NHSDigital · jamesthompson26-nhs · Mar 17, 2026 · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
@@ -12,3 +12,8 @@ bb20e9d078e09d242ade5deaa6dcb84f1755b347:infrastructure/terraform/components/rep
 82e47104e889b81a3c5fb27355072229eb671181:infrastructure/terraform/components/reporting/variables.tf:ipv4:109
 9ffd6b1c4e6a8723e4fbc84d33e797f14a0504c1:infrastructure/terraform/components/reporting/README.md:ipv4:16
 9ffd6b1c4e6a8723e4fbc84d33e797f14a0504c1:infrastructure/terraform/components/reporting/variables.tf:ipv4:109
+056d713eefe2305444059e99d707bd902ed6f532:infrastructure/terraform/components/reporting/variables.tf:ipv4:109
+056d713eefe2305444059e99d707bd902ed6f532:infrastructure/terraform/components/reporting/README.md:ipv4:16
+66380f86140cd9c23e5a3e61044488872e632bf7:infrastructure/terraform/components/reporting/variables.tf:ipv4:109
+66380f86140cd9c23e5a3e61044488872e632bf7:infrastructure/terraform/components/reporting/variables.tf:ipv4:109
+e44436c05bb859820c89b241df2e589ab760595b:infrastructure/terraform/components/reporting/README.md:ipv4:16
@@ -13,6 +13,7 @@ No requirements.
 | <a name="input_account_name"></a> [account\_name](#input\_account\_name) | The name of the AWS Account to deploy into (see globals.tfvars) | `string` | n/a | yes |
 | <a name="input_app_deployer_role_name"></a> [app\_deployer\_role\_name](#input\_app\_deployer\_role\_name) | Name of the app deployer role that is allowed to deploy Comms Mgr applications but not create other IAM roles | `string` | n/a | yes |
 | <a name="input_app_deployer_role_permission_account_ids"></a> [app\_deployer\_role\_permission\_account\_ids](#input\_app\_deployer\_role\_permission\_account\_ids) | All AWS Account IDs for this project that have the AppDeployer role created | `map(string)` | `{}` | no |
+| <a name="input_athena_driver_url"></a> [athena\_driver\_url](#input\_athena\_driver\_url) | Amazon Athena ODBC MSI download URL for PowerBI gateway bootstrap | `string` | `"https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi"` | no |
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | <a name="input_batch_client_ids"></a> [batch\_client\_ids](#input\_batch\_client\_ids) | List of client ids that require additional batch identifier dimensions when aggregating data | `list(string)` | <pre>[<br/>  "NULL"<br/>]</pre> | no |
 | <a name="input_cloudtrail_log_group_name"></a> [cloudtrail\_log\_group\_name](#input\_cloudtrail\_log\_group\_name) | The name of the Cloudtrail log group name on the account (see globals.tfvars) | `string` | n/a | yes |

@@ -8,6 +8,7 @@ resource "aws_instance" "powerbi_gateway_standalone" {
   }
 
   tags = {
-    Name = format("%s-powerbi-gateway-standalone-%02d", local.csi, count.index + 1)
+    "Name"        = format("%s-powerbi-gateway-standalone-%02d", local.csi, count.index + 1)
+    "Patch Group" = aws_ssm_patch_group.windows_patch_group[0].patch_group
   }
 }
@@ -223,22 +223,4 @@ data "aws_iam_policy_document" "powerbi_gateway_permissions_policy" {
       aws_kms_key.s3.arn
     ]
   }
-
-  statement {
-    sid    = "AllowSSMAccess"
-    effect = "Allow"
-
-    actions = [
-      "ssm:GetParameter",
-      "ssm:GetParameters",
-      "ssm:GetParameterHistory",
-    ]
-
-    resources = [
-      aws_ssm_parameter.powerbi_gateway_recovery_key[0].arn,
-      aws_ssm_parameter.powerbi_gateway_client_id[0].arn,
-      aws_ssm_parameter.powerbi_gateway_client_secret[0].arn,
-      aws_ssm_parameter.powerbi_gateway_tenant_id[0].arn
-    ]
-  }
 }
@@ -54,26 +54,17 @@ locals {
 
   this_account = local.base_parameter_bundle.account_ids[local.base_parameter_bundle.account_name]
 
