NHSDigital · axelkrastek1-nhs · Nov 11, 2025 · Nov 4, 2025 · Nov 5, 2025 · Nov 5, 2025
@@ -65,7 +65,7 @@ In order to do this, make sure you have AWS CLI installed and configured, then r
 make ENV=env truststore-pull-all
 ```
 
-Where `env` is one of `dev`, `qa` , `int`, `ref` or `prod`.
+Where `env` is one of `dev`, `qa` , `int`, `perftest`, `ref` or `prod`.
 
 ## Getting Started
 
@@ -414,7 +414,7 @@ If the Producer API has changed, or the documentation for that API has changed,
 
 Once you have a new release version ready, you can deploy it through our environments as follows:
 
-1. Use the "Persistent Environment Deploy" Github Action workflow to deploy the release tag to `dev`, `dev-sandbox`, `qa`, `qa-sandbox`, `int` and `int-sandbox` environments.
+1. Use the "Persistent Environment Deploy" Github Action workflow to deploy the release tag to `dev`, `dev-sandbox`, `qa`, `qa-sandbox`, `int`, `int-sandbox` and `perftest` environments.
 2. If any issues arise in the deployment, fix the issues, create a new release version and start this process again.
 3. Once the deployments are complete, use the "Persistent Environment Deploy" Github Action workflow to deploy the release version to `ref`.
 4. Once that is complete, use the "Persistent Environment Deploy" workflow to deploy the release version to `prod`.

@@ -13,6 +13,8 @@
     "qa-sandbox-2",
     "ref-1",
     "ref-2",
+    "perftest-1",
+    "perftest-2",
     "int-1",
     "int-2",
     "int-sandbox-1",

@@ -7,6 +7,7 @@
     "qa": "test",
     "qa-sandbox": "test",
     "ref": "test",
+    "perftest": "test",
     "int": "test",
     "int-sandbox": "test",
     "prod": "prod",

@@ -13,7 +13,7 @@ case "${env}" in
     dev|dev-sandbox)
         echo "dev"
         ;;
-    qa|qa-sandbox|ref|int|int-sandbox)
+    qa|qa-sandbox|perftest|ref|int|int-sandbox)
         echo "test"
         ;;
     prod)

@@ -246,17 +246,19 @@ function _restore_archived_cert() {
 }
 
 function _truststore_build_all() {
-    _truststore_build_ca "prod" "record-locator.national.nhs.uk_CA2"
-    _truststore_build_ca "int"  "record-locator.int.national.nhs.uk_CA2"
-    _truststore_build_ca "ref"  "record-locator.ref.national.nhs.uk_CA2"
-    _truststore_build_ca "qa"   "qa.record-locator.national.nhs.uk_CA2"
-    _truststore_build_ca "dev"  "record-locator.dev.national.nhs.uk_CA2"
-
-    _truststore_build_cert "prod" "prod" "api.record-locator.national.nhs.uk"
-    _truststore_build_cert "int"  "int"  "int.api.record-locator.int.national.nhs.uk"
-    _truststore_build_cert "ref"  "ref"  "ref.api.record-locator.ref.national.nhs.uk"
-    _truststore_build_cert "qa"   "qa"   "api.qa.record-locator.national.nhs.uk"
-    _truststore_build_cert "dev"  "dev"  "dev.api.record-locator.dev.national.nhs.uk"
+    _truststore_build_ca "prod"     "record-locator.national.nhs.uk_CA2"
+    _truststore_build_ca "int"      "record-locator.int.national.nhs.uk_CA2"
+    _truststore_build_ca "ref"      "record-locator.ref.national.nhs.uk_CA2"
+    _truststore_build_ca "perftest" "perftest.record-locator.national.nhs.uk_CA2"
+    _truststore_build_ca "qa"       "qa.record-locator.national.nhs.uk_CA2"
+    _truststore_build_ca "dev"      "record-locator.dev.national.nhs.uk_CA2"
