NHSDigital · JamesW1-NHS · Jan 21, 2026 · Jan 22, 2026 · Jan 22, 2026 · Jan 22, 2026
diff --git a/infrastructure/grafana/non-prod/docker/build_push_to_ecr.sh b/infrastructure/grafana/non-prod/docker/build_push_to_ecr.sh
@@ -1,49 +1,38 @@
 #!/bin/bash
 
+# Build the Grafana docker image.
+# This will be done manually. 
+# We assume the ECR artifacts have been created already by the Makefile.
+
 # Set variables
 
 dirname=$(dirname "${0}")
 DOCKERFILE_DIR=$(realpath "${dirname}")
 echo "DOCKERFILE_DIR: ${DOCKERFILE_DIR}"
 
-# if parameter not passed, prompt for the environment.
-# Do not accept response if it is not one of the following: prod, int, ref, internal-dev
-# loop until valid response is received
-if [[ -z "${1}" ]]; then
-  while true; do
-    read -r -p "Enter the environment (prod, int, ref, internal-dev): " ENVIRONMENT
-    case "${ENVIRONMENT}" in
-      prod|int|ref|internal-dev)
-        break
-        ;;
-      *)
-        echo "Invalid environment. Please enter one of: prod, int, ref, internal-dev."
-        ;;
-    esac
-  done
-else
-  ENVIRONMENT="${1}"
-fi
-# Check if the environment is valid
-if [[ ! "${ENVIRONMENT}" =~ ^(prod|int|ref|internal-dev)$ ]]; then
-  echo "Invalid environment. Please enter one of: prod, int, ref, internal-dev."
-  exit 1
+# Import the terraform's .env file; it should contain the ENVIRONMENT
+source ../terraform/.env
+
+# If it doesn't, prompt for the environment.
+# Do not accept response if it is not one of the following: dev, preprod, prod
+
+environments=(dev preprod prod)
+if [[ ! "${ENVIRONMENT}" =~ "$environments" ]] ; then
+  echo "Invalid environment: ${ENVIRONMENT}"
+  read -r -p "Please enter one of: ${environments[*]}: " ENVIRONMENT
+  if [[ ! "${ENVIRONMENT}" =~ "$environments" ]] ; then
+    echo "Invalid environment"
+    exit 1
+  fi
 fi
 
 # Set the prefix and other variables
 PREFIX="imms-${ENVIRONMENT}"
-AWS_REGION="eu-west-2"
 ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
 REPOSITORY_NAME="${PREFIX}-grafana-app"
 IMAGE_TAG="11.0.0-22.04_stable"
 LOCAL_IMAGE_NAME="${REPOSITORY_NAME}:${IMAGE_TAG}"
 IMAGE_NAME="${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${LOCAL_IMAGE_NAME}"
-TAGS='[
-  {"Key": "Environment", "Value": "non-prod"},
-  {"Key": "Project", "Value": "immunisation-fhir-api-grafana"},
-  {"Key": "Environment", "Value": "'"${ENVIRONMENT}"'"}
-]'
-LIFECYCLE_POLICY_FILE="lifecycle-policy.json"
 
 # Change to the directory containing the Dockerfile
 if ! cd "${DOCKERFILE_DIR}"; then
@@ -57,17 +46,6 @@ if [[ ! -f Dockerfile ]]; then
   exit 1
 fi
 
