NHSDigital · aidenvaines-cgi · Feb 10, 2026 · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026
@@ -7,15 +7,16 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: "Install Terraform binary"
+      shell: bash
+      run: |
+        asdf plugin add terraform || true
+        asdf install terraform || true
     - name: "Check Terraform format"
       shell: bash
       run: |
         check_only=true scripts/githooks/check-terraform-format.sh
     - name: "Validate Terraform"
       shell: bash
       run: |
-        stacks=${{ inputs.root-modules }}
-        for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do
-          dir=$dir opts='-backend=false' make terraform-init
-          dir=$dir make terraform-validate
-        done
+        make terraform-validate-all
@@ -148,6 +148,8 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
+      - name: "Setup ASDF"
+        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
   trivy-iac:

@@ -1,4 +1,4 @@
 resource "aws_cloudwatch_event_bus" "main" {
-  name = "${local.csi}"
+  name               = local.csi
   kms_key_identifier = module.kms.key_arn
 }
@@ -2,11 +2,11 @@ module "client_destination" {
   source   = "../../modules/client-destination"
   for_each = local.clients_by_name
 
-  project     = var.project
-  aws_account_id = var.aws_account_id
-  region = var.region
-  component   = var.component
-  environment = var.environment
+  project         = var.project
+  aws_account_id  = var.aws_account_id
+  region          = var.region
+  component       = var.component
+  environment     = var.environment
   client_bus_name = aws_cloudwatch_event_bus.main.name
 
   kms_key_arn = module.kms.key_arn
@@ -18,7 +18,7 @@ module "client_destination" {
   http_method                      = each.value.http_method
   header_name                      = each.value.header_name
   header_value                     = each.value.header_value
-  client_detail = each.value.client_detail
+  client_detail                    = each.value.client_detail
 
 
 

@@ -18,18 +18,18 @@ resource "aws_pipes_pipe" "main" {
     }
   }
 
-      target_parameters {
-      eventbridge_event_bus_parameters {
+  target_parameters {
+    eventbridge_event_bus_parameters {
 
-      }
+    }
 
-      input_template = <<EOF
+    input_template = <<EOF
 {
   "dataschemaversion": <$.body.dataschemaversion>,
   "type": <$.body.type>
 }
 EOF
-    }
+  }
 
   depends_on = [aws_iam_role_policy_attachment.main_pipe]
 }
@@ -104,11 +104,11 @@ variable "clients" {
 }
 
 variable "pipe_sqs_input_batch_size" {
-  type = number
+  type    = number
   default = 1
 }
 
 variable "pipe_sqs_max_batch_window" {
-  type = number
+  type    = number
   default = 2
 }
@@ -17,7 +17,7 @@ resource "aws_cloudwatch_event_target" "main" {
   rule           = aws_cloudwatch_event_rule.main.name
   arn            = aws_cloudwatch_event_api_destination.main.arn
   target_id      = "${local.csi}-${var.connection_name}"
-  role_arn = aws_iam_role.api_target_role.arn
+  role_arn       = aws_iam_role.api_target_role.arn
   event_bus_name = var.client_bus_name
 
   dead_letter_config {

@@ -44,32 +44,32 @@ data "aws_iam_policy_document" "api_target_role" {
   }
 
   statement {
-      sid    = replace("AllowSQSSendMessageForDLQFor${var.connection_name}", "-", "")
-      effect = "Allow"
+    sid    = replace("AllowSQSSendMessageForDLQFor${var.connection_name}", "-", "")
+    effect = "Allow"
 
-      actions = [
-        "sqs:SendMessage",
-      ]
+    actions = [
+      "sqs:SendMessage",
+    ]
 
-      resources = [
-        module.target_dlq.sqs_queue_arn,
-      ]
-    }
+    resources = [
+      module.target_dlq.sqs_queue_arn,
+    ]
+  }
 
   statement {
-      sid    = replace("AllowKMSForDLQFor${var.connection_name}", "-", "")
-      effect = "Allow"
+    sid    = replace("AllowKMSForDLQFor${var.connection_name}", "-", "")
+    effect = "Allow"
 
-      actions = [
-        "kms:ReEncrypt*",
-        "kms:GenerateDataKey*",
-        "kms:Encrypt",
-        "kms:DescribeKey",
-        "kms:Decrypt"
-      ]
+    actions = [
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Encrypt",
+      "kms:DescribeKey",
+      "kms:Decrypt"
+    ]
 
-      resources = [
-        var.kms_key_arn,
-      ]
-    }
+    resources = [
+      var.kms_key_arn,
+    ]
   }
+}
@@ -13,6 +13,7 @@ repos:
       - id: mixed-line-ending
       - id: pretty-format-json
         args: ['--autofix']
+        exclude: '(^|/)package(-lock)?\.json$'
     # -   id: ...
   - repo: local
     hooks:

@@ -8,5 +8,5 @@ MarkupSafe==2.1.3
 pip==23.3
 setuptools==78.1.1
 Werkzeug==3.0.6
-wheel==0.41.1
+wheel==0.46.2
 WTForms==3.0.1
@@ -29,11 +29,11 @@ function main() {
 #   check_only=[do not format, run check only]
 function terraform-fmt() {
 
-  local opts=
   if is-arg-true "$check_only"; then
-    opts="-check"
+    make terraform-fmt-check
+  else
+    make terraform-fmt
   fi
-  opts=$opts make terraform-fmt
 }
 
 # ==============================================================================