NHSDigital · mattdean3-nhs · Jul 3, 2025 · Jul 3, 2025 · Jul 3, 2025
@@ -136,35 +136,20 @@ To disable reporting resources for the account, do the following:
 1. Set the `enable_reporting` variable to `true` in `./ACCOUNT_NAME/vars.tf`
 2. Deploy the account-wide infrastructure to the account
 
-#### Deploying the PowerBI Gateway
+#### Deploy the PowerBI Gateway
 
-The first time you deploy the PowerBI Gateway set up to a new account, these steps need to be followed:
+The first time you deploy the PowerBI Gateway to an AWS account you need to create, install and configure a gateway image. Instruction on how to do this can be found in [KOP-NRLF-012](https://nhsd-confluence.digital.nhs.uk/x/8BXXQg).
 
-1. Set the `enable_powerbi_auto_push` variable to `true` in `./ACCOUNT_NAME/vars.tf`
-2. Set the `use_powerbi_gw_custom_ami` variable to `false` in `./ACCOUNT_NAME/vars.tf`
-3. Deploy the account-wide infrastructure for the account
-4. Run the below CLI command, and RDP into the newly created EC2 instance (localhost:13389)
-
-```
-aws ssm start-session --target <AMI> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=13389,portNumber=3389"
-```
+To enable the PowerBI Gateway in the account:
 
-5. Install Athena ODBC driver and Power BI standard on premises gateway
-6. Configure ODBC driver to connect to relevant Athena instance
-7. Log in to the gateway using NHS email, name the cluster to nhsd-nrlf-{env}--reporting-gw
-8. Log on to power bi, navigate to Manage Connections and Gateways in settings and set up Athena connector with authentication method: Anonymous and privacy level: Private
-9. Set dataset to point to this gateway, define schedule as needed
-10. In the AWS Console, create an AMI from the instance called `PowerBI_GW`
-11. Set the `use_powerbi_gw_custom_ami` variable to `true`
-12. Deploy the account-wide infrastructure for the account
-13. Run the below CLI command, and RDP into the newly created EC2 instance (localhost:13389)
+1. Set the `enable_powerbi_auto_push` variable to `true` in `./ACCOUNT_NAME/vars.tf`
+2. Deploy the account-wide infrastructure to the account
+3. Access the EC2 Serial Console for the instance and run this command to start the PowerBI Gateway:
 
 ```
-aws ssm start-session --target <AMI> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=13389,portNumber=3389"
+Start-Service -Name "PBIEgwService"
 ```
 
-14. Start the PowerBI Gateway service on the instance
-
 To disable the PowerBI Gateway from the account:
 
 1. Set the `enable_powerbi_auto_push` variable to `false` in `./ACCOUNT_NAME/vars.tf`

@@ -3,5 +3,6 @@ module "dev-athena" {
   source             = "../modules/athena"
   name_prefix        = "nhsd-nrlf--dev"
   target_bucket_name = module.dev-glue.target_bucket_name
+  bucket_region      = data.aws_region.current.region
   glue_database      = module.dev-glue.glue_database
 }
@@ -1,3 +1,5 @@
+data "aws_region" "current" {}
+
 data "aws_secretsmanager_secret_version" "identities_account_id" {
   secret_id = aws_secretsmanager_secret.identities_account_id.name
 }

@@ -29,4 +29,12 @@ terraform {
     key                  = "terraform-state-account-wide-infrastructure"
     workspace_key_prefix = "nhsd-nrlf"
   }
+
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
 }
@@ -0,0 +1,24 @@
+output "powerbi_gw_instance_id" {
+  description = "The ID of the PowerBI Gateway EC2 instance."
+  value       = var.enable_powerbi_auto_push ? module.powerbi_gw_instance[0].instance_id : null
+}
+
+output "reporting_database_name" {
+  description = "Name of the reporting Athena database"
+  value       = var.enable_reporting ? module.dev-glue.glue_database : null
+}
+
+output "athena_workgroup_name" {
+  description = "Name of the Athena workgroup"
+  value       = var.enable_reporting ? module.dev-athena[0].workgroup_name : null
+}
+
+output "athena_s3_output_location" {
+  description = "S3 output location for Athena queries"
+  value       = var.enable_reporting ? "s3://${module.dev-athena[0].bucket.id}/" : null
+}
+
+output "athena_kms_key_arn" {
+  description = "KMS key ARN for Athena encryption"
+  value       = var.enable_reporting ? module.dev-athena[0].kms_key_arn : null
+}
@@ -41,3 +41,13 @@ resource "aws_secretsmanager_secret" "devsandbox_environment_configuration" {
   name        = "${local.project}--dev-sandbox--env-config"
   description = "The environment configuration for the Dev Sandbox environment"
 }
+
+resource "aws_secretsmanager_secret" "powerbi_gw_instance_admin_pwd" {
+  count       = var.enable_reporting && var.enable_powerbi_auto_push ? 1 : 0
+  name        = "${local.project}--dev-powerbi-gw-instance-admin-pwd"
+  description = "Admin password for the PowerBI Gateway EC2 instance"
+}
+resource "aws_secretsmanager_secret" "powerbi_gw_recovery_key" {
+  name        = "${local.project}--dev-powerbi-gw-recovery-key"
+  description = "Recovery key for the PowerBI Gateway EC2 instance"
+}
@@ -56,7 +56,7 @@ data "aws_iam_policy_document" "codebuild_policy" {
       "secretsmanager:ListSecretVersionIds"
     ]
     resources = [
-      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${local.project}--codebuild-github-pat-*",
+      "arn:aws:secretsmanager:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:secret:${local.project}--codebuild-github-pat-*",
     ]
   }
 