+
+    _truststore_build_cert "prod"     "prod" "api.record-locator.national.nhs.uk"
+    _truststore_build_cert "int"      "int"  "int.api.record-locator.int.national.nhs.uk"
+    _truststore_build_cert "ref"      "ref"  "ref.api.record-locator.ref.national.nhs.uk"
+    _truststore_build_cert "perftest" "perftest"  "api.perftest.record-locator.national.nhs.uk"
+    _truststore_build_cert "qa"       "qa"   "api.qa.record-locator.national.nhs.uk"
+    _truststore_build_cert "dev"      "dev"  "dev.api.record-locator.dev.national.nhs.uk"
 
     echo -e "✅ Successfully built all truststore files"
     return 0

@@ -5,6 +5,7 @@ module "dev-custom-domain-name" {
   domain_zone                   = aws_route53_zone.dev-ns.name
   mtls_certificate_file         = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
   mtls_certificate_file_version = module.dev-truststore-bucket.certificates_object_version
+  depends_on                    = [aws_route53_zone.dev-ns]
 }
 
 module "devsandbox-custom-domain-name" {
@@ -13,4 +14,5 @@ module "devsandbox-custom-domain-name" {
   domain_zone                   = aws_route53_zone.dev-ns.name
   mtls_certificate_file         = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
   mtls_certificate_file_version = module.dev-truststore-bucket.certificates_object_version
+  depends_on                    = [aws_route53_zone.dev-ns]
 }
@@ -38,6 +38,10 @@ data "aws_secretsmanager_secret" "test_backup_account_id" {
   name = "${local.project}--mgmt--test-backup-account-id"
 }
 
+data "aws_secretsmanager_secret" "test_restore_account_id" {
+  name = "${local.project}--mgmt--test-restore-account-id"
+}
+
 data "aws_secretsmanager_secret_version" "dev_account_id" {
   secret_id = data.aws_secretsmanager_secret.dev_account_id.name
 }
@@ -49,3 +53,7 @@ data "aws_secretsmanager_secret_version" "test_account_id" {
 data "aws_secretsmanager_secret_version" "test_backup_account_id" {
   secret_id = data.aws_secretsmanager_secret.test_backup_account_id.name
 }
+
+data "aws_secretsmanager_secret_version" "test_restore_account_id" {
+  secret_id = data.aws_secretsmanager_secret.test_restore_account_id.name
+}
@@ -63,7 +63,8 @@ module "developer_policy" {
       Resource = [
         "arn:aws:iam::${data.aws_secretsmanager_secret_version.dev_account_id.secret_string}:role/terraform",
         "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_account_id.secret_string}:role/terraform",
-        "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_backup_account_id.secret_string}:role/terraform"
+        "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_backup_account_id.secret_string}:role/terraform",
+        "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_restore_account_id.secret_string}:role/terraform"
       ]
     },
     {

@@ -136,3 +136,16 @@ resource "aws_route53_record" "NEW_qa_zone_delegation" {
   ttl  = 300
   type = "NS"
 }
+
+resource "aws_route53_record" "perftest_zone_delegation" {
+  zone_id = aws_route53_zone.prod_zone.zone_id
+  name    = "perftest.record-locator.national.nhs.uk"
+  records = [
+    "ns-885.awsdns-46.net.",
+    "ns-1995.awsdns-57.co.uk.",
+    "ns-239.awsdns-29.com.",
+    "ns-1424.awsdns-50.org."