-  # Check if each required SSM parameter exists individually
-  recovery_key  = length(aws_ssm_parameter.powerbi_gateway_recovery_key) > 0 ? aws_ssm_parameter.powerbi_gateway_recovery_key[0].name : null
-  client_secret = length(aws_ssm_parameter.powerbi_gateway_client_secret) > 0 ? aws_ssm_parameter.powerbi_gateway_client_secret[0].name : null
-  client_id     = length(aws_ssm_parameter.powerbi_gateway_client_id) > 0 ? aws_ssm_parameter.powerbi_gateway_client_id[0].name : null
-  tenant_id     = length(aws_ssm_parameter.powerbi_gateway_tenant_id) > 0 ? aws_ssm_parameter.powerbi_gateway_tenant_id[0].name : null
-
   # Create the powerbi_gateway_script only if var.enable_powerbi_gateway is true
   powerbi_gateway_script = var.enable_powerbi_gateway ? templatefile("${path.module}/templates/cloudinit_config.tmpl", {
     odbc_dsn_name       = "${local.csi}-dsn"
     odbc_description    = "AWS Simba Athena ODBC Connection for ${local.csi}"
+    athena_driver_url   = var.athena_driver_url
     region              = var.region
     catalog             = "AWSDataCatalog"
     database            = aws_glue_catalog_database.reporting.name
     workgroup           = aws_athena_workgroup.user.name
     authentication_type = "Instance Profile"
     gateway_name        = "${local.csi}-gateway"
-    recovery_key        = local.recovery_key
-    client_secret       = local.client_secret
-    client_id           = local.client_id
-    tenant_id           = local.tenant_id
   }) : null
 
   use_core_glue_catalog_resources = length(var.core_account_ids) > 0 ? true : false

@@ -19,15 +19,3 @@ resource "aws_ssm_maintenance_window" "patch_window_wednesday" {
   cutoff                     = 1
   allow_unassociated_targets = true
 }
-
-## Remove me later - replaced by above two windows
-resource "aws_ssm_maintenance_window" "patch_window" {
-  count = var.enable_powerbi_gateway ? 1 : 0
-
-  name                       = "${local.csi}-windows-patch-window"
-  description                = "Windows Server 2022 Patch Window"
-  schedule                   = "cron(0 3 ? * SUN *)" # Every Sunday at 3 AM
-  duration                   = 4
-  cutoff                     = 1
-  allow_unassociated_targets = true
-}
@@ -25,18 +25,3 @@ resource "aws_ssm_maintenance_window_target" "windows_instances_wednesday" {
     values = [aws_instance.powerbi_gateway_standalone[1].id]
   }
 }
-
-## Remove me later - replaced by above two targets
-resource "aws_ssm_maintenance_window_target" "windows_instances" {
-  count = var.enable_powerbi_gateway ? 1 : 0
-
-  description   = "Windows Server 2022 Maintenance Window Target"
-  window_id     = aws_ssm_maintenance_window.patch_window[0].id
-  resource_type = "INSTANCE"
-  name          = "${local.csi}-maintenance-window-target"
-
-  targets {
-    key    = "tag:Patch Group"
-    values = ["${local.csi}-windows-group"]
-  }
-}
@@ -61,32 +61,3 @@ resource "aws_ssm_maintenance_window_task" "patch_task_wednesday" {
   max_concurrency = "1"
   max_errors      = "1"
 }
-
-## Remove me later - replaced by above two tasks
-resource "aws_ssm_maintenance_window_task" "patch_task" {
-  count = var.enable_powerbi_gateway ? 1 : 0
-
-  description = "Windows Server 2022 Patch Task"
-  window_id   = aws_ssm_maintenance_window.patch_window[0].id
-  task_arn    = "AWS-RunPatchBaseline"
-  task_type   = "RUN_COMMAND"
-
-  targets {
-    key    = "WindowTargetIds"
-    values = [aws_ssm_maintenance_window_target.windows_instances[0].id]
-  }
-
-  task_invocation_parameters {
-    run_command_parameters {
-      comment = "Patching Windows Instances"
-      parameter {
-        name   = "Operation"
-        values = ["Install"]
-      }
-    }
-  }
-
-  priority        = 1
-  max_concurrency = "2"
-  max_errors      = "1"
-}
@@ -2,7 +2,7 @@ resource "aws_ssm_parameter" "powerbi_gateway_recovery_key" {
   count = var.enable_powerbi_gateway ? 1 : 0
 
   name        = "/${local.csi}/powerbi-gateway-recovery-key"
-  description = "The Recovery Key for the On-Premises Gateway"
+  description = "The Recovery Key for the On-Premises Gateway - Updated manually with the actual key value after deployment"
   type        = "SecureString"
   value       = "RECOVERY_KEY_PLACEHOLDER"
 