-# Create ECR repository if it does not exist
-if ! aws ecr describe-repositories --repository-names "${REPOSITORY_NAME}" --region "${AWS_REGION}" > /dev/null 2>&1; then
-  echo "Creating ECR repository: ${REPOSITORY_NAME}"
-  aws ecr create-repository --repository-name "${REPOSITORY_NAME}" --region "${AWS_REGION}"
-  # Add tags to the repository
-  aws ecr tag-resource --resource-arn "arn:aws:ecr:${AWS_REGION}:${ACCOUNT_ID}:repository/${REPOSITORY_NAME}" --tags "${TAGS}"
-fi
-
-# Apply lifecycle policy to the ECR repository
-aws ecr put-lifecycle-policy --repository-name "${REPOSITORY_NAME}" --lifecycle-policy-text "file://${LIFECYCLE_POLICY_FILE}" --region "${AWS_REGION}"
-
 printf "Building and pushing Docker image to ECR...\n"
 # Authenticate Docker to ECR
 aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AWS --password-stdin "${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"

diff --git a/infrastructure/grafana/non-prod/terraform/.terraform.lock.hcl b/infrastructure/grafana/non-prod/terraform/.terraform.lock.hcl
diff --git a/infrastructure/grafana/non-prod/terraform/Makefile b/infrastructure/grafana/non-prod/terraform/Makefile
@@ -0,0 +1,63 @@
+-include .env
+
+environment         ?= $(ENVIRONMENT)
+region              ?= $(AWS_REGION)
+
+tf_cmd = AWS_PROFILE=$(AWS_PROFILE) terraform
+
+bucket_name = immunisation-$(environment)-grafana-terraform-state
+state_key=state/$(environment)/terraform.tfstate
+
+tf_state = \
+  -backend-config="key=$(state_key)" \
+  -backend-config="bucket=$(bucket_name)" \
+  -backend-config="region=$(region)" 
+
+tf_vars = \
+  -var="environment=$(environment)" \
+  -var-file="./terraform.tfvars"
+
+tf_bucket_vars = \
+  --bucket "$(bucket_name)" \
+  --region "$(region)" \
+  --create-bucket-configuration LocationConstraint="$(region)"
+
+tf_bucket_versioning = \
+  --bucket "$(bucket_name)" \
+  --versioning-configuration Status=Enabled \
+
+bucket-exists:
+	@echo 'Checking if the S3 bucket $(bucket_name) exists...'
+	@aws s3 ls $(bucket_name) >/dev/null 2>&1 || echo "aws s3 bucket $(bucket_name) does not exist"
+
+bucket-create:
+	aws s3api create-bucket $(tf_bucket_vars)
+	aws s3api put-bucket-versioning $(tf_bucket_versioning)
+
+init:
+	$(tf_cmd) init $(tf_state) -upgrade
+
+init-reconfigure:
+	$(tf_cmd) init $(tf_state) -reconfigure
+
+workspace:
+	$(tf_cmd) workspace select -or-create $(environment) && echo "Switched to workspace/environment: $(environment)"
+
+plan: workspace
+	 $(tf_cmd) plan $(tf_vars)
+
+plan-ci: workspace
+	 $(tf_cmd) plan $(tf_vars) -out=tfplan -input=false
+
+plan-changes: workspace
+	 $(tf_cmd) plan $(tf_vars) -out=plan && $(tf_cmd) show -no-color -json plan | jq -r '.resource_changes[] | select(.change.actions[0]=="update" or .change.actions[0]=="create" or .change.actions[0]=="add") | .address'
+
+# TODO: the actual application will be in infrastructure/account
+# this implementation of 'apply' is for test purposes
+apply: workspace
+	 $(tf_cmd) apply $(tf_vars) -auto-approve
+
+clean:
+	rm -rf build .terraform upload-key
+
+.PHONY : workspace init plan clean
diff --git a/infrastructure/grafana/non-prod/terraform/grafana.tf b/infrastructure/grafana/non-prod/terraform/grafana.tf
@@ -0,0 +1,41 @@
+# S3 state bucket
+resource "aws_s3_bucket" "grafana_tf_state_bucket" {
+  bucket = "immunisation-${var.environment}-grafana-terraform-state"
+  region = var.aws_region
+}
+
+resource "aws_s3_bucket_versioning" "grafana_tf_state_bucket_versioning" {
+  bucket = aws_s3_bucket.grafana_tf_state_bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+# Grafana ECR repo
+resource "aws_ecr_repository" "grafana_ecr_repository" {
+  name = "${local.prefix}-app"
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "grafana_ecr_lifecycle_policy" {
+  repository = aws_ecr_repository.grafana_ecr_repository.name
+
+  policy = jsonencode({
+    rules = [
+      {
+        rule_priority = 1
+        description   = "Keep only 10 images"
+        selection = {
+          count_type   = "imageCountMoreThan"
+          count_number = 10
+          tag_status   = "any"
+        }
+        action = {
+          type = "expire"
+        }
+      }
+    ]
+  })
+}
diff --git a/infrastructure/grafana/non-prod/terraform/main.tf b/infrastructure/grafana/non-prod/terraform/main.tf
@@ -23,17 +23,17 @@ terraform {
 }
 
