From 00428a3894c103c55148c1259a74066d4dc65287 Mon Sep 17 00:00:00 2001 
From: modernisation-platform-ci Date: Thu, 23 Feb 2023 17:35:50 +0000 Subject: [PATCH] Workflow: created files in . --- .github/CODEOWNERS | 1 + .../workflows/nomis-combined-reporting.yml | 177 ++++++++++++++++++ .../apex/networking.auto.tfvars.json | 2 +- .../ccms-ebs/networking.auto.tfvars.json | 2 +- .../cooker/networking.auto.tfvars.json | 2 +- .../networking.auto.tfvars.json | 2 +- .../delius-iaps/networking.auto.tfvars.json | 2 +- .../delius-jitbit/networking.auto.tfvars.json | 2 +- .../networking.auto.tfvars.json | 2 +- .../equip/networking.auto.tfvars.json | 2 +- .../example/networking.auto.tfvars.json | 2 +- .../laa-oem/networking.auto.tfvars.json | 2 +- .../networking.auto.tfvars.json | 2 +- .../maatdb/networking.auto.tfvars.json | 2 +- .../mlra/networking.auto.tfvars.json | 2 +- .../nomis-combined-reporting/README.md | 76 ++++++++ .../application_variables.json | 16 ++ .../nomis-combined-reporting/data.tf | 1 + .../nomis-combined-reporting/member_locals.tf | 1 + .../member_secrets.tf | 1 + .../networking.auto.tfvars.json | 9 + .../platform_backend.tf | 13 ++ .../platform_base_variables.tf | 5 + .../nomis-combined-reporting/platform_data.tf | 173 +++++++++++++++++ .../platform_locals.tf | 38 ++++ .../platform_providers.tf | 84 +++++++++ .../platform_secrets.tf | 16 ++ .../platform_versions.tf | 13 ++ .../nomis/networking.auto.tfvars.json | 2 +- .../oas/networking.auto.tfvars.json | 2 +- .../oasys/networking.auto.tfvars.json | 2 +- .../networking.auto.tfvars.json | 2 +- .../ppud/networking.auto.tfvars.json | 2 +- .../refer-monitor/networking.auto.tfvars.json | 2 +- .../sprinkler/networking.auto.tfvars.json | 2 +- .../tariff/networking.auto.tfvars.json | 2 +- .../tipstaff/networking.auto.tfvars.json | 2 +- .../xhibit-portal/networking.auto.tfvars.json | 2 +- 38 files changed, 647 insertions(+), 23 deletions(-) create mode 100644 .github/workflows/nomis-combined-reporting.yml create mode 100644 terraform/environments/nomis-combined-reporting/README.md create 
mode 100644 terraform/environments/nomis-combined-reporting/application_variables.json create mode 100644 terraform/environments/nomis-combined-reporting/data.tf create mode 100644 terraform/environments/nomis-combined-reporting/member_locals.tf create mode 100644 terraform/environments/nomis-combined-reporting/member_secrets.tf create mode 100644 terraform/environments/nomis-combined-reporting/networking.auto.tfvars.json create mode 100644 terraform/environments/nomis-combined-reporting/platform_backend.tf create mode 100644 terraform/environments/nomis-combined-reporting/platform_base_variables.tf create mode 100644 terraform/environments/nomis-combined-reporting/platform_data.tf create mode 100644 terraform/environments/nomis-combined-reporting/platform_locals.tf create mode 100644 terraform/environments/nomis-combined-reporting/platform_providers.tf create mode 100644 terraform/environments/nomis-combined-reporting/platform_secrets.tf create mode 100644 terraform/environments/nomis-combined-reporting/platform_versions.tf diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index f7f16a18003..42a849f7ba2 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -14,6 +14,7 @@
 /terraform/environments/long-term-storage @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform
 /terraform/environments/maatdb @ministryofjustice/laa-aws-infrastructure @ministryofjustice/modernisation-platform
 /terraform/environments/mlra @ministryofjustice/laa-aws-infrastructure @ministryofjustice/modernisation-platform
+/terraform/environments/nomis-combined-reporting @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
 /terraform/environments/nomis @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
 /terraform/environments/oas @ministryofjustice/laa-aws-infrastructure @ministryofjustice/modernisation-platform
 /terraform/environments/oasys @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
diff --git a/.github/workflows/nomis-combined-reporting.yml b/.github/workflows/nomis-combined-reporting.yml
new file mode 100644
index 00000000000..6511356fd6d
--- /dev/null
+++ b/.github/workflows/nomis-combined-reporting.yml
@@ -0,0 +1,177 @@
+---
+name: nomis-combined-reporting
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - 'terraform/environments/nomis-combined-reporting/**'
+ - '.github/workflows/nomis-combined-reporting.yml'
+ pull_request:
+ branches:
+ - main
+ types: [opened, edited, reopened, synchronize]
+ paths:
+ - 'terraform/environments/nomis-combined-reporting/**'
+ - '.github/workflows/nomis-combined-reporting.yml'
+ workflow_dispatch:
+env:
+ TF_IN_AUTOMATION: true
+ AWS_REGION: "eu-west-2"
+ ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+defaults:
+ run:
+ shell: bash
+
+jobs:
+
+ plan-dev-test:
+ strategy:
+ matrix:
+ include:
+ - environment: development
+ - environment: test
+ name: Plan - ${{ matrix.environment }}
+ runs-on: ubuntu-latest
+ if: github.ref != 'refs/heads/main' || github.event_name == 'workflow_dispatch'
+ env:
+ TF_ENV: ${{ matrix.environment }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ - name: Set Account Number
+ run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${GITHUB_WORKFLOW}-${TF_ENV}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ with:
+ role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
+ role-session-name: githubactionsrolesession
+ aws-region: ${{ env.AWS_REGION }}
+ - name: Load and Configure Terraform
+ uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+ with:
+ terraform_version: "~1"
+ terraform_wrapper: false
+ - name: Plan - ${{ matrix.environment }}
+ run: |
+ terraform --version
+ echo "Terraform plan - ${TF_ENV}"
+ bash scripts/terraform-init.sh terraform/environments/$GITHUB_WORKFLOW
+ terraform -chdir="terraform/environments/${GITHUB_WORKFLOW}" workspace select "${GITHUB_WORKFLOW}-${TF_ENV}"
+ bash scripts/terraform-plan.sh terraform/environments/$GITHUB_WORKFLOW
+
+ # These jobs run when creating a pull request
+ deploy-dev-test:
+ needs: plan-dev-test
+ if: success()
+ strategy:
+ matrix:
+ include:
+ - environment: development
+ - environment: test
+ name: Apply - ${{ matrix.environment }}
+ runs-on: ubuntu-latest
+ env:
+ TF_ENV: ${{ matrix.environment }}
+ environment:
+ name: ${{ github.workflow }}-${{ matrix.environment }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ - name: Set Account Number
+ run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${GITHUB_WORKFLOW}-${TF_ENV}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ with:
+ role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
+ role-session-name: githubactionsrolesession
+ aws-region: ${{ env.AWS_REGION }}
+ - name: Load and Configure Terraform
+ uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+ with:
+ terraform_version: "~1"
+ terraform_wrapper: false
+ - name: Apply - ${{ matrix.environment }}
+ run: |
+ terraform --version
+ echo "Terraform apply - ${TF_ENV}"
+ bash scripts/terraform-init.sh terraform/environments/$GITHUB_WORKFLOW
+ terraform -chdir="terraform/environments/${GITHUB_WORKFLOW}" workspace select "${GITHUB_WORKFLOW}-${TF_ENV}"
+ bash scripts/terraform-apply.sh terraform/environments/$GITHUB_WORKFLOW
+
+# # Plan + deploy for pre-production and production environments, only from main
+ plan-preprod-prod:
+ strategy:
+ matrix:
+ include:
+ - environment: preproduction
+ - environment: production
+ name: Plan - ${{ matrix.environment }}
+ runs-on: ubuntu-latest
+ if: github.ref == 'refs/heads/main'
+ env:
+ TF_ENV: ${{ matrix.environment }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ - name: Set Account Number
+ run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${GITHUB_WORKFLOW}-${TF_ENV}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ with:
+ role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
+ role-session-name: githubactionsrolesession
+ aws-region: ${{ env.AWS_REGION }}
+ - name: Load and Configure Terraform
+ uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+ with:
+ terraform_version: "~1"
+ terraform_wrapper: false
+ - name: Plan - ${{ matrix.environment }}
+ run: |
+ terraform --version
+ echo "Terraform plan - ${TF_ENV}"
+ bash scripts/terraform-init.sh terraform/environments/$GITHUB_WORKFLOW
+ terraform -chdir="terraform/environments/${GITHUB_WORKFLOW}" workspace select "${GITHUB_WORKFLOW}-${TF_ENV}"
+ bash scripts/terraform-plan.sh terraform/environments/$GITHUB_WORKFLOW
+ # These jobs run when creating a pull request
+ deploy-preprod-prod:
+ needs: plan-preprod-prod
+ if: success()
+ strategy:
+ matrix:
+ include:
+ - environment: preproduction
+ - environment: production
+ name: Apply - ${{ matrix.environment }}
+ runs-on: ubuntu-latest
+ env:
+ TF_ENV: ${{ matrix.environment }}
+ environment:
+ name: ${{ github.workflow }}-${{ matrix.environment }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ - name: Set Account Number
+ run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${GITHUB_WORKFLOW}-${TF_ENV}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ with:
+ role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
+ role-session-name: githubactionsrolesession
+ aws-region: ${{ env.AWS_REGION }}
+ - name: Load and Configure Terraform
+ uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+ with:
+ terraform_version: "~1"
+ terraform_wrapper: false
+ - name: Apply - ${{ matrix.environment }}
+ run: |
+ terraform --version
+ echo "Terraform apply - ${TF_ENV}"
+ bash scripts/terraform-init.sh terraform/environments/$GITHUB_WORKFLOW
+ terraform -chdir="terraform/environments/${GITHUB_WORKFLOW}" workspace select "${GITHUB_WORKFLOW}-${TF_ENV}"
+ bash scripts/terraform-apply.sh terraform/environments/$GITHUB_WORKFLOW
diff --git a/terraform/environments/apex/networking.auto.tfvars.json b/terraform/environments/apex/networking.auto.tfvars.json
index bea162bc36e..feabefec712 100644
--- a/terraform/environments/apex/networking.auto.tfvars.json
+++ b/terraform/environments/apex/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "laa",
+ "business-unit": "core",
 "set": "general",
 "application": "apex"
 }
diff --git a/terraform/environments/ccms-ebs/networking.auto.tfvars.json b/terraform/environments/ccms-ebs/networking.auto.tfvars.json
index 1825d7f68e9..81a30ba2ba2 100644
--- a/terraform/environments/ccms-ebs/networking.auto.tfvars.json
+++ b/terraform/environments/ccms-ebs/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "laa",
+ "business-unit": "core",
 "set": "general",
 "application": "ccms-ebs"
 }
diff --git a/terraform/environments/cooker/networking.auto.tfvars.json b/terraform/environments/cooker/networking.auto.tfvars.json
index 8c7c304ddb9..48c4dd4e8f9 100644
--- a/terraform/environments/cooker/networking.auto.tfvars.json
+++ b/terraform/environments/cooker/networking.auto.tfvars.json
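Review bot: The comment `# These jobs run when creating a pull request` placed above `deploy-preprod-prod` is copied from the dev/test section and is wrong for this job: it is chained through `needs: plan-preprod-prod`, whose condition is `github.ref == 'refs/heads/main'`, so it never runs for a pull request. Suggest `# Apply for preproduction/production; only reachable from main via plan-preprod-prod`, and drop the stray second hash in `# # Plan + deploy for pre-production and production environments, only from main`. Separately, none of the apply jobs declare a `concurrency` group, so two pushes to main in quick succession start parallel `terraform apply` runs against the same workspace; the S3 backend added in platform_backend.tf in this patch sets no `dynamodb_table`, so nothing visible here serialises them. A job-level `concurrency: ${{ github.workflow }}-${{ matrix.environment }}` (leaving cancel-in-progress at its default of false so a running apply is never interrupted) would queue them instead.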
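Review bot: The `business-unit` change from `laa` to `core` in apex/networking.auto.tfvars.json does not belong to "created files" for nomis-combined-reporting and looks like a side effect of the generation run; the same rewrite (from `laa`, `hmpps`, `hq`, `house` and `platforms`) appears in the other eighteen networking.auto.tfvars.json hunks in this patch (ccms-ebs, cooker, data-and-insights-wepi, delius-iaps, delius-jitbit, digital-prison-reporting, equip, example, laa-oem, long-term-storage, maatdb, mlra, nomis, oas, oasys, ppud, refer-monitor, sprinkler, tariff, tipstaff, xhibit-portal). In the template files added by this same commit, `business-unit` selects the shared VPC (`data "aws_vpc" "shared"` matches tag Name `${var.networking[0].business-unit}-${local.environment}`) and the `core-vpc` provider role `member-delegation-${local.vpc_name}-${local.environment}`; presumably the existing environments use the same template, in which case re-pointing all of them at `core` changes the network and the delegation role each one plans against. Unless a `core` business unit is intended for every environment, these hunks should be dropped and the generator fixed before merging.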
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "house",
+ "business-unit": "core",
 "set": "general",
 "application": "cooker"
 }
diff --git a/terraform/environments/data-and-insights-wepi/networking.auto.tfvars.json b/terraform/environments/data-and-insights-wepi/networking.auto.tfvars.json
index fcac8bc3aaa..2afcdaf645d 100644
--- a/terraform/environments/data-and-insights-wepi/networking.auto.tfvars.json
+++ b/terraform/environments/data-and-insights-wepi/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "hq",
+ "business-unit": "core",
 "set": "general",
 "application": "data-and-insights-wepi"
 }
diff --git a/terraform/environments/delius-iaps/networking.auto.tfvars.json b/terraform/environments/delius-iaps/networking.auto.tfvars.json
index 97b218daa05..03386876242 100644
--- a/terraform/environments/delius-iaps/networking.auto.tfvars.json
+++ b/terraform/environments/delius-iaps/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "hmpps",
+ "business-unit": "core",
 "set": "general",
 "application": "delius-iaps"
 }
diff --git a/terraform/environments/delius-jitbit/networking.auto.tfvars.json b/terraform/environments/delius-jitbit/networking.auto.tfvars.json
index a98c4a1e212..45f8d776295 100644
--- a/terraform/environments/delius-jitbit/networking.auto.tfvars.json
+++ b/terraform/environments/delius-jitbit/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "hmpps",
+ "business-unit": "core",
 "set": "general",
 "application": "delius-jitbit"
 }
diff --git a/terraform/environments/digital-prison-reporting/networking.auto.tfvars.json b/terraform/environments/digital-prison-reporting/networking.auto.tfvars.json
index 3cdbb32b861..35279b0f63c 100644
--- a/terraform/environments/digital-prison-reporting/networking.auto.tfvars.json
+++ b/terraform/environments/digital-prison-reporting/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "hmpps",
+ "business-unit": "core",
 "set": "general",
 "application": "digital-prison-reporting"
 }
diff --git a/terraform/environments/equip/networking.auto.tfvars.json b/terraform/environments/equip/networking.auto.tfvars.json
index 56648f0cd6e..666b404c731 100644
--- a/terraform/environments/equip/networking.auto.tfvars.json
+++ b/terraform/environments/equip/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "hmpps",
+ "business-unit": "core",
 "set": "general",
 "application": "equip"
 }
diff --git a/terraform/environments/example/networking.auto.tfvars.json b/terraform/environments/example/networking.auto.tfvars.json
index 8b99992a5dd..f99221971bb 100644
--- a/terraform/environments/example/networking.auto.tfvars.json
+++ b/terraform/environments/example/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "platforms",
+ "business-unit": "core",
 "set": "general",
 "application": "example"
 }
diff --git a/terraform/environments/laa-oem/networking.auto.tfvars.json b/terraform/environments/laa-oem/networking.auto.tfvars.json
index 9d2865ea770..c97bcc67c1b 100644
--- a/terraform/environments/laa-oem/networking.auto.tfvars.json
+++ b/terraform/environments/laa-oem/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "laa",
+ "business-unit": "core",
 "set": "general",
 "application": "laa-oem"
 }
diff --git a/terraform/environments/long-term-storage/networking.auto.tfvars.json b/terraform/environments/long-term-storage/networking.auto.tfvars.json
index cfdd58c8f6c..9239a379d72 100644
--- a/terraform/environments/long-term-storage/networking.auto.tfvars.json
+++ b/terraform/environments/long-term-storage/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "platforms",
+ "business-unit": "core",
 "set": "general",
 "application": "long-term-storage"
 }
diff --git a/terraform/environments/maatdb/networking.auto.tfvars.json b/terraform/environments/maatdb/networking.auto.tfvars.json index 6c950cfb96e..54e2810c1b9 100644 --- a/terraform/environments/maatdb/networking.auto.tfvars.json +++ b/terraform/environments/maatdb/networking.auto.tfvars.json @@ -1,7 +1,7 @@ { "networking": [ { - "business-unit": "laa", + "business-unit": "core", "set": "general", "application": "maatdb" } diff --git a/terraform/environments/mlra/networking.auto.tfvars.json b/terraform/environments/mlra/networking.auto.tfvars.json index 751174fd689..b8eb7f64279 100644 --- a/terraform/environments/mlra/networking.auto.tfvars.json +++ b/terraform/environments/mlra/networking.auto.tfvars.json @@ -1,7 +1,7 @@ { "networking": [ { - "business-unit": "laa", + "business-unit": "core", "set": "general", "application": "mlra" } diff --git a/terraform/environments/nomis-combined-reporting/README.md b/terraform/environments/nomis-combined-reporting/README.md new file mode 100644 index 00000000000..9aa2658704c --- /dev/null +++ b/terraform/environments/nomis-combined-reporting/README.md @@ -0,0 +1,76 @@ +# Service Runbook + + + +_If you have any questions surrounding this page please post in the `#team-name` channel._ + +## Mandatory Information + +### **Last review date:** + + + +### **Description:** + + + +### **Service URLs:** + + + +### **Incident response hours:** + + + +### **Incident contact details:** + + + +### **Service team contact:** + + + +### **Hosting environment:** + +Modernisation Platform + + + +## Optional + +### **Other URLs:** + + + +### **Expected speed and frequency of releases:** + + + +### **Automatic alerts:** + + + +### **Impact of an outage:** + + + +### **Out of hours response types:** + + + +### **Consumers of this service:** + + + +### **Services consumed by this:** + + + +### **Restrictions on access:** + + + +### **How to resolve specific issues:** + + 
diff --git a/terraform/environments/nomis-combined-reporting/application_variables.json b/terraform/environments/nomis-combined-reporting/application_variables.json new file mode 100644 index 00000000000..6b52bfe9b30 --- /dev/null +++ b/terraform/environments/nomis-combined-reporting/application_variables.json @@ -0,0 +1,16 @@ +{ + "accounts": { + "development": { + "example_var": "dev-data" + }, + "test": { + "example_var": "test-data" + }, + "preproduction": { + "example_var": "preproduction-data" + }, + "production": { + "example_var": "production-data" + } + } +} diff --git a/terraform/environments/nomis-combined-reporting/data.tf b/terraform/environments/nomis-combined-reporting/data.tf new file mode 100644 index 00000000000..96a2521d17e --- /dev/null +++ b/terraform/environments/nomis-combined-reporting/data.tf @@ -0,0 +1 @@ +#### This file can be used to store data specific to the member account #### diff --git a/terraform/environments/nomis-combined-reporting/member_locals.tf b/terraform/environments/nomis-combined-reporting/member_locals.tf new file mode 100644 index 00000000000..a7454414911 --- /dev/null +++ b/terraform/environments/nomis-combined-reporting/member_locals.tf @@ -0,0 +1 @@ +#### This file can be used to store locals specific to the member account #### diff --git a/terraform/environments/nomis-combined-reporting/member_secrets.tf b/terraform/environments/nomis-combined-reporting/member_secrets.tf new file mode 100644 index 00000000000..a6a94d9c098 --- /dev/null +++ b/terraform/environments/nomis-combined-reporting/member_secrets.tf @@ -0,0 +1 @@ +#### This file can be used to store secrets specific to the member account #### diff --git a/terraform/environments/nomis-combined-reporting/networking.auto.tfvars.json b/terraform/environments/nomis-combined-reporting/networking.auto.tfvars.json new file mode 100644 index 00000000000..a9713e63c9b --- /dev/null +++ b/terraform/environments/nomis-combined-reporting/networking.auto.tfvars.json 
@@ -0,0 +1,9 @@ +{ + "networking": [ + { + "business-unit": "", + "set": "", + "application": "nomis-combined-reporting" + } + ] +} diff --git a/terraform/environments/nomis-combined-reporting/platform_backend.tf b/terraform/environments/nomis-combined-reporting/platform_backend.tf new file mode 100644 index 00000000000..66e1c7d1d9b --- /dev/null +++ b/terraform/environments/nomis-combined-reporting/platform_backend.tf @@ -0,0 +1,13 @@ +# Backend +terraform { + # `backend` blocks do not support variables, so the following are hard-coded here: + # - S3 bucket name, which is created in modernisation-platform-account/s3.tf + backend "s3" { + acl = "bucket-owner-full-control" + bucket = "modernisation-platform-terraform-state" + encrypt = true + key = "terraform.tfstate" + region = "eu-west-2" + workspace_key_prefix = "environments/members/nomis-combined-reporting" # This will store the object as environments/members/nomis-combined-reporting/${workspace}/terraform.tfstate + } +} diff --git a/terraform/environments/nomis-combined-reporting/platform_base_variables.tf b/terraform/environments/nomis-combined-reporting/platform_base_variables.tf new file mode 100644 index 00000000000..d196e7a5f26 --- /dev/null +++ b/terraform/environments/nomis-combined-reporting/platform_base_variables.tf @@ -0,0 +1,5 @@ +variable "networking" { + + type = list(any) + +} \ No newline at end of file diff --git a/terraform/environments/nomis-combined-reporting/platform_data.tf b/terraform/environments/nomis-combined-reporting/platform_data.tf new file mode 100644 index 00000000000..8e14a10510b --- /dev/null +++ b/terraform/environments/nomis-combined-reporting/platform_data.tf 
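Review bot: `business-unit` and `set` are committed as empty strings, and every consumer added in this patch interpolates them unguarded: `data "aws_vpc" "shared"` would search for a VPC tagged `-development`, `local.provider_name` stays `core-vpc-development` but the assumed role becomes `member-delegation--development`, and the KMS lookups become `alias/general-`, `alias/ebs-` and `alias/rds-`. The first plan for this environment will therefore fail at the VPC lookup with an error that does not name the real cause. Either populate both values in this commit (every other environment in the patch uses `"set": "general"`, which is presumably wanted here too) or add a `validation` block to `variable "networking"` in platform_base_variables.tf, e.g. `condition = alltrue([for n in var.networking : n.business-unit != "" && n.set != ""])` with an error message saying the networking tfvars are unpopulated, so the failure is explicit.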
@@ -0,0 +1,173 @@ +# Current account data +data "aws_region" "current" {} + +data "aws_caller_identity" "current" {} + +# VPC and subnet data +data "aws_vpc" "shared" { + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}" + } +} + +data "aws_subnets" "shared-data" { + filter { + name = "vpc-id" + values = [data.aws_vpc.shared.id] + } + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data*" + } +} + +data "aws_subnets" "private-public" { + filter { + name = "vpc-id" + values = [data.aws_vpc.shared.id] + } + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private*" + } +} + +data "aws_subnets" "shared-public" { + filter { + name = "vpc-id" + values = [data.aws_vpc.shared.id] + } + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public*" + } +} + +data "aws_subnet" "data_subnets_a" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}a" + } +} + +data "aws_subnet" "data_subnets_b" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}b" + } +} + +data "aws_subnet" "data_subnets_c" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}c" + } +} + +data "aws_subnet" "private_subnets_a" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}a" + } +} + +data "aws_subnet" "private_subnets_b" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = 
"${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}b" + } +} + +data "aws_subnet" "private_subnets_c" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}c" + } +} + +data "aws_subnet" "public_subnets_a" { + vpc_id = data.aws_vpc.shared.id + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}a" + } +} + +data "aws_subnet" "public_subnets_b" { + vpc_id = data.aws_vpc.shared.id + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}b" + } +} + +data "aws_subnet" "public_subnets_c" { + vpc_id = data.aws_vpc.shared.id + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}c" + } +} + +# Route53 DNS data +data "aws_route53_zone" "external" { + provider = aws.core-vpc + + name = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk." + private_zone = false +} + +data "aws_route53_zone" "inner" { + provider = aws.core-vpc + + name = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.internal." + private_zone = true +} + +data "aws_route53_zone" "network-services" { + provider = aws.core-network-services + + name = "modernisation-platform.service.justice.gov.uk." 
+ private_zone = false +} + +# Shared KMS keys (per business unit) +data "aws_kms_key" "general_shared" { + key_id = "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["core-shared-services-production"]}:alias/general-${var.networking[0].business-unit}" +} + +data "aws_kms_key" "ebs_shared" { + key_id = "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["core-shared-services-production"]}:alias/ebs-${var.networking[0].business-unit}" +} + +data "aws_kms_key" "rds_shared" { + key_id = "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["core-shared-services-production"]}:alias/rds-${var.networking[0].business-unit}" +} + +# State for core-network-services resource information +data "terraform_remote_state" "core_network_services" { + backend = "s3" + config = { + acl = "bucket-owner-full-control" + bucket = "modernisation-platform-terraform-state" + key = "environments/accounts/core-network-services/core-network-services-production/terraform.tfstate" + region = "eu-west-2" + encrypt = "true" + } +} + +data "aws_organizations_organization" "root_account" {} + +# Retrieve information about the modernisation platform account +data "aws_caller_identity" "modernisation_platform" { + provider = aws.modernisation-platform +} + +# caller account information to instantiate aws.oidc provider +data "aws_caller_identity" "original_session" { + provider = aws.original-session +} + +data "aws_iam_session_context" "whoami" { + provider = aws.original-session + arn = data.aws_caller_identity.original_session.arn +} + +# Get the environments file from the main repository +data "http" "environments_file" { + url = "https://raw.githubusercontent.com/ministryofjustice/modernisation-platform/main/environments/${local.application_name}.json" +} diff --git a/terraform/environments/nomis-combined-reporting/platform_locals.tf b/terraform/environments/nomis-combined-reporting/platform_locals.tf new file mode 100644 index 00000000000..46172bf3d5b 
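Review bot: `data "aws_subnets" "private-public"` filters on `-private*` but is named as if it covered both tiers, which is easy to misread next to `shared-data` and `shared-public`; renaming it `shared-private` keeps the three lookups parallel. The three `aws_kms_key` ARNs hard-code `eu-west-2` although `data.aws_region.current` is declared at the top of the file, so `arn:aws:kms:${data.aws_region.current.name}:…` would keep them consistent with the subnet lookups that already use it. In `terraform_remote_state.core_network_services`, `encrypt = "true"` is a string where platform_backend.tf in the same patch writes the boolean `true`; both are accepted, but one form should be used. The `data "http" "environments_file"` block fetches tags from the `main` branch of another repository at plan time, so a one-line comment stating that tag changes there flow into every plan of this environment without a commit here would help the next maintainer.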
--- /dev/null +++ b/terraform/environments/nomis-combined-reporting/platform_locals.tf 
@@ -0,0 +1,38 @@ +locals { + + application_name = "nomis-combined-reporting" + + environment_management = jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string) + + # Stores modernisation platform account id for setting up the modernisation-platform provider + modernisation_platform_account_id = data.aws_ssm_parameter.modernisation_platform_account_id.value + + # This takes the name of the Terraform workspace (e.g. core-vpc-production), strips out the application name (e.g. core-vpc), and checks if + # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false. + is-production = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production" + is-preproduction = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction" + is-test = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-test" + is-development = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-development" + + # Merge tags from the environment json file with additional ones + tags = merge( + jsondecode(data.http.environments_file.response_body).tags, + { "is-production" = local.is-production }, + { "environment-name" = terraform.workspace }, + { "source-code" = "https://github.com/ministryofjustice/modernisation-platform-environments" } + ) + + environment = trimprefix(terraform.workspace, "${var.networking[0].application}-") + vpc_name = var.networking[0].business-unit + subnet_set = var.networking[0].set + vpc_all = "${local.vpc_name}-${local.environment}" + subnet_set_name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}" + + is_live = [substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production" || substr(terraform.workspace, 
length(local.application_name), length(terraform.workspace)) == "-preproduction" ? "live" : "non-live"] + provider_name = "core-vpc-${local.environment}" + + # environment specfic variables + # example usage: + # example_data = local.application_data.accounts[local.environment].example_var + application_data = fileexists("./application_variables.json") ? jsondecode(file("./application_variables.json")) : {} +} diff --git a/terraform/environments/nomis-combined-reporting/platform_providers.tf b/terraform/environments/nomis-combined-reporting/platform_providers.tf new file mode 100644 index 00000000000..ac5370a87d6 --- /dev/null +++ b/terraform/environments/nomis-combined-reporting/platform_providers.tf 
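Review bot: `is_live` wraps the conditional in square brackets, so `local.is_live` is a one-element list (`["live"]` or `["non-live"]`) rather than a string, and any consumer has to index it with `[0]`; if nothing in this environment relies on the list form, drop the brackets and, since `local.environment` is already derived above, write `is_live = contains(["production", "preproduction"], local.environment) ? "live" : "non-live"`. The four `is-production`/`is-preproduction`/`is-test`/`is-development` locals repeat the same `substr(terraform.workspace, …)` expression and could likewise be `local.environment == "production"` and so on. Naming mixes hyphens (`is-production`) and underscores (`is_live`, `vpc_name`, `subnet_set`) within one block; pick one. Minor: `# environment specfic variables` should read `specific`.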
@@ -0,0 +1,84 @@
+# ######################### Run Terraform via CICD ##################################
+# AWS provider for the workspace you're working in (every resource will default to using this, unless otherwise specified)
+provider "aws" {
+ alias = "original-session"
+ region = "eu-west-2"
+}
+
+provider "aws" {
+ region = "eu-west-2"
+ assume_role {
+ role_arn = "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccess"
+ }
+}
+
+# AWS provider for the Modernisation Platform, to get things from there if required
+provider "aws" {
+ alias = "modernisation-platform"
+ region = "eu-west-2"
+ assume_role {
+ role_arn = "arn:aws:iam::${local.modernisation_platform_account_id}:role/modernisation-account-limited-read-member-access"
+ }
+}
+
+# AWS provider for core-vpc-, to share VPCs into this account
+provider "aws" {
+ alias = "core-vpc"
+ region = "eu-west-2"
+ assume_role {
+ role_arn = "arn:aws:iam::${local.environment_management.account_ids[local.provider_name]}:role/member-delegation-${local.vpc_name}-${local.environment}"
+ }
+}
+
+# AWS provider for network services to enable dns entries for certificate validation to be created
+provider "aws" {
+ alias = "core-network-services"
+ region = "eu-west-2"
+ assume_role {
+ role_arn = "arn:aws:iam::${local.environment_management.account_ids["core-network-services-production"]}:role/modify-dns-records"
+ }
+}
+######################### Run Terraform via CICD ##################################
+
+
+######################### Run Terraform Plan Locally Only ##################################
+# # To run a Terraform Plan locally, uncomment this bottom section of code and comment out the top section
+
+# provider "aws" {
+# region = "eu-west-2"
+# }
+
+# provider "aws" {
+# alias = "original-session"
+# region = "eu-west-2"
+# }
+
+# # AWS provider for the Modernisation Platform, to get things from there if required
+# provider "aws" {
+# alias = "modernisation-platform"
+# 
region = "eu-west-2"
+# assume_role {
+# role_arn = "arn:aws:iam::${local.modernisation_platform_account_id}:role/modernisation-account-limited-read-member-access"
+# }
+# }
+
+# # AWS provider for core-vpc-, to share VPCs into this account
+# provider "aws" {
+# alias = "core-vpc"
+# region = "eu-west-2"
+
+# assume_role {
+# role_arn = "arn:aws:iam::${local.environment_management.account_ids[local.provider_name]}:role/member-delegation-read-only"
+# }
+# }
+
+# # AWS provider for network services to enable dns entries for certificate validation to be created
+# provider "aws" {
+# alias = "core-network-services"
+# region = "eu-west-2"
+
+# assume_role {
+# role_arn = "arn:aws:iam::${local.environment_management.account_ids["core-network-services-production"]}:role/read-dns-records"
+# }
+# }
+######################### Run Terraform Plan Locally Only ##################################
\ No newline at end of file
diff --git a/terraform/environments/nomis-combined-reporting/platform_secrets.tf b/terraform/environments/nomis-combined-reporting/platform_secrets.tf
new file mode 100644
index 00000000000..7ee43f42a13
--- /dev/null
+++ b/terraform/environments/nomis-combined-reporting/platform_secrets.tf
@@ -0,0 +1,16 @@
+# Get modernisation account id from ssm parameter
+data "aws_ssm_parameter" "modernisation_platform_account_id" {
+ name = "modernisation_platform_account_id"
+}
+
+# Get secret by arn for environment management
+data "aws_secretsmanager_secret" "environment_management" {
+ provider = aws.modernisation-platform
+ name = "environment_management"
+}
+
+# Get latest secret value with ID from above. This secret stores account IDs for the Modernisation Platform sub-accounts
+data "aws_secretsmanager_secret_version" "environment_management" {
+ provider = aws.modernisation-platform
+ secret_id = data.aws_secretsmanager_secret.environment_management.id
+}
\ No newline at end of file
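Review bot: The `core-network-services` provider in the CI section assumes `role/modify-dns-records` in the `core-network-services-production` account for every workspace, while the commented local-plan section shows a `role/read-dns-records` role exists; if plan-only runs go through this same file, confirm the write-capable role is needed there, since the comment above it only describes certificate-validation records. Keeping the CI and local-plan provider sets as two copies to comment-toggle also invites drift — the `core-vpc` role names already differ between them (`member-delegation-${local.vpc_name}-${local.environment}` vs `member-delegation-read-only`), so a comment above the local section such as `# Local plans use the *-read-only / read-dns-records roles; keep the account lookups in sync with the CI section above` would make the intended difference explicit. Stylistically, `region = "eu-west-2"` is repeated in every provider block, and the file ends without a trailing newline.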
diff --git a/terraform/environments/nomis-combined-reporting/platform_versions.tf b/terraform/environments/nomis-combined-reporting/platform_versions.tf
new file mode 100644
index 00000000000..d2ff54875b7
--- /dev/null
+++ b/terraform/environments/nomis-combined-reporting/platform_versions.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_providers {
+ aws = {
+ version = ">= 4.0.0, < 5.0.0"
+ source = "hashicorp/aws"
+ }
+ http = {
+ version = "~> 3.0"
+ source = "hashicorp/http"
+ }
+ }
+ required_version = "~> 1.0"
+}
diff --git a/terraform/environments/nomis/networking.auto.tfvars.json b/terraform/environments/nomis/networking.auto.tfvars.json
index 32dfba1d8e9..2ad951ae823 100644
--- a/terraform/environments/nomis/networking.auto.tfvars.json
+++ b/terraform/environments/nomis/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "hmpps",
+ "business-unit": "core",
 "set": "general",
 "application": "nomis"
 }
diff --git a/terraform/environments/oas/networking.auto.tfvars.json b/terraform/environments/oas/networking.auto.tfvars.json
index d457c5e6d5a..62523c43b7d 100644
--- a/terraform/environments/oas/networking.auto.tfvars.json
+++ b/terraform/environments/oas/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "laa",
+ "business-unit": "core",
 "set": "general",
 "application": "oas"
 }
diff --git a/terraform/environments/oasys/networking.auto.tfvars.json b/terraform/environments/oasys/networking.auto.tfvars.json
index ec4d350c6ce..7694fe8cebc 100644
--- a/terraform/environments/oasys/networking.auto.tfvars.json
+++ b/terraform/environments/oasys/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "hmpps",
+ "business-unit": "core",
 "set": "general",
 "application": "oasys"
 }
diff --git a/terraform/environments/performance-hub/networking.auto.tfvars.json b/terraform/environments/performance-hub/networking.auto.tfvars.json
index 97f92945613..d2b8f6bea2a 100644
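Review bot: The nomis `business-unit` value is changed from `hmpps` to `core`, and the same change appears in the oas, oasys, performance-hub, ppud, refer-monitor, sprinkler, tariff, tipstaff and xhibit-portal hunks below, each replacing a distinct business unit (`laa`, `garden`, `cica`, `hmcts`) with the single value `core`. In the platform_locals.tf hunk on this page, `vpc_name` and `subnet_set_name` are derived from `var.networking[0].business-unit` and the `core-vpc` provider assumes `role/member-delegation-${local.vpc_name}-${local.environment}`, so if those environments use the same platform locals (inferred, not shown here) this changes which delegation role they assume and which VPC and subnet set they look up. The commit message only describes creating files for nomis-combined-reporting, so these look like an unintended side-effect of the workflow run; please confirm the move to `core` is deliberate, or restore the previous values, e.g. `"business-unit": "hmpps",` for nomis.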
--- a/terraform/environments/performance-hub/networking.auto.tfvars.json
+++ b/terraform/environments/performance-hub/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "hmpps",
+ "business-unit": "core",
 "set": "general",
 "application": "performance-hub"
 }
diff --git a/terraform/environments/ppud/networking.auto.tfvars.json b/terraform/environments/ppud/networking.auto.tfvars.json
index 2eb5bfcc75c..2006992820d 100644
--- a/terraform/environments/ppud/networking.auto.tfvars.json
+++ b/terraform/environments/ppud/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "hmpps",
+ "business-unit": "core",
 "set": "general",
 "application": "ppud"
 }
diff --git a/terraform/environments/refer-monitor/networking.auto.tfvars.json b/terraform/environments/refer-monitor/networking.auto.tfvars.json
index 440120b0527..b50b80f2251 100644
--- a/terraform/environments/refer-monitor/networking.auto.tfvars.json
+++ b/terraform/environments/refer-monitor/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "hmpps",
+ "business-unit": "core",
 "set": "general",
 "application": "refer-monitor"
 }
diff --git a/terraform/environments/sprinkler/networking.auto.tfvars.json b/terraform/environments/sprinkler/networking.auto.tfvars.json
index 6a85b399b5d..a13d3af582a 100644
--- a/terraform/environments/sprinkler/networking.auto.tfvars.json
+++ b/terraform/environments/sprinkler/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "garden",
+ "business-unit": "core",
 "set": "general",
 "application": "sprinkler"
 }
diff --git a/terraform/environments/tariff/networking.auto.tfvars.json b/terraform/environments/tariff/networking.auto.tfvars.json
index 8b2e2607ecc..bd73da4f084 100644
--- a/terraform/environments/tariff/networking.auto.tfvars.json
+++ b/terraform/environments/tariff/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "cica",
+ "business-unit": "core",
 "set": "general",
 "application": "tariff"
 }
diff --git a/terraform/environments/tipstaff/networking.auto.tfvars.json b/terraform/environments/tipstaff/networking.auto.tfvars.json
index 81c98a1264d..e7e7c85138e 100644
--- a/terraform/environments/tipstaff/networking.auto.tfvars.json
+++ b/terraform/environments/tipstaff/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "hmcts",
+ "business-unit": "core",
 "set": "general",
 "application": "tipstaff"
 }
diff --git a/terraform/environments/xhibit-portal/networking.auto.tfvars.json b/terraform/environments/xhibit-portal/networking.auto.tfvars.json
index d059b817472..7b3227d0405 100644
--- a/terraform/environments/xhibit-portal/networking.auto.tfvars.json
+++ b/terraform/environments/xhibit-portal/networking.auto.tfvars.json
@@ -1,7 +1,7 @@
 {
 "networking": [
 {
- "business-unit": "hmcts",
+ "business-unit": "core",
 "set": "general",
 "application": "xhibit-portal"
 }