CCM-5680 adding tfsec and fixing fmt

.tool-versions

@@ -2,7 +2,7 @@
 
 terraform 1.7.0
 pre-commit 3.6.0
-
+tfsec 1.28.6
 # ==============================================================================
 # The section below is reserved for Docker image versions.
 

infrastructure/terraform/components/acct/outputs.tf

@@ -1,7 +1,7 @@
 output "dns_zone" {
   value = {
-    id = aws_route53_zone.main.id
-    name = aws_route53_zone.main.name
+    id          = aws_route53_zone.main.id
+    name        = aws_route53_zone.main.name
     nameservers = aws_route53_zone.main.name_servers
   }
 }

infrastructure/terraform/components/acct/versions.tf

@@ -6,5 +6,5 @@ terraform {
     }
   }
 
-    required_version = ">= 1.9.0"
+  required_version = ">= 1.9.0"
 }

infrastructure/terraform/components/branch/locals_remote_state.tf

@@ -1,7 +1,7 @@
 locals {
   bootstrap = data.terraform_remote_state.bootstrap.outputs
   acct      = data.terraform_remote_state.acct.outputs
-  iam      = data.terraform_remote_state.iam.outputs
+  iam       = data.terraform_remote_state.iam.outputs
 }
 
 data "terraform_remote_state" "bootstrap" {

infrastructure/terraform/components/branch/module_amplify_branch.tf

@@ -1,7 +1,7 @@
 module "amplify_branch" {
-  source      = "../../modules/amp_branch"
+  source = "../../modules/amp_branch"
 
-  name           = lower(substr(join("", regexall("[a-zA-Z0-9-]+",var.branch_name)),0,25))
+  name           = lower(substr(join("", regexall("[a-zA-Z0-9-]+", var.branch_name)), 0, 25))
   aws_account_id = var.aws_account_id
   component      = var.component
   environment    = var.environment

infrastructure/terraform/components/branch/versions.tf

@@ -6,5 +6,5 @@ terraform {
     }
   }
 
-   required_version = ">= 1.9.0"
+  required_version = ">= 1.9.0"
 }

infrastructure/terraform/components/iam/amplify_app.tf

@@ -1,24 +1,24 @@
 resource "aws_amplify_app" "main" {
-  name = local.csi
+  name         = local.csi
   repository   = "https://github.com/NHSDigital/nhs-notify-iam-webauth"
   access_token = data.aws_ssm_parameter.github_pat_ssm_param_name.value
 
   iam_service_role_arn = aws_iam_role.amplify.arn
 
   enable_auto_branch_creation = false
   enable_branch_auto_build    = var.enable_amplify_branch_auto_build
-  platform = "WEB_COMPUTE"
+  platform                    = "WEB_COMPUTE"
 
   auto_branch_creation_patterns = [
     "*",
     "*/**"
   ]
 
   environment_variables = {
-    USER_POOL_ID        = aws_cognito_user_pool.main.id
+    USER_POOL_ID = aws_cognito_user_pool.main.id
     # HOSTED_LOGIN_DOMAIN = "auth.${var.environment}.${local.acct.dns_zone["name"]}"
-    NOTIFY_GROUP        = var.group
-    NOTIFY_ENVIRONMENT  = var.environment
-    NOTIFY_DOMAIN_NAME  = local.acct.dns_zone["name"]
+    NOTIFY_GROUP       = var.group
+    NOTIFY_ENVIRONMENT = var.environment
+    NOTIFY_DOMAIN_NAME = local.acct.dns_zone["name"]
   }
 }

infrastructure/terraform/components/iam/iam_role_amplify.tf

@@ -1,5 +1,5 @@
 resource "aws_iam_role" "amplify" {
-  name = "${local.csi}-service-role"
+  name               = "${local.csi}-service-role"
   assume_role_policy = data.aws_iam_policy_document.assumerole_amplify.json
 }
 

infrastructure/terraform/components/iam/module_amplify_branch.tf

@@ -1,5 +1,5 @@
 module "amplify_branch" {
-  source      = "../../modules/amp_branch"
+  source = "../../modules/amp_branch"
 
   name           = var.environment
   aws_account_id = var.aws_account_id

infrastructure/terraform/components/iam/outputs.tf

@@ -1,6 +1,6 @@
 output "cognito_user_pool" {
   value = {
-    id = aws_cognito_user_pool.main.id
+    id                 = aws_cognito_user_pool.main.id
     identity_providers = aws_cognito_user_pool_client.main.supported_identity_providers
   }
 }

infrastructure/terraform/components/iam/variables.tf

@@ -70,19 +70,19 @@ variable "root_domain_name" {
 }
 
 variable "enable_amplify_branch_auto_build" {
-  type = bool
+  type        = bool
   description = "Enable automatic building of branches"
-  default = false
+  default     = false
 }
 
 variable "cognito_user_pool_additional_callback_urls" {
-  type = list(string)
+  type        = list(string)
   description = "A list of additional callback_urls for the cognito user pool"
-  default = []
+  default     = []
 }
 
 variable "enable_cognito_built_in_idp" {
-  type = bool
+  type        = bool
   description = "Enable the use of Cognito as an IDP; CIS2 is prefered"
-  default = false
+  default     = false
 }

infrastructure/terraform/components/iam/versions.tf

@@ -6,5 +6,5 @@ terraform {
     }
   }
 
-   required_version = ">= 1.9.0"
+  required_version = ">= 1.9.0"
 }

infrastructure/terraform/etc/README.md

@@ -2,24 +2,20 @@
 
 ## Example configuration files may look like this with the global.tfvars forming the base, any configuration will override with a most specific config taking presidence. env > region > group > Global
 
