Repository Inventory
Last Updated: 2026-03-06 Source: co-cddo GitHub Organisation Total Repositories: 14
Executive Summary
The NDX (National Digital Exchange) Innovation Sandbox ecosystem spans 14 repositories under the co-cddo GitHub organisation. These repositories collectively implement a multi-account AWS sandbox platform for UK local government experimentation, comprising a forked upstream AWS Solution, custom satellite Lambda services, an OU metrics stop-gap service, a Terraform-managed cost defence layer, Landing Zone Accelerator configuration, scenario content platforms, and supporting utilities.
Summary Table
| Repository | Language | IaC | Archived | Last Push | Role |
|---|---|---|---|---|---|
| innovation-sandbox-on-aws | TypeScript | CDK + CFN | No | 2026-02-28 | Core ISB platform (fork) |
| innovation-sandbox-on-aws-approver | TypeScript | CDK | No | 2026-03-06 | Lease approval scoring |
| innovation-sandbox-on-aws-billing-seperator | TypeScript | CDK | No | 2026-03-03 | 72h billing cooldown |
| innovation-sandbox-on-aws-client | TypeScript | -- | No | 2026-03-06 | ISB API client library |
| innovation-sandbox-on-aws-costs | TypeScript | CDK | No | 2026-03-03 | Lease cost collection |
| innovation-sandbox-on-aws-deployer | TypeScript | CDK | Yes | 2026-02-28 | Scenario deployer (archived) |
| innovation-sandbox-on-aws-ou-metrics | TypeScript | CDK | No | 2026-03-04 | OU account count metrics (stop-gap) |
| innovation-sandbox-on-aws-utils | Python | Scripts | No | 2026-03-03 | Pool account tooling |
| ndx | TypeScript | CDK + Eleventy | No | 2026-03-06 | NDX public website |
| ndx_try_aws_scenarios | TypeScript | CFN + Eleventy | No | 2026-03-06 | Scenario microsite + CFN |
| ndx-try-aws-isb | -- | -- | No | 2025-11-21 | Placeholder (empty) |
| ndx-try-aws-lza | YAML | LZA | No | 2025-12-19 | Landing Zone config |
| ndx-try-aws-scp | Terraform | Terraform | No | 2026-03-06 | Cost defence SCPs + budgets + OU alarms |
| ndx-try-aws-terraform | Terraform | Terraform | No | 2026-03-03 | Org-level Terraform glue |
Detailed Repository Profiles
1. innovation-sandbox-on-aws
| Property | Value |
|---|---|
| SHA | cf75b87 |
| Origin | Fork of aws-solutions/innovation-sandbox-on-aws |
| Description | Core Innovation Sandbox on AWS solution -- manages temporary sandbox environments with automated security, governance, spend controls, and account recycling via a web UI |
| Language | TypeScript (98.6%) |
| IaC | AWS CDK synthesised to CloudFormation |
| Workflows | None |
Key Files: source/infrastructure/lib/ (CDK stacks: AccountPool, IDC, Data, Compute, SandboxAccount), source/frontend/ (Vite web UI), source/lambdas/ (API handlers), deployment/ (build scripts), docs/openapi/ (API spec v1.1.4).
Architecture: Four CloudFormation stacks -- AccountPool (org management account, OU/SCP lifecycle), IDC (IAM Identity Center integration), Data (DynamoDB tables, AppConfig), Compute (Lambda functions, API Gateway, Step Functions, EventBridge, CloudFront frontend).
2. innovation-sandbox-on-aws-approver
| Property | Value |
|---|---|
| SHA | cb27fa3 |
| Description | Score-based lease approval system with Identity Center pre-approval |
| Language | TypeScript |
| IaC | AWS CDK (cdk/) |
| Workflows | deploy.yml |
Purpose: Listens for LeaseRequested EventBridge events and automatically approves or escalates lease requests. Implements Identity Center group-based pre-approval (replacing hardcoded allow-lists), domain verification for UK local government email addresses, AI-powered email analysis via Amazon Bedrock (Nova Micro), and Slack Workflow notifications for manual escalation. Targets 80%+ instant approval with less than 5% false negative rate.
Key Files: src/ (Lambda handler), cdk/ (CDK stack), docs/runbooks/ (operational procedures).
3. innovation-sandbox-on-aws-billing-seperator
| Property | Value |
|---|---|
| SHA | 47ae71d |
| Description | Quarantines sandbox accounts for 72 hours after cleanup to ensure billing separation |
| Language | TypeScript |
| IaC | AWS CDK (lib/hub-stack.ts, lib/org-mgmt-stack.ts) |
| Workflows | deploy.yml, pr-check.yml |
Purpose: Temporary workaround for billing attribution issues. Enforces a 72-hour hard cooldown on sandbox accounts via CloudTrail-triggered quarantine. Cross-account EventBridge routing from org management to hub account. Should be archived once ISB issue #70 is resolved.
