
Deployment Flows

Last Updated: 2026-03-06
Sources: GitHub Actions workflow files, README files, deployment scripts across all repositories

Executive Summary

The NDX:Try ecosystem uses a combination of automated CI/CD pipelines and manual deployment procedures across 15 repositories. Automated deployments run in GitHub Actions, authenticating to AWS via OIDC (short-lived role credentials rather than stored access keys) and deploying with CDK, Terraform, S3 sync, and CloudFormation. The ISB core (the upstream AWS solution) is deployed manually via CDK from a developer workstation, and the Landing Zone Accelerator configuration is managed through AWS's own CodePipeline. Workloads are deployed only to us-east-1 and us-west-2; the two exceptions noted in this inventory are the SCP repository's Terraform state bucket in eu-west-2 and the LZA pipeline, which spans multiple regions.

Deployment Architecture Overview

Flow 1: NDX Website Deployment

The NDX website (ndx repo) has the most sophisticated pipeline with separate content and infrastructure tracks.

Content Deployment (ci.yaml)

Key details:

  • Path filtering: build and deploy are skipped when a push touches only infra/ or docs/ files
  • Deployment target: s3://ndx-static-prod/ in us-west-2
  • CloudFront distribution: E3THG4UHYDHVWP
  • Cache-Control set on synced objects: public, max-age=3600 (edge and browser caches may serve an object for up to an hour after a deploy)
  • Post-deploy validation: compares the local and bucket file counts and smoke-tests index.html

Source: repos/ndx/.github/workflows/ci.yaml
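The validation step in ci.yaml is summarised above but not reproduced on this page. The following is an added example, written for this page and not taken from the ndx repository, of a stricter version of that step: it diffs the build tree against the bucket key by key instead of comparing counts, then checks the served index.html for status, content type, a marker string and the Cache-Control value the sync set. The bucket name, site URL and marker are passed in at run time; boto3 is assumed to be available on the runner.

```python
"""Post-deploy validation for an S3-hosted static site.

Added example, not the ndx repo's own ci.yaml step. Goes beyond the file count
comparison by diffing local keys against bucket keys (equal counts can hide a
missing file next to a stale one) and by checking the served index.html.
"""
from __future__ import annotations

import os
from typing import Callable, Iterable


def local_keys(build_dir: str) -> set[str]:
    """Relative paths of every file under build_dir, in S3 key form."""
    keys: set[str] = set()
    for root, _dirs, files in os.walk(build_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), build_dir)
            keys.add(rel.replace(os.sep, "/"))
    return keys


def compare_keys(local: set[str], remote: Iterable[str]) -> dict[str, set[str]]:
    """Key-level diff of build output vs bucket: what never arrived and what
    is lingering in the bucket (e.g. a sync run without --delete)."""
    remote_set = set(remote)
    return {"missing": local - remote_set, "extra": remote_set - local}


def smoke_test_index(status: int, headers: dict[str, str], body: str,
                     marker: str, max_age: int = 3600) -> list[str]:
    """Checks a fetched index.html; returns a list of problems (empty = pass)."""
    problems: list[str] = []
    lower = {k.lower(): v for k, v in headers.items()}
    if status != 200:
        problems.append(f"status {status}")
    ctype = lower.get("content-type", "")
    if not ctype.startswith("text/html"):
        problems.append(f"content-type {ctype!r}")
    if marker not in body:
        problems.append(f"marker {marker!r} not found")
    cache = lower.get("cache-control", "")
    if f"max-age={max_age}" not in cache.replace(" ", ""):
        problems.append(f"cache-control {cache!r}")
    return problems


def validate_deploy(build_dir: str,
                    list_remote: Callable[[], Iterable[str]],
                    fetch_index: Callable[[], tuple[int, dict[str, str], str]],
                    marker: str) -> list[str]:
    """Runs both checks. The two callables are injected so the logic can be
    exercised offline; live_checks() below wires them to S3 and HTTP."""
    diff = compare_keys(local_keys(build_dir), list_remote())
    failures = [f"missing in bucket: {k}" for k in sorted(diff["missing"])]
    failures += [f"unexpected in bucket: {k}" for k in sorted(diff["extra"])]
    status, headers, body = fetch_index()
    failures += smoke_test_index(status, headers, body, marker)
    return failures


def live_checks(bucket: str, site_url: str):
    """Real S3 listing and HTTP fetch (boto3 assumed present on the runner)."""
    import urllib.error
    import urllib.request

    import boto3

    def list_remote() -> list[str]:
        pages = boto3.client("s3").get_paginator("list_objects_v2").paginate(Bucket=bucket)
        return [obj["Key"] for page in pages for obj in page.get("Contents", [])]

    def fetch_index() -> tuple[int, dict[str, str], str]:
        url = site_url.rstrip("/") + "/index.html"
        try:
            with urllib.request.urlopen(url, timeout=15) as resp:
                return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # non-2xx still yields a status to report
            return err.code, dict(err.headers), err.read().decode("utf-8", "replace")

    return list_remote, fetch_index


if __name__ == "__main__":
    import sys

    # usage: validate.py <build_dir> <bucket> <site_url> <marker>
    build, bucket, url, marker = sys.argv[1:5]
    list_remote, fetch_index = live_checks(bucket, url)
    problems = validate_deploy(build, list_remote, fetch_index, marker)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

Run it as the step after the sync, e.g. `python validate.py dist ndx-static-prod https://<site-host> '<title>'`; a non-zero exit fails the job. A count comparison alone passes a deploy in which one new object failed to upload while one stale object was left behind; the keyed diff reports both sides.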

Infrastructure Deployment (infra.yaml)

The infrastructure pipeline also deploys the signup infrastructure and the cross-account role used to reach the ISB account:

  • Signup CDK deploy: deploys to the Hub account (568672915267), assuming the GitHubActions-NDX-InfraDeploy role
  • ISB cross-account role: deploys a CloudFormation template to the ISB account (955063685555), assuming the GitHubActions-ISB-InfraDeploy role

Source: repos/ndx/.github/workflows/infra.yaml
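The cross-account role above is what lets a GitHub Actions run in the ndx repository act in the ISB account, so its trust policy is the control that decides which workflows can assume it. The following is an added example, not the template deployed by infra.yaml and not taken from 51-oidc-configuration.md, of an audit for the three things that matter in such a trust policy: the federated principal is the GitHub OIDC provider in the target account, the audience is fixed to sts.amazonaws.com, and every `sub` condition is pinned to one repository and one branch or environment. The repository name example-org/ndx is an assumption; the account ID is the ISB account from this page.

```python
"""Audit of the trust policy on a GitHub Actions OIDC deploy role.

Added example; it is not the CloudFormation template infra.yaml deploys.
Account 955063685555 is from this page; the repository example-org/ndx is assumed.
"""
from __future__ import annotations

GITHUB_OIDC = "token.actions.githubusercontent.com"


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def check_sub(sub: str, repo: str) -> str | None:
    """Validate one `sub` claim value. GitHub issues subs shaped like
    repo:ORG/REPO:ref:refs/heads/BRANCH, repo:ORG/REPO:environment:NAME or
    repo:ORG/REPO:pull_request; a deploy role should accept only a pinned
    branch or environment of exactly one repository."""
    parts = sub.split(":", 2)
    if len(parts) < 2 or parts[0] != "repo":
        return f"sub {sub!r} is not a repo claim"
    if parts[1] != repo:  # catches repo:ORG/* and any other repository
        return f"sub {sub!r} is not pinned to {repo}"
    rest = parts[2] if len(parts) == 3 else ""
    if "*" in rest or "?" in rest:
        return f"sub {sub!r} uses a wildcard after the repository"
    if rest == "pull_request":
        return f"sub {sub!r} lets pull_request runs assume a deploy role"
    if not (rest.startswith("ref:refs/heads/") or rest.startswith("environment:")):
        return f"sub {sub!r} should pin a branch ref or a deployment environment"
    return None


def audit_trust_policy(policy: dict, account_id: str, repo: str) -> list[str]:
    """Findings for every Allow statement granting sts:AssumeRoleWithWebIdentity.
    Empty list = provider is this account's GitHub OIDC provider, audience is
    fixed to sts.amazonaws.com, and every sub is pinned to the expected repo."""
    findings: list[str] = []
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        federated = _as_list(st.get("Principal", {}).get("Federated", []))
        if federated != [provider_arn]:
            findings.append(f"stmt {i}: federated principal {federated} is not {provider_arn}")
        cond = st.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(f"{GITHUB_OIDC}:aud", []))
        if aud != ["sts.amazonaws.com"]:
            findings.append(f"stmt {i}: aud must be exactly sts.amazonaws.com via StringEquals, got {aud}")
        subs = (_as_list(cond.get("StringEquals", {}).get(f"{GITHUB_OIDC}:sub", []))
                + _as_list(cond.get("StringLike", {}).get(f"{GITHUB_OIDC}:sub", [])))
        if not subs:
            findings.append(f"stmt {i}: no sub condition; any GitHub repository could assume the role")
        for sub in subs:
            problem = check_sub(sub, repo)
            if problem:
                findings.append(f"stmt {i}: {problem}")
    return findings


def trust_policy(account_id: str, repo: str, branch: str = "main") -> dict:
    """A trust policy that passes the audit: one repo, one branch, fixed audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
                f"{GITHUB_OIDC}:sub": f"repo:{repo}:ref:refs/heads/{branch}",
            }},
        }],
    }


# Constructed policy of a kind that often ships: the provider is right, but the
# audience is unchecked and the sub matches every repository in the org.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::955063685555:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-org/*"}},
    }],
}
```

`audit_trust_policy(WEAK_POLICY, "955063685555", "example-org/ndx")` returns two findings (unchecked audience, sub not pinned to the repository); `trust_policy(...)` returns none. Because the role lives in the ISB account, the OIDC provider it trusts must be the one registered in 955063685555, which is why the audit builds the provider ARN from the account ID rather than accepting any provider named token.actions.githubusercontent.com.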

Flow 2: ISB Core Deployment (Manual)

The upstream Innovation Sandbox on AWS solution is deployed manually from a developer workstation. There is no GitHub Actions CI/CD for the core ISB.

Stacks deployed (multi-account):

| Stack | Account | Description |
|---|---|---|
| InnovationSandbox-AccountPool | Org Management | AWS Organizations OUs, account pool |
| InnovationSandbox-IDC | Hub | IAM Identity Center configuration |
| InnovationSandbox-Data | Hub | DynamoDB tables, S3 buckets |
| InnovationSandbox-Compute | Hub | Lambda functions, API Gateway, Step Functions |

Prerequisites:

  • AWS CLI with appropriate credentials for both accounts
  • Node.js 22
  • Docker (for ECR image management)

Source: repos/innovation-sandbox-on-aws/README.md

Flow 3: ISB Satellite Deployments

Approver (Auto-deploy)

Deploys automatically on every push to main with no manual gate, so the controls on merging to main (branch protection, required reviews) are the only approval step before this deploy runs.

Source: repos/innovation-sandbox-on-aws-approver/.github/workflows/deploy.yml

Billing Separator (Manual deploy)

Deploying requires a manual workflow_dispatch trigger with an environment selection (dev/prod); a push to main only runs validation.

Source: repos/innovation-sandbox-on-aws-billing-seperator/.github/workflows/deploy.yml

Cost Collection (Manual deploy)

Deploy is workflow_dispatch only and runs in the production environment, so that environment's protection rules gate the job. The CDK invocation requires multiple context variables to be passed in.

Source: repos/innovation-sandbox-on-aws-costs/.github/workflows/deploy.yml

Deployer (Auto-deploy with Docker)

This is the most complex pipeline: it builds an ARM64 Docker image, pushes it to ECR, then deploys via CDK and waits for the Lambda function update to finish, since Lambda applies a new container image asynchronously (LastUpdateStatus stays InProgress until the new image is active).

Source: repos/innovation-sandbox-on-aws-deployer/.github/workflows/ci.yml
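As an added example (not the deployer repository's ci.yml), the helpers below show the two checks the "wait for the new image" step should make: resolve the pushed tag to its digest and deploy the digest rather than a mutable tag, and after the waiter returns confirm from get_function that LastUpdateStatus is Successful and ResolvedImageUri carries that digest. The repository name isb-deployer, the function name, the account in the ECR URI and the sha-<commit> tag format are placeholders and assumptions (the page states that tag format for the GHCR image, not for ECR); boto3 is only imported in the live deploy() path.

```python
"""Point a container-image Lambda at a freshly pushed ECR image and wait for
it to become active.

Added example; not the deployer repo's ci.yml. Names, account and tag format
are placeholders. The point: deploy a digest, then verify the service resolved
that digest once the asynchronous update has finished.
"""
from __future__ import annotations


def digest_pinned_uri(repo_uri: str, describe_images: dict, tag: str) -> str:
    """Resolve a mutable tag to REPO@sha256:... using an ecr.describe_images
    response, so the function is pinned to the exact bytes that were pushed."""
    for image in describe_images.get("imageDetails", []):
        if tag in image.get("imageTags", []):
            return f"{repo_uri}@{image['imageDigest']}"
    raise LookupError(f"tag {tag!r} not present in ECR repository {repo_uri}")


def image_is_active(get_function: dict, expected_uri: str) -> tuple[bool, str]:
    """Interpret a lambda.get_function response. Lambda applies image updates
    asynchronously: LastUpdateStatus must reach Successful, and the image the
    service actually resolved must carry the digest that was deployed."""
    config = get_function.get("Configuration", {})
    code = get_function.get("Code", {})
    status = config.get("LastUpdateStatus")
    if status != "Successful":
        reason = config.get("LastUpdateStatusReason", "")
        return False, f"update status {status}" + (f": {reason}" if reason else "")
    resolved = code.get("ResolvedImageUri", "")
    if resolved.rsplit("@", 1)[-1] != expected_uri.rsplit("@", 1)[-1]:
        return False, f"function runs {resolved or '<unknown>'}, expected {expected_uri}"
    return True, "active"


def deploy(function_name: str, repo_name: str, tag: str, region: str) -> str:
    """Live path (boto3 assumed): resolve, update, wait, verify. Returns the
    digest-pinned URI now running."""
    import boto3

    ecr = boto3.client("ecr", region_name=region)
    lam = boto3.client("lambda", region_name=region)
    repo_uri = ecr.describe_repositories(repositoryNames=[repo_name])["repositories"][0]["repositoryUri"]
    listing = ecr.describe_images(repositoryName=repo_name, imageIds=[{"imageTag": tag}])
    uri = digest_pinned_uri(repo_uri, listing, tag)
    lam.update_function_code(FunctionName=function_name, ImageUri=uri, Architectures=["arm64"])
    # The waiter polls LastUpdateStatus until the asynchronous update leaves InProgress.
    lam.get_waiter("function_updated_v2").wait(FunctionName=function_name)
    ok, why = image_is_active(lam.get_function(FunctionName=function_name), uri)
    if not ok:
        raise RuntimeError(why)
    return uri


# Constructed ECR listing, so the helpers can be exercised offline. The account
# number and repository name are placeholders, not values from any real pipeline.
SAMPLE_REPO_URI = "111111111111.dkr.ecr.us-west-2.amazonaws.com/isb-deployer"
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_LISTING = {"imageDetails": [
    {"imageDigest": SAMPLE_DIGEST, "imageTags": ["sha-1234abcd", "latest"]},
    {"imageDigest": "sha256:" + "cd" * 32, "imageTags": ["sha-0000ffff"]},
]}
```

Deploying `REPO@sha256:...` instead of `REPO:latest` means a later push that moves the tag cannot change what the function runs, and the post-wait comparison catches the case where the update completed but against a different image than the one the job built.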

Client Library (Release on tag)

No AWS deployment. Produces a GitHub Release with an npm tarball.

Source: repos/innovation-sandbox-on-aws-client/.github/workflows/release.yml

Flow 4: Scenarios Microsite Deployment

Static Site (GitHub Pages)

Deployment target: GitHub Pages at https://aws.try.ndx.digital.cabinet-office.gov.uk

Source: repos/ndx_try_aws_scenarios/.github/workflows/build-deploy.yml

ISB Blueprints (CDK to Hub)

Path-filtered to only trigger on changes to cloudformation/scenarios/*/template.yaml, cloudformation/scenarios/localgov-drupal/cdk/**, or cloudformation/isb-hub/**.

Source: repos/ndx_try_aws_scenarios/.github/workflows/deploy-blueprints.yml

Docker Image (GHCR)

Tags: latest (pushed only from main) and sha-<commit>. The per-commit tag is the one to pin consumers to, since latest moves with every main build.

Source: repos/ndx_try_aws_scenarios/.github/workflows/docker-build.yml

Flow 5: Infrastructure (Terraform) Deployments

SCP Management (ndx-try-aws-scp)

Key points:

  • Apply never runs automatically on merge; it always requires a manual workflow_dispatch with the apply action selected
  • The apply job runs in the production environment, which requires reviewer approval
  • Terraform state lives in the S3 bucket ndx-terraform-state-955063685555, with DynamoDB state locking
  • Working directory: environments/ndx-production
  • Region: eu-west-2 for the state bucket only; the SCPs themselves are global (attached in AWS Organizations, not in a region)

Source: repos/ndx-try-aws-scp/.github/workflows/terraform.yaml

Terraform Validate (ndx-try-aws-terraform)

Validation only -- no deployment pipeline. Runs terraform fmt -check, terraform init -backend=false, and terraform validate. Actual changes to the org management account Terraform (billing roles, S3 state bucket) are applied manually.

Source: repos/ndx-try-aws-terraform/.github/workflows/ci.yaml

Flow 6: Landing Zone Accelerator (LZA) Deployment

The LZA configuration is not deployed via GitHub Actions; it is consumed by the AWS-native LZA CodePipeline.

Configuration files include: accounts-config.yaml, global-config.yaml, iam-config.yaml, network-config.yaml, organization-config.yaml, security-config.yaml, and various policy JSON files.

The LZA repo README notes that the directory was restructured in December 2025 for the transition from S3/CodeCommit to GitHub as the configuration source.

Source: repos/ndx-try-aws-lza/README.md

Flow 7: Legacy/Sandbox Deployments

AWS Nuke (Scheduled)

Runs weekly (Fridays at 21:00 UTC) and deletes resources in the legacy sandbox account according to the nuke/config.yml configuration.

Source: repos/aws-sandbox/.github/workflows/aws-nuke.yml
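Because aws-nuke deletes whatever it can find in each account listed under `accounts`, the configuration file is the safety boundary between the sandbox and the production accounts. The following added example (not the aws-sandbox repository's own workflow) is a pre-flight check to run before the scheduled nuke: it parses nuke/config.yml and refuses to proceed unless the Hub and ISB accounts from this page are blocklisted and the only target is the sandbox. The sandbox account ID is a placeholder, the org management account ID is not on this page and must be filled in, and PyYAML is assumed to be present on the runner.

```python
"""Pre-flight check for the scheduled aws-nuke run.

Added example; not the aws-sandbox repo's workflow. Hub (568672915267) and ISB
(955063685555) are from this page; the sandbox ID is a placeholder.
"""
from __future__ import annotations

PROTECTED = {"568672915267", "955063685555"}  # add the org management account ID here
LEGACY_SANDBOX = "111111111111"               # placeholder, not a real account


def preflight(config: dict, protected: set[str], target: str) -> list[str]:
    """Reasons not to run; an empty list means the config is safe to hand to
    aws-nuke. Values are normalised to str because YAML parses unquoted account
    IDs as integers. Both key spellings are accepted: `account-blocklist`
    (rebuy-de aws-nuke) and `blocklist` (ekristen fork)."""
    problems: list[str] = []
    raw_block = config.get("blocklist") or config.get("account-blocklist") or []
    blocklist = {str(a) for a in raw_block}
    accounts = {str(a) for a in (config.get("accounts") or {})}
    for acct in sorted(protected - blocklist):
        problems.append(f"protected account {acct} is not in the blocklist")
    for acct in sorted(accounts & protected):
        problems.append(f"protected account {acct} is listed as a nuke target")
    if accounts != {target}:
        problems.append(f"targets {sorted(accounts)} != expected {[target]}")
    if not config.get("regions"):
        problems.append("no regions configured")
    return problems


def load_config(path: str) -> dict:
    """Parse nuke/config.yml (PyYAML assumed on the runner)."""
    import yaml

    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed config in aws-nuke's layout: the sandbox is the only target and
# the organisation's account-access role is preserved via a filter.
SAMPLE_CONFIG = {
    "regions": ["us-west-2", "global"],
    "account-blocklist": ["568672915267", "955063685555"],
    "accounts": {
        "111111111111": {"filters": {"IAMRole": ["OrganizationAccountAccessRole"]}},
    },
}


if __name__ == "__main__":
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else "nuke/config.yml"
    problems = preflight(load_config(path), PROTECTED, LEGACY_SANDBOX)
    for problem in problems:
        print("REFUSE:", problem)
    sys.exit(1 if problems else 0)
```

Put it as the step before the nuke step so a config edit that drops a production account from the blocklist, or adds one under `accounts`, fails the job instead of being applied on Friday night.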

Access Lambda and IAM (Terraform)

Both use Terraform with -auto-approve, so plan and apply run without an interactive confirmation step, and they deploy on push to main when relevant paths change. Both target the legacy sandbox account.

Source: repos/aws-sandbox/.github/workflows/deploy-access-lambda.yml, repos/aws-sandbox/.github/workflows/update-iam.yml

Deployment Summary Matrix

| Component | Method | Trigger | Region | Automated? |
|---|---|---|---|---|
| NDX Website (content) | S3 sync + CloudFront | Push to main | us-west-2 | Yes |
| NDX Website (infra) | CDK | Push to main | us-west-2 | Yes |
| NDX Signup (infra) | CDK | Push to main | us-west-2 | Yes |
| NDX Cross-Account Role | CloudFormation | Push to main | us-west-2 | Yes |
| ISB Core | CDK (manual) | Manual | us-east-1 / us-west-2 | No |
| ISB Approver | CDK | Push to main | us-west-2 | Yes |
| ISB Billing Separator | CDK | workflow_dispatch | Configurable | Manual trigger |
| ISB Cost Collection | CDK | workflow_dispatch | us-west-2 | Manual trigger |
| ISB Deployer | ECR + CDK | Push to main | us-west-2 | Yes |
| ISB Client Library | npm pack + GH Release | Tag push | N/A | Yes |
| Scenarios Microsite | GitHub Pages | Push to main | N/A | Yes |
| Scenarios Blueprints | CDK | Push to main (path-filtered) | us-west-2 | Yes |
| LocalGov Drupal Image | GHCR | Push to main (path-filtered) | N/A | Yes |
| SCP Management | Terraform | Manual (apply) | eu-west-2 (state) | Plan auto, apply manual |
| Terraform Org Config | Terraform (manual) | Manual | us-west-2 | No |
| LZA Configuration | AWS CodePipeline | Pipeline trigger | Multiple | Yes (AWS-managed) |
| AWS Sandbox Nuke | aws-nuke | Friday 21:00 UTC | Configurable | Yes (scheduled) |

Generated from source analysis. See 50-github-actions-inventory.md for workflow details and 51-oidc-configuration.md for authentication configuration.