+  ]
+  ttl  = 300
+  type = "NS"
+}
@@ -6,4 +6,5 @@ module "dev-custom-domain-name" {
   domain_zone                   = aws_route53_zone.prod-ns.name
   mtls_certificate_file         = "s3://${module.prod-truststore-bucket.bucket_name}/${module.prod-truststore-bucket.certificates_object_key}"
   mtls_certificate_file_version = module.prod-truststore-bucket.certificates_object_version
+  depends_on                    = [aws_route53_zone.prod-ns]
 }
@@ -5,6 +5,7 @@ module "qa-custom-domain-name" {
   domain_zone                   = aws_route53_zone.test-qa-ns.name
   mtls_certificate_file         = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
   mtls_certificate_file_version = module.qa-truststore-bucket.certificates_object_version
+  depends_on                    = [aws_route53_zone.test-qa-ns]
 }
 
 module "qasandbox-custom-domain-name" {
@@ -13,6 +14,7 @@ module "qasandbox-custom-domain-name" {
   domain_zone                   = aws_route53_zone.test-qa-ns.name
   mtls_certificate_file         = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
   mtls_certificate_file_version = module.qa-truststore-bucket.certificates_object_version
+  depends_on                    = [aws_route53_zone.test-qa-ns]
 }
 
 module "int-custom-domain-name" {
@@ -21,6 +23,7 @@ module "int-custom-domain-name" {
   domain_zone                   = aws_route53_zone.test-int-ns.name
   mtls_certificate_file         = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
   mtls_certificate_file_version = module.int-truststore-bucket.certificates_object_version
+  depends_on                    = [aws_route53_zone.test-int-ns]
 }
 
 module "intsandbox-custom-domain-name" {
@@ -29,6 +32,7 @@ module "intsandbox-custom-domain-name" {
   domain_zone                   = aws_route53_zone.test-int-ns.name
   mtls_certificate_file         = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
   mtls_certificate_file_version = module.int-truststore-bucket.certificates_object_version
+  depends_on                    = [aws_route53_zone.test-int-ns]
 }
 
 module "ref-custom-domain-name" {
@@ -37,4 +41,14 @@ module "ref-custom-domain-name" {
   domain_zone                   = aws_route53_zone.test-ref-ns.name
   mtls_certificate_file         = "s3://${module.ref-truststore-bucket.bucket_name}/${module.ref-truststore-bucket.certificates_object_key}"
   mtls_certificate_file_version = module.ref-truststore-bucket.certificates_object_version
+  depends_on                    = [aws_route53_zone.test-ref-ns]
+}
+
+module "perftest-custom-domain-name" {
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.perftest_api_domain_name
+  domain_zone                   = aws_route53_zone.test-perftest-ns.name
+  mtls_certificate_file         = "s3://${module.perftest-truststore-bucket.bucket_name}/${module.perftest-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.perftest-truststore-bucket.certificates_object_version
+  depends_on                    = [aws_route53_zone.test-perftest-ns]
 }
@@ -30,3 +30,11 @@ module "ref-pointers-table" {
   enable_pitr                 = true
   kms_deletion_window_in_days = 30
 }
+
+module "perftest-pointers-table" {
+  source                      = "../modules/pointers-table"
+  name_prefix                 = "nhsd-nrlf--perftest"
+  enable_deletion_protection  = true
+  enable_pitr                 = true
+  kms_deletion_window_in_days = 30
+}
@@ -17,3 +17,7 @@ resource "aws_route53_zone" "NEW_test-ref-ns" {
 resource "aws_route53_zone" "test-ref-ns" {
   name = "api.record-locator.ref.national.nhs.uk"
 }
+
+resource "aws_route53_zone" "test-perftest-ns" {
+  name = "perftest.record-locator.national.nhs.uk"
+}
@@ -24,6 +24,11 @@ module "ref-permissions-store-bucket" {
   name_prefix = "nhsd-nrlf--ref"
 }
 
+module "perftest-permissions-store-bucket" {
+  source      = "../modules/permissions-store-bucket"
+  name_prefix = "nhsd-nrlf--perftest"
+}
+
 module "qa-truststore-bucket" {
   source                  = "../modules/truststore-bucket"
   name_prefix             = "nhsd-nrlf--qa"
@@ -53,3 +58,9 @@ module "ref-truststore-bucket" {
   name_prefix             = "nhsd-nrlf--ref"
   server_certificate_file = "../../../truststore/server/ref.pem"
 }
+
+module "perftest-truststore-bucket" {
+  source                  = "../modules/truststore-bucket"
+  name_prefix             = "nhsd-nrlf--perftest"