@@ -1,5 +1,5 @@
-output "workgroup" {
-  value = aws_athena_workgroup.athena
+output "workgroup_name" {
+  value = aws_athena_workgroup.athena.name
 }
 
 output "bucket" {

@@ -3,6 +3,11 @@ variable "name_prefix" {
   description = "The prefix to apply to all resources in the module."
 }
 
+variable "bucket_region" {
+  type        = string
+  description = "The AWS region where the S3 bucket will be created."
+}
+
 variable "target_bucket_name" {
   type = string
 }

@@ -1,3 +1,3 @@
 locals {
-  resource_name_prefix = "${data.aws_region.current.name}-${data.aws_caller_identity.current.account_id}-backup"
+  resource_name_prefix = "${data.aws_region.current.region}-${data.aws_caller_identity.current.account_id}-backup"
 }
@@ -8,6 +8,7 @@ data "aws_ami" "windows-2019" {
 }
 
 data "aws_ami" "PowerBI_Gateway" {
+  count       = var.use_custom_ami ? 1 : 0
   most_recent = true
   owners      = ["self"]
   filter {

@@ -1,3 +1,3 @@
 locals {
-  selected_ami_id = var.use_custom_ami ? data.aws_ami.PowerBI_Gateway.id : data.aws_ami.windows-2019.id
+  selected_ami_id = var.use_custom_ami ? data.aws_ami.PowerBI_Gateway[0].id : data.aws_ami.windows-2019.id
 }
@@ -0,0 +1,4 @@
+output "instance_id" {
+  description = "The ID of the PowerBI Gateway EC2 instance."
+  value       = aws_instance.powerbi_gw.id
+}
@@ -3,5 +3,6 @@ module "prod-athena" {
   source             = "../modules/athena"
   name_prefix        = "nhsd-nrlf--prod"
   target_bucket_name = module.prod-glue.target_bucket_name
+  bucket_region      = data.aws_region.current.region
   glue_database      = module.prod-glue.glue_database
 }
@@ -22,4 +22,12 @@ terraform {
     key                  = "terraform-state-account-wide-infrastructure"
     workspace_key_prefix = "nhsd-nrlf"
   }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+
 }
@@ -0,0 +1,24 @@
+output "powerbi_gw_instance_id" {
+  description = "The ID of the PowerBI Gateway EC2 instance."
+  value       = var.enable_powerbi_auto_push ? module.powerbi_gw_instance[0].instance_id : null
+}
+
+output "reporting_database_name" {
+  description = "Name of the reporting Athena database"
+  value       = var.enable_reporting ? module.prod-glue.glue_database : null
+}
+
+output "athena_workgroup_name" {
+  description = "Name of the Athena workgroup"
+  value       = var.enable_reporting ? module.prod-athena[0].workgroup_name : null
+}
+
+output "athena_s3_output_location" {
+  description = "S3 output location for Athena queries"
+  value       = var.enable_reporting ? "s3://${module.prod-athena[0].bucket.id}/" : null
+}
+
+output "athena_kms_key_arn" {
+  description = "KMS key ARN for Athena encryption"
+  value       = var.enable_reporting ? module.prod-athena[0].kms_key_arn : null
+}
@@ -21,3 +21,13 @@ resource "aws_secretsmanager_secret" "prod_environment_configuration" {
   name        = "${local.project}--prod--env-config"
   description = "The environment configuration for the Prod environment"
 }
+
+resource "aws_secretsmanager_secret" "powerbi_gw_instance_admin_pwd" {
+  count       = var.enable_reporting && var.enable_powerbi_auto_push ? 1 : 0
+  name        = "${local.project}--prod-powerbi-gw-instance-admin-pwd"
+  description = "Admin password for the PowerBI Gateway EC2 instance"
+}
+resource "aws_secretsmanager_secret" "powerbi_gw_recovery_key" {
+  name        = "${local.project}--prod-powerbi-gw-recovery-key"
+  description = "Recovery key for the PowerBI Gateway EC2 instance"
+}
@@ -3,5 +3,6 @@ module "test-athena" {
   source             = "../modules/athena"
   name_prefix        = "nhsd-nrlf--test"
   target_bucket_name = module.test-glue.target_bucket_name
+  bucket_region      = data.aws_region.current.region
   glue_database      = module.test-glue.glue_database
 }
@@ -1,3 +1,5 @@
+data "aws_region" "current" {}
+
 data "aws_secretsmanager_secret_version" "identities_account_id" {
   secret_id = aws_secretsmanager_secret.identities_account_id.name
 }

