NHSDigital · jamesthompson26-nhs · Mar 17, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
@@ -1,6 +1,8 @@
 # SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
 
-9469a5a10e20b5c3275ba055e65ba98e7d11e9d2:infrastructure/terraform/components/reporting/README.md:ipv4:16
-9469a5a10e20b5c3275ba055e65ba98e7d11e9d2:infrastructure/terraform/components/reporting/variables.tf:ipv4:109
+39565cc5ab1245e4e6a6368c19fd0aa9a187733a:infrastructure/terraform/components/reporting/README.md:ipv4:16
+39565cc5ab1245e4e6a6368c19fd0aa9a187733a:infrastructure/terraform/components/reporting/variables.tf:ipv4:109
 ca243cb73d3804a14f3eeefa8073c96802420c52:infrastructure/terraform/etc/env_eu-west-2_int.tfvars:generic-api-key:29
 ca243cb73d3804a14f3eeefa8073c96802420c52:infrastructure/terraform/etc/env_eu-west-2_prod.tfvars:generic-api-key:43
+d38af4e4f6c36ca9c3d843193b434386a9bad5ee:infrastructure/terraform/etc/env_eu-west-2_int.tfvars:generic-api-key:29
+d38af4e4f6c36ca9c3d843193b434386a9bad5ee:infrastructure/terraform/etc/env_eu-west-2_prod.tfvars:generic-api-key:43
@@ -13,6 +13,7 @@ No requirements.
 | <a name="input_account_name"></a> [account\_name](#input\_account\_name) | The name of the AWS Account to deploy into (see globals.tfvars) | `string` | n/a | yes |
 | <a name="input_app_deployer_role_name"></a> [app\_deployer\_role\_name](#input\_app\_deployer\_role\_name) | Name of the app deployer role that is allowed to deploy Comms Mgr applications but not create other IAM roles | `string` | n/a | yes |
 | <a name="input_app_deployer_role_permission_account_ids"></a> [app\_deployer\_role\_permission\_account\_ids](#input\_app\_deployer\_role\_permission\_account\_ids) | All AWS Account IDs for this project that have the AppDeployer role created | `map(string)` | `{}` | no |
+| <a name="input_athena_driver_url"></a> [athena\_driver\_url](#input\_athena\_driver\_url) | Amazon Athena ODBC MSI download URL for PowerBI gateway bootstrap | `string` | `"https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi"` | no |
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | <a name="input_batch_client_ids"></a> [batch\_client\_ids](#input\_batch\_client\_ids) | List of client ids that require additional batch identifier dimensions when aggregating data | `list(string)` | <pre>[<br/>  "NULL"<br/>]</pre> | no |
 | <a name="input_cloudtrail_log_group_name"></a> [cloudtrail\_log\_group\_name](#input\_cloudtrail\_log\_group\_name) | The name of the Cloudtrail log group name on the account (see globals.tfvars) | `string` | n/a | yes |

@@ -8,6 +8,7 @@ resource "aws_instance" "powerbi_gateway_standalone" {
   }
 
   tags = {
-    Name = format("%s-powerbi-gateway-standalone-%02d", local.csi, count.index + 1)
+    "Name"        = format("%s-powerbi-gateway-standalone-%02d", local.csi, count.index + 1)
+    "Patch Group" = aws_ssm_patch_group.windows_patch_group[0].patch_group
   }
 }
@@ -223,22 +223,4 @@ data "aws_iam_policy_document" "powerbi_gateway_permissions_policy" {
       aws_kms_key.s3.arn
     ]
   }
-
-  statement {
-    sid    = "AllowSSMAccess"
-    effect = "Allow"
-
-    actions = [
-      "ssm:GetParameter",
-      "ssm:GetParameters",
-      "ssm:GetParameterHistory",
-    ]
-
-    resources = [
-      aws_ssm_parameter.powerbi_gateway_recovery_key[0].arn,
-      aws_ssm_parameter.powerbi_gateway_client_id[0].arn,
-      aws_ssm_parameter.powerbi_gateway_client_secret[0].arn,
-      aws_ssm_parameter.powerbi_gateway_tenant_id[0].arn
-    ]
-  }
 }
@@ -4,7 +4,7 @@ resource "aws_launch_template" "powerbi_gateway_standalone" {
   name                                 = "${local.csi}-standalone"
   description                          = "Template for the Power BI On-Premises Gateway (standalone instances)"
   update_default_version               = true
-  image_id                             = "resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base"
+  image_id                             = "resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2025-English-Full-Base"
   instance_type                        = var.instance_type
   user_data                            = data.cloudinit_config.powerbi_gateway[0].rendered
   instance_initiated_shutdown_behavior = var.enable_spot ? "terminate" : "stop"

