New: [AEA-5667] - Run CloudFormation Guard against Terraform plans (#24)

## Summary

- ✨ Now scans Terraform plans using CloudFormation Guard.

Author: originalphil

.gitallowed

@@ -1,2 +1,3 @@
 token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
 .*\.gitallowed.*
+id-token: write

.github/workflows/quality-checks.yml

@@ -192,32 +192,6 @@ jobs:
         run: |
           make check-licenses
 
-      - name: Check licenses (Python)
-        if: steps.check_poetry.outputs.uses_poetry == 'true'
-        run: |
-          #!/bin/bash
-          set -euo pipefail
-
-          # Install pip-licenses if not already installed
-          if ! poetry run pip show pip-licenses > /dev/null 2>&1; then
-            echo "pip-licenses is not detected. Installing..."
-            poetry run pip install pip-licenses
-          fi
-
-          # known packages with dual licensing
-          IGNORE_PACKAGES="PyGithub chardet text-unidecode"
-          LICENSES=$(poetry run pip-licenses  --ignore-packages "${IGNORE_PACKAGES}")
-          INCOMPATIBLE_LIBS=$(echo "$LICENSES" | grep 'GPL' || true)
-
-          if [[ -z $INCOMPATIBLE_LIBS ]]; then
-              echo "Checked licenses are OK"
-              exit 0
-          else
-              echo "The following libraries were found which are not compatible with this project's license:"
-              echo "$INCOMPATIBLE_LIBS"
-              exit 1
-          fi
-
       - name: Run code lint
         run: make lint
 
@@ -301,7 +275,7 @@ jobs:
           declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
           for ruleset in "${rulesets[@]}"
           do
-            echo "Checking all templates in cloudformation folder with ruleest $ruleset"
+            echo "Checking all templates in cloudformation folder with ruleset $ruleset"
 
             ~/.guard/bin/cfn-guard validate \
                 --data cloudformation \
@@ -318,7 +292,7 @@ jobs:
           declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
           for ruleset in "${rulesets[@]}"
           do
-            echo "Checking all templates in cdk.out folder with ruleest $ruleset"
+            echo "Checking all templates in cdk.out folder with ruleset $ruleset"
 
             ~/.guard/bin/cfn-guard validate \
                 --data cdk.out \
@@ -327,6 +301,42 @@ jobs:
                 > "cfn_guard_output/cdk.out_$ruleset.txt"
           done
 
+      - name: Download terraform plans
+        uses: actions/download-artifact@v5
+        with:
+          pattern: '*_terraform_plan'
+          path: terraform_plans/
+          merge-multiple: true
+
+      - name: Check terraform plans exist
+        id: check_terraform_plans
+        run: |
+          if [ ! -d terraform_plans ]; then
+            echo "Terraform plans not present."
+            echo "terraform_plans_exist=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "Terraform plans present:"
+            ls -l terraform_plans/
+            echo "terraform_plans_exist=true" >> "$GITHUB_OUTPUT"
+          fi
+      
+      - name: Run cfn-guard script for terraform plans
+        if: steps.check_terraform_plans.outputs.terraform_plans_exist == 'true'
+        run: |
+          #!/usr/bin/env bash
+
+          declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
+          for ruleset in "${rulesets[@]}"
+          do
+            echo "Checking terraform plans with ruleset $ruleset"
+
+            ~/.guard/bin/cfn-guard validate \
+                --data terraform_plans \
+                    --rules "/tmp/ruleset/output/$ruleset.guard" \
+                --show-summary fail \
+                > "cfn_guard_output/terraform_plans_$ruleset.txt"
+          done
+
       - name: Show cfn-guard output
         if: failure()
         run: find cfn_guard_output -type f -print0 | xargs -0 cat

README.md

@@ -10,6 +10,7 @@ A workflow to run the quality checks for EPS repositories. The main element of t
 - **Scan git history for secrets**: Scans for secret-like patterns, using https://github.com/NHSDigital/software-engineering-quality-framework/blob/main/tools/nhsd-git-secrets/git-secrets
 - **SonarCloud Scan**: Performs code analysis using SonarCloud to detect quality issues and vulnerabilities.
 - **Validate CloudFormation Templates** (*Conditional*): If CloudFormation, AWS SAM templates or CDK are present, runs `cfn-lint` (SAM and cloudformation only) and `cfn-guard` to validate templates against AWS best practices and security rules.
+- **Validate Terraform Plans** Terraform plans can also be scanned by `cfn-guard` by uploading plans as artefacts in the calling workflow. All Terraform plans must end _terraform_plan and be in json format.
 - **CDK Synth** (*Conditional*): Runs `make cdk-synth` if packages/cdk folder exists
 - **Check Licenses**: Runs `make check-licenses`.
 - **Check Python Licenses** (*Conditional*): If the project uses Poetry, scans Python dependencies for incompatible licenses.