 infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_client_id.tf delete mode 100644 infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_client_secret.tf delete mode 100644 infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_tenant_id.tf 
diff --git a/infrastructure/terraform/components/reporting/README.md b/infrastructure/terraform/components/reporting/README.md index 82985d40..4c57c0ed 100644 --- a/infrastructure/terraform/components/reporting/README.md +++ b/infrastructure/terraform/components/reporting/README.md @@ -13,6 +13,7 @@ No requirements. | [account\_name](#input\_account\_name) | The name of the AWS Account to deploy into (see globals.tfvars) | `string` | n/a | yes | | [app\_deployer\_role\_name](#input\_app\_deployer\_role\_name) | Name of the app deployer role that is allowed to deploy Comms Mgr applications but not create other IAM roles | `string` | n/a | yes | | [app\_deployer\_role\_permission\_account\_ids](#input\_app\_deployer\_role\_permission\_account\_ids) | All AWS Account IDs for this project that have the AppDeployer role created | `map(string)` | `{}` | no | +| [athena\_driver\_url](#input\_athena\_driver\_url) | Amazon Athena ODBC MSI download URL for PowerBI gateway bootstrap | `string` | `"https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi"` | no | | [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes | | [batch\_client\_ids](#input\_batch\_client\_ids) | List of client ids that require additional batch identifier dimensions when aggregating data | `list(string)` |
[
"NULL"
]
| no | | [cloudtrail\_log\_group\_name](#input\_cloudtrail\_log\_group\_name) | The name of the Cloudtrail log group name on the account (see globals.tfvars) | `string` | n/a | yes | diff --git a/infrastructure/terraform/components/reporting/autoscaling_group_powerbi_gateway.tf b/infrastructure/terraform/components/reporting/autoscaling_group_powerbi_gateway.tf deleted file mode 100644 index 5e7c6872..00000000 --- a/infrastructure/terraform/components/reporting/autoscaling_group_powerbi_gateway.tf +++ /dev/null @@ -1,25 +0,0 @@ -resource "aws_autoscaling_group" "powerbi_gateway" { - count = var.enable_powerbi_gateway ? 1 : 0 - - name = local.csi - - launch_template { - id = aws_launch_template.powerbi_gateway[0].id - version = "$Latest" - } - - vpc_zone_identifier = module.powerbi_gateway_vpc[0].private_subnets - desired_capacity = var.desired_capacity - min_size = var.min_size - max_size = var.max_size - - tag { - key = "Name" - value = "${local.csi}-powerbi-gateway-instance" - propagate_at_launch = true - } - - health_check_type = "EC2" - health_check_grace_period = 300 - wait_for_capacity_timeout = "0" -} diff --git a/infrastructure/terraform/components/reporting/autoscaling_schedule_scale_in.tf b/infrastructure/terraform/components/reporting/autoscaling_schedule_scale_in.tf deleted file mode 100644 index 57d330a2..00000000 --- a/infrastructure/terraform/components/reporting/autoscaling_schedule_scale_in.tf +++ /dev/null @@ -1,11 +0,0 @@ -resource "aws_autoscaling_schedule" "scale_in" { - count = var.enable_powerbi_gateway && var.scale_in_recurrence_schedule != null ? 1 : 0 - - scheduled_action_name = "${local.csi}-scale-in" - desired_capacity = 0 - min_size = 0 - max_size = -1 - autoscaling_group_name = aws_autoscaling_group.powerbi_gateway[0].name - - recurrence = coalesce(var.scale_in_recurrence_schedule, null) -} 
diff --git a/infrastructure/terraform/components/reporting/autoscaling_schedule_scale_out.tf b/infrastructure/terraform/components/reporting/autoscaling_schedule_scale_out.tf deleted file mode 100644 index 50c71f55..00000000 --- a/infrastructure/terraform/components/reporting/autoscaling_schedule_scale_out.tf +++ /dev/null @@ -1,11 +0,0 @@ -resource "aws_autoscaling_schedule" "scale_out" { - count = var.enable_powerbi_gateway && var.scale_out_recurrence_schedule != null ? 1 : 0 - - scheduled_action_name = "${local.csi}-scale-out" - desired_capacity = var.desired_capacity - min_size = var.min_size - max_size = var.max_size - autoscaling_group_name = aws_autoscaling_group.powerbi_gateway[0].name - - recurrence = coalesce(var.scale_in_recurrence_schedule, null) -} diff --git a/infrastructure/terraform/components/reporting/ec2_instances_powerbi_gateway.tf b/infrastructure/terraform/components/reporting/ec2_instances_powerbi_gateway.tf index 9ec3ffa6..3ccd593b 100644 --- a/infrastructure/terraform/components/reporting/ec2_instances_powerbi_gateway.tf +++ b/infrastructure/terraform/components/reporting/ec2_instances_powerbi_gateway.tf @@ -8,6 +8,7 @@ resource "aws_instance" "powerbi_gateway_standalone" { } tags = { - Name = format("%s-powerbi-gateway-standalone-%02d", local.csi, count.index + 1) + "Name" = format("%s-powerbi-gateway-standalone-%02d", local.csi, count.index + 1) + "Patch Group" = aws_ssm_patch_group.windows_patch_group[0].patch_group } } diff --git a/infrastructure/terraform/components/reporting/iam_instance_profile_powerbi_gateway.tf b/infrastructure/terraform/components/reporting/iam_instance_profile_powerbi_gateway.tf index 53b16b72..e2a1efee 100644 --- a/infrastructure/terraform/components/reporting/iam_instance_profile_powerbi_gateway.tf +++ b/infrastructure/terraform/components/reporting/iam_instance_profile_powerbi_gateway.tf 
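Review bot: The new `"Patch Group"` tag on `aws_instance.powerbi_gateway_standalone` only selects the patch baseline, and nothing left in this series schedules patching by that tag. The tag-based `windows_instances` target is deleted later in this patch, and the remaining Sunday/Wednesday targets shown in the context name instance IDs (`aws_instance.powerbi_gateway_standalone[1].id` for Wednesday). If `powerbi_gateway_instance_count` is ever set above 2, the extra instances would be tagged yet appear to fall outside every maintenance window. Either cap the variable with a validation rule or add a comment on the tag such as `# selects the baseline only; patch scheduling is per-instance in ssm_maintenance_window_target_*`. The resource body starts outside the hunk, so confirm the instance `count` expression and that `aws_ssm_patch_group.windows_patch_group` carries a matching `count` guard for the `[0]` index.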
@@ -223,22 +223,4 @@ data "aws_iam_policy_document" "powerbi_gateway_permissions_policy" { aws_kms_key.s3.arn ] } - - statement { - sid = "AllowSSMAccess" - effect = "Allow" - - actions = [ - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParameterHistory", - ] - - resources = [ - aws_ssm_parameter.powerbi_gateway_recovery_key[0].arn, - aws_ssm_parameter.powerbi_gateway_client_id[0].arn, - aws_ssm_parameter.powerbi_gateway_client_secret[0].arn, - aws_ssm_parameter.powerbi_gateway_tenant_id[0].arn - ] - } } diff --git a/infrastructure/terraform/components/reporting/launch_template_powerbi_gateway_asg.tf b/infrastructure/terraform/components/reporting/launch_template_powerbi_gateway_asg.tf deleted file mode 100644 index 00c0a657..00000000 --- a/infrastructure/terraform/components/reporting/launch_template_powerbi_gateway_asg.tf +++ /dev/null 
@@ -1,71 +0,0 @@ -resource "aws_launch_template" "powerbi_gateway" { - count = var.enable_powerbi_gateway ? 1 : 0 - - name = local.csi - description = "Template for the Power BI On-Premises Gateway" - update_default_version = true - image_id = "resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base" - instance_type = var.instance_type - user_data = data.cloudinit_config.powerbi_gateway[0].rendered - instance_initiated_shutdown_behavior = var.enable_spot ? "terminate" : "stop" - ebs_optimized = true - - block_device_mappings { - device_name = "/dev/sda1" - ebs { - delete_on_termination = true - encrypted = true - kms_key_id = aws_kms_key.ebs[0].arn - volume_size = var.root_volume_size - volume_type = "gp3" - } - } - - iam_instance_profile { - name = aws_iam_instance_profile.powerbi_gateway[0].name - } - - dynamic "instance_market_options" { - for_each = var.enable_spot ? [1] : [] - content { - market_type = "spot" - spot_options { - max_price = var.spot_max_price - spot_instance_type = "one-time" - } - } - } - - monitoring { - enabled = true - } - - network_interfaces { - delete_on_termination = true - associate_public_ip_address = false - security_groups = [ - aws_security_group.powerbi_gateway[0].id - ] - subnet_id = element(module.powerbi_gateway_vpc[0].private_subnets, count.index) - } - - metadata_options { - http_endpoint = "enabled" - http_tokens = "required" - http_put_response_hop_limit = 5 - } - - tag_specifications { - resource_type = "instance" - tags = merge(local.deployment_default_tags, - { - "Patch Group" = "${local.csi}-windows-group" - } - ) - } - - tag_specifications { - resource_type = "volume" - tags = local.deployment_default_tags - } -} diff --git a/infrastructure/terraform/components/reporting/locals.tf b/infrastructure/terraform/components/reporting/locals.tf index 3d4c48ab..761faa69 100644 --- a/infrastructure/terraform/components/reporting/locals.tf +++ b/infrastructure/terraform/components/reporting/locals.tf 
@@ -54,26 +54,17 @@ locals { this_account = local.base_parameter_bundle.account_ids[local.base_parameter_bundle.account_name] - # Check if each required SSM parameter exists individually - recovery_key = length(aws_ssm_parameter.powerbi_gateway_recovery_key) > 0 ? aws_ssm_parameter.powerbi_gateway_recovery_key[0].name : null - client_secret = length(aws_ssm_parameter.powerbi_gateway_client_secret) > 0 ? aws_ssm_parameter.powerbi_gateway_client_secret[0].name : null - client_id = length(aws_ssm_parameter.powerbi_gateway_client_id) > 0 ? aws_ssm_parameter.powerbi_gateway_client_id[0].name : null - tenant_id = length(aws_ssm_parameter.powerbi_gateway_tenant_id) > 0 ? aws_ssm_parameter.powerbi_gateway_tenant_id[0].name : null - # Create the powerbi_gateway_script only if var.enable_powerbi_gateway is true powerbi_gateway_script = var.enable_powerbi_gateway ? templatefile("${path.module}/templates/cloudinit_config.tmpl", { odbc_dsn_name = "${local.csi}-dsn" odbc_description = "AWS Simba Athena ODBC Connection for ${local.csi}" + athena_driver_url = var.athena_driver_url region = var.region catalog = "AWSDataCatalog" database = aws_glue_catalog_database.reporting.name workgroup = aws_athena_workgroup.user.name authentication_type = "Instance Profile" gateway_name = "${local.csi}-gateway" - recovery_key = local.recovery_key - client_secret = local.client_secret - client_id = local.client_id - tenant_id = local.tenant_id }) : null use_core_glue_catalog_resources = length(var.core_account_ids) > 0 ? true : false diff --git a/infrastructure/terraform/components/reporting/ssm_maintenance_window_patch_window.tf b/infrastructure/terraform/components/reporting/ssm_maintenance_window_patch_window.tf index ea6005ec..456bc65b 100644 --- a/infrastructure/terraform/components/reporting/ssm_maintenance_window_patch_window.tf +++ b/infrastructure/terraform/components/reporting/ssm_maintenance_window_patch_window.tf 
@@ -19,15 +19,3 @@ resource "aws_ssm_maintenance_window" "patch_window_wednesday" { cutoff = 1 allow_unassociated_targets = true } - -## Remove me later - replaced by above two windows -resource "aws_ssm_maintenance_window" "patch_window" { - count = var.enable_powerbi_gateway ? 1 : 0 - - name = "${local.csi}-windows-patch-window" - description = "Windows Server 2022 Patch Window" - schedule = "cron(0 3 ? * SUN *)" # Every Sunday at 3 AM - duration = 4 - cutoff = 1 - allow_unassociated_targets = true -} diff --git a/infrastructure/terraform/components/reporting/ssm_maintenance_window_target_windows_instances.tf b/infrastructure/terraform/components/reporting/ssm_maintenance_window_target_windows_instances.tf index af913ec6..ee1854bc 100644 --- a/infrastructure/terraform/components/reporting/ssm_maintenance_window_target_windows_instances.tf +++ b/infrastructure/terraform/components/reporting/ssm_maintenance_window_target_windows_instances.tf @@ -25,18 +25,3 @@ resource "aws_ssm_maintenance_window_target" "windows_instances_wednesday" { values = [aws_instance.powerbi_gateway_standalone[1].id] } } - -## Remove me later - replaced by above two targets -resource "aws_ssm_maintenance_window_target" "windows_instances" { - count = var.enable_powerbi_gateway ? 1 : 0 - - description = "Windows Server 2022 Maintenance Window Target" - window_id = aws_ssm_maintenance_window.patch_window[0].id - resource_type = "INSTANCE" - name = "${local.csi}-maintenance-window-target" - - targets { - key = "tag:Patch Group" - values = ["${local.csi}-windows-group"] - } -} diff --git a/infrastructure/terraform/components/reporting/ssm_maintenance_window_task_patch_task.tf b/infrastructure/terraform/components/reporting/ssm_maintenance_window_task_patch_task.tf index a17e151e..4f7d5b9e 100644 --- a/infrastructure/terraform/components/reporting/ssm_maintenance_window_task_patch_task.tf +++ b/infrastructure/terraform/components/reporting/ssm_maintenance_window_task_patch_task.tf 
@@ -61,32 +61,3 @@ resource "aws_ssm_maintenance_window_task" "patch_task_wednesday" { max_concurrency = "1" max_errors = "1" } - -## Remove me later - replaced by above two tasks -resource "aws_ssm_maintenance_window_task" "patch_task" { - count = var.enable_powerbi_gateway ? 1 : 0 - - description = "Windows Server 2022 Patch Task" - window_id = aws_ssm_maintenance_window.patch_window[0].id - task_arn = "AWS-RunPatchBaseline" - task_type = "RUN_COMMAND" - - targets { - key = "WindowTargetIds" - values = [aws_ssm_maintenance_window_target.windows_instances[0].id] - } - - task_invocation_parameters { - run_command_parameters { - comment = "Patching Windows Instances" - parameter { - name = "Operation" - values = ["Install"] - } - } - } - - priority = 1 - max_concurrency = "2" - max_errors = "1" -} diff --git a/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_client_id.tf b/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_client_id.tf deleted file mode 100644 index 581498a8..00000000 --- a/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_client_id.tf +++ /dev/null @@ -1,14 +0,0 @@ -resource "aws_ssm_parameter" "powerbi_gateway_client_id" { - count = var.enable_powerbi_gateway ? 1 : 0 - - name = "/${local.csi}/powerbi-gateway-client-id" - description = "The Client (Application) ID for the Service Principal" - type = "SecureString" - value = "CLIENT_ID_PLACEHOLDER" - - lifecycle { - ignore_changes = [ - value, - ] - } -} diff --git a/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_client_secret.tf b/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_client_secret.tf deleted file mode 100644 index abff954e..00000000 --- a/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_client_secret.tf +++ /dev/null 
@@ -1,14 +0,0 @@ -resource "aws_ssm_parameter" "powerbi_gateway_client_secret" { - count = var.enable_powerbi_gateway ? 1 : 0 - - name = "/${local.csi}/powerbi-gateway-client-secret" - description = "The Client Secret for the Service Principal" - type = "SecureString" - value = "CLIENT_SECRET_PLACEHOLDER" - - lifecycle { - ignore_changes = [ - value, - ] - } -} diff --git a/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_recovery_key.tf b/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_recovery_key.tf index 367ebb26..eec82770 100644 --- a/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_recovery_key.tf +++ b/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_recovery_key.tf @@ -2,7 +2,7 @@ resource "aws_ssm_parameter" "powerbi_gateway_recovery_key" { count = var.enable_powerbi_gateway ? 1 : 0 name = "/${local.csi}/powerbi-gateway-recovery-key" - description = "The Recovery Key for the On-Premises Gateway" + description = "The Recovery Key for the On-Premises Gateway - Updated manually with the actual key value after deployment" type = "SecureString" value = "RECOVERY_KEY_PLACEHOLDER" diff --git a/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_tenant_id.tf b/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_tenant_id.tf deleted file mode 100644 index eac5550c..00000000 --- a/infrastructure/terraform/components/reporting/ssm_parameter_powerbi_gateway_tenant_id.tf +++ /dev/null @@ -1,14 +0,0 @@ -resource "aws_ssm_parameter" "powerbi_gateway_tenant_id" { - count = var.enable_powerbi_gateway ? 1 : 0 - - name = "/${local.csi}/powerbi-gateway-tenant-id" - description = "The Tenant ID for the Service Principal" - type = "SecureString" - value = "TENANT_ID_PLACEHOLDER" - - lifecycle { - ignore_changes = [ - value, - ] - } -} 
diff --git a/infrastructure/terraform/components/reporting/templates/cloudinit_config.tmpl b/infrastructure/terraform/components/reporting/templates/cloudinit_config.tmpl index 5555c9f1..fa3c5a84 100644 --- a/infrastructure/terraform/components/reporting/templates/cloudinit_config.tmpl +++ b/infrastructure/terraform/components/reporting/templates/cloudinit_config.tmpl @@ -19,18 +19,14 @@ if (-not (Get-Command choco -ErrorAction SilentlyContinue)) { } # Install PowerBI On-Premises Gateway and Desktop -choco install -y powerbigateway --version=3000.298.8 --ignore-checksums -choco install -y powerbi --ignore-checksums - -# Install vim -choco install -y vim +choco install -y powerbigateway --ignore-checksums # Install Powershell 7 choco install -y powershell-core # Install Amazon Athena ODBC 2.x Driver -`$athenaDriverUrl = "https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.0.6.0/Windows/AmazonAthenaODBC-2.0.6.0.msi" -`$athenaDriverInstaller = "C:\scripts\SimbaAthenaODBC.msi" +`$athenaDriverUrl = "${athena_driver_url}" +`$athenaDriverInstaller = "C:\scripts\AmazonAthenaODBC.msi" Invoke-WebRequest -Uri `$athenaDriverUrl -OutFile `$athenaDriverInstaller # Silent installation of Amazon Athena ODBC driver 
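Review bot: The Athena ODBC MSI is downloaded with `Invoke-WebRequest` and then installed silently with no integrity check, and this hunk makes its source a Terraform input (`${athena_driver_url}`) instead of a fixed URL, so whatever that URL serves is installed by the bootstrap script. Pin a SHA-256 for the expected installer alongside the URL and compare it before the silent install. The fence below assumes a new template variable, named `athena_driver_sha256` here for illustration, passed from `locals.tf` the same way as `athena_driver_url`. The same hunk also drops the `--version=3000.298.8` pin from `choco install -y powerbigateway` while keeping `--ignore-checksums`; PATCH 4/5 removes that line, so it only matters if the commits are applied separately. The script continues outside the hunk.

```powershell
Invoke-WebRequest -Uri `$athenaDriverUrl -OutFile `$athenaDriverInstaller

# Refuse to install an MSI whose digest differs from the pinned value
`$actualHash = (Get-FileHash -Path `$athenaDriverInstaller -Algorithm SHA256).Hash
if (`$actualHash -ne "${athena_driver_sha256}") {
    Write-Output "Athena ODBC installer hash mismatch: `$actualHash"
    Remove-Item -Path `$athenaDriverInstaller -Force
    exit 1
}
# … unchanged: silent installation of Amazon Athena ODBC driver …
```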
@@ -85,23 +81,6 @@ if (Test-Path `$pwshPath) { Write-Output "AWS CLI installation failed or not found in PATH." exit 1 } - - # Get the client (application) and tenant id's - `$clientId = aws ssm get-parameter --name ${client_id} --with-decryption --query Parameter.Value --output text - `$tenantId = aws ssm get-parameter --name ${tenant_id} --with-decryption --query Parameter.Value --output text - - # Get and convert the client secret and recovery key to SecureStrings - `$clientSecretPlainText = aws ssm get-parameter --name ${client_secret} --with-decryption --query Parameter.Value --output text - `$clientSecret = `$clientSecretPlainText | ConvertTo-SecureString -AsPlainText -Force - `$recoveryKeyPlainText = aws ssm get-parameter --name ${recovery_key} --with-decryption --query Parameter.Value --output text - `$recoveryKey = `$recoveryKeyPlainText | ConvertTo-SecureString -AsPlainText -Force - - # Login to the PowerBI Service using the Service Principal (proposed, untested) https://learn.microsoft.com/en-us/powershell/module/datagateway.profile/connect-datagatewayserviceaccount?view=datagateway-ps - # Connect-DataGatewayServiceAccount -ApplicationId `$clientId -ClientSecret `$clientSecret -Tenant `$tenantId - # Install the gateway - # Install-DataGateway -AcceptConditions - # Register the Gateway (proposed, untested) https://learn.microsoft.com/en-us/powershell/module/datagateway/add-datagatewaycluster?view=datagateway-ps - # Add-DataGatewayCluster -RecoveryKey `$recoveryKey -Name ${gateway_name} -RegionKey uksouth } } else { diff --git a/infrastructure/terraform/components/reporting/variables.tf b/infrastructure/terraform/components/reporting/variables.tf index 3a1c983a..b7e2c7e5 100644 --- a/infrastructure/terraform/components/reporting/variables.tf +++ b/infrastructure/terraform/components/reporting/variables.tf 
@@ -103,6 +103,12 @@ variable "enable_powerbi_gateway" { default = true } +variable "athena_driver_url" { + type = string + description = "Amazon Athena ODBC MSI download URL for PowerBI gateway bootstrap" + default = "https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi" +} + variable "powerbi_gateway_instance_count" { description = "Number of standalone Power BI On-Premises Gateway instances created directly from the launch template." type = number diff --git a/infrastructure/terraform/etc/env_eu-west-2_main.tfvars b/infrastructure/terraform/etc/env_eu-west-2_main.tfvars index d3662737..150c6057 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_main.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_main.tfvars @@ -15,6 +15,8 @@ core_account_ids = [ # PowerBI On-Premises Gateway variables: enable_powerbi_gateway = true +instance_type = "t3.xlarge" +root_volume_size = 200 public_subnet_cidrs = [ "10.0.1.0/24", From e4994ce0801305d6350bb9e604acdd757c05cea9 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 5 May 2026 10:12:18 +0100 Subject: [PATCH 2/5] CCM-15541: Fix Gitignores --- .gitleaksignore | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitleaksignore b/.gitleaksignore index 374d0269..732cac32 100644 --- a/.gitleaksignore +++ b/.gitleaksignore 
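Review bot: `athena_driver_url` accepts any string, and the template interpolates it into a double-quoted PowerShell string and then downloads and installs from it, so a typo, an `http://` URL, or a value containing `"` or `$(` would change what the bootstrap runs. A `validation` block on the variable would catch this at plan time, for example with `condition = can(regex("^https://downloads\\.athena\\.[a-z0-9-]+\\.amazonaws\\.com/[A-Za-z0-9._/-]+\\.msi$", var.athena_driver_url))` and an `error_message` naming the expected host. The description could also state that the MSI at this URL is installed by the gateway bootstrap script, so that overrides in tfvars get the same scrutiny as a code change.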
@@ -1,6 +1,6 @@ # SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore -9469a5a10e20b5c3275ba055e65ba98e7d11e9d2:infrastructure/terraform/components/reporting/README.md:ipv4:16 -9469a5a10e20b5c3275ba055e65ba98e7d11e9d2:infrastructure/terraform/components/reporting/variables.tf:ipv4:109 -ca243cb73d3804a14f3eeefa8073c96802420c52:infrastructure/terraform/etc/env_eu-west-2_int.tfvars:generic-api-key:29 -ca243cb73d3804a14f3eeefa8073c96802420c52:infrastructure/terraform/etc/env_eu-west-2_prod.tfvars:generic-api-key:43 +39565cc5ab1245e4e6a6368c19fd0aa9a187733a:infrastructure/terraform/components/reporting/README.md:ipv4:16 +39565cc5ab1245e4e6a6368c19fd0aa9a187733a:infrastructure/terraform/components/reporting/variables.tf:ipv4:109 +d38af4e4f6c36ca9c3d843193b434386a9bad5ee:infrastructure/terraform/etc/env_eu-west-2_int.tfvars:generic-api-key:29 +d38af4e4f6c36ca9c3d843193b434386a9bad5ee:infrastructure/terraform/etc/env_eu-west-2_prod.tfvars:generic-api-key:43 From d1168f0aba7e5db8a0d0566f08210c2609fa6fc5 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 5 May 2026 10:14:49 +0100 Subject: [PATCH 3/5] CCM-15541: Fix Gitignores --- .gitleaksignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitleaksignore b/.gitleaksignore index 732cac32..70ce96c8 100644 --- a/.gitleaksignore +++ b/.gitleaksignore 
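Review bot: These fingerprints suppress secret-scanner findings without recording why each one is safe, and two of them cover `generic-api-key` hits in the int and prod tfvars files. The `ipv4` entries can be explained from PATCH 1/5: line 109 of `variables.tf` is the driver URL default, whose `v2.1.0.0` version segment looks like an address, and README line 16 repeats it. Nothing visible in this series shows what the `generic-api-key` matches at lines 29 and 43 are. Add a `#` comment above each group, e.g. `# ipv4: Athena ODBC version string 2.1.0.0 in driver URL`, and a matching one for the tfvars entries once they are confirmed to be non-secret identifiers. The same applies to the `ca243cb…` lines re-added in PATCH 3/5.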
@@ -2,5 +2,7 @@ 39565cc5ab1245e4e6a6368c19fd0aa9a187733a:infrastructure/terraform/components/reporting/README.md:ipv4:16 39565cc5ab1245e4e6a6368c19fd0aa9a187733a:infrastructure/terraform/components/reporting/variables.tf:ipv4:109 +ca243cb73d3804a14f3eeefa8073c96802420c52:infrastructure/terraform/etc/env_eu-west-2_int.tfvars:generic-api-key:29 +ca243cb73d3804a14f3eeefa8073c96802420c52:infrastructure/terraform/etc/env_eu-west-2_prod.tfvars:generic-api-key:43 d38af4e4f6c36ca9c3d843193b434386a9bad5ee:infrastructure/terraform/etc/env_eu-west-2_int.tfvars:generic-api-key:29 d38af4e4f6c36ca9c3d843193b434386a9bad5ee:infrastructure/terraform/etc/env_eu-west-2_prod.tfvars:generic-api-key:43 From 429486b307d987cfebc4bfb2b2605dfbb717e45c Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 5 May 2026 11:29:41 +0100 Subject: [PATCH 4/5] CCM-15541: Remove PowerBI install - will do manually --- .../components/reporting/templates/cloudinit_config.tmpl | 3 --- 1 file changed, 3 deletions(-) diff --git a/infrastructure/terraform/components/reporting/templates/cloudinit_config.tmpl b/infrastructure/terraform/components/reporting/templates/cloudinit_config.tmpl index fa3c5a84..399b8d98 100644 --- a/infrastructure/terraform/components/reporting/templates/cloudinit_config.tmpl +++ b/infrastructure/terraform/components/reporting/templates/cloudinit_config.tmpl @@ -18,9 +18,6 @@ if (-not (Get-Command choco -ErrorAction SilentlyContinue)) { iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')) } -# Install PowerBI On-Premises Gateway and Desktop -choco install -y powerbigateway --ignore-checksums - # Install Powershell 7 choco install -y powershell-core From e863a3e19766fd9d9e4e0a70e2fa90e6a9f009e9 Mon Sep 17 00:00:00 2001 
From: jamesthompson26-nhs Date: Tue, 5 May 2026 11:48:30 +0100 Subject: [PATCH 5/5] CCM-15541: Testing Server 2025 --- .../reporting/launch_template_powerbi_gateway_standalone.tf | 2 +- .../reporting/ssm_maintenance_window_patch_window.tf | 4 ++-- .../ssm_maintenance_window_target_windows_instances.tf | 4 ++-- .../reporting/ssm_maintenance_window_task_patch_task.tf | 4 ++-- .../reporting/ssm_patch_baseline_windows_patch_baseline.tf | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/infrastructure/terraform/components/reporting/launch_template_powerbi_gateway_standalone.tf b/infrastructure/terraform/components/reporting/launch_template_powerbi_gateway_standalone.tf index 1199f786..8a5946e2 100644 --- a/infrastructure/terraform/components/reporting/launch_template_powerbi_gateway_standalone.tf +++ b/infrastructure/terraform/components/reporting/launch_template_powerbi_gateway_standalone.tf @@ -4,7 +4,7 @@ resource "aws_launch_template" "powerbi_gateway_standalone" { name = "${local.csi}-standalone" description = "Template for the Power BI On-Premises Gateway (standalone instances)" update_default_version = true - image_id = "resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base" + image_id = "resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2025-English-Full-Base" instance_type = var.instance_type user_data = data.cloudinit_config.powerbi_gateway[0].rendered instance_initiated_shutdown_behavior = var.enable_spot ? "terminate" : "stop" diff --git a/infrastructure/terraform/components/reporting/ssm_maintenance_window_patch_window.tf b/infrastructure/terraform/components/reporting/ssm_maintenance_window_patch_window.tf index 456bc65b..e5f35a5e 100644 --- a/infrastructure/terraform/components/reporting/ssm_maintenance_window_patch_window.tf +++ b/infrastructure/terraform/components/reporting/ssm_maintenance_window_patch_window.tf 
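Review bot: Switching `image_id` to the `Windows_Server-2025-English-Full-Base` parameter is paired, in the last hunk of this patch, with a patch baseline whose `PRODUCT` filter becomes `["WindowsServer2025"]` only. Any gateway instance still running Server 2022 when this is applied would presumably match no approval rule in `windows_patch_baseline` and stop receiving approved updates; whether existing `aws_instance` resources are replaced by the template change is not visible here. Keeping both products during the transition, `values = ["WindowsServer2022", "WindowsServer2025"]`, avoids that gap. Since the subject says this is a test of Server 2025, a comment on `image_id` noting that `resolve:ssm:` tracks the latest AMI, so rebuilt instances can differ between applies, would also help. The `aws_launch_template` block continues outside the hunk.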
@@ -2,7 +2,7 @@ resource "aws_ssm_maintenance_window" "patch_window_sunday" { count = var.enable_powerbi_gateway ? 1 : 0 name = "${local.csi}-windows-patch-window-sun" - description = "Windows Server 2022 Sunday Patch Window" + description = "Windows Server 2025 Sunday Patch Window" schedule = "cron(0 3 ? * SUN *)" # Every Sunday at 3 AM duration = 4 cutoff = 1 @@ -13,7 +13,7 @@ resource "aws_ssm_maintenance_window" "patch_window_wednesday" { count = var.enable_powerbi_gateway ? 1 : 0 name = "${local.csi}-windows-patch-window-wed" - description = "Windows Server 2022 Wednesday Patch Window" + description = "Windows Server 2025 Wednesday Patch Window" schedule = "cron(0 3 ? * WED *)" # Every Wednesday at 3 AM duration = 4 cutoff = 1 diff --git a/infrastructure/terraform/components/reporting/ssm_maintenance_window_target_windows_instances.tf b/infrastructure/terraform/components/reporting/ssm_maintenance_window_target_windows_instances.tf index ee1854bc..d4193bc1 100644 --- a/infrastructure/terraform/components/reporting/ssm_maintenance_window_target_windows_instances.tf +++ b/infrastructure/terraform/components/reporting/ssm_maintenance_window_target_windows_instances.tf @@ -1,7 +1,7 @@ resource "aws_ssm_maintenance_window_target" "windows_instances_sunday" { count = var.enable_powerbi_gateway && var.powerbi_gateway_instance_count >= 1 ? 1 : 0 - description = "Windows Server 2022 Sunday Maintenance Window Target " + description = "Windows Server 2025 Sunday Maintenance Window Target " window_id = aws_ssm_maintenance_window.patch_window_sunday[0].id resource_type = "INSTANCE" name = "${local.csi}-maintenance-window-target-sun" 
@@ -15,7 +15,7 @@ resource "aws_ssm_maintenance_window_target" "windows_instances_sunday" { resource "aws_ssm_maintenance_window_target" "windows_instances_wednesday" { count = var.enable_powerbi_gateway && var.powerbi_gateway_instance_count >= 2 ? 1 : 0 - description = "Windows Server 2022 Wednesday Maintenance Window Target" + description = "Windows Server 2025 Wednesday Maintenance Window Target" window_id = aws_ssm_maintenance_window.patch_window_wednesday[0].id resource_type = "INSTANCE" name = "${local.csi}-maintenance-window-target-wed" diff --git a/infrastructure/terraform/components/reporting/ssm_maintenance_window_task_patch_task.tf b/infrastructure/terraform/components/reporting/ssm_maintenance_window_task_patch_task.tf index 4f7d5b9e..3e0e5aa5 100644 --- a/infrastructure/terraform/components/reporting/ssm_maintenance_window_task_patch_task.tf +++ b/infrastructure/terraform/components/reporting/ssm_maintenance_window_task_patch_task.tf @@ -1,7 +1,7 @@ resource "aws_ssm_maintenance_window_task" "patch_task_sunday" { count = var.enable_powerbi_gateway ? 1 : 0 - description = "Windows Server 2022 Sunday Patch Task" + description = "Windows Server 2025 Sunday Patch Task" window_id = aws_ssm_maintenance_window.patch_window_sunday[0].id task_arn = "AWS-RunPatchBaseline" task_type = "RUN_COMMAND" @@ -33,7 +33,7 @@ resource "aws_ssm_maintenance_window_task" "patch_task_sunday" { resource "aws_ssm_maintenance_window_task" "patch_task_wednesday" { count = var.enable_powerbi_gateway && var.powerbi_gateway_instance_count >= 2 ? 1 : 0 - description = "Windows Server 2022 Wednesday Patch Task" + description = "Windows Server 2025 Wednesday Patch Task" window_id = aws_ssm_maintenance_window.patch_window_wednesday[0].id task_arn = "AWS-RunPatchBaseline" task_type = "RUN_COMMAND" 
diff --git a/infrastructure/terraform/components/reporting/ssm_patch_baseline_windows_patch_baseline.tf b/infrastructure/terraform/components/reporting/ssm_patch_baseline_windows_patch_baseline.tf index 992c477c..59a8fd1c 100644 --- a/infrastructure/terraform/components/reporting/ssm_patch_baseline_windows_patch_baseline.tf +++ b/infrastructure/terraform/components/reporting/ssm_patch_baseline_windows_patch_baseline.tf @@ -2,12 +2,12 @@ resource "aws_ssm_patch_baseline" "windows_patch_baseline" { count = var.enable_powerbi_gateway ? 1 : 0 name = "${local.csi}-windows-patch-baseline" - description = "Windows Server 2022 Patch Baseline" + description = "Windows Server 2025 Patch Baseline" operating_system = "WINDOWS" approval_rule { patch_filter { key = "PRODUCT" - values = ["WindowsServer2022"] + values = ["WindowsServer2025"] } patch_filter { key = "CLASSIFICATION"