diff --git a/.tool-versions b/.tool-versions
index 32db55a..6211f54 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -2,7 +2,7 @@
terraform 1.7.0
pre-commit 3.6.0
-
+tfsec 1.28.6
# ==============================================================================
# The section below is reserved for Docker image versions.
diff --git a/infrastructure/terraform/components/acct/outputs.tf b/infrastructure/terraform/components/acct/outputs.tf
index d406aef..0e91021 100644
--- a/infrastructure/terraform/components/acct/outputs.tf
+++ b/infrastructure/terraform/components/acct/outputs.tf
@@ -1,7 +1,7 @@
output "dns_zone" {
value = {
- id = aws_route53_zone.main.id
- name = aws_route53_zone.main.name
+ id = aws_route53_zone.main.id
+ name = aws_route53_zone.main.name
nameservers = aws_route53_zone.main.name_servers
}
}
diff --git a/infrastructure/terraform/components/acct/versions.tf b/infrastructure/terraform/components/acct/versions.tf
index 5be0c2c..5fba18d 100644
--- a/infrastructure/terraform/components/acct/versions.tf
+++ b/infrastructure/terraform/components/acct/versions.tf
@@ -6,5 +6,5 @@ terraform {
}
}
- required_version = ">= 1.9.0"
+ required_version = ">= 1.9.0"
}
diff --git a/infrastructure/terraform/components/branch/locals_remote_state.tf b/infrastructure/terraform/components/branch/locals_remote_state.tf
index f7fd302..bc45071 100644
--- a/infrastructure/terraform/components/branch/locals_remote_state.tf
+++ b/infrastructure/terraform/components/branch/locals_remote_state.tf
@@ -1,7 +1,7 @@
locals {
bootstrap = data.terraform_remote_state.bootstrap.outputs
acct = data.terraform_remote_state.acct.outputs
- iam = data.terraform_remote_state.iam.outputs
+ iam = data.terraform_remote_state.iam.outputs
}
data "terraform_remote_state" "bootstrap" {
diff --git a/infrastructure/terraform/components/branch/module_amplify_branch.tf b/infrastructure/terraform/components/branch/module_amplify_branch.tf
index af409ff..70aeea8 100644
--- a/infrastructure/terraform/components/branch/module_amplify_branch.tf
+++ b/infrastructure/terraform/components/branch/module_amplify_branch.tf
@@ -1,7 +1,7 @@
module "amplify_branch" {
- source = "../../modules/amp_branch"
+ source = "../../modules/amp_branch"
- name = lower(substr(join("", regexall("[a-zA-Z0-9-]+",var.branch_name)),0,25))
+ name = lower(substr(join("", regexall("[a-zA-Z0-9-]+", var.branch_name)), 0, 25))
aws_account_id = var.aws_account_id
component = var.component
environment = var.environment
diff --git a/infrastructure/terraform/components/branch/versions.tf b/infrastructure/terraform/components/branch/versions.tf
index b623365..5fba18d 100644
--- a/infrastructure/terraform/components/branch/versions.tf
+++ b/infrastructure/terraform/components/branch/versions.tf
@@ -6,5 +6,5 @@ terraform {
}
}
- required_version = ">= 1.9.0"
+ required_version = ">= 1.9.0"
}
diff --git a/infrastructure/terraform/components/iam/amplify_app.tf b/infrastructure/terraform/components/iam/amplify_app.tf
index 2fea25d..95b6c22 100644
--- a/infrastructure/terraform/components/iam/amplify_app.tf
+++ b/infrastructure/terraform/components/iam/amplify_app.tf
@@ -1,5 +1,5 @@
resource "aws_amplify_app" "main" {
- name = local.csi
+ name = local.csi
repository = "https://github.com/NHSDigital/nhs-notify-iam-webauth"
access_token = data.aws_ssm_parameter.github_pat_ssm_param_name.value
@@ -7,7 +7,7 @@ resource "aws_amplify_app" "main" {
enable_auto_branch_creation = false
enable_branch_auto_build = var.enable_amplify_branch_auto_build
- platform = "WEB_COMPUTE"
+ platform = "WEB_COMPUTE"
auto_branch_creation_patterns = [
"*",
@@ -15,10 +15,10 @@ resource "aws_amplify_app" "main" {
]
environment_variables = {
- USER_POOL_ID = aws_cognito_user_pool.main.id
+ USER_POOL_ID = aws_cognito_user_pool.main.id
# HOSTED_LOGIN_DOMAIN = "auth.${var.environment}.${local.acct.dns_zone["name"]}"
- NOTIFY_GROUP = var.group
- NOTIFY_ENVIRONMENT = var.environment
- NOTIFY_DOMAIN_NAME = local.acct.dns_zone["name"]
+ NOTIFY_GROUP = var.group
+ NOTIFY_ENVIRONMENT = var.environment
+ NOTIFY_DOMAIN_NAME = local.acct.dns_zone["name"]
}
}
diff --git a/infrastructure/terraform/components/iam/iam_role_amplify.tf b/infrastructure/terraform/components/iam/iam_role_amplify.tf
index bd13c70..c26ec81 100644
--- a/infrastructure/terraform/components/iam/iam_role_amplify.tf
+++ b/infrastructure/terraform/components/iam/iam_role_amplify.tf
@@ -1,5 +1,5 @@
resource "aws_iam_role" "amplify" {
- name = "${local.csi}-service-role"
+ name = "${local.csi}-service-role"
assume_role_policy = data.aws_iam_policy_document.assumerole_amplify.json
}
diff --git a/infrastructure/terraform/components/iam/module_amplify_branch.tf b/infrastructure/terraform/components/iam/module_amplify_branch.tf
index db6d8be..03c76c7 100644
--- a/infrastructure/terraform/components/iam/module_amplify_branch.tf
+++ b/infrastructure/terraform/components/iam/module_amplify_branch.tf
@@ -1,5 +1,5 @@
module "amplify_branch" {
- source = "../../modules/amp_branch"
+ source = "../../modules/amp_branch"
name = var.environment
aws_account_id = var.aws_account_id
diff --git a/infrastructure/terraform/components/iam/outputs.tf b/infrastructure/terraform/components/iam/outputs.tf
index 60d6758..f0bb257 100644
--- a/infrastructure/terraform/components/iam/outputs.tf
+++ b/infrastructure/terraform/components/iam/outputs.tf
@@ -1,6 +1,6 @@
output "cognito_user_pool" {
value = {
- id = aws_cognito_user_pool.main.id
+ id = aws_cognito_user_pool.main.id
identity_providers = aws_cognito_user_pool_client.main.supported_identity_providers
}
}
diff --git a/infrastructure/terraform/components/iam/variables.tf b/infrastructure/terraform/components/iam/variables.tf
index a76b4b5..44ad61d 100644
--- a/infrastructure/terraform/components/iam/variables.tf
+++ b/infrastructure/terraform/components/iam/variables.tf
@@ -70,19 +70,19 @@ variable "root_domain_name" {
}
variable "enable_amplify_branch_auto_build" {
- type = bool
+ type = bool
description = "Enable automatic building of branches"
- default = false
+ default = false
}
variable "cognito_user_pool_additional_callback_urls" {
- type = list(string)
+ type = list(string)
description = "A list of additional callback_urls for the cognito user pool"
- default = []
+ default = []
}
variable "enable_cognito_built_in_idp" {
- type = bool
+ type = bool
description = "Enable the use of Cognito as an IDP; CIS2 is prefered"
- default = false
+ default = false
}
diff --git a/infrastructure/terraform/components/iam/versions.tf b/infrastructure/terraform/components/iam/versions.tf
index b623365..5fba18d 100644
--- a/infrastructure/terraform/components/iam/versions.tf
+++ b/infrastructure/terraform/components/iam/versions.tf
@@ -6,5 +6,5 @@ terraform {
}
}
- required_version = ">= 1.9.0"
+ required_version = ">= 1.9.0"
}
diff --git a/infrastructure/terraform/etc/README.md b/infrastructure/terraform/etc/README.md
index 23f35cc..0c683ab 100644
--- a/infrastructure/terraform/etc/README.md
+++ b/infrastructure/terraform/etc/README.md
@@ -2,24 +2,20 @@
## Example configuration files may look like this with the global.tfvars forming the base, any configuration will override with a most specific config taking presidence. env > region > group > Global
-**env_eu-west-2_example.tfvars**
-```
+```env_eu-west-2_example.tfvars
environment = "example"
```
-**eu-west-2.tfvars**
-```
+```eu-west-2.tfvars
region = "eu-west-2"
```
-**group_example.tfvars**
-```
+```group_example.tfvars
group = "example"
aws_account_id = "1234567890"
```
-**global.tfvars**
-```
+```global.tfvars
tfscaffold_bucket_prefix = "nhs-notify-tfscaffold"
project = "myproject"
aws_account_id = "0987654321"
diff --git a/infrastructure/terraform/modules/amp_branch/variables.tf b/infrastructure/terraform/modules/amp_branch/variables.tf
index 5798d9e..168aec6 100644
--- a/infrastructure/terraform/modules/amp_branch/variables.tf
+++ b/infrastructure/terraform/modules/amp_branch/variables.tf
@@ -62,22 +62,22 @@ variable "name" {
variable "cognito_user_pool_client_id" {
description = "Cognito User Pool client ID"
- type = string
+ type = string
}
variable "cognito_user_pool_identity_provider_names" {
description = "A list of Cognito IDP names"
- type = list(string)
+ type = list(string)
}
variable "amplify_app_id" {
description = "Amplify application ID"
- type = string
+ type = string
}
variable "branch" {
description = "The name of the branch being deployed"
- type = string
+ type = string
}
variable "domain_name" {
diff --git a/infrastructure/terraform/modules/kms/README.md b/infrastructure/terraform/modules/kms/README.md
deleted file mode 100644
index 31fe336..0000000
--- a/infrastructure/terraform/modules/kms/README.md
+++ /dev/null
@@ -1,42 +0,0 @@
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [alias](#input\_alias) | Alias name for the hieradata KMS key | `string` | n/a | yes |
-| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
-| [component](#input\_component) | The name of the terraformscaffold component calling this module | `string` | n/a | yes |
-| [default\_tags](#input\_default\_tags) | Default tag map for application to all taggable resources in the module | `map(string)` | `{}` | no |
-| [deletion\_window](#input\_deletion\_window) | KMS key deletion window | `string` | n/a | yes |
-| [environment](#input\_environment) | The name of the terraformscaffold environment the module is called for | `string` | n/a | yes |
-| [iam\_delegation](#input\_iam\_delegation) | Whether to delegate administration of the key to the local account. Defaults to true | `bool` | `true` | no |
-| [key\_policy\_documents](#input\_key\_policy\_documents) | List of KMS key policy JSON documents | `list(string)` | `[]` | no |
-| [module](#input\_module) | The name of this module. This is a special variable, it should be set only here and never overridden. | `string` | `"kms"` | no |
-| [name](#input\_name) | A unique name to distinguish this module invocation from others within the same CSI scope | `string` | n/a | yes |
-| [project](#input\_project) | The name of the terraformscaffold project calling the module | `string` | n/a | yes |
-| [region](#input\_region) | The AWS Region | `string` | n/a | yes |
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [admin\_policy\_arn](#output\_admin\_policy\_arn) | n/a |
-| [key\_arn](#output\_key\_arn) | n/a |
-| [key\_id](#output\_key\_id) | n/a |
-| [user\_policy\_arn](#output\_user\_policy\_arn) | n/a |
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | n/a |
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_iam_policy.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_kms_alias.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
-| [aws_kms_key.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_iam_policy_document.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-
diff --git a/infrastructure/terraform/modules/kms/data_iam_kms_admin_policy.tf b/infrastructure/terraform/modules/kms/data_iam_kms_admin_policy.tf
index 25d4fb3..9a62b87 100644
--- a/infrastructure/terraform/modules/kms/data_iam_kms_admin_policy.tf
+++ b/infrastructure/terraform/modules/kms/data_iam_kms_admin_policy.tf
@@ -1,3 +1,4 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
data "aws_iam_policy_document" "admin" {
policy_id = "${local.csi}-admin"
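Review bot: The `#tfsec:ignore:aws-iam-no-policy-wildcards` added above the `admin` data source records neither why the wildcard is acceptable nor when the exception should be revisited, and because it sits on the block header it silences the rule for every statement in the document, including ones added later. Prefer placing the ignore on the specific `actions`/`resources` line it covers and stating the reason inline, with an expiry so it is re-evaluated, e.g. `#tfsec:ignore:aws-iam-no-policy-wildcards:exp:<YYYY-MM-DD> -- <why the wildcard is required here>`. The statements that trigger the finding are outside the hunk, so I cannot tell whether the wildcard is in `actions` or `resources`; if it is an action wildcard scoped to the module's own key, say so in the comment. The identical ignore added to the `user` document in data_iam_kms_user_policy.tf has the same gap.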
diff --git a/infrastructure/terraform/modules/kms/data_iam_kms_user_policy.tf b/infrastructure/terraform/modules/kms/data_iam_kms_user_policy.tf
index 99a63f9..5cb6f3b 100644
--- a/infrastructure/terraform/modules/kms/data_iam_kms_user_policy.tf
+++ b/infrastructure/terraform/modules/kms/data_iam_kms_user_policy.tf
@@ -1,3 +1,4 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
data "aws_iam_policy_document" "user" {
policy_id = "${local.csi}-user"
diff --git a/scripts/config/tfsec.yml b/scripts/config/tfsec.yml
new file mode 100644
index 0000000..e19ea1c
--- /dev/null
+++ b/scripts/config/tfsec.yml
@@ -0,0 +1,3 @@
+---
+minimum_severity: WARNING
+exclude:
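Review bot: `exclude:` on the last line has no value, so YAML parses it as null rather than an empty list; either drop the key or write `exclude: []` so the intent (no rules excluded) is explicit and the loader does not have to tolerate a nil value. `minimum_severity: WARNING` also deserves a check: tfsec 1.x names its severities CRITICAL, HIGH, MEDIUM and LOW, and I am not certain how the pinned 1.28.6 treats an unrecognised name — it could reject the config or silently apply no threshold, either of which changes what the new `terraform-sec` target reports. Using one of the documented values, e.g. `minimum_severity: MEDIUM`, plus a one-line comment saying why lower findings are filtered would make the threshold deliberate.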
diff --git a/scripts/config/vale/styles/Vocab/words/accept.txt b/scripts/config/vale/styles/Vocab/words/accept.txt
index eb9cd04..a895c39 100644
--- a/scripts/config/vale/styles/Vocab/words/accept.txt
+++ b/scripts/config/vale/styles/Vocab/words/accept.txt
@@ -1,17 +1,19 @@
+[A-Z]+s
Bitwarden
+bot
+config
Cyber
Dependabot
+env
Gitleaks
Grype
+idempotence
OAuth
Octokit
+onboarding
Podman
Python
Syft
Terraform
-Trufflehog
-bot
-idempotence
-onboarding
toolchain
-[A-Z]+s
+Trufflehog
diff --git a/scripts/terraform/terraform.mk b/scripts/terraform/terraform.mk
index 120a059..0db0a88 100644
--- a/scripts/terraform/terraform.mk
+++ b/scripts/terraform/terraform.mk
@@ -42,9 +42,9 @@ clean:: # Remove Terraform files (terraform) - optional: terraform_dir|dir=[path
_terraform: # Terraform command wrapper - mandatory: cmd=[command to execute]; optional: dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], opts=[options to pass to the Terraform command, default is none/empty]
# 'TERRAFORM_STACK' is passed to the functions as environment variable
- TERRAFORM_STACK=$(or ${TERRAFORM_STACK}, $(or ${terraform_stack}, $(or ${STACK}, $(or ${stack}, scripts/terraform/examples/terraform-state-aws-s3))))
+ TERRAFORM_STACK=$(or ${TERRAFORM_STACK}, $(or ${terraform_stack}, $(or ${STACK}, ${stack})))
dir=$(or ${dir}, ${TERRAFORM_STACK})
- source scripts/terraform/terraform.lib.sh
+ . "scripts/terraform/terraform.lib.sh"; \
terraform-${cmd} # 'dir' and 'opts' are accessible by the function as environment variables, if set
# ==============================================================================
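Review bot: The help text on the `_terraform:` line still promises a fallback to "the example directory, if not set", but the new `TERRAFORM_STACK=` line drops the `scripts/terraform/examples/terraform-state-aws-s3` default, so with none of `TERRAFORM_STACK`/`terraform_stack`/`STACK`/`stack` set both `TERRAFORM_STACK` and `dir` are now empty; update the comment to say the stack is mandatory and consider failing fast with `$(if $(strip $(or ${TERRAFORM_STACK},${terraform_stack},${STACK},${stack})),,$(error no Terraform stack set))` before the function runs. The "Module tests and examples" section starting outside this hunk presumably relied on that default, so its targets need checking — and note that `${TERRAFORM_STACK}` in the `rm -f ${TERRAFORM_STACK}/.terraform.lock.hcl` line of `terraform-example-clean` is a Make expansion, not the shell variable these recipe lines assign, so it expands to `rm -f /.terraform.lock.hcl` whenever the Make-level variable is unset. The `. "…"; \` rewrite correctly keeps the sourced functions in the same shell as `terraform-${cmd}`, but the `TERRAFORM_STACK=` and `dir=` lines above it show no trailing `\`; unless `.ONESHELL:` is set elsewhere in the file they run in separate shells and neither value reaches the function, and the same pattern appears in `terraform-example-clean`.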
@@ -55,6 +55,12 @@ terraform-shellscript-lint: # Lint all Terraform module shell scripts @Quality
file=$${file} scripts/shellscript-linter.sh
done
+terraform-sec: # TFSEC check against Terraform files - optional: terraform_dir|dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], terraform_opts|opts=[options to pass to the Terraform fmt command, default is '-recursive'] @Quality
+ tfsec infrastructure/terraform \
+ --force-all-dirs \
+ --exclude-downloaded-modules \
+ --config-file scripts/config/tfsec.yml
+
# ==============================================================================
# Module tests and examples - please DO NOT edit this section!
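Review bot: The help comment on the new `terraform-sec:` line advertises `terraform_dir|dir` and `terraform_opts|opts` (with a '-recursive' default copied from the fmt target), but the recipe hard-codes `infrastructure/terraform` and passes no options, so none of those knobs do anything. Either make the recipe read them the way `_terraform` does, or describe what it actually runs, e.g. `terraform-sec: # Run tfsec over infrastructure/terraform with scripts/config/tfsec.yml @Quality`. No `.PHONY` declaration for `terraform-sec` is visible in this hunk; if the file declares its other command targets phony, add this one there too, since a stray file named `terraform-sec` would otherwise make the scan report as up to date and never run. `--exclude-downloaded-modules` drops results from modules fetched into `.terraform/`, so remotely sourced modules are not covered by this target; that is fine if intended, but worth a word in the comment.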
@@ -68,7 +74,7 @@ terraform-example-destroy-aws-infrastructure: # Destroy example of AWS infrastru
terraform-example-clean: # Remove Terraform example files @ExamplesAndTests
dir=$(or ${dir}, ${TERRAFORM_STACK})
- source scripts/terraform/terraform.lib.sh
+ . "scripts/terraform/terraform.lib.sh"; \
terraform-clean
rm -f ${TERRAFORM_STACK}/.terraform.lock.hcl