NHSDigital · aidenvaines-cgi · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026
@@ -7,15 +7,16 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: "Install Terraform binary"
+      shell: bash
+      run: |
+        asdf plugin add terraform || true
+        asdf install terraform || true
     - name: "Check Terraform format"
       shell: bash
       run: |
         check_only=true scripts/githooks/check-terraform-format.sh
     - name: "Validate Terraform"
       shell: bash
       run: |
-        stacks=${{ inputs.root-modules }}
-        for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do
-          dir=$dir opts='-backend=false' make terraform-init
-          dir=$dir make terraform-validate
-        done
+        make terraform-validate-all
@@ -148,6 +148,8 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5.0.0
+      - name: "Setup ASDF"
+        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
   trivy-iac:

@@ -1,10 +1,10 @@
 resource "aws_cloudwatch_event_rule" "env_destroy" {
-  count = var.enable_env_destroy_event_rule ? 1 : 0
+  count       = var.enable_env_destroy_event_rule ? 1 : 0
   name        = "${local.csi}-env-destroy"
   description = "Forwards Environment Destroy Failed events to Custom Event Bus in Observability Account"
 
   event_pattern = jsonencode({
-    "source"      = ["notify.envDestroyFailed"],
+    "source" = ["notify.envDestroyFailed"],
   })
 }
 
@@ -16,8 +16,8 @@ resource "aws_cloudwatch_event_target" "env_destroy" {
 }
 
 resource "aws_iam_role" "env_destroy" {
-  count  = var.enable_env_destroy_event_rule ? 1 : 0
-  name = "${local.csi}-env-destroy"
+  count = var.enable_env_destroy_event_rule ? 1 : 0
+  name  = "${local.csi}-env-destroy"
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
@@ -32,8 +32,8 @@ resource "aws_iam_role" "env_destroy" {
 }
 
 resource "aws_iam_policy" "env_destroy" {
-  count  = var.enable_env_destroy_event_rule ? 1 : 0
-  name = "${local.csi}-env-destroy"
+  count = var.enable_env_destroy_event_rule ? 1 : 0
+  name  = "${local.csi}-env-destroy"
 
   policy = jsonencode({
     Version = "2012-10-17",

@@ -1,10 +1,10 @@
 resource "aws_ecr_repository" "main" {
-  name                 = "${local.csi}"
+  name                 = local.csi
   image_tag_mutability = "MUTABLE"
 
   encryption_configuration {
     encryption_type = "KMS"
-    kms_key = module.kms_ecr.key_arn
+    kms_key         = module.kms_ecr.key_arn
   }
 
   image_scanning_configuration {

@@ -51,7 +51,7 @@ data "aws_iam_policy_document" "kms_ecr" {
       variable = "kms:EncryptionContext:aws:ecr:repositoryArn"
 
       values = [
-        "arn:aws:ecr:${var.region}:${var.aws_account_id}:repository/${local.csi}-ecr",      ]
+      "arn:aws:ecr:${var.region}:${var.aws_account_id}:repository/${local.csi}-ecr", ]
     }
   }
 }
@@ -1,7 +1,7 @@
 {
   "dependencies": {
     "@hey-api/openapi-ts": "^0.90.4",
-    "axios": "^1.8.4",
+    "axios": "^1.13.5",
     "axios-retry": "^4.5.0",
     "zod": "^4.0.17"
   },

@@ -29,11 +29,11 @@ function main() {
 #   check_only=[do not format, run check only]
 function terraform-fmt() {
 
-  local opts=
   if is-arg-true "$check_only"; then
-    opts="-check"
+    make terraform-fmt-check
+  else
+    make terraform-fmt
   fi
-  opts=$opts make terraform-fmt
 }
 
 # ==============================================================================

@@ -47,7 +47,7 @@ _install-dependency: # Install asdf dependency - mandatory: name=[listed in the
 
 _install-dependencies: # Install all the dependencies listed in .tool-versions
 	for plugin in $$(grep ^[a-z] .tool-versions | sed 's/[[:space:]].*//'); do
-		make _install-dependency name="$${plugin}"
+		$(MAKE) _install-dependency name=$${plugin}; \
 	done
 
 clean:: # Remove all generated and temporary files (common) @Operations