NHSDigital · mrlockstar · Dec 9, 2025 · Dec 3, 2025
diff --git a/infrastructure/modules/container-app/README.md b/infrastructure/modules/container-app/README.md
@@ -122,3 +122,9 @@ module "container-app" {
   replica_restart_alert_threshold = 1 (already defaults to this)
 }
 ```
+
+## Container Probes
+
+To enable container probs on webapps:
+- Set `probe_path = "/healthcheck"` (by convention).
+- Ensure the application accepts requests from `127.0.0.1` and `localhost` so the probe running inside the container can access the health endpoint.
diff --git a/infrastructure/modules/container-app/main.tf b/infrastructure/modules/container-app/main.tf
@@ -103,6 +103,32 @@ resource "azurerm_container_app" "main" {
           secret_name = lower(env.value.name)
         }
       }
+
+      dynamic "startup_probe" {
+        for_each = local.probe_enabled ? [1] : []
+
+        content {
+          transport               = "HTTP"
+          path                    = var.probe_path
+          port                    = var.port
+          interval_seconds        = 5
+          timeout                 = 2
+          failure_count_threshold = 30
+        }
+      }
+
+      dynamic "liveness_probe" {
+        for_each = local.probe_enabled ? [1] : []
+
+        content {
+          transport               = "HTTP"
+          path                    = var.probe_path
+          port                    = var.port
+          interval_seconds        = 5
+          timeout                 = 2
+          failure_count_threshold = 2
+        }
+      }
     }
     min_replicas = var.min_replicas
   }
@@ -145,6 +171,7 @@ resource "azurerm_container_app" "main" {
       }
     }
   }
+
 }
 
 # Enable Microsoft Entra ID authentication if specified

diff --git a/infrastructure/modules/container-app/tfdocs.md b/infrastructure/modules/container-app/tfdocs.md
@@ -210,6 +210,14 @@ Type: `number`
 
 Default: `8080`
 
+### <a name="input_probe_path"></a> [probe\_path](#input\_probe\_path)
+
+Description: Path for the HTTP health probe. If null, HTTP health probe is disabled. Note /healthcheck is the normal convention.
+
+Type: `string`
+
+Default: `null`
+
 ### <a name="input_replica_restart_alert_threshold"></a> [replica\_restart\_alert\_threshold](#input\_replica\_restart\_alert\_threshold)
 
 Description: The replica restart alert threshold, default will be 1.

diff --git a/infrastructure/modules/container-app/variables.tf b/infrastructure/modules/container-app/variables.tf
@@ -190,6 +190,12 @@ variable "replica_restart_alert_threshold" {
   default     = 1
 }
 
+variable "probe_path" {
+  description = "Path for the HTTP health probe. If null, HTTP health probe is disabled. Note /healthcheck is the normal convention."
+  type        = string
+  default     = null
+}
+
 locals {
   memory = "${var.memory}Gi"
   cpu    = var.memory / 2
@@ -203,4 +209,5 @@ locals {
     PT12H = "PT5M"
   }
   alert_frequency = local.alert_frequency_map[var.alert_window_size]
+  probe_enabled   = var.probe_path != null && var.is_web_app
 }
diff --git a/infrastructure/modules/dashboard/variables.tf b/infrastructure/modules/dashboard/variables.tf
@@ -24,7 +24,7 @@ variable "tags" {
 }
 
 variable "dashboard_properties" {
-  type = string
-  default = "{}"
+  type        = string
+  default     = "{}"
   description = "JSON data representing dashboard body. See above for details on how to obtain this from the Portal."
 }
diff --git a/infrastructure/modules/sql-server/tfdocs.md b/infrastructure/modules/sql-server/tfdocs.md
@@ -132,6 +132,30 @@ Type: `string`
 
 The following input variables are optional (have default values):
 
+### <a name="input_action_group_id"></a> [action\_group\_id](#input\_action\_group\_id)
+
+Description: ID of the action group to notify.
+
+Type: `string`
+
+Default: `null`
+
+### <a name="input_alert_cpu_threshold"></a> [alert\_cpu\_threshold](#input\_alert\_cpu\_threshold)
+
+Description: If alerting is enabled this will control what the cpu threshold will be, default will be 90.
+
+Type: `number`
+
+Default: `90`
+
+### <a name="input_alert_window_size"></a> [alert\_window\_size](#input\_alert\_window\_size)
+
+Description: The period of time that is used to monitor alert activity e.g. PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H. The interval between checks is adjusted accordingly.
+
+Type: `string`
+
+Default: `"PT5M"`
+
 ### <a name="input_auditing_policy_retention_in_days"></a> [auditing\_policy\_retention\_in\_days](#input\_auditing\_policy\_retention\_in\_days)
 
 Description: number of days for audit log policies
@@ -164,6 +188,14 @@ Type: `string`
 
 Default: `"baseline"`
 
+### <a name="input_enable_alerting"></a> [enable\_alerting](#input\_enable\_alerting)
+
+Description: Whether monitoring and alerting is enabled for the Azure SQL Server.
+
+Type: `bool`
+
+Default: `false`
+
 ### <a name="input_firewall_rules"></a> [firewall\_rules](#input\_firewall\_rules)
 
 Description: If the FW rule enabling Azure Services Passthrough should be deployed.
@@ -345,6 +377,7 @@ Description: The ID of the SQL Server.
 
 The following resources are used by this module:
 
+- [azurerm_monitor_metric_alert.cpu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) (resource)
 - [azurerm_mssql_database.defaultdb](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database) (resource)
 - [azurerm_mssql_database_extended_auditing_policy.database_auditing_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database_extended_auditing_policy) (resource)
 - [azurerm_mssql_firewall_rule.firewall_rule](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_firewall_rule) (resource)

diff --git a/infrastructure/modules/storage/tfdocs.md b/infrastructure/modules/storage/tfdocs.md
@@ -81,6 +81,14 @@ Type: `string`
 
 The following input variables are optional (have default values):
 
+### <a name="input_access_tier"></a> [access\_tier](#input\_access\_tier)
+
+Description: Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot, Cool, Cold and Premium.
+
+Type: `string`
+
+Default: `"Hot"`
+
 ### <a name="input_account_replication_type"></a> [account\_replication\_type](#input\_account\_replication\_type)
 
 Description: The type of replication to use for this Storage Account. Can be either LRS, GRS, RAGRS or ZRS.
@@ -97,14 +105,6 @@ Type: `string`
 
 Default: `"Standard"`
 
-### <a name="input_access_tier"></a> [access\_tier](#input\_access\_tier)
-
-Description: Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot, Cool, Cold and Premium. Defaults to Hot.
-
-Type: `string`
-
-Default: `"Hot"`
-
 ### <a name="input_action_group_id"></a> [action\_group\_id](#input\_action\_group\_id)
 
 Description: ID of the action group to notify.