4. innovation-sandbox-on-aws-client
| Property | Value |
|---|---|
| SHA | 365668c |
| Description | Lightweight HTTP client for the ISB API |
| Language | TypeScript |
| IaC | None (library package) |
| Workflows | None |
Purpose: Provides typed methods for ISB API operations (leases, accounts, templates) with JWT authentication, token caching, and automatic renewal. Distributed as a tarball via GitHub Releases (@co-cddo/isb-client). Used by satellite services (approver, costs, billing-separator) to interact with the ISB API.
5. innovation-sandbox-on-aws-costs
| Property | Value |
|---|---|
| SHA | c8f0523 |
| Description | Event-driven lease cost collection service |
| Language | TypeScript |
| IaC | CDK (infra/) |
| Workflows | ci.yml, deploy.yml |
Purpose: Triggered by LeaseTerminated EventBridge events. Waits 24 hours for billing data settlement, then queries Cost Explorer via cross-account role assumption in the org management account. Generates CSV cost reports stored in S3 with 3-year retention and 7-day presigned URL access. Uses JWT authentication for Lambda-to-Lambda API calls.
Key Files: src/ (Lambda handlers), infra/ (CDK stacks), docs/api-contracts.md (event schemas).
6. innovation-sandbox-on-aws-deployer
| Property | Value |
|---|---|
| SHA | c2a85a0 |
| Description | Lambda that deploys CloudFormation templates to sandbox sub-accounts when leases are approved |
| Language | TypeScript |
| IaC | CDK (infrastructure/) |
| Workflows | ci.yml |
| Status | ARCHIVED -- superseded by ISB blueprint pattern |
Purpose: Event-driven deployment triggered on LeaseApproved events. Supported both CDK (auto-detection via cdk.json) and CloudFormation templates. Used sparse GitHub cloning for bandwidth efficiency. Now archived in favour of native ISB blueprint deployment.
7. innovation-sandbox-on-aws-ou-metrics
| Property | Value |
|---|---|
| SHA | ae49b62 |
| Description | Stop-gap CloudWatch metrics for ISB OU account counts |
| Language | TypeScript |
| IaC | AWS CDK |
| Workflows | None |
Purpose: Publishes CloudWatch custom metrics under the InnovationSandbox/OUMetrics namespace for account counts across all 7 ISB pool OUs (Available, Active, Frozen, CleanUp, Quarantine, Entry, Exit). Lambda runs in the org management account, triggered by EventBridge (CloudTrail account moves, native Org events, 15-minute schedule). Stop-gap until upstream issue #110 adds native support.
Key Files: lambda/handler.ts (count & publish logic), lib/ou-metrics-stack.ts (CDK stack), cdk.json (OU ID configuration).
8. innovation-sandbox-on-aws-utils
| Property | Value |
|---|---|
| SHA | af98d4b |
| Description | Python utilities for managing Innovation Sandbox pool accounts |
| Language | Python |
| IaC | None (scripts) |
| Workflows | CI workflow |
Purpose: Operational scripts for pool account lifecycle: create_sandbox_pool_account.py (batch account creation with configurable count), assign_lease.py (enhanced with optional template/duration), terminate_lease.py, force_release_account.py, create_user.py, clean_console_state.py. Uses boto3 with SSO profiles.
9. ndx
| Property | Value |
|---|---|
| SHA | b846188 |
| Description | National Digital Exchange public website |
| Language | TypeScript / Eleventy v3.x |
| IaC | CDK (infra/) |
| Workflows | ci.yaml, infra.yaml, test.yml, accessibility.yml, scorecard.yml |
Purpose: Static GOV.UK Design System website describing the NDX initiative. Includes Discover section (news, events, case studies), cloud services catalogue, access request system, Cloud Maturity Model and Assessment Tool. WCAG 2.2 AA compliant with Pa11y, Playwright, Lighthouse CI testing.
Key Files: src/ (templates, assets), infra/ (CDK stack for CloudFront/S3 hosting), docs/adr/ (Architecture Decision Records).
