NHSDigital · josielsouzanordcloud · Feb 20, 2026 · Feb 19, 2026
diff --git a/infrastructure/modules/application-insights-availability-test/tfdocs.md b/infrastructure/modules/application-insights-availability-test/tfdocs.md
@@ -38,6 +38,23 @@ Type: `string`
 
 The following input variables are optional (have default values):
 
+### <a name="input_alert"></a> [alert](#input\_alert)
+
+Description: n/a
+
+Type:
+
+```hcl
+object({
+    description   = optional(string, "Availability test alert")
+    frequency     = optional(string, "PT1M")
+    window_size   = optional(string, "PT5M")
+    auto_mitigate = optional(bool, true)
+  })
+```
+
+Default: `{}`
+
 ### <a name="input_frequency"></a> [frequency](#input\_frequency)
 
 Description: Frequency of test in seconds, defaults to 300.
@@ -62,77 +79,53 @@ Default:
 ]
 ```
 
-### <a name="input_location"></a> [location](#input\_location)
-
-Description: The location/region where the availability test is deployed (must match App Insights location)
-
-Type: `string`
-
-Default: `"UK South"`
-
-### <a name="input_timeout"></a> [timeout](#input\_timeout)
+### <a name="input_headers"></a> [headers](#input\_headers)
 
-Description: Timeout in seconds, defaults to 30.
+Description: Map of request headers to send (name => value)
 
-Type: `number`
+Type: `map(string)`
 
-Default: `30`
+Default: `{}`
 
-### <a name="input_http_verb"></a> [http_verb](#input\_http\_verb)
+### <a name="input_http_verb"></a> [http\_verb](#input\_http\_verb)
 
-Description: The HTTP verb used for the request.
+Description: HTTP verb (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS)
 
 Type: `string`
 
-Allowed values: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
+Default: `"GET"`
 
-Default: GET
-
-### <a name="input_headers"></a> [headers](#input\_headers)
+### <a name="input_location"></a> [location](#input\_location)
 
-Description: A map of HTTP request headers (name => value).
+Description: The location/region where the availability test is deployed (must match App Insights location)
 
-Type: `map(string)`
+Type: `string`
 
-Default: {}
+Default: `"UK South"`
 
-### <a name="input_ssl_validation"></a> [ssl_validation](#input\_ssl\_validation)
+### <a name="input_ssl_validation"></a> [ssl\_validation](#input\_ssl\_validation)
 
 Description: SSL validation configuration for the availability test.
 
 Type:
+
 ```hcl
 object({
-  expected_status_code        = optional(number, null)
-  ssl_cert_remaining_lifetime = optional(number, null)
-})
+    expected_status_code        = optional(number, null)
+    ssl_cert_remaining_lifetime = optional(number, null)
+  })
 ```
 
-Default: null
+Default: `null`
 
-Validations:
-- expected_status_code must be 0 ('0' means 'response code < 400') or a valid HTTP status code (100–599)
-- ssl_cert_remaining_lifetime must be null or between 1–365
-
-### <a name="input_alert"></a> [alert](#input\_alert)
+### <a name="input_timeout"></a> [timeout](#input\_timeout)
 
-Description: Configuration for the availability alert rule.
+Description: Timeout in seconds, defaults to 30.
 
-Type:
-```hcl
-object({
-  description           = optional(string, "Availability test alert")
-  frequency             = optional(string, "PT1M")
-  window_size           = optional(string, "PT5M")
-  auto_mitigate         = optional(bool, true)
-})
-```
+Type: `number`
 
-Defaults: {}
+Default: `30`
 
-Validations:
-- frequency must be one of: PT1M, PT5M, PT15M, PT30M, PT1H
-- window_size must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, P1D
 
 ## Resources
 

diff --git a/infrastructure/modules/cdn-frontdoor-endpoint/data.tf b/infrastructure/modules/cdn-frontdoor-endpoint/data.tf
@@ -8,7 +8,7 @@ data "azurerm_dns_zone" "custom" {
 }
 
 data "azurerm_cdn_frontdoor_firewall_policy" "waf" {
-  for_each = var.security_policies
+  for_each = { for k, v in var.security_policies : k => v if v.cdn_frontdoor_firewall_policy_name != null }
 
   name                = each.value.cdn_frontdoor_firewall_policy_name
   resource_group_name = each.value.cdn_frontdoor_firewall_policy_rg_name

diff --git a/infrastructure/modules/cdn-frontdoor-endpoint/main.tf b/infrastructure/modules/cdn-frontdoor-endpoint/main.tf
@@ -112,7 +112,7 @@ resource "azurerm_cdn_frontdoor_security_policy" "this" {
 
   security_policies {
     firewall {
-      cdn_frontdoor_firewall_policy_id = data.azurerm_cdn_frontdoor_firewall_policy.waf[each.key].id
+      cdn_frontdoor_firewall_policy_id = each.value.cdn_frontdoor_firewall_policy_id != null ? each.value.cdn_frontdoor_firewall_policy_id : data.azurerm_cdn_frontdoor_firewall_policy.waf[each.key].id
 
