Rename references to old github organisation #336

Open
wants to merge 1 commit into
base: main
2 changes: 1 addition & 1 deletion .devcontainer/devcontainer.json
Expand Up @@ -26,7 +26,7 @@
"ghcr.io/devcontainers/features/azure-cli:1.0.8": {
"version": "2.47.0",
"extensions": "ml"
// extensions do not currently install, investigating in separate issue: https://github.com/UCLH-Foundry/FlowEHR/issues/286
// extensions do not currently install, investigating in separate issue: https://github.com/SAFEHR-data/FlowEHR/issues/286
},
"ghcr.io/devcontainers/features/node:1": {},
"ghcr.io/devcontainers/features/github-cli:1": {
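Review bot: comment-only change in a JSON file, so nothing functional moves in this hunk; the point worth recording in the PR description is whether every `UCLH-Foundry` string in the tree (including any CI workflow definitions, which this diff does not touch) was replaced in one pass, because a reference left behind keeps resolving through GitHub's redirect from the old organisation name only until that name is re-registered by someone else.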
26 changes: 13 additions & 13 deletions CIS-Adherence.md
Expand Up @@ -36,9 +36,9 @@ This layer deploys the core components required for other layers, including a nu
| Azure Resource | CIS Reference | Adherence | Notes |
|--|--|--|--|
| Core Virtual Network: <br/>`vnet-<suffix>` | `CIS 6` | [network.tf](./infrastructure/core/network.tf) | Allows other resources to remain non-internet-accessible |
| | `CIS 5.1.6`: Ensure NSG Flow Logs are captured and sent to Log Analytics | Y | https://github.com/UCLH-Foundry/FlowEHR/issues/187 |
| | `CIS 6.6`: Ensure 'Network Watcher' is enabled for all networks | Y | https://github.com/UCLH-Foundry/FlowEHR/issues/187 |
| Azure Storage Account for FlowEHR management: <br/>`strg<suffix>` | `CIS 3` | [main.tf](./infrastructure/core/main.tf) | Issues summarised https://github.com/UCLH-Foundry/FlowEHR/issues/176 |
| | `CIS 5.1.6`: Ensure NSG Flow Logs are captured and sent to Log Analytics | Y | https://github.com/SAFEHR-data/FlowEHR/issues/187 |
| | `CIS 6.6`: Ensure 'Network Watcher' is enabled for all networks | Y | https://github.com/SAFEHR-data/FlowEHR/issues/187 |
| Azure Storage Account for FlowEHR management: <br/>`strg<suffix>` | `CIS 3` | [main.tf](./infrastructure/core/main.tf) | Issues summarised https://github.com/SAFEHR-data/FlowEHR/issues/176 |
| | `CIS 3.1`: Ensure 'Secure Transfer Required' set to 'Enabled' | Y | |
| | `CIS 3.2`: Ensure 'Enable Infrastructure Encryption' set to 'Enabled' | Y | |
| | `CIS 3.3`: Enable key rotation reminders for each storage account | N | Storage keys are not used for authentication |
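Review bot: scope is right in this hunk, only the issue links in the Notes column change and the adherence values (`Y`, `N`) are untouched; issue numbers (187, 176) are preserved by an organisation rename, so the new links should land on the same tracked items, and the relative Terraform links such as `./infrastructure/core/network.tf` are unaffected.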
Expand All @@ -55,16 +55,16 @@ This layer deploys the core components required for other layers, including a nu
| | `CIS 8.5`: Ensure the key vault is recoverable | Y | Purge protection enabled for prod environments |
| | `CIS 8.6`: Ensure RBAC enabled for Azure Key Vault | Y | |
| | `CIS 8.7`: Ensure Private Endpoints are used for Azure Key Vault | Y | Public internet access disabled, PE into VNET |
| | `CIS 10.1`: Ensure that resource locks are set for critical resources | TODO | https://github.com/UCLH-Foundry/FlowEHR/issues/124 |
| Microsoft Defender for Cloud | `CIS 2.1` | N | TODO: Enable MS Defender for Cloud for the Prod subscription: https://github.com/UCLH-Foundry/FlowEHR/issues/174 . This is an 'org' level feature, and should be applied and managed at a subscription / management group level, by Subscription Owners. |
| | `CIS 10.1`: Ensure that resource locks are set for critical resources | TODO | https://github.com/SAFEHR-data/FlowEHR/issues/124 |
| Microsoft Defender for Cloud | `CIS 2.1` | N | TODO: Enable MS Defender for Cloud for the Prod subscription: https://github.com/SAFEHR-data/FlowEHR/issues/174 . This is an 'org' level feature, and should be applied and managed at a subscription / management group level, by Subscription Owners. |
| | `CIS 2.1.2`: Ensure Microsoft Defender for App Services is set to 'On' | n/a | Set at org level |
| | `CIS 2.1.4`: Ensure Microsoft Defender for Azure SQL Databases is set to 'On' | n/a | Set at org level |
| | `CIS 2.1.5`: Ensure Microsoft Defender for Azure SQL Servers is set to 'On' | n/a | Set at org level |
| | `CIS 2.1.7`: Ensure Microsoft Defender for Storage is set to 'On' | n/a | Set at org level |
| | `CIS 2.1.8`: Ensure Microsoft Defender for Containers is set to 'On' | n/a | Set at org level |
| | `CIS 2.1.9`: Ensure Microsoft Defender for Azure Cosmos DB is set to 'On' | n/a | Set at org level |
| | `CIS 2.1.10`: Ensure Microsoft Defender for Key Vault is set to 'On' | n/a | Set at org level |
| Azure Log Analytics: <br/>`log-<suffix>` | `CIS 5` | TODO | https://github.com/UCLH-Foundry/FlowEHR/issues/187 |
| Azure Log Analytics: <br/>`log-<suffix>` | `CIS 5` | TODO | https://github.com/SAFEHR-data/FlowEHR/issues/187 |
| | `CIS 5.1.1`: Ensure Diagnostic setting exists (per resource) | TODO | |
| | `CIS 5.1.2`: Ensure Diagnostic setting captures appropriate categories | TODO | |
| | `CIS 5.1.4`: Ensure Diagnostic log storage container is encrypted with Customer Managed Key | N | System managed keys chosen to reduce management burden |
Expand All @@ -78,19 +78,19 @@ This layer deploys components required to ingest data, transform data, and save
| Azure Resource | CIS Reference | Adherence | Notes |
|--|--|--|--|
| Azure SQL Server:<br/> `sql-server-features-suffix` | [feature-data-store.tf](./infrastructure/core/feature-data-store.tf) | |
| | `CIS 4.1.1`: Ensure auditing is set to 'on' | Y | https://github.com/UCLH-Foundry/FlowEHR/issues/172 |
| | `CIS 4.1.1`: Ensure auditing is set to 'on' | Y | https://github.com/SAFEHR-data/FlowEHR/issues/172 |
| | `CIS 4.1.2`: Ensure no SQL databases allow ingress from 0.0.0.0/0 (any IP) | Y | All public access disabled |
| | `CIS 4.1.3`: Ensure SQL uses Transparent Data Encryption with customer managed key | N | Decision was made to use Service Managed Key to decrease management overhead |
| | `CIS 4.1.4`: Ensure AAD admin is configured | Y | Owner is an auto-created Service Principal account, with credentials saved in key vault |
| | `CIS 4.1.5`: Ensure 'Data encryption' is set to 'on' | Y | Service Managed Key |
| | `CIS 4.1.6`: Ensure that 'Auditing Retention' is set to 'Greater than 90 days' | Y | https://github.com/UCLH-Foundry/FlowEHR/issues/172 |
| | `CIS 4.2.1`: Ensure Microsoft Defender for SQL is set to 'on' | TODO | https://github.com/UCLH-Foundry/FlowEHR/issues/174 |
| | `CIS 4.1.6`: Ensure that 'Auditing Retention' is set to 'Greater than 90 days' | Y | https://github.com/SAFEHR-data/FlowEHR/issues/172 |
| | `CIS 4.2.1`: Ensure Microsoft Defender for SQL is set to 'on' | TODO | https://github.com/SAFEHR-data/FlowEHR/issues/174 |
| | `CIS 4.2.2 -> CIS 4.2.5`: Ensure Vulnerability Assessment is enabled by setting a storage account | Y | |
| | `CIS 10.1`: Ensure that resource locks are set for critical resources | TODO | https://github.com/UCLH-Foundry/FlowEHR/issues/124 |
| | `CIS 10.1`: Ensure that resource locks are set for critical resources | TODO | https://github.com/SAFEHR-data/FlowEHR/issues/124 |
| Azure Key Vault Secrets | | [secrets.tf](./infrastructure/transform/secrets.tf) |
| | `CIS 8.3`: Ensure expiration is set for all secrets in RBAC vaults | N | No automated secret rotation in place as of yet. Will be taken care of as a manual background task. |
| Azure Databricks | Databricks is not referenced in the CIS benchmark | | Below are some relevant security settings |
| | Network Isolation | Partial | - Databricks nodes are network isolated <br/>- Databricks control plane is internet accessible. This can and should be switched off when internal routing is in place: https://github.com/UCLH-Foundry/FlowEHR/issues/201 |
| | Network Isolation | Partial | - Databricks nodes are network isolated <br/>- Databricks control plane is internet accessible. This can and should be switched off when internal routing is in place: https://github.com/SAFEHR-data/FlowEHR/issues/201 |
| | Secret management | Y | Secrets are stored in Databricks private secret scopes. Due to API limitation, it was not possible to use Key Vault backed vaults |
| Azure Key Vault for Apps: <br/>`kv-<suffix>-serve` | `CIS 8` | [keyvault.tf](./infrastructure/serve/keyvault.tf) | |
| | `CIS 8.5`: Ensure the key vault is recoverable | Y | Purge protection enabled for prod environments |
Expand Down Expand Up @@ -119,7 +119,7 @@ This layer deploys components required to ingest data, transform data, and save
| | `CIS 9.2`: Ensure all HTTP traffic is redirected to HTTPS | Y | |
| | `CIS 9.3`: Ensure web apps are using latest version of TLS | Y | |
| | `CIS 9.4`: Ensure web apps have 'Incoming Client Certificates' set to 'On' | N | Choice made not to use client cert auth due to a number of overheads |
| | `CIS 6.4`: Ensure HTTPS access from the internet is evaluated and restricted | TODO | https://github.com/UCLH-Foundry/FlowEHR/issues/109 |
| | `CIS 6.4`: Ensure HTTPS access from the internet is evaluated and restricted | TODO | https://github.com/SAFEHR-data/FlowEHR/issues/109 |
| | `CIS 9.5`: Ensure that 'Registed with AAD' is 'On' | Y | MSI used for container registry |
| | `CIS 9.10`: Ensure that FTP is disabled | Y | |
| | `CIS 9.11`: Ensure Key Vaults are used to store secrets | Y | |
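Review bot: the unchanged context line for `CIS 9.5` reads `'Registed with AAD'` (should be `Registered`); out of scope for a rename PR, but a one-word follow-up would be cheap while this file is being touched.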
Expand All @@ -129,7 +129,7 @@ This layer deploys components required to ingest data, transform data, and save
| | `CIS 4.5.3`: Ensure AAD Client Auth & RBAC are used where possible | Y | |
| App Insights: <br/>`ai-<suffix>` | | | |
| | `CIS 5.3.1`: Ensure App Insights are configured | Y | |
| Background Storage Account for AML Registry | `CIS 3` | | [aml.tf](./infrastructure/serve/aml.tf). [Issue to track here](https://github.com/UCLH-Foundry/FlowEHR/issues/285) |
| Background Storage Account for AML Registry | `CIS 3` | | [aml.tf](./infrastructure/serve/aml.tf). [Issue to track here](https://github.com/SAFEHR-data/FlowEHR/issues/285) |
| | `CIS 3.1`: Ensure 'Secure Transfer Required' set to 'Enabled' | Y | |
| | `CIS 3.2`: Ensure 'Enable Infrastructure Encryption' set to 'Enabled' | Y | |
| | `CIS 3.3`: Enable key rotation reminders for each storage account | N | Storage keys are not used for authentication |
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -137,7 +137,7 @@ This step will create an AAD Application and Service Principal in the specified

For CI deployments, due to certain resources being deployed within a Virtual Network with public access disabled, we need to use private build agents (also called self-hosted GitHub runners) to run our CI pipelines. We also need somewhere to store the associated container images and Terraform state within a vnet.

You can use [the Azure Bootstrap template](https://github.com/UCLH-Foundry/Azure-Bootstrap) to deploy all these resources, or alternatively, you can reference pre-existing resources in the following steps.
You can use [the Azure Bootstrap template](https://github.com/SAFEHR-data/Azure-Bootstrap) to deploy all these resources, or alternatively, you can reference pre-existing resources in the following steps.

5. Create a deployer identity (AAD App Registration/Service Principal) with required AAD permissions:

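Review bot: `Azure-Bootstrap` is a separate repository from `FlowEHR`, and readers clone and deploy it to stand up the private build agents and Terraform state the paragraph above describes, so a wrong target here has more impact than a documentation cross-link; confirm that repository actually lives under `SAFEHR-data` (an organisation rename carries every repository with it, but a repository that had been transferred or forked elsewhere would not follow).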
Expand Down Expand Up @@ -181,7 +181,7 @@ This step will create an AAD Application and Service Principal in the specified

### Next steps

- [Deploy a data transformation pipeline](https://github.com/UCLH-Foundry/FlowEHR-Data-Pot/blob/main/README.md)
- [Deploy a data transformation pipeline](https://github.com/SAFEHR-data/FlowEHR-Data-Pot/blob/main/README.md)
- [Configure and deploy a FlowEHR app](./apps/README.md)


2 changes: 1 addition & 1 deletion apps/README.md
Expand Up @@ -45,7 +45,7 @@ Once created, you need to the install the app to the organization. [Follow these
After installation, stay on the same page and check the URL. It should look like this:

```
https://github.com/organizations/UCLH-Foundry/settings/installations/123456789
https://github.com/organizations/SAFEHR-data/settings/installations/123456789
```

At the end of the URL after `installations/`, you'll see a number. Record this down - it is your `GitHub App Installation Id`. (Believe it or not this is the easiest way to find it!)
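Review bot: the example URL is now correct for the renamed organisation, but the text below it tells readers to record the trailing number as `GitHub App Installation Id`; an organisation rename should leave existing installations and their ids in place, so it is worth confirming the app still shows as installed under `SAFEHR-data` and stating in the PR whether already-recorded ids need re-checking.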
2 changes: 1 addition & 1 deletion apps/apps.infra-test.yaml
Expand Up @@ -3,6 +3,6 @@ flowehr_cicd_test:
add_testing_slot: false
managed_repo:
private: false
template: UCLH-Foundry/Dash-Seedling
template: SAFEHR-data/Dash-Seedling
auth:
easy_auth: true
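Review bot: `template: SAFEHR-data/Dash-Seedling` is consumed by tooling that creates repositories from it, not merely read by people, so this is the hunk to test rather than eyeball: confirm the template repository resolves under the new organisation name before merging, since a template reference that only works through the old-name redirect would start failing, or worse resolve to a stranger's repository, if the old organisation name were ever re-registered.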
2 changes: 1 addition & 1 deletion apps/apps.sample.yaml
Expand Up @@ -26,7 +26,7 @@ dash_seedling: # unique ID for the app
octokitten: an_aad_user@mycompany.com
managed_repo: # details for repo to create/manage
private: false # repo visibility
template: UCLH-Foundry/Dash-Seedling # template to use in format GH_ORG/TEMPLATE_NAME
template: SAFEHR-data/Dash-Seedling # template to use in format GH_ORG/TEMPLATE_NAME
branch: # details of the branch created with a name: <environment>
num_of_approvals: 1
env: # any env vars to pass to the app container
2 changes: 1 addition & 1 deletion config.infra-test.yaml
Expand Up @@ -7,7 +7,7 @@ private_dns_zones_rg: rg-bootstrap-uclh-ci-dev
transform:
spark_version: 3.4
repositories:
- url: https://github.com/UCLH-Foundry/FlowEHR-Data-Pot
- url: https://github.com/SAFEHR-data/FlowEHR-Data-Pot
datalake:
zones:
- Bronze
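Review bot: the `url:` under `repositories:` is a repository the transform layer pulls in (the README's next-steps link identifies `FlowEHR-Data-Pot` as the data transformation pipeline), so unlike the documentation hunks this one has deploy-time effect; confirm the infra-test deployment clones from the new URL successfully. The unchanged context line `private_dns_zones_rg: rg-bootstrap-uclh-ci-dev` still carries the old name, which is an Azure resource group rather than a GitHub reference, so leaving it is expected, but say so in the PR description to save the next reader the same question.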
2 changes: 1 addition & 1 deletion infrastructure/transform/feature-data-store.tf
Expand Up @@ -82,7 +82,7 @@ resource "azurerm_mssql_server_transparent_data_encryption" "sql_server_features
}

# Azure SQL database, basic + small for dev
# TODO: Rightsize for prod -> https://github.com/UCLH-Foundry/FlowEHR/issues/63
# TODO: Rightsize for prod -> https://github.com/SAFEHR-data/FlowEHR/issues/63
resource "azurerm_mssql_database" "feature_database" {
name = "sql-db-features"
server_id = azurerm_mssql_server.sql_server_features.id
2 changes: 1 addition & 1 deletion shared.hcl
Expand Up @@ -68,7 +68,7 @@ inputs = merge(
}
})

# Databricks cluster deployment failures are transient. https://github.com/UCLH-Foundry/FlowEHR/issues/141
# Databricks cluster deployment failures are transient. https://github.com/SAFEHR-data/FlowEHR/issues/141
retryable_errors = [
"cannot create cluster", # databricks
"Waiting for deletion of application" # AD application