-**env_eu-west-2_example.tfvars**
-```
+```env_eu-west-2_example.tfvars
 environment = "example"
 ```
 
-**eu-west-2.tfvars**
-```
+```eu-west-2.tfvars
 region = "eu-west-2"
 ```
 
-**group_example.tfvars**
-```
+```group_example.tfvars
 group = "example"
 aws_account_id = "1234567890"
 ```
 
-**global.tfvars**
-```
+```global.tfvars
 tfscaffold_bucket_prefix = "nhs-notify-tfscaffold"
 project        = "myproject"
 aws_account_id = "0987654321"

infrastructure/terraform/modules/amp_branch/variables.tf

@@ -62,22 +62,22 @@ variable "name" {
 
 variable "cognito_user_pool_client_id" {
   description = "Cognito User Pool client ID"
-  type = string
+  type        = string
 }
 
 variable "cognito_user_pool_identity_provider_names" {
   description = "A list of Cognito IDP names"
-  type = list(string)
+  type        = list(string)
 }
 
 variable "amplify_app_id" {
   description = "Amplify application ID"
-  type = string
+  type        = string
 }
 
 variable "branch" {
   description = "The name of the branch being deployed"
-  type = string
+  type        = string
 }
 
 variable "domain_name" {

infrastructure/terraform/modules/kms/data_iam_kms_admin_policy.tf

@@ -1,3 +1,4 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "admin" {
   policy_id = "${local.csi}-admin"
 

infrastructure/terraform/modules/kms/data_iam_kms_user_policy.tf

@@ -1,3 +1,4 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "user" {
   policy_id = "${local.csi}-user"
 

scripts/config/tfsec.yml

@@ -0,0 +1,3 @@
+---
+minimum_severity: WARNING
+exclude:

scripts/config/vale/styles/Vocab/words/accept.txt

@@ -1,17 +1,19 @@
+[A-Z]+s
 Bitwarden
+bot
+config
 Cyber
 Dependabot
+env
 Gitleaks
 Grype
+idempotence
 OAuth
 Octokit
+onboarding
 Podman
 Python
 Syft
 Terraform
-Trufflehog
-bot
-idempotence
-onboarding
 toolchain
-[A-Z]+s
+Trufflehog

scripts/terraform/terraform.mk

@@ -42,9 +42,9 @@ clean:: # Remove Terraform files (terraform) - optional: terraform_dir|dir=[path
 
 _terraform: # Terraform command wrapper - mandatory: cmd=[command to execute]; optional: dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], opts=[options to pass to the Terraform command, default is none/empty]
 	# 'TERRAFORM_STACK' is passed to the functions as environment variable
-	TERRAFORM_STACK=$(or ${TERRAFORM_STACK}, $(or ${terraform_stack}, $(or ${STACK}, $(or ${stack}, scripts/terraform/examples/terraform-state-aws-s3))))
+	TERRAFORM_STACK=$(or ${TERRAFORM_STACK}, $(or ${terraform_stack}, $(or ${STACK}, ${stack})))
 	dir=$(or ${dir}, ${TERRAFORM_STACK})
-	source scripts/terraform/terraform.lib.sh
+	. "scripts/terraform/terraform.lib.sh"; \
 	terraform-${cmd} # 'dir' and 'opts' are accessible by the function as environment variables, if set
 
 # ==============================================================================
@@ -55,6 +55,12 @@ terraform-shellscript-lint: # Lint all Terraform module shell scripts @Quality
 		file=$${file} scripts/shellscript-linter.sh
 	done
 
+terraform-sec: # TFSEC check against Terraform files - optional: terraform_dir|dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], terraform_opts|opts=[options to pass to the Terraform fmt command, default is '-recursive'] @Quality
+	tfsec infrastructure/terraform \
+		--force-all-dirs \
+		--exclude-downloaded-modules \
+		--config-file scripts/config/tfsec.yml
+
 # ==============================================================================
 # Module tests and examples - please DO NOT edit this section!
 
@@ -68,7 +74,7 @@ terraform-example-destroy-aws-infrastructure: # Destroy example of AWS infrastru
 
 terraform-example-clean: # Remove Terraform example files @ExamplesAndTests
 	dir=$(or ${dir}, ${TERRAFORM_STACK})
-	source scripts/terraform/terraform.lib.sh
+	. "scripts/terraform/terraform.lib.sh"; \
 	terraform-clean
 	rm -f ${TERRAFORM_STACK}/.terraform.lock.hcl