NHSDigital · patrickmoore-nc · Oct 28, 2025 · Oct 27, 2025
diff --git a/.azuredevops/pipelines/hub-infrastructure-dev.yaml b/.azuredevops/pipelines/hub-infrastructure-dev.yaml
@@ -12,7 +12,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: e268cfebf98a1769d929cf59ea6d278a686e9b97
+      ref: b7a19150add5bc4945958c180cc4cb7eca72696f
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/hub-infrastructure-prod.yaml b/.azuredevops/pipelines/hub-infrastructure-prod.yaml
@@ -13,7 +13,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: e268cfebf98a1769d929cf59ea6d278a686e9b97
+      ref: b7a19150add5bc4945958c180cc4cb7eca72696f
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/taint-avd-hosts-dev.yaml b/.azuredevops/pipelines/taint-avd-hosts-dev.yaml
@@ -9,7 +9,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 0d9c325e45b6e90c7849b957f11d41f7f58316d2
+      ref: b7a19150add5bc4945958c180cc4cb7eca72696f
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/taint-avd-hosts-prod.yaml b/.azuredevops/pipelines/taint-avd-hosts-prod.yaml
@@ -9,7 +9,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 0d9c325e45b6e90c7849b957f11d41f7f58316d2
+      ref: b7a19150add5bc4945958c180cc4cb7eca72696f
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/update-acr-public-ips.yaml b/.azuredevops/pipelines/update-acr-public-ips.yaml
@@ -17,7 +17,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: e268cfebf98a1769d929cf59ea6d278a686e9b97
+      ref: b7a19150add5bc4945958c180cc4cb7eca72696f
       endpoint: NHSDigital
 
 variables:

diff --git a/infrastructure/application_gateway.tf b/infrastructure/application_gateway.tf
@@ -104,6 +104,22 @@ locals {
         },
         try(var.application_gateway_additional.request_routing_rule, {})
       )
+
+      # Insert an identifying header so APIM policy can use it to filter incoming requests
+      # This is analogous to the "X-Azure-FDID" header added by Azure Front Door
+      rewrite_rule_set = {
+        migration_test = {
+          rewrite_rule = {
+            add_custom_header = {
+              rule_sequence = 100
+              request_header_configuration = {
+                # We cannot use any real resource ID here since it would become a circular dependency
+                ("X-Azure-AGID") = random_uuid.appgw_header_id[region].result
+              }
+            }
+          }
+        }
+      }
     }
   }
 }
@@ -125,6 +141,10 @@ module "application-gateway-pip" {
   tags = var.tags
 }
 
+resource "random_uuid" "appgw_header_id" {
+  for_each = var.regions
+}
+
 module "application-gateway" {
   for_each = local.appgw_config
 
@@ -144,6 +164,7 @@ module "application-gateway" {
   gateway_subnet            = module.subnets_hub["${module.config[each.key].names.subnet}-app-gateway"]
   probe                     = each.value.probe
   request_routing_rule      = each.value.request_routing_rule
+  rewrite_rule_set          = each.value.rewrite_rule_set
   sku                       = "WAF_v2"
   ssl_certificate           = each.value.ssl_certificate
   zones                     = var.regions[each.key].is_primary_region ? ["1", "2", "3"] : null

diff --git a/infrastructure/environments/development.tfvars b/infrastructure/environments/development.tfvars
@@ -104,58 +104,60 @@ regions = {
   }
 }
 