 provider "aws" {
-  region  = var.aws_region
-  profile = "apim-dev"
+  region = var.aws_region
+  #  profile = "apim-dev"
   default_tags {
     tags = var.tags
   }
 }
 
 provider "aws" {
-  alias   = "acm_provider"
-  region  = var.aws_region
-  profile = "apim-dev"
+  alias  = "acm_provider"
+  region = var.aws_region
+  #  profile = "apim-dev"
 }
 
 data "aws_region" "current" {}

diff --git a/infrastructure/grafana/non-prod/terraform/tf_init.sh b/infrastructure/grafana/non-prod/terraform/tf_init.sh
@@ -1,55 +1,4 @@
 #!/bin/bash
 
-# Exit immediately if a command fails
-set -e
-
-# Check if an environment is provided
-if [ -z "$1" ]; then
-  echo "Usage: $0 <environment> [migrate|reconfigure]"
-  exit 1
-fi
-
-ENVIRONMENT=$1
-ACTION=${2:-""} # Optional second argument for migrate or reconfigure
-
-# Define backend configuration
-BUCKET="immunisation-grafana-terraform-state"
-REGION="eu-west-2"
-STATE_KEY="state/${ENVIRONMENT}/terraform.tfstate"
-
-# Check if the S3 bucket exists, create it if it doesn't
-if ! aws s3api head-bucket --bucket "$BUCKET" 2>/dev/null; then
-  echo "S3 bucket $BUCKET does not exist. Creating it..."
-  aws s3api create-bucket \
-    --bucket "$BUCKET" \
-    --region "$REGION" \
-    --create-bucket-configuration LocationConstraint="$REGION"
-
-  # Enable versioning on the bucket
-  echo "Enabling versioning on S3 bucket $BUCKET..."
-  aws s3api put-bucket-versioning \
-    --bucket "$BUCKET" \
-    --versioning-configuration Status=Enabled
-else
-  echo "S3 bucket $BUCKET already exists."
-fi
-
-# Initialize Terraform with dynamic backend configuration
-if [ "$ACTION" == "migrate" ]; then
-  terraform init -migrate-state \
-    -backend-config="key=${STATE_KEY}" \
-    -backend-config="bucket=${BUCKET}" \
-    -backend-config="region=${REGION}"
-elif [ "$ACTION" == "reconfigure" ]; then
-  terraform init -reconfigure \
-    -backend-config="key=${STATE_KEY}" \
-    -backend-config="bucket=${BUCKET}" \
-    -backend-config="region=${REGION}"
-else
-  terraform init \
-    -backend-config="key=${STATE_KEY}" \
-    -backend-config="bucket=${BUCKET}" \
-    -backend-config="region=${REGION}"
-fi
-
-echo "Terraform initialized for environment: ${ENVIRONMENT}"
+echo "This script file is no longer used. Use the Makefile instead."
+exit 1
diff --git a/infrastructure/grafana/non-prod/terraform/variables.tf b/infrastructure/grafana/non-prod/terraform/variables.tf
@@ -1,3 +1,5 @@
+variable "environment" {}
+
 variable "project_name" {
   default = "immunisations"
 }