@@ -54,26 +54,17 @@ locals {
 
   this_account = local.base_parameter_bundle.account_ids[local.base_parameter_bundle.account_name]
 
-  # Check if each required SSM parameter exists individually
-  recovery_key  = length(aws_ssm_parameter.powerbi_gateway_recovery_key) > 0 ? aws_ssm_parameter.powerbi_gateway_recovery_key[0].name : null
-  client_secret = length(aws_ssm_parameter.powerbi_gateway_client_secret) > 0 ? aws_ssm_parameter.powerbi_gateway_client_secret[0].name : null
-  client_id     = length(aws_ssm_parameter.powerbi_gateway_client_id) > 0 ? aws_ssm_parameter.powerbi_gateway_client_id[0].name : null
-  tenant_id     = length(aws_ssm_parameter.powerbi_gateway_tenant_id) > 0 ? aws_ssm_parameter.powerbi_gateway_tenant_id[0].name : null
-
   # Create the powerbi_gateway_script only if var.enable_powerbi_gateway is true
   powerbi_gateway_script = var.enable_powerbi_gateway ? templatefile("${path.module}/templates/cloudinit_config.tmpl", {
     odbc_dsn_name       = "${local.csi}-dsn"
     odbc_description    = "AWS Simba Athena ODBC Connection for ${local.csi}"
+    athena_driver_url   = var.athena_driver_url
     region              = var.region
     catalog             = "AWSDataCatalog"
     database            = aws_glue_catalog_database.reporting.name
     workgroup           = aws_athena_workgroup.user.name
     authentication_type = "Instance Profile"
     gateway_name        = "${local.csi}-gateway"
-    recovery_key        = local.recovery_key
-    client_secret       = local.client_secret
-    client_id           = local.client_id
-    tenant_id           = local.tenant_id
   }) : null
 
   use_core_glue_catalog_resources = length(var.core_account_ids) > 0 ? true : false

@@ -2,7 +2,7 @@ resource "aws_ssm_maintenance_window" "patch_window_sunday" {
   count = var.enable_powerbi_gateway ? 1 : 0
 
   name                       = "${local.csi}-windows-patch-window-sun"
-  description                = "Windows Server 2022 Sunday Patch Window"
+  description                = "Windows Server 2025 Sunday Patch Window"
   schedule                   = "cron(0 3 ? * SUN *)" # Every Sunday at 3 AM
   duration                   = 4
   cutoff                     = 1
@@ -13,21 +13,9 @@ resource "aws_ssm_maintenance_window" "patch_window_wednesday" {
   count = var.enable_powerbi_gateway ? 1 : 0
 
   name                       = "${local.csi}-windows-patch-window-wed"
-  description                = "Windows Server 2022 Wednesday Patch Window"
+  description                = "Windows Server 2025 Wednesday Patch Window"
   schedule                   = "cron(0 3 ? * WED *)" # Every Wednesday at 3 AM
   duration                   = 4
   cutoff                     = 1
   allow_unassociated_targets = true
 }
-
-## Remove me later - replaced by above two windows
-resource "aws_ssm_maintenance_window" "patch_window" {
-  count = var.enable_powerbi_gateway ? 1 : 0
-
-  name                       = "${local.csi}-windows-patch-window"
-  description                = "Windows Server 2022 Patch Window"
-  schedule                   = "cron(0 3 ? * SUN *)" # Every Sunday at 3 AM
-  duration                   = 4
-  cutoff                     = 1
-  allow_unassociated_targets = true
-}
@@ -1,7 +1,7 @@
 resource "aws_ssm_maintenance_window_target" "windows_instances_sunday" {
   count = var.enable_powerbi_gateway && var.powerbi_gateway_instance_count >= 1 ? 1 : 0
 
-  description   = "Windows Server 2022 Sunday Maintenance Window Target "
+  description   = "Windows Server 2025 Sunday Maintenance Window Target "
   window_id     = aws_ssm_maintenance_window.patch_window_sunday[0].id
   resource_type = "INSTANCE"
   name          = "${local.csi}-maintenance-window-target-sun"
@@ -15,7 +15,7 @@ resource "aws_ssm_maintenance_window_target" "windows_instances_sunday" {
 resource "aws_ssm_maintenance_window_target" "windows_instances_wednesday" {
   count = var.enable_powerbi_gateway && var.powerbi_gateway_instance_count >= 2 ? 1 : 0
 