       association {
         patterns_to_match = ["/*"]

diff --git a/infrastructure/modules/cdn-frontdoor-endpoint/tfdocs.md b/infrastructure/modules/cdn-frontdoor-endpoint/tfdocs.md
@@ -130,8 +130,9 @@ Type:
 ```hcl
 map(object({
     associated_domain_keys                = list(string) # From var.custom_domains above, use "endpoint" for the default domain
-    cdn_frontdoor_firewall_policy_name    = string
-    cdn_frontdoor_firewall_policy_rg_name = string
+    cdn_frontdoor_firewall_policy_id      = optional(string, null) # Pass ID directly to avoid data source lookup when policy is created in the same apply
+    cdn_frontdoor_firewall_policy_name    = optional(string, null)
+    cdn_frontdoor_firewall_policy_rg_name = optional(string, null)
   }))
 ```
 

diff --git a/infrastructure/modules/cdn-frontdoor-endpoint/variables.tf b/infrastructure/modules/cdn-frontdoor-endpoint/variables.tf
@@ -90,8 +90,9 @@ variable "security_policies" {
   description = "Optional map of security policies to apply. Each must include the WAF policy and domain associations"
   type = map(object({
     associated_domain_keys                = list(string) # From var.custom_domains above, use "endpoint" for the default domain
-    cdn_frontdoor_firewall_policy_name    = string
-    cdn_frontdoor_firewall_policy_rg_name = string
+    cdn_frontdoor_firewall_policy_id      = optional(string, null) # Pass ID directly to avoid data source lookup when policy is created in the same apply
+    cdn_frontdoor_firewall_policy_name    = optional(string, null)
+    cdn_frontdoor_firewall_policy_rg_name = optional(string, null)
   }))
   default = {}
 }

diff --git a/infrastructure/modules/container-app/tfdocs.md b/infrastructure/modules/container-app/tfdocs.md
@@ -306,11 +306,11 @@ Description: URL of the container app. Only available if is\_web\_app is true.
 The following resources are used by this module:
 
 - [azapi_resource.auth](https://registry.terraform.io/providers/azure/azapi/2.5.0/docs/resources/resource) (resource)
-- [azurerm_container_app.main](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/resources/container_app) (resource)
-- [azurerm_monitor_metric_alert.cpu](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/resources/monitor_metric_alert) (resource)
-- [azurerm_monitor_metric_alert.memory](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/resources/monitor_metric_alert) (resource)
-- [azurerm_monitor_metric_alert.replica_restart_alert](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/resources/monitor_metric_alert) (resource)
-- [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/data-sources/client_config) (data source)
-- [azurerm_key_vault.infra](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/data-sources/key_vault) (data source)
-- [azurerm_key_vault_secret.infra](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/data-sources/key_vault_secret) (data source)
-- [azurerm_key_vault_secrets.app](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/data-sources/key_vault_secrets) (data source)
+- [azurerm_container_app.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_app) (resource)
+- [azurerm_monitor_metric_alert.cpu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) (resource)
+- [azurerm_monitor_metric_alert.memory](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) (resource)
+- [azurerm_monitor_metric_alert.replica_restart_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) (resource)
+- [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) (data source)
+- [azurerm_key_vault.infra](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) (data source)
+- [azurerm_key_vault_secret.infra](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) (data source)
+- [azurerm_key_vault_secrets.app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secrets) (data source)
diff --git a/infrastructure/modules/function-app/tfdocs.md b/infrastructure/modules/function-app/tfdocs.md
@@ -146,6 +146,14 @@ Type: `number`
 
 Default: `10`
 
+### <a name="input_alert_auto_mitigate"></a> [alert\_auto\_mitigate](#input\_alert\_auto\_mitigate)
+
+Description: Enable or disable automatic mitigation of the alert when the issue is resolved.
+
+Type: `bool`
+
+Default: `true`
+
 ### <a name="input_alert_window_size"></a> [alert\_window\_size](#input\_alert\_window\_size)
 
 Description: The period of time that is used to monitor alert activity e.g. PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H. The interval between checks is adjusted accordingly.