From e24c4dcd26c381e138f1f128798e572da3f77d13 Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Thu, 9 Apr 2026 17:34:56 +0100 Subject: [PATCH] [NRL-1935] Update CI image build to Ubuntu 24.04 and to use date version tags --- Dockerfile.ci-build | 3 +-- Makefile | 14 +++++++++----- terraform/account-wide-infrastructure/README.md | 6 ++++-- .../account-wide-infrastructure/mgmt/codebuild.tf | 2 +- terraform/account-wide-infrastructure/mgmt/vars.tf | 6 ++++++ 5 files changed, 21 insertions(+), 10 deletions(-) diff --git a/Dockerfile.ci-build b/Dockerfile.ci-build index a6d9d66c6..d2a79a6de 100644 --- a/Dockerfile.ci-build +++ b/Dockerfile.ci-build @@ -1,4 +1,4 @@ -FROM ubuntu:22.04 +FROM ubuntu:24.04 RUN apt update && \ @@ -11,7 +11,6 @@ RUN apt update && \ gnupg \ libbz2-dev \ libffi-dev \ - libicu70 \ liblzma-dev \ libncursesw5-dev \ libreadline-dev \ diff --git a/Makefile b/Makefile index 9e7825f09..59f353180 100644 --- a/Makefile +++ b/Makefile @@ -23,6 +23,9 @@ PERFTEST_TYPE_DIST_PROFILE ?= default PERFTEST_CUSTODIAN_DIST_PROFILE ?= default PERFTEST_TOKEN_REFRESH_PORT ?= 8765 +CI_BUILD_ARGS ?= +CI_IMAGE_TAG ?= $(shell date +%Y-%m-%d) + export PATH := $(PATH):$(PWD)/.venv/bin export USE_SHARED_RESOURCES := $(shell poetry run python scripts/are_resources_shared_for_stack.py $(TF_WORKSPACE_NAME)) @@ -88,8 +91,9 @@ build-api-packages: ./api/consumer/* ./api/producer/* build-ci-image: ## Build the CI image @echo "Building the CI image" docker build \ - -t nhsd-nrlf-ci-build:latest \ - -f Dockerfile.ci-build + -t localhost/nhsd-nrlf-ci-build:${CI_IMAGE_TAG} \ + -f Dockerfile.ci-build \ + ${CI_BUILD_ARGS} ecr-login: ## Login to NRLF ECR repo @echo "Logging into ECR" 
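Review bot: In the Makefile hunk that adds `CI_IMAGE_TAG ?= $(shell date +%Y-%m-%d)`, the default is recomputed on every make invocation (and on every expansion, because `?=` is recursive). `build-ci-image` and `publish-ci-image` therefore agree on a tag only when both run on the same local calendar day. The README runs them as separate commands, so a build shortly before midnight followed by a publish after it would make `docker tag` look for a local image that was never built. I would add a comment above the variable such as `# Defaults to today's local date; pass the same CI_IMAGE_TAG=... to build-ci-image and publish-ci-image`, and consider `date -u +%Y-%m-%d` so the tag does not depend on the operator's timezone.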
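Review bot: The rewritten `docker build` in `build-ci-image` still ends without a build-context path: after `-f Dockerfile.ci-build \` the only remaining argument is `${CI_BUILD_ARGS}`, which defaults to empty. The Docker CLI expects a context argument, so this presumably works only where `docker` is a podman alias (the new `localhost/` prefix hints at that) or when the caller supplies the path through CI_BUILD_ARGS, which is worth confirming. Making it explicit would be `-f Dockerfile.ci-build ${CI_BUILD_ARGS} .`, with a one-line comment that CI_BUILD_ARGS is for extra build flags such as `--no-cache`. An explicit context also makes it clear which directory tree is sent to the builder.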
@@ -103,9 +107,9 @@ publish-ci-image: ## Publish the CI image @echo "Publishing the CI image" $(eval AWS_REGION := $(shell aws configure get region)) $(eval AWS_ACCOUNT_ID := $(shell aws sts get-caller-identity | jq -r .Account)) - @docker tag nhsd-nrlf-ci-build:latest \ - $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:latest - @docker push $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:latest + @docker tag localhost/nhsd-nrlf-ci-build:${CI_IMAGE_TAG} \ + $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:${CI_IMAGE_TAG} + @docker push $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:${CI_IMAGE_TAG} test: check-warn ## Run the unit tests @echo "Running unit tests" diff --git a/terraform/account-wide-infrastructure/README.md b/terraform/account-wide-infrastructure/README.md index 8d7371d29..538841694 100644 --- a/terraform/account-wide-infrastructure/README.md +++ b/terraform/account-wide-infrastructure/README.md @@ -69,9 +69,9 @@ If that has worked, you should see: "Your account is successfully connected thro ### Build and publish the container image for CI build -Once all the mgmt infra has been deployed, you need to build and publish the CI image to the ECR repo. +Once all the mgmt infra has been deployed, you need to build and publish the CI image to the ECR repo. Also follow these steps to update the CI build image. -To do this, first build the image as follows: +To do this, from the top-level of the repo, build the image as follows: ``` make build-ci-image 
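Review bot: Both the `docker tag` and `docker push` lines in `publish-ci-image` keep the `@` prefix, so the recipe never shows which registry path and tag were pushed, yet the README now asks the operator to copy that tag into `mgmt/vars.tf`. Because the tag is now computed rather than fixed, I would drop the `@` on the push line or add `@echo "Published nhsd-nrlf-ci-build:${CI_IMAGE_TAG}"` after it. That makes the published tag visible in the terminal and in any captured log. The rule header for this recipe sits just above the hunk.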
@@ -89,6 +89,8 @@ and push the image: make publish-ci-image ``` +This will create an image with a YYYY-MM-DD tag. You can then update the CI_IMAGE_TAG variable in `mgmt/vars.tf" and redeploy the mgmt resources to update codebuild to use the tagged image. + ## Deploy account wide resources > Run the [Deploy Account-wide infrastructure](https://github.com/NHSDigital/NRLF/actions/workflows/deploy-account-wide-infra.yml) github workflow to deploy account wide infrastructure. Select your branch/tag and `account-dev`, `account-test`, or `account-prod` to deploy infra to the corresponding account. diff --git a/terraform/account-wide-infrastructure/mgmt/codebuild.tf b/terraform/account-wide-infrastructure/mgmt/codebuild.tf index d6c6ce925..5371d2bb5 100644 --- a/terraform/account-wide-infrastructure/mgmt/codebuild.tf +++ b/terraform/account-wide-infrastructure/mgmt/codebuild.tf @@ -90,7 +90,7 @@ resource "aws_codebuild_project" "project" { environment { compute_type = "BUILD_GENERAL1_SMALL" - image = "${aws_ecr_repository.repository.repository_url}:latest" + image = "${aws_ecr_repository.repository.repository_url}:${var.ci_image_tag}" type = "LINUX_CONTAINER" image_pull_credentials_type = "CODEBUILD" } diff --git a/terraform/account-wide-infrastructure/mgmt/vars.tf b/terraform/account-wide-infrastructure/mgmt/vars.tf index a05502b52..8ccff7df5 100644 --- a/terraform/account-wide-infrastructure/mgmt/vars.tf +++ b/terraform/account-wide-infrastructure/mgmt/vars.tf @@ -28,3 +28,9 @@ variable "vpc_cidr_block" { type = string default = "10.0.0.0/16" } + +variable "ci_image_tag" { + description = "Tag for the CI image in ECR" + type = string + default = "2026-04-09" +}
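Review bot: The `image` argument in `aws_codebuild_project.project` now follows `var.ci_image_tag`, but a date tag is still a mutable reference. A second `make publish-ci-image` on the same day would replace the image behind the tag CodeBuild pulls, with no Terraform change to review. The `aws_ecr_repository.repository` resource is outside this diff, so I cannot tell whether it already sets `image_tag_mutability = "IMMUTABLE"`; if it does not, I would set it so a published date tag cannot be overwritten. Referencing the image by digest is the stricter alternative. The resource block starts and ends outside the hunk.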