+  server_certificate_file = "../../../truststore/server/perftest.pem"
+}
@@ -17,6 +17,11 @@ resource "aws_secretsmanager_secret" "ref_smoke_test_apigee_app" {
   description = "APIGEE App used to run Smoke Tests against the REF environment"
 }
 
+resource "aws_secretsmanager_secret" "perftest_smoke_test_apigee_app" {
+  name        = "${local.prefix}--perftest--apigee-app--smoke-test"
+  description = "APIGEE App used to run Smoke Tests against the perftest environment"
+}
+
 resource "aws_secretsmanager_secret" "backup_destination_parameters" {
   name        = "${local.prefix}--backup-destination-parameters"
   description = "Parameters used to configure the backup destination"
@@ -50,6 +55,11 @@ resource "aws_secretsmanager_secret" "ref_smoke_test_parameters" {
   description = "Parameters used to run Smoke Tests against the ref environment"
 }
 
+resource "aws_secretsmanager_secret" "perftest_smoke_test_parameters" {
+  name        = "${local.project}--perftest--smoke-test-parameters"
+  description = "Parameters used to run Smoke Tests against the perftest environment"
+}
+
 
 #
 # Splunk Configuration secrets
@@ -107,6 +117,11 @@ resource "aws_secretsmanager_secret" "ref_environment_configuration" {
   description = "The environment configuration for the Ref environment"
 }
 
+resource "aws_secretsmanager_secret" "perftest_environment_configuration" {
+  name        = "${local.project}--perftest--env-config"
+  description = "The environment configuration for the Perftest environment"
+}
+
 #
 # PowerBI secrets
 #

@@ -29,6 +29,11 @@ variable "ref_api_domain_name" {
   default     = "ref.api.record-locator.ref.national.nhs.uk"
 }
 
+variable "perftest_api_domain_name" {
+  description = "The internal DNS name of the API Gateway for the perftest environment"
+  default     = "api.perftest.record-locator.national.nhs.uk"
+}
+
 variable "enable_reporting" {
   type        = bool
   description = "Enable account-wide reporting processes in the test account"

@@ -8,16 +8,17 @@ Each developer/QA can create their own ephemeral instance of the NRLF infrastruc
 
 This project has a number of "persistent environments", similar to traditional dev, ref and prod environments. Each of these environments will typically contain multiple NRLF stacks, allowing for blue/green style deployment, and have shared storage infrastructure like DynamoDB tables and S3 buckets. The persistent environments are deployed as follows:
 
-| Environment  | TF Workspace  | TF Config         | AWS Account | Internal Domain                      | Public Domain                             |
-| ------------ | ------------- | ----------------- | ----------- | ------------------------------------ | ----------------------------------------- |
-| internal-dev | dev-N         | `etc/dev.tfvars`  | dev         | `record-locator.dev.national.nhs.uk` | `internal-dev.api.service.nhs.uk`         |
-| dev-sandbox  | dev-sandbox-N | `etc/dev.tfvars`  | dev         | `record-locator.dev.national.nhs.uk` | `internal-dev-sandbox.api.service.nhs.uk` |
-| internal-qa  | qa-N          | `etc/qa.tfvars`   | test        | `qa.record-locator.national.nhs.uk`  | `internal-qa.api.service.nhs.uk`          |
-| qa-sandbox   | qa-sandbox-N  | `etc/qa.tfvars`   | test        | `qa.record-locator.national.nhs.uk`  | `internal-qa-sandbox.api.service.nhs.uk`  |
-| int          | int-N         | `etc/int.tfvars`  | test        | `record-locator.int.national.nhs.uk` | `int.api.service.nhs.uk`                  |
-| sandbox      | int-sandbox-N | `etc/int.tfvars`  | test        | `record-locator.int.national.nhs.uk` | `sandbox.api.service.nhs.uk`              |
-| ref          | ref-N         | `etc/ref.tfvars`  | test        | `record-locator.ref.national.nhs.uk` | `ref.api.service.nhs.uk`                  |
-| prod         | prod-N        | `etc/prod.tfvars` | prod        | `record-locator.national.nhs.uk`     | `api.service.nhs.uk`                      |
+| Environment  | TF Workspace  | TF Config             | AWS Account | Internal Domain                           | Public Domain                             |
+| ------------ | ------------- | --------------------- | ----------- | ----------------------------------------- | ----------------------------------------- |