-# application_gateway_additional = {
-#   probe = {
-#     parman_www_dev = {
-#       host                = "www-dev.non-live.screening.nhs.uk" # the hostname which will be passed to the backend pool, not used for connectivity
-#       interval            = 30
-#       path                = "/"
-#       protocol            = "Https"
-#       timeout             = 30
-#       unhealthy_threshold = 3
-#       match = {
-#         status_code = ["200-399"] # not strictly needed, but this stops Terraform detecting a change every time
-#       }
-#     }
-#   }
-#   backend_http_settings = {
-#     parman_www_dev = {
-#       cookie_based_affinity = "Disabled"
-#       port                  = 443
-#       probe_key             = "parman_www_dev"
-#       protocol              = "Https"
-#       request_timeout       = 20
-#     }
-#   }
-#   http_listener = {
-#     parman_www_dev_public = {
-#       frontend_ip_configuration_key = "public"
-#       frontend_port_key             = "https"
-#       host_name                     = "www-dev.non-live.screening.nhs.uk"
-#       protocol                      = "Https"
-#       require_sni                   = true
-#       ssl_certificate_key           = "screening_wildcard"
-#       firewall_policy_id            = "/subscriptions/ecef17e1-613b-40b6-83d8-b93e8b5556bf/resourceGroups/rg-hub-dev-uks-hub-networking/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/waf-hub-nonlive-uks-agw-parman-www"
-#     }
-#   }
-#   request_routing_rule = {
-#     parman_www_dev_public = {
-#       backend_address_pool_key  = "parman_www_dev"
-#       backend_http_settings_key = "parman_www_dev"
-#       http_listener_key         = "parman_www_dev_public"
-#       priority                  = 950
-#       rule_type                 = "Basic"
-#     }
-#   }
-# }
+application_gateway_additional = {
+  probe = {
+    migration_test = {
+      interval                                  = 30
+      path                                      = "/"
+      pick_host_name_from_backend_http_settings = true
+      protocol                                  = "Https"
+      timeout                                   = 30
+      unhealthy_threshold                       = 3
+      match = {
+        status_code = ["200-399"] # not strictly needed, but this stops Terraform detecting a change every time
+      }
+    }
+  }
+  backend_http_settings = {
+    migration_test = {
+      cookie_based_affinity               = "Disabled"
+      pick_host_name_from_backend_address = true
+      port                                = 443
+      probe_key                           = "migration_test"
+      protocol                            = "Https"
+      request_timeout                     = 20
+    }
+  }
+  http_listener = {
+    migration_test_public = {
+      frontend_ip_configuration_key = "public"
+      frontend_port_key             = "https"
+      host_name                     = "migration-test.non-live.nationalscreening.nhs.uk"
+      protocol                      = "Https"
+      require_sni                   = true
+      ssl_certificate_key           = "nationalscreening_wildcard"
+      # firewall_policy_id            = null
+    }
+  }
+  request_routing_rule = {
+    migration_test_public = {
+      backend_address_pool_key  = "migration_test"
+      backend_http_settings_key = "migration_test"
+      http_listener_key         = "migration_test_public"
+      priority                  = 950
+      rewrite_rule_set_key      = "migration_test"
+      rule_type                 = "Basic"
+    }
+  }
+}
 
-# application_gateway_additional_backend_address_pool_by_region = {
-#   uksouth = {
-#     parman_www_dev = {
-#       fqdns = ["dev-uks-nextjs-frontend.azurewebsites.net"]
-#     }
-#   }
-# }
+application_gateway_additional_backend_address_pool_by_region = {
+  uksouth = {
+    migration_test = {
+      fqdns = ["apim-pamo16test.developer.azure-api.net"]
+    }
+  }
+}
 
 apim_config = {
   sku_name                    = "Developer"
@@ -287,6 +289,17 @@ network_security_group_rules = {
       source_address_prefix      = "ApiManagement"
       destination_address_prefix = "VirtualNetwork"
     },
+    # {
+    #   name                       = "AllowAzureFrontDoor"
+    #   priority                   = 1500
+    #   direction                  = "Inbound"
+    #   access                     = "Allow"
+    #   protocol                   = "Tcp"
+    #   source_port_range          = "*"
+    #   destination_port_range     = "443"
+    #   source_address_prefix      = "AzureFrontDoor.Backend"
+    #   destination_address_prefix = "VirtualNetwork"
+    # },
     {
       name                       = "AzureInfrastructureLoadBalancer"
       priority                   = 1400

diff --git a/infrastructure/environments/production.tfvars b/infrastructure/environments/production.tfvars
@@ -305,6 +305,17 @@ network_security_group_rules = {
       source_address_prefix      = "ApiManagement"
       destination_address_prefix = "VirtualNetwork"
     },
+    # {
+    #   name                       = "AllowAzureFrontDoor"
+    #   priority                   = 1500
+    #   direction                  = "Inbound"
+    #   access                     = "Allow"
+    #   protocol                   = "Tcp"
+    #   source_port_range          = "*"
+    #   destination_port_range     = "443"
+    #   source_address_prefix      = "AzureFrontDoor.Backend"
+    #   destination_address_prefix = "VirtualNetwork"
+    # },
     {
       name                       = "AzureInfrastructureLoadBalancer"
       priority                   = 1400

diff --git a/infrastructure/variables.tf b/infrastructure/variables.tf
@@ -123,6 +123,7 @@ variable "application_gateway_additional" {
       backend_http_settings_key = string
       http_listener_key         = string
       priority                  = number
+      rewrite_rule_set_key      = optional(string)
       rule_type                 = string
     })))
   })