Merge remote-tracking branch 'origin/main' into dev_container_build

Author: anthony-nhs

.github/workflows/quality-checks.yml

@@ -288,7 +288,7 @@ jobs:
           declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
           for ruleset in "${rulesets[@]}"
           do
-            echo "Checking all templates in cloudformation folder with ruleest $ruleset"
+            echo "Checking all templates in cloudformation folder with ruleset $ruleset"
 
             ~/.guard/bin/cfn-guard validate \
                 --data cloudformation \
@@ -305,7 +305,7 @@ jobs:
           declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
           for ruleset in "${rulesets[@]}"
           do
-            echo "Checking all templates in cdk.out folder with ruleest $ruleset"
+            echo "Checking all templates in cdk.out folder with ruleset $ruleset"
 
             ~/.guard/bin/cfn-guard validate \
                 --data cdk.out \
@@ -314,6 +314,42 @@ jobs:
                 > "cfn_guard_output/cdk.out_$ruleset.txt"
           done
 
+      - name: Download terraform plans
+        uses: actions/download-artifact@v5
+        with:
+          pattern: '*_terraform_plan'
+          path: terraform_plans/
+          merge-multiple: true
+
+      - name: Check terraform plans exist
+        id: check_terraform_plans
+        run: |
+          if [ ! -d terraform_plans ]; then
+            echo "Terraform plans not present."
+            echo "terraform_plans_exist=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "Terraform plans present:"
+            ls -l terraform_plans/
+            echo "terraform_plans_exist=true" >> "$GITHUB_OUTPUT"
+          fi
+      
+      - name: Run cfn-guard script for terraform plans
+        if: steps.check_terraform_plans.outputs.terraform_plans_exist == 'true'
+        run: |
+          #!/usr/bin/env bash
+
+          declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
+          for ruleset in "${rulesets[@]}"
+          do
+            echo "Checking terraform plans with ruleset $ruleset"
+
+            ~/.guard/bin/cfn-guard validate \
+                --data terraform_plans \
+                    --rules "/tmp/ruleset/output/$ruleset.guard" \
+                --show-summary fail \
+                > "cfn_guard_output/terraform_plans_$ruleset.txt"
+          done
+
       - name: Show cfn-guard output
         if: failure()
         run: find cfn_guard_output -type f -print0 | xargs -0 cat

README.md

@@ -17,7 +17,8 @@ The main quality checks workflow runs comprehensive checks for EPS repositories.
 - **Run Linting** Runs `make lint`.
 - **Run actionlint** Runs actionlint using [actionlint](https://github.com/raven-actions/actionlint)
 - **Run shellcheck**: Runs shellcheck using [action-shellcheck](https://github.com/ludeeus/action-shellcheck)
-- **Run cfn-lint** Runs [cfn-lint](https://github.com/aws-cloudformation/cfn-lint) against files in cloudformation and SAMtemplates folders
+- **Validate CloudFormation Templates** (*Conditional*): If CloudFormation, AWS SAM templates or CDK are present, runs `cfn-lint` (SAM and cloudformation only) and `cfn-guard` to validate templates against AWS best practices and security rules.
+- **Validate Terraform Plans** Terraform plans can also be scanned by `cfn-guard` by uploading plans as artefacts in the calling workflow. All Terraform plans must end _terraform_plan and be in json format.
 - **Run Unit Tests**  Runs `make test`.
 - **CDK Synth** (*Conditional*): Runs `make cdk-synth` if packages/cdk folder exists
 - **Run cloudformation-guard** (*Conditional*): Runs [cfn-guard](https://github.com/aws-cloudformation/cloudformation-guard) if CloudFormation, AWS SAM templates or CDK are present