+| internal-dev | dev-N         | `etc/dev.tfvars`      | dev         | `record-locator.dev.national.nhs.uk`      | `internal-dev.api.service.nhs.uk`         |
+| dev-sandbox  | dev-sandbox-N | `etc/dev.tfvars`      | dev         | `record-locator.dev.national.nhs.uk`      | `internal-dev-sandbox.api.service.nhs.uk` |
+| internal-qa  | qa-N          | `etc/qa.tfvars`       | test        | `qa.record-locator.national.nhs.uk`       | `internal-qa.api.service.nhs.uk`          |
+| qa-sandbox   | qa-sandbox-N  | `etc/qa.tfvars`       | test        | `qa.record-locator.national.nhs.uk`       | `internal-qa-sandbox.api.service.nhs.uk`  |
+| int          | int-N         | `etc/int.tfvars`      | test        | `record-locator.int.national.nhs.uk`      | `int.api.service.nhs.uk`                  |
+| sandbox      | int-sandbox-N | `etc/int.tfvars`      | test        | `record-locator.int.national.nhs.uk`      | `sandbox.api.service.nhs.uk`              |
+| perftest     | perftest-N    | `etc/perftest.tfvars` | test        | `perftest.record-locator.national.nhs.uk` | `perftest.api.service.nhs.uk`             |
+| ref          | ref-N         | `etc/ref.tfvars`      | test        | `record-locator.ref.national.nhs.uk`      | `ref.api.service.nhs.uk`                  |
+| prod         | prod-N        | `etc/prod.tfvars`     | prod        | `record-locator.national.nhs.uk`          | `api.service.nhs.uk`                      |
 
 The `N` in the TF workspace name repesents the stack id in that environment. So, for example, the internal-dev environment might have two stacks, `dev-1` and `dev-2` with TF workspace names matching their stack names. All resources for the `dev-1` stack will be contained within the `dev-1` TF workspace.
 

@@ -0,0 +1,9 @@
+account_name     = "perftest"
+aws_account_name = "test"
+
+domain                                = "perftest.record-locator.national.nhs.uk"
+public_domain                         = "perftest.api.service.nhs.uk"
+deletion_protection                   = true
+log_retention_period                  = 30
+enable_reporting                      = false
+disable_firehose_lambda_subscriptions = true
@@ -1,5 +1,5 @@
 module "firehose__processor" {
-  count                = var.use_shared_resources ? 1 : 0
+  count                = var.use_shared_resources && !var.disable_firehose_lambda_subscriptions ? 1 : 0
   source               = "./modules/firehose"
   assume_account       = local.aws_account_id
   prefix               = local.prefix

@@ -32,15 +32,15 @@ locals {
 
   reporting_bucket_arn = data.aws_s3_bucket.source-data-bucket.arn
   reporting_kms_arn    = data.aws_kms_key.glue.arn
-  firehose_lambda_subscriptions = var.use_shared_resources ? (
+  firehose_lambda_subscriptions = var.use_shared_resources && !var.disable_firehose_lambda_subscriptions ? (
     var.enable_reporting ? {
       "splunk_subscription"  = module.firehose__processor[0].firehose_subscription,
       "reports_subscription" = module.firehose__processor[0].firehose_reporting_subscription
       } : {
       "splunk_subscription" = module.firehose__processor[0].firehose_subscription
     }
   ) : {}
-  firehost_lambda_splunk_only_subscription = var.use_shared_resources ? {
+  firehost_lambda_splunk_only_subscription = var.use_shared_resources && !var.disable_firehose_lambda_subscriptions ? {
     "splunk_subscription" : module.firehose__processor[0].firehose_subscription
   } : {}
   splunk_environment = local.is_sandbox_env ? "${var.account_name}sandbox" : var.account_name

@@ -61,3 +61,9 @@ variable "enable_reporting" {
   description = "Enable reporting for this environment"
   default     = false
 }
+
+variable "disable_firehose_lambda_subscriptions" {
+  description = "Disable firehose lambda subscriptions (e.g: splunk, reporting) for shared environments (e.g: perftest). This doesn't affect ephemeral environments as the firehose subscriptions are disabled regardless of this setting"
+  type        = bool
+  default     = false
+}
@@ -37,6 +37,7 @@
     "qa": "test",
     "ref": "test",
     "int": "test",
+    "perftest": "test",
     "prod": "prod",
 }
 APIGEE_ENV_FOR_ENV = {
@@ -47,6 +48,7 @@
     "ref": "ref",
     "int": "int",
     "int-sandbox": "sandbox",
+    "perftest": "internal-qa",  # NRL-1802: Hijacking qa to not create a new APIGEE proxy environment.
     "prod": "prod",
 }
 APP_FOR_ALIAS = {