@@ -19,18 +19,14 @@ if (-not (Get-Command choco -ErrorAction SilentlyContinue)) {
 }
 
 # Install PowerBI On-Premises Gateway and Desktop
-choco install -y powerbigateway --version=3000.298.8 --ignore-checksums
-choco install -y powerbi --ignore-checksums
-
-# Install vim
-choco install -y vim
+choco install -y powerbigateway --ignore-checksums
 
 # Install Powershell 7
 choco install -y powershell-core
 
 # Install Amazon Athena ODBC 2.x Driver
-`$athenaDriverUrl = "https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.0.6.0/Windows/AmazonAthenaODBC-2.0.6.0.msi"
-`$athenaDriverInstaller = "C:\scripts\SimbaAthenaODBC.msi"
+`$athenaDriverUrl = "${athena_driver_url}"
+`$athenaDriverInstaller = "C:\scripts\AmazonAthenaODBC.msi"
 Invoke-WebRequest -Uri `$athenaDriverUrl -OutFile `$athenaDriverInstaller
 
 # Silent installation of Amazon Athena ODBC driver
@@ -85,23 +81,6 @@ if (Test-Path `$pwshPath) {
             Write-Output "AWS CLI installation failed or not found in PATH."
             exit 1
         }
-
-        # Get the client (application) and tenant id's
-        `$clientId = aws ssm get-parameter --name ${client_id} --with-decryption --query Parameter.Value --output text
-        `$tenantId = aws ssm get-parameter --name ${tenant_id} --with-decryption --query Parameter.Value --output text
-
-        # Get and convert the client secret and recovery key to SecureStrings
-        `$clientSecretPlainText = aws ssm get-parameter --name ${client_secret} --with-decryption --query Parameter.Value --output text
-        `$clientSecret = `$clientSecretPlainText | ConvertTo-SecureString -AsPlainText -Force
-        `$recoveryKeyPlainText = aws ssm get-parameter --name ${recovery_key} --with-decryption --query Parameter.Value --output text
-        `$recoveryKey = `$recoveryKeyPlainText | ConvertTo-SecureString -AsPlainText -Force
-
-        # Login to the PowerBI Service using the Service Principal (proposed, untested) https://learn.microsoft.com/en-us/powershell/module/datagateway.profile/connect-datagatewayserviceaccount?view=datagateway-ps
-        # Connect-DataGatewayServiceAccount -ApplicationId `$clientId -ClientSecret `$clientSecret -Tenant `$tenantId
-        # Install the gateway
-        # Install-DataGateway -AcceptConditions
-        # Register the Gateway (proposed, untested) https://learn.microsoft.com/en-us/powershell/module/datagateway/add-datagatewaycluster?view=datagateway-ps
-        # Add-DataGatewayCluster -RecoveryKey `$recoveryKey -Name ${gateway_name} -RegionKey uksouth
     }
 }
 else {

@@ -103,6 +103,12 @@ variable "enable_powerbi_gateway" {
   default     = true
 }
 
+variable "athena_driver_url" {
+  type        = string
+  description = "Amazon Athena ODBC MSI download URL for PowerBI gateway bootstrap"
+  default     = "https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi"
+}
+
 variable "powerbi_gateway_instance_count" {
   description = "Number of standalone Power BI On-Premises Gateway instances created directly from the launch template."
   type        = number

@@ -15,6 +15,8 @@ core_account_ids = [
 
 # PowerBI On-Premises Gateway variables:
 enable_powerbi_gateway = true
+instance_type          = "t3.xlarge"
+root_volume_size       = 200
 
 public_subnet_cidrs = [
   "10.0.1.0/24",