diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml
index f8fb0024..30593c4b 100644
--- a/.github/workflows/cicd-1-pull-request.yaml
+++ b/.github/workflows/cicd-1-pull-request.yaml
@@ -40,9 +40,9 @@ jobs:
 echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
 echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
 echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
- echo "nodejs_version=$(grep "^nodejs " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
- echo "python_version=$(grep "^python " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
- echo "terraform_version=$(grep "^terraform " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
 echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
 - name: "Check if pull request exists for this branch"
 id: pr_exists
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
index 94e6180b..5ee74cf2 100644
--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
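Review bot: The grep pattern now accepts a tab after the tool name (`\s`), but `cut -f2 -d' '` still splits only on spaces, so a tab-separated `.tool-versions` line would land the whole line in `nodejs_version`; the same mismatch is on the python and terraform lines here and in the identical hunks in cicd-2-publish.yaml and cicd-3-deploy.yaml. One awk call handles both separators and removes the pipe: `echo "nodejs_version=$(awk '/^nodejs[[:space:]]/ {print $2; exit}' .tool-versions)" >> "$GITHUB_OUTPUT"`. `\s` is also a GNU grep extension rather than POSIX BRE, whereas `[[:space:]]` is portable. Quoting `$GITHUB_OUTPUT` protects the redirect if the runner path ever contains a space.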
@@ -30,9 +30,9 @@ jobs:
 echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
 echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
 echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
- echo "nodejs_version=$(grep "^nodejs " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
- echo "python_version=$(grep "^python " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
- echo "terraform_version=$(grep "^terraform " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
 # TODO: Get the version, but it may not be the .version file as this should come from the CI/CD Pull Request Workflow
 echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
 - name: "List variables"
diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml
index a227b0df..83a6b01f 100644
--- a/.github/workflows/cicd-3-deploy.yaml
+++ b/.github/workflows/cicd-3-deploy.yaml
@@ -66,9 +66,9 @@ jobs:
 echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
 echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
 echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
- echo "nodejs_version=$(grep "^nodejs " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
- echo "python_version=$(grep "^python " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
- echo "terraform_version=$(grep "^terraform " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
 # TODO: Get the version, but it may not be the .version file as this should come from the CI/CD Pull Request Workflow
 echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
 echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
diff --git a/infrastructure/environments/dev/.gitkeep b/infrastructure/environments/dev/.gitkeep
deleted file mode 100644
index e69de29b..00000000
diff --git a/infrastructure/images/.gitkeep b/infrastructure/images/.gitkeep
deleted file mode 100644
index e69de29b..00000000
diff --git a/infrastructure/modules/.gitkeep b/infrastructure/modules/.gitkeep
deleted file mode 100644
index e69de29b..00000000
diff --git a/infrastructure/terraform/bootstrap/s3_bucket.tf b/infrastructure/terraform/bootstrap/s3_bucket.tf
index 5d5e092f..27f4cd7d 100644
--- a/infrastructure/terraform/bootstrap/s3_bucket.tf
+++ b/infrastructure/terraform/bootstrap/s3_bucket.tf
@@ -1,3 +1,4 @@
+#tfsec:ignore:aws-s3-enable-bucket-logging Bucket exists before anyother bucket can exist
 resource "aws_s3_bucket" "bucket" {
 bucket = var.bucket_name
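Review bot: The ignore added above `aws_s3_bucket.bucket` in bootstrap/s3_bucket.tf suppresses the bucket-logging finding permanently, and its reason says the bucket has to exist first rather than that access logging is unwanted; if this is the bootstrap state bucket (inferred from the path, not visible here), logging is worth revisiting once a log bucket exists. tfsec ignores accept an expiry so the suppression resurfaces for review instead of being forgotten, e.g. `#tfsec:ignore:aws-s3-enable-bucket-logging:exp:<YYYY-MM-DD> Bootstrap bucket is created before any log bucket exists; enable logging afterwards`. The resource block continues past the hunk.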
diff --git a/infrastructure/terraform/components/acct/cloudwatch_event_rule_aws_backup_errors.tf b/infrastructure/terraform/components/acct/cloudwatch_event_rule_aws_backup_errors.tf
index f114ddd7..7c56a72e 100644
--- a/infrastructure/terraform/components/acct/cloudwatch_event_rule_aws_backup_errors.tf
+++ b/infrastructure/terraform/components/acct/cloudwatch_event_rule_aws_backup_errors.tf
@@ -1,9 +1,9 @@
 resource "aws_cloudwatch_event_rule" "aws_backup_errors" {
- name = "${local.csi}-aws-backup-errors"
+ name = "${local.csi}-aws-backup-errors"
 description = "Forwards AWS Backup state changes to Custom Event Bus in Observability Account"
 event_pattern = jsonencode({
- source = ["aws.backup"],
+ source = ["aws.backup"],
 "detail-type" = ["Backup Job State Change", "Restore Job State Change", "Copy Job State Change"],
 detail = {
 state = ["FAILED", "ABORTED"]
diff --git a/infrastructure/terraform/components/acct/data_iam_policy_document_sso_read_only_table_access.tf b/infrastructure/terraform/components/acct/data_iam_policy_document_sso_read_only_table_access.tf
index 66b1c118..a3e9b101 100644
--- a/infrastructure/terraform/components/acct/data_iam_policy_document_sso_read_only_table_access.tf
+++ b/infrastructure/terraform/components/acct/data_iam_policy_document_sso_read_only_table_access.tf
@@ -74,6 +74,7 @@ data "aws_iam_policy_document" "sso_read_only_table_access" {
 ]
 }
+ #tfsec:ignore:aws-iam-no-policy-wildcards Policy voilation expected for CI user role
 statement {
 sid = "AllowAthenaAccess3"
 effect = "Allow"
@@ -85,7 +86,7 @@ data "aws_iam_policy_document" "sso_read_only_table_access" {
 "athena:ListWorkGroups"
 ]
- resources = [ "*" ] # Access to List all above is required. Condition keys not supported for these resources.
+ resources = ["*"] # Access to List all above is required. Condition keys not supported for these resources.
 }
 statement {
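Review bot: The reason on the new ignore in data_iam_policy_document_sso_read_only_table_access.tf (`Policy voilation expected for CI user role`) does not describe this document, which is the SSO read-only policy, and the `AllowAthenaAccess3` statement it sits on is the one whose `resources = ["*"]` line in the next hunk already carries the actual justification (list access required, condition keys unsupported). Suppressions are read as security sign-off, so the text should state the real constraint and spell "violation" correctly, e.g. `#tfsec:ignore:aws-iam-no-policy-wildcards Athena List* actions above require resources = ["*"]; condition keys are not supported`. The data block starts and ends outside the hunk.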
@@ -105,7 +106,7 @@ data "aws_iam_policy_document" "sso_read_only_table_access" {
 ]
 condition {
- test = "ForAnyValue:StringLike"
+ test = "ForAnyValue:StringLike"
 variable = "kms:ResourceAliases"
 values = [
 "alias/${var.project}-*-reporting-s3"
diff --git a/infrastructure/terraform/components/acct/locals_tfscaffold.tf b/infrastructure/terraform/components/acct/locals_tfscaffold.tf
index 91edd840..b7cf3217 100644
--- a/infrastructure/terraform/components/acct/locals_tfscaffold.tf
+++ b/infrastructure/terraform/components/acct/locals_tfscaffold.tf
@@ -34,11 +34,11 @@ locals {
 default_tags = merge(
 var.default_tags,
 {
- Project = var.project
- Environment = var.environment
- Component = var.component
- Group = var.group
- Name = local.csi
+ Project = var.project
+ Environment = var.environment
+ Component = var.component
+ Group = var.group
+ Name = local.csi
 },
 )
 }
diff --git a/infrastructure/terraform/components/acct/provider_aws.tf b/infrastructure/terraform/components/acct/provider_aws.tf
index fa39221a..e66f2255 100644
--- a/infrastructure/terraform/components/acct/provider_aws.tf
+++ b/infrastructure/terraform/components/acct/provider_aws.tf
@@ -7,11 +7,11 @@ provider "aws" {
 default_tags {
 tags = {
- Project = var.project
- Environment = var.environment
- Component = var.component
- Group = var.group
- Name = local.csi
+ Project = var.project
+ Environment = var.environment
+ Component = var.component
+ Group = var.group
+ Name = local.csi
 }
 }
 }
diff --git a/infrastructure/terraform/components/reporting/athena_workgroup_core.tf b/infrastructure/terraform/components/reporting/athena_workgroup_core.tf
index 3abe66dd..178d5439 100644
--- a/infrastructure/terraform/components/reporting/athena_workgroup_core.tf
+++ b/infrastructure/terraform/components/reporting/athena_workgroup_core.tf
@@ -1,10 +1,14 @@
+# From Support ticket: Where the client is looking to enable bucket keys on the target S3 bucket, the recommended approach would be:
+# 1. Remove the KMS key from the Athena workgroup's encryption configuration: Since the bucket keys will be handling the encryption, you don't need the additional layer of encryption from the workgroup-level KMS key. Removing it will simplify the configuration.
+# 2. Rely solely on the bucket keys for encryption: With the bucket keys enabled on the S3 bucket, Athena will automatically use that for encrypting and decrypting the query results. This will reduce the no of API calls.
+#tfsec:ignore:aws-athena-enable-at-rest-encryption
 resource "aws_athena_workgroup" "core" {
 name = "${local.csi}-core"
 description = "Athena Workgroup for core egress queries in ${local.parameter_bundle.environment} environment"
 force_destroy = true
 configuration {
- enforce_workgroup_configuration = false
+ enforce_workgroup_configuration = true
 result_configuration {
 expected_bucket_owner = var.core_account_id
diff --git a/infrastructure/terraform/components/reporting/athena_workgroup_housekeeping.tf b/infrastructure/terraform/components/reporting/athena_workgroup_housekeeping.tf
index 7837cfea..1d242785 100644
--- a/infrastructure/terraform/components/reporting/athena_workgroup_housekeeping.tf
+++ b/infrastructure/terraform/components/reporting/athena_workgroup_housekeeping.tf
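Review bot: The suppression reason pasted above `aws_athena_workgroup.core` treats S3 Bucket Keys as a substitute for workgroup encryption, but Bucket Keys only reduce the KMS calls S3 makes for SSE-KMS objects; whether query results are encrypted at rest now depends entirely on the default encryption of the result bucket owned by `var.core_account_id`, which this module cannot check. The same three-line support-ticket paste is added to athena_workgroup_housekeeping.tf, athena_workgroup_ingestion.tf, athena_workgroup_setup.tf, athena_workgroup_user.tf and s3_bucket_access_logs.tf, so one accurate sentence per file referencing the ticket would be easier to keep correct than six copies. Suggest replacing the paste here with `#tfsec:ignore:aws-athena-enable-at-rest-encryption Results are encrypted by the result bucket's default SSE-KMS with Bucket Keys (support ticket <TICKET-ID>); workgroup-level KMS removed to avoid double encryption`, and keeping `enforce_workgroup_configuration = true` so clients cannot redirect results away from that bucket. The resource block continues past the hunk.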
@@ -1,10 +1,15 @@
+# From Support ticket: Where the client is looking to enable bucket keys on the target S3 bucket, the recommended approach would be:
+# 1. Remove the KMS key from the Athena workgroup's encryption configuration: Since the bucket keys will be handling the encryption, you don't need the additional layer of encryption from the workgroup-level KMS key. Removing it will simplify the configuration.
+# 2. Rely solely on the bucket keys for encryption: With the bucket keys enabled on the S3 bucket, Athena will automatically use that for encrypting and decrypting the query results. This will reduce the no of API calls.
+#tfsec:ignore:aws-athena-enable-at-rest-encryption
 resource "aws_athena_workgroup" "housekeeping" {
 name = "${local.csi}-housekeeping"
 description = "Athena Workgroup for housekeeping queries in ${local.parameter_bundle.environment} environment"
 force_destroy = true
+ #tfsec:ignore:aws-athena-no-encryption-override At AWS Support suggestion
 configuration {
- enforce_workgroup_configuration = true
+ enforce_workgroup_configuration = false
 result_configuration {
 expected_bucket_owner = local.this_account
diff --git a/infrastructure/terraform/components/reporting/athena_workgroup_ingestion.tf b/infrastructure/terraform/components/reporting/athena_workgroup_ingestion.tf
index 091b1980..7189976a 100644
--- a/infrastructure/terraform/components/reporting/athena_workgroup_ingestion.tf
+++ b/infrastructure/terraform/components/reporting/athena_workgroup_ingestion.tf
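Review bot: `enforce_workgroup_configuration` flips from `true` to `false` on the housekeeping workgroup while the same commit sets it to `true` on the core workgroup; with `false`, Athena honours client-side result settings, so a caller can send housekeeping results to a location or with an encryption setting other than the `result_configuration` declared here, which is exactly what the new `aws-athena-no-encryption-override` suppression is acknowledging. The ignore reason `At AWS Support suggestion` does not say why this workgroup in particular needs client overrides. If a specific client (the housekeeping state machine, presumably) sets its own result location, say so and date the suppression, e.g. `#tfsec:ignore:aws-athena-no-encryption-override:exp:<YYYY-MM-DD> Housekeeping queries set their own result location (support ticket <TICKET-ID>)`; otherwise keep `true` as in core. The resource block continues past the hunk.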
@@ -1,3 +1,7 @@
+# From Support ticket: Where the client is looking to enable bucket keys on the target S3 bucket, the recommended approach would be:
+# 1. Remove the KMS key from the Athena workgroup's encryption configuration: Since the bucket keys will be handling the encryption, you don't need the additional layer of encryption from the workgroup-level KMS key. Removing it will simplify the configuration.
+# 2. Rely solely on the bucket keys for encryption: With the bucket keys enabled on the S3 bucket, Athena will automatically use that for encrypting and decrypting the query results. This will reduce the no of API calls.
+#tfsec:ignore:aws-athena-enable-at-rest-encryption
 resource "aws_athena_workgroup" "ingestion" {
 name = "${local.csi}-ingestion"
 description = "Athena Workgroup for data ingestion into ${local.parameter_bundle.environment} environment"
diff --git a/infrastructure/terraform/components/reporting/athena_workgroup_setup.tf b/infrastructure/terraform/components/reporting/athena_workgroup_setup.tf
index d81d0e6f..fae15bdc 100644
--- a/infrastructure/terraform/components/reporting/athena_workgroup_setup.tf
+++ b/infrastructure/terraform/components/reporting/athena_workgroup_setup.tf
@@ -1,3 +1,7 @@
+# From Support ticket: Where the client is looking to enable bucket keys on the target S3 bucket, the recommended approach would be:
+# 1. Remove the KMS key from the Athena workgroup's encryption configuration: Since the bucket keys will be handling the encryption, you don't need the additional layer of encryption from the workgroup-level KMS key. Removing it will simplify the configuration.
+# 2. Rely solely on the bucket keys for encryption: With the bucket keys enabled on the S3 bucket, Athena will automatically use that for encrypting and decrypting the query results. This will reduce the no of API calls.
+#tfsec:ignore:aws-athena-enable-at-rest-encryption
 resource "aws_athena_workgroup" "setup" {
 name = "${local.csi}-setup"
 description = "Athena Workgroup for setup and data migration in ${local.parameter_bundle.environment} environment"
diff --git a/infrastructure/terraform/components/reporting/athena_workgroup_user.tf b/infrastructure/terraform/components/reporting/athena_workgroup_user.tf
index 0bbbf1c3..991a57ad 100644
--- a/infrastructure/terraform/components/reporting/athena_workgroup_user.tf
+++ b/infrastructure/terraform/components/reporting/athena_workgroup_user.tf
@@ -1,3 +1,7 @@
+# From Support ticket: Where the client is looking to enable bucket keys on the target S3 bucket, the recommended approach would be:
+# 1. Remove the KMS key from the Athena workgroup's encryption configuration: Since the bucket keys will be handling the encryption, you don't need the additional layer of encryption from the workgroup-level KMS key. Removing it will simplify the configuration.
+# 2. Rely solely on the bucket keys for encryption: With the bucket keys enabled on the S3 bucket, Athena will automatically use that for encrypting and decrypting the query results. This will reduce the no of API calls.
+#tfsec:ignore:aws-athena-enable-at-rest-encryption
 resource "aws_athena_workgroup" "user" {
 name = "${local.csi}-user"
 description = "Athena Workgroup for user queries in ${local.parameter_bundle.environment} environment"
diff --git a/infrastructure/terraform/components/reporting/module_powerbi_gateway_vpc.tf b/infrastructure/terraform/components/reporting/module_powerbi_gateway_vpc.tf
index 5a14f022..18c47c0c 100644
--- a/infrastructure/terraform/components/reporting/module_powerbi_gateway_vpc.tf
+++ b/infrastructure/terraform/components/reporting/module_powerbi_gateway_vpc.tf
@@ -26,6 +26,7 @@ data "aws_availability_zones" "available" {
 state = "available"
 }
+#tfsec:ignore:aws-ec2-no-public-egress-sgr
 resource "aws_security_group" "powerbi_gateway" {
 count = var.enable_powerbi_gateway ? 1 : 0
diff --git a/infrastructure/terraform/components/reporting/s3_bucket_access_logs.tf b/infrastructure/terraform/components/reporting/s3_bucket_access_logs.tf
index f3cc4a91..5779268a 100644
--- a/infrastructure/terraform/components/reporting/s3_bucket_access_logs.tf
+++ b/infrastructure/terraform/components/reporting/s3_bucket_access_logs.tf
@@ -1,3 +1,4 @@
+#tfsec:ignore:aws-s3-enable-bucket-logging Don't log access logs logs
 resource "aws_s3_bucket" "access_logs" {
 bucket = "${local.csi_global}-bucket-logs"
 force_destroy = true
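Review bot: `#tfsec:ignore:aws-ec2-no-public-egress-sgr` is added above `aws_security_group.powerbi_gateway` in module_powerbi_gateway_vpc.tf with no reason, unlike the other ignores in this commit; the rule flags an egress rule open to 0.0.0.0/0, and the egress block itself is outside the hunk, so a reader cannot tell whether unrestricted outbound access is actually required (the gateway presumably needs to reach the Power BI service, but that is inference). Suggest `#tfsec:ignore:aws-ec2-no-public-egress-sgr Gateway must reach Power BI service endpoints, which publish no fixed CIDR` or, if the endpoints are known, narrowing the rule rather than suppressing the finding. The resource block continues past the hunk.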
@@ -73,6 +74,10 @@ resource "aws_s3_bucket_public_access_block" "access_logs" {
 restrict_public_buckets = true
 }
+# From Support ticket: Where the client is looking to enable bucket keys on the target S3 bucket, the recommended approach would be:
+# 1. Remove the KMS key from the Athena workgroup's encryption configuration: Since the bucket keys will be handling the encryption, you don't need the additional layer of encryption from the workgroup-level KMS key. Removing it will simplify the configuration.
+# 2. Rely solely on the bucket keys for encryption: With the bucket keys enabled on the S3 bucket, Athena will automatically use that for encrypting and decrypting the query results. This will reduce the no of API calls.
+#tfsec:ignore:aws-s3-encryption-customer-key
 resource "aws_s3_bucket_server_side_encryption_configuration" "access_logs" {
 bucket = aws_s3_bucket.access_logs.bucket
diff --git a/infrastructure/terraform/components/reporting/sfn_state_machine_completed_batch_report.tf b/infrastructure/terraform/components/reporting/sfn_state_machine_completed_batch_report.tf
index b3ac492f..6e6b848d 100644
--- a/infrastructure/terraform/components/reporting/sfn_state_machine_completed_batch_report.tf
+++ b/infrastructure/terraform/components/reporting/sfn_state_machine_completed_batch_report.tf
@@ -54,6 +54,7 @@ resource "aws_iam_policy" "sfn_completed_batch_report" {
 policy = data.aws_iam_policy_document.sfn_completed_batch_report.json
 }
+#tfsec:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "sfn_completed_batch_report" {
 statement {
diff --git a/infrastructure/terraform/components/reporting/sfn_state_machine_completed_comms_report.tf b/infrastructure/terraform/components/reporting/sfn_state_machine_completed_comms_report.tf
index 45b3619e..1125c020 100644
--- a/infrastructure/terraform/components/reporting/sfn_state_machine_completed_comms_report.tf
+++ b/infrastructure/terraform/components/reporting/sfn_state_machine_completed_comms_report.tf
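Review bot: The three-line Athena workgroup comment pasted above `aws_s3_bucket_server_side_encryption_configuration.access_logs` explains a workgroup decision and says nothing about why this bucket uses a non-customer key, which is what `aws-s3-encryption-customer-key` flags; a reader auditing the suppression later will not find the reason. If the reason is that S3 server access log delivery does not support an SSE-KMS target bucket, that is the one line to keep: `#tfsec:ignore:aws-s3-encryption-customer-key S3 server access log delivery requires SSE-S3 on the target bucket`. The resource block continues past the hunk.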
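Review bot: Placing `#tfsec:ignore:aws-iam-no-policy-wildcards` above the whole `data "aws_iam_policy_document" "sfn_completed_batch_report"` block suppresses wildcard findings for every statement in the document, including any added later, whereas the sso policy hunk in this same commit scopes the identical ignore to a single statement. The same document-level placement is used in sfn_state_machine_completed_comms_report.tf, sfn_state_machine_housekeeping.tf and sfn_state_machine_ingestion.tf, and sfn_state_machine_watchdog.tf now carries the ignore both on the document and on its `AllowAthena` statement, so one of those two is redundant. Move each ignore onto the statement that actually needs `*` and give the reason inline, e.g. `#tfsec:ignore:aws-iam-no-policy-wildcards <which action has no resource-level permissions>`. The data block continues past the hunk.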
@@ -54,6 +54,7 @@ resource "aws_iam_policy" "sfn_completed_comms_report" {
 policy = data.aws_iam_policy_document.sfn_completed_comms_report.json
 }
+#tfsec:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "sfn_completed_comms_report" {
 statement {
diff --git a/infrastructure/terraform/components/reporting/sfn_state_machine_housekeeping.tf b/infrastructure/terraform/components/reporting/sfn_state_machine_housekeeping.tf
index ae74e0ad..cb652c48 100644
--- a/infrastructure/terraform/components/reporting/sfn_state_machine_housekeeping.tf
+++ b/infrastructure/terraform/components/reporting/sfn_state_machine_housekeeping.tf
@@ -20,7 +20,7 @@ resource "aws_sfn_state_machine" "housekeeping" {
 "${aws_athena_named_query.request_item_status_summary_batch_vacuum.id}"
 ]
 database_name = "${aws_glue_catalog_database.reporting.name}"
- iam_role = "${aws_iam_role.sfn_housekeeping.arn}"
+ iam_role = "${aws_iam_role.sfn_housekeeping.arn}"
 })
 logging_configuration {
@@ -73,6 +73,7 @@ resource "aws_iam_policy" "sfn_housekeeping" {
 policy = data.aws_iam_policy_document.sfn_housekeeping.json
 }
+#tfsec:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "sfn_housekeeping" {
 statement {
diff --git a/infrastructure/terraform/components/reporting/sfn_state_machine_ingestion.tf b/infrastructure/terraform/components/reporting/sfn_state_machine_ingestion.tf
index 7beaa52c..bc88caac 100644
--- a/infrastructure/terraform/components/reporting/sfn_state_machine_ingestion.tf
+++ b/infrastructure/terraform/components/reporting/sfn_state_machine_ingestion.tf
@@ -63,6 +63,7 @@ resource "aws_iam_policy" "sfn_ingestion" {
 policy = data.aws_iam_policy_document.sfn_ingestion.json
 }
+#tfsec:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "sfn_ingestion" {
 statement {
diff --git a/infrastructure/terraform/components/reporting/sfn_state_machine_watchdog.tf b/infrastructure/terraform/components/reporting/sfn_state_machine_watchdog.tf
index 0a3e65c3..e2c4aee3 100644
--- a/infrastructure/terraform/components/reporting/sfn_state_machine_watchdog.tf
+++ b/infrastructure/terraform/components/reporting/sfn_state_machine_watchdog.tf
@@ -64,8 +64,9 @@ resource "aws_iam_policy" "sfn_watchdog" {
 policy = data.aws_iam_policy_document.sfn_watchdog.json
 }
+#tfsec:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "sfn_watchdog" {
-
+ #tfsec:ignore:aws-iam-no-policy-wildcards
 statement {
 sid = "AllowAthena"
 effect = "Allow"
diff --git a/scripts/init.mk b/scripts/init.mk
index 373f8a4f..b2fb7e4a 100644
--- a/scripts/init.mk
+++ b/scripts/init.mk
@@ -7,19 +7,31 @@ include scripts/tests/test.mk
 # ==============================================================================
 runner-act: # Run GitHub Actions locally - mandatory: workflow=[workflow file name], job=[job name] @Development
- source ./scripts/docker/docker.lib.sh
+ . "./scripts/docker/docker.lib.sh"; \
 act $(shell [[ "${VERBOSE}" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$$ ]] && echo --verbose) \
 --container-architecture linux/amd64 \
- --platform ubuntu-latest=$$(name="ghcr.io/nhs-england-tools/github-runner-image" docker-get-image-version-and-pull) \
+ --platform ubuntu-latest=ghcr.io/catthehacker/ubuntu:full-latest \
 --container-options "--privileged" \
 --bind \
 --pull=false \
 --reuse \
 --rm \
- --defaultbranch main \
 --workflows .github/workflows/${workflow}.yaml \
 --job ${job}
+
+runner-act-workflow: # Run GitHub Actions locally - mandatory: workflow=[workflow file name] @Development
+ . "./scripts/docker/docker.lib.sh"; \
+ act $(shell [[ "${VERBOSE}" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$$ ]] && echo --verbose) \
+ --container-architecture linux/amd64 \
+ --platform ubuntu-latest=ghcr.io/catthehacker/ubuntu:full-latest \
+ --container-options "--privileged" \
+ --bind \
+ --pull=false \
+ --reuse \
+ --rm \
+ --workflows .github/workflows/${workflow}.yaml
 version-create-effective-file: # Create effective version file - optional: dir=[path to the VERSION file to use, default is '.'], BUILD_DATETIME=[build date and time in the '%Y-%m-%dT%H:%M:%S%z' format generated by the CI/CD pipeline, default is current date and time] @Development
 source scripts/docker/docker.lib.sh version-create-effective-file
diff --git a/scripts/terraform/terraform.lib.sh b/scripts/terraform/terraform.lib.sh
index 7793b9b0..a44f8b49 100644
--- a/scripts/terraform/terraform.lib.sh
+++ b/scripts/terraform/terraform.lib.sh
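Review bot: `--platform ubuntu-latest=ghcr.io/catthehacker/ubuntu:full-latest` replaces an image that was resolved and pulled through `docker-get-image-version-and-pull` with a mutable third-party tag, so the runner image `act` executes workflows in is no longer pinned and whichever build of `full-latest` happens to be pulled first is what runs, with `--pull=false` then freezing that accidental choice; the same line is duplicated in the new `runner-act-workflow` target. Pin it by digest and keep it in one place: `ACT_RUNNER_IMAGE := ghcr.io/catthehacker/ubuntu:full-latest@sha256:<DIGEST>` near the top of the file and `--platform ubuntu-latest=$(ACT_RUNNER_IMAGE) \` in both targets. docker.lib.sh is still sourced in both recipes although nothing in the new argument list calls a function from it, which is worth confirming before keeping the `. "…"; \` prefix.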
@@ -53,8 +53,11 @@ function terraform-destroy() {
 # dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is '.']
 # opts=[options to pass to the Terraform fmt command, default is '-recursive']
 function terraform-fmt() {
-
- _terraform fmt -recursive # 'dir' and 'opts' are passed to the function as environment variables, if set
+ for d in "${PWD}infrastructure/"*; do
+ if [ -d "$d" ]; then
+ terraform fmt --recursive "${d}"
+ fi
+ done
 }
 # Validate Terraform code.
@@ -73,7 +76,10 @@ function _terraform() {
 local cmd="-chdir=$dir $* ${opts:-}"
 local project_dir="$(git rev-parse --show-toplevel)"
- cmd="$cmd" "$project_dir/scripts/terraform/terraform.sh"
+ echo dir:${dir}
+ echo cmd:${cmd}
+ echo project_dir:${project_dir}
+ cmd="$cmd" "$project_dir/infrastructure/terraform/bin/terraform.sh"
 }
 # Remove Terraform files.
diff --git a/scripts/terraform/terraform.mk b/scripts/terraform/terraform.mk
index 0902e8de..07d3e672 100644
--- a/scripts/terraform/terraform.mk
+++ b/scripts/terraform/terraform.mk
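Review bot: `for d in "${PWD}infrastructure/"*; do` is missing a `/` after `${PWD}`, so the glob expands to `<cwd>infrastructure/*` (e.g. `/home/user` becomes `/home/userinfrastructure/*`), matches nothing, and `terraform-fmt` silently formats nothing because the `-d` test hides the miss. The new loop also drops the `dir`/`opts` contract still described in the two comment lines above it and bypasses the `_terraform` wrapper, so fmt now runs whatever `terraform` is on the host PATH rather than the project's wrapper script. Minimal fix: `for d in "${PWD}/infrastructure/"*; do` with `local d` declared before the loop; if the wrapper was meant to stay in use, `_terraform fmt "${opts:--recursive}"` keeps the documented behaviour instead. The whole of `terraform-fmt` is inside the hunk.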
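Review bot: The three `echo dir:${dir}`, `echo cmd:${cmd}` and `echo project_dir:${project_dir}` lines in `_terraform` write unquoted debug output to stdout on every call, so anything that captures the wrapper's stdout (a `terraform output` run through `terraform-${cmd}`, for instance) now gets these lines mixed into its result, and unquoted `${cmd}` is word-split before echo sees it. Either remove them or gate them and send them to stderr: `[[ "${VERBOSE:-false}" == true ]] && printf 'dir:%s\ncmd:%s\nproject_dir:%s\n' "$dir" "$cmd" "$project_dir" >&2`. The new wrapper path `infrastructure/terraform/bin/terraform.sh` is not part of this diff, so it is worth confirming that script is committed. `_terraform` starts outside the hunk.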
@@ -46,17 +46,12 @@ clean:: # Remove Terraform files (terraform) - optional: terraform_dir|dir=[path
 opts=$(or ${terraform_opts}, ${opts})
 _terraform: # Terraform command wrapper - mandatory: cmd=[command to execute]; optional: dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], opts=[options to pass to the Terraform command, default is none/empty]
+ # 'TERRAFORM_STACK' is passed to the functions as environment variable
+ TERRAFORM_STACK=$(or ${TERRAFORM_STACK}, $(or ${terraform_stack}, $(or ${STACK}, ${stack}))) dir=$(or ${dir}, ${TERRAFORM_STACK})
- source scripts/terraform/terraform.lib.sh
+ . "scripts/terraform/terraform.lib.sh"; \
 terraform-${cmd} # 'dir' and 'opts' are accessible by the function as environment variables, if set
-terraform-docs: # Terraform-docs check against Terraform files - optional: terraform_dir|dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], terraform_opts|opts=[options to pass to the Terraform fmt command, default is '-recursive'] @Quality
- for dir in ./infrastructure/terraform/components/* ./infrastructure/terraform/modules/*; do \
- if [ -d "$$dir" ]; then \
- ./scripts/terraform/terraform-docs.sh $$dir; \
- fi \
- done
-
 # ==============================================================================
 # Quality checks - please DO NOT edit this section!
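Review bot: Joining `. "scripts/terraform/terraform.lib.sh"; \` to the `terraform-${cmd}` line fixes the sourced functions being lost between recipe lines, but the new `TERRAFORM_STACK=… dir=…` line above it is still its own recipe line; unless this Makefile sets `.ONESHELL` (not visible here), it runs in a separate shell and neither `TERRAFORM_STACK` nor the defaulted `dir` ever reaches `terraform-${cmd}`, despite the new comment saying it is passed as an environment variable. A `dir=` given on the make command line is exported by make anyway, which is probably why the target still appears to work. End that line with `; \` too so the three lines form one shell command, and prefix the recipe comment with `@` or move it above the target so make does not echo it at run time. The removed `terraform-docs` target reappears later in the file, so that part of the hunk is a move.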
@@ -65,7 +60,18 @@ terraform-shellscript-lint: # Lint all Terraform module shell scripts @Quality
 file=$${file} scripts/shellscript-linter.sh
 done
+terraform-sec: # TFSEC check against Terraform files - optional: terraform_dir|dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], terraform_opts|opts=[options to pass to the Terraform fmt command, default is '-recursive'] @Quality
+ tfsec infrastructure/terraform \
+ --force-all-dirs \
+ --exclude-downloaded-modules \
+ --config-file scripts/config/tfsec.yaml
+terraform-docs: # Terraform-docs check against Terraform files - optional: terraform_dir|dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], terraform_opts|opts=[options to pass to the Terraform fmt command, default is '-recursive'] @Quality
+ for dir in ./infrastructure/terraform/components/* ./infrastructure/terraform/modules/*; do \
+ if [ -d "$$dir" ]; then \
+ ./scripts/terraform/terraform-docs.sh $$dir; \
+ fi \
+ done
 # ==============================================================================
 # Configuration - please DO NOT edit this section!
diff --git a/scripts/terraform/tfsec.sh b/scripts/terraform/tfsec.sh
index 73549952..5d13e60a 100755
--- a/scripts/terraform/tfsec.sh
+++ b/scripts/terraform/tfsec.sh
@@ -37,12 +37,10 @@ function run-tfsec-natively() {
 echo "Running TFSec on directory: $dir_to_scan"
 tfsec \
- --concise-output \
 --force-all-dirs \
 --exclude-downloaded-modules \
 --config-file scripts/config/tfsec.yaml \
 --format text \
- --soft-fail \
 "$dir_to_scan"
 check-tfsec-status
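Review bot: The help text on the new `terraform-sec` target promises `terraform_dir|dir` and `terraform_opts|opts` with an fmt default of `-recursive`, copied from `terraform-docs`, but the recipe hard-codes `infrastructure/terraform` and passes no `opts`, and it duplicates the invocation that `scripts/terraform/tfsec.sh` builds in `run-tfsec-natively` with nearly the same flags and the same config file. Either correct the text to `terraform-sec: # TFSEC check against Terraform files @Quality` or have the recipe call the existing script so the tfsec flags live in one place. The `done` at the top of the hunk belongs to `terraform-shellscript-lint`, which starts outside it.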
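Review bot: Dropping `--soft-fail` in `run-tfsec-natively` is the right direction, since findings now return a non-zero status instead of only being printed, but `check-tfsec-status` on the next line is what appears to interpret the result, and if this script runs under `set -e` (its header is outside the hunk) the non-zero tfsec exit aborts the function before that call runs. Capture the status explicitly and let the checker read it: `tfsec … "$dir_to_scan" || tfsec_status=$?` followed by `check-tfsec-status`, adjusting `check-tfsec-status` to read that variable if it currently relies on `$?`. Removing `--concise-output` only changes verbosity. `run-tfsec-natively` starts outside the hunk.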