-  description   = "Windows Server 2022 Wednesday Maintenance Window Target"
+  description   = "Windows Server 2025 Wednesday Maintenance Window Target"
   window_id     = aws_ssm_maintenance_window.patch_window_wednesday[0].id
   resource_type = "INSTANCE"
   name          = "${local.csi}-maintenance-window-target-wed"
@@ -25,18 +25,3 @@ resource "aws_ssm_maintenance_window_target" "windows_instances_wednesday" {
     values = [aws_instance.powerbi_gateway_standalone[1].id]
   }
 }
-
-## Remove me later - replaced by above two targets
-resource "aws_ssm_maintenance_window_target" "windows_instances" {
-  count = var.enable_powerbi_gateway ? 1 : 0
-
-  description   = "Windows Server 2022 Maintenance Window Target"
-  window_id     = aws_ssm_maintenance_window.patch_window[0].id
-  resource_type = "INSTANCE"
-  name          = "${local.csi}-maintenance-window-target"
-
-  targets {
-    key    = "tag:Patch Group"
-    values = ["${local.csi}-windows-group"]
-  }
-}
@@ -1,7 +1,7 @@
 resource "aws_ssm_maintenance_window_task" "patch_task_sunday" {
   count = var.enable_powerbi_gateway ? 1 : 0
 
-  description = "Windows Server 2022 Sunday Patch Task"
+  description = "Windows Server 2025 Sunday Patch Task"
   window_id   = aws_ssm_maintenance_window.patch_window_sunday[0].id
   task_arn    = "AWS-RunPatchBaseline"
   task_type   = "RUN_COMMAND"
@@ -33,7 +33,7 @@ resource "aws_ssm_maintenance_window_task" "patch_task_sunday" {
 resource "aws_ssm_maintenance_window_task" "patch_task_wednesday" {
   count = var.enable_powerbi_gateway && var.powerbi_gateway_instance_count >= 2 ? 1 : 0
 
-  description = "Windows Server 2022 Wednesday Patch Task"
+  description = "Windows Server 2025 Wednesday Patch Task"
   window_id   = aws_ssm_maintenance_window.patch_window_wednesday[0].id
   task_arn    = "AWS-RunPatchBaseline"
   task_type   = "RUN_COMMAND"
@@ -61,32 +61,3 @@ resource "aws_ssm_maintenance_window_task" "patch_task_wednesday" {
   max_concurrency = "1"
   max_errors      = "1"
 }
-
-## Remove me later - replaced by above two tasks
-resource "aws_ssm_maintenance_window_task" "patch_task" {
-  count = var.enable_powerbi_gateway ? 1 : 0
-
-  description = "Windows Server 2022 Patch Task"
-  window_id   = aws_ssm_maintenance_window.patch_window[0].id
-  task_arn    = "AWS-RunPatchBaseline"
-  task_type   = "RUN_COMMAND"
-
-  targets {
-    key    = "WindowTargetIds"
-    values = [aws_ssm_maintenance_window_target.windows_instances[0].id]
-  }
-
-  task_invocation_parameters {
-    run_command_parameters {
-      comment = "Patching Windows Instances"
-      parameter {
-        name   = "Operation"
-        values = ["Install"]
-      }
-    }
-  }
-
-  priority        = 1
-  max_concurrency = "2"
-  max_errors      = "1"
-}
@@ -2,7 +2,7 @@ resource "aws_ssm_parameter" "powerbi_gateway_recovery_key" {
   count = var.enable_powerbi_gateway ? 1 : 0
 
   name        = "/${local.csi}/powerbi-gateway-recovery-key"
-  description = "The Recovery Key for the On-Premises Gateway"
+  description = "The Recovery Key for the On-Premises Gateway - Updated manually with the actual key value after deployment"
   type        = "SecureString"
   value       = "RECOVERY_KEY_PLACEHOLDER"
 

@@ -2,12 +2,12 @@ resource "aws_ssm_patch_baseline" "windows_patch_baseline" {
   count = var.enable_powerbi_gateway ? 1 : 0
 
   name             = "${local.csi}-windows-patch-baseline"
-  description      = "Windows Server 2022 Patch Baseline"
+  description      = "Windows Server 2025 Patch Baseline"
   operating_system = "WINDOWS"
   approval_rule {
     patch_filter {
       key    = "PRODUCT"
-      values = ["WindowsServer2022"]
+      values = ["WindowsServer2025"]
     }
     patch_filter {
       key    = "CLASSIFICATION"