IaC Pre-Requisite Infra for NHS-E Secrets Management #4

Merged
vgnapskainos merged 6 commits into main from GOM-95 on May 19, 2026

Conversation

@vgnapskainos (Collaborator)

Description

This change introduces the bootstrap Terraform infrastructure required to enable secure and controlled Infrastructure as Code (IaC) deployments within NHS‑E AWS.

The implementation provisions:

  • A secure remote Terraform state backend (S3 with encryption and versioning)
  • DynamoDB table for state locking and consistency
  • GitHub Actions OIDC integration for federated authentication
  • An IAM role with permissions to deploy infrastructure via CI/CD pipelines

This establishes the foundational platform required to support subsequent infrastructure provisioning in a secure, automated, and governed manner.

Reference:
ADR-001 Option 2:
https://nhsd-confluence.digital.nhs.uk/spaces/APCLAG/pages/1328002427/ADR-001+GOM16+Authentication+Architecture+-+Secrets+Management#ADR001GOM16AuthenticationArchitectureSecretsManagement-Option2%3ADoNotStoreSecretsinHCC
Jira Ticket:
https://nhsd-jira.digital.nhs.uk/browse/GOM-95

Context

This change is required to establish a secure and compliant foundation for IaC deployments as part of GOM‑95.

It ensures that:

  • Infrastructure is deployed exclusively via controlled CI/CD pipelines
  • No long-lived AWS credentials are used (OIDC-based authentication)
  • Terraform state is securely stored, encrypted, and protected against corruption or concurrent updates
  • Access to AWS is governed through auditable and least-privilege IAM roles

This PR represents the initial bootstrap phase of the NHS‑E infrastructure setup, enabling future implementation of Secrets Manager, KMS, and cross-account access required for InterSystems integration (GOM‑229).

Type of changes

  • Refactoring (non-breaking change)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I am familiar with the contributing guidelines
  • I have followed the code style of the project
  • I have added tests to cover my changes
  • I have updated the documentation accordingly
  • This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others' privacy, we kindly ask you NOT to include PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that does contain sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

Additional Notes

This code does not contain any credentials or account numbers. The AWS account number is retrieved at run time using STS.

Validation Summary

  • Terraform remote state backend provisioned with secure S3 bucket and DynamoDB locking
  • GitHub Actions OIDC integration configured with restricted IAM trust policy
  • CI/CD deployment role created with permissions for infrastructure provisioning
  • Security baseline applied including encryption, access blocking, and tagging
  • Lifecycle protections enabled to prevent accidental deletion of critical state resources
  • Bootstrap infrastructure established to support subsequent IaC deployments
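The OIDC federation and state-locking pieces described above, as an added illustration that is not the PR's own Terraform: the trust policy is narrowed to a single repository and branch by checking both the `aud` and `sub` claims, which is what makes a GitHub Actions role usable without long-lived keys while stopping other repositories from assuming it. It assumes the hashicorp/tls provider for the thumbprint; the table and role names and the EXAMPLE-ORG/EXAMPLE-REPO repository are placeholders.

```hcl
# Added example, not code from the PR. Names and the repository are assumptions.

# GitHub's OIDC issuer; the thumbprint is derived from the served certificate chain
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

# Trust policy: federated principal limited by audience AND subject claims
data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition { # token must have been minted for STS
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition { # only workflows on main of the assumed repository may assume the role
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:EXAMPLE-ORG/EXAMPLE-REPO:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "deploy" {
  name               = "example-iac-deploy" # assumed name
  assume_role_policy = data.aws_iam_policy_document.github_trust.json
}

# State lock table: one item per state file, keyed on LockID as the S3 backend expects
resource "aws_dynamodb_table" "tflock" {
  name         = "example-tfstate-lock" # assumed name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
  lifecycle { prevent_destroy = true } # guards against accidental deletion
}
```

Omitting the `sub` condition would let any GitHub repository's workflow assume the role, so that condition is the check to review first.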

@vgnapskainos vgnapskainos merged commit cb4c945 into main May 19, 2026
23 checks passed