@@ -26,7 +26,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = "~> 6.0"
     }
   }
 }
@@ -0,0 +1,24 @@
+output "powerbi_gw_instance_id" {
+  description = "The ID of the PowerBI Gateway EC2 instance."
+  value       = var.enable_powerbi_auto_push ? module.powerbi_gw_instance[0].instance_id : null
+}
+
+output "reporting_database_name" {
+  description = "Name of the reporting Athena database"
+  value       = var.enable_reporting ? module.test-glue.glue_database : null
+}
+
+output "athena_workgroup_name" {
+  description = "Name of the Athena workgroup"
+  value       = var.enable_reporting ? module.test-athena[0].workgroup_name : null
+}
+
+output "athena_s3_output_location" {
+  description = "S3 output location for Athena queries"
+  value       = var.enable_reporting ? "s3://${module.test-athena[0].bucket.id}/" : null
+}
+
+output "athena_kms_key_arn" {
+  description = "KMS key ARN for Athena encryption"
+  value       = var.enable_reporting ? module.test-athena[0].kms_key_arn : null
+}
@@ -103,3 +103,16 @@ resource "aws_secretsmanager_secret" "ref_environment_configuration" {
   name        = "${local.project}--ref--env-config"
   description = "The environment configuration for the Ref environment"
 }
+
+#
+# PowerBI secrets
+#
+resource "aws_secretsmanager_secret" "powerbi_gw_instance_admin_pwd" {
+  count       = var.enable_reporting && var.enable_powerbi_auto_push ? 1 : 0
+  name        = "${local.project}--test-powerbi-gw-instance-admin-pwd"
+  description = "Admin password for the PowerBI Gateway EC2 instance"
+}
+resource "aws_secretsmanager_secret" "powerbi_gw_recovery_key" {
+  name        = "${local.project}--test-powerbi-gw-recovery-key"
+  description = "Recovery key for the PowerBI Gateway EC2 instance"
+}
@@ -32,7 +32,7 @@ variable "ref_api_domain_name" {
 variable "enable_reporting" {
   type        = bool
   description = "Enable account-wide reporting processes in the test account"
-  default     = false
+  default     = true
 }
 
 variable "aws_azs" {
@@ -68,7 +68,7 @@ variable "vpc_private_subnets_cidr_block" {
 variable "enable_powerbi_auto_push" {
   type        = bool
   description = "Enable automatic pushing of info into PowerBI"
-  default     = false
+  default     = true
 }
 
 variable "powerbi_gw_instance_type" {

@@ -5,4 +5,4 @@ domain                = "api.record-locator.dev.national.nhs.uk"
 public_domain         = "internal-dev.api.service.nhs.uk"
 public_sandbox_domain = "internal-dev-sandbox.api.service.nhs.uk"
 log_retention_period  = 90
-enable_reporting      = true
+enable_reporting      = false
@@ -7,4 +7,4 @@ deletion_protection = true
 public_domain         = "int.api.service.nhs.uk"
 public_sandbox_domain = "sandbox.api.service.nhs.uk"
 log_retention_period  = 90
-enable_reporting      = false
+enable_reporting      = true
@@ -5,4 +5,4 @@ domain               = "api.record-locator.national.nhs.uk"
 public_domain        = "api.service.nhs.uk"
 deletion_protection  = true
 log_retention_period = 2192
-enable_reporting     = false
+enable_reporting     = true