10. ndx_try_aws_scenarios
| Property | Value |
|---|---|
| SHA | 27b3a06 |
| Description | Zero-cost AWS evaluation platform for UK local government |
| Language | TypeScript / Eleventy |
| IaC | CloudFormation (275+ templates in cloudformation/scenarios/) |
| Workflows | build-deploy.yml, docker-build.yml |
Purpose: Provides 7 pre-built scenarios for hands-on cloud exploration: Council Chatbot, Planning AI, FOI Redaction, Smart Car Park, Text to Speech, QuickSight Dashboard, LocalGov Drupal. Each scenario has one-click CloudFormation deployment and evidence pack generation (committee-ready PDFs with ROI analysis).
11. ndx-try-aws-isb
| Property | Value |
|---|---|
| SHA | 70bb7ec |
| Description | Empty placeholder repository |
| Status | Contains only .git/, .gitignore, LICENSE |
12. ndx-try-aws-lza
| Property | Value |
|---|---|
| SHA | 6d70ae3 |
| Description | Landing Zone Accelerator v1.1.0 configuration for NDX:Try AWS |
| Language | YAML |
| IaC | AWS LZA |
| Workflows | None |
Purpose: Defines the entire AWS Organization structure, OU hierarchy, account definitions, IAM policies, network config, security settings, service control policies, and backup policies. Seven core YAML config files plus policy directories.
Key Files: accounts-config.yaml, organization-config.yaml, security-config.yaml, global-config.yaml, iam-config.yaml, network-config.yaml, service-control-policies/.
13. ndx-try-aws-scp
| Property | Value |
|---|---|
| SHA | 3443cac |
| Description | 5-layer cost defence system for Innovation Sandbox + OU metrics alarms |
| Language | Terraform + Python (Lambda) |
| IaC | Terraform |
| Workflows | terraform.yaml |
Purpose: Implements defence-in-depth cost protection: SCPs (service/compute restrictions), AWS Budgets (per-account daily/monthly limits), DynamoDB billing mode enforcement (auto-delete On-Demand tables), and OU account count alarm management. Four Terraform modules: scp-manager, budgets-manager, dynamodb-billing-enforcer, ou-metrics-alarms.
Key Files: environments/ndx-production/main.tf, modules/scp-manager/, modules/budgets-manager/, modules/dynamodb-billing-enforcer/, modules/ou-metrics-alarms/.
14. ndx-try-aws-terraform
| Property | Value |
|---|---|
| SHA | 4df9750 |
| Description | General Terraform configuration for org-level resources |
| Language | Terraform |
| IaC | Terraform |
| Workflows | CI workflow |
Purpose: Minimal glue repository for org-level Terraform state management (S3 backend) and billing view configuration. Contains main.tf, terraform.tf.
Repository Relationship Diagram
Technology Distribution
| Technology | Count | Repositories |
|---|---|---|
| TypeScript CDK | 7 | ISB core, approver, billing-separator, costs, deployer, ou-metrics, ndx |
| CloudFormation | 2 | ISB core, ndx_try_aws_scenarios |
| Terraform | 2 | ndx-try-aws-scp, ndx-try-aws-terraform |
| AWS LZA (YAML) | 1 | ndx-try-aws-lza |
| Python Scripts | 1 | innovation-sandbox-on-aws-utils |
| Eleventy SSG | 2 | ndx, ndx_try_aws_scenarios |
Workflow Coverage
| Category | Repos |
|---|---|
| CI/CD Pipelines | approver, billing-separator, costs, deployer, ndx, ndx_try_aws_scenarios, ndx-try-aws-scp, ndx-try-aws-terraform, innovation-sandbox-on-aws-utils |
| No Workflows | innovation-sandbox-on-aws, innovation-sandbox-on-aws-client, ndx-try-aws-isb, ndx-try-aws-lza |
Key Observations
-
Extension Architecture: CDDO extends ISB through external satellite Lambda services rather than modifying the upstream fork, preserving upgrade compatibility.
-
Event-Driven Integration: Satellites communicate with the core ISB via Amazon EventBridge events (
LeaseRequested,LeaseApproved,LeaseTerminated). -
Shared Client Library: The
@co-cddo/isb-clientpackage provides a typed API client used by multiple satellite services. -
Dual SCP Management: SCPs are managed by both LZA (YAML) and Terraform (
ndx-try-aws-scp), requiring careful coordination to avoid drift. -
Archived Repository:
innovation-sandbox-on-aws-deployeris archived (superseded by ISB blueprint pattern). -
Scale: 240 pool accounts across 247 total AWS accounts, with OU-based lifecycle management and CloudWatch metrics for operational visibility.
-
Observability: The
innovation-sandbox-on-aws-ou-metricsstop-gap service provides CloudWatch metrics for account pool health, consumed by Terraform-managed alarms inndx-try-aws-scp.
Generated from source analysis on 2026-03-06. See 01-upstream-analysis.md for fork divergence details.