Merge branch 'main' into feature/CCM-14974-csv-reports-failure-events

Author: gareth-allan

.github/PULL_REQUEST_TEMPLATE.md

@@ -25,7 +25,7 @@
 - [ ] I have added tests to cover my changes
 - [ ] I have updated the documentation accordingly
 - [ ] This PR is a result of pair or mob programming
-- [ ] If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR.
+<!-- - [ ] If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR. TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549 -->
 
 ---
 

.github/actions/trivy-iac/action.yaml

@@ -1,19 +1,20 @@
-name: "Trivy IaC Scan"
-description: "Scan Terraform IaC using Trivy"
-runs:
-  using: "composite"
-  steps:
-    - name: "Trivy Terraform IaC Scan"
-      shell: bash
-      run: |
-        components_exit_code=0
-        modules_exit_code=0
-        asdf plugin add trivy || true
-        asdf install trivy || true
-        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
-        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
+# TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# name: "Trivy IaC Scan"
+# description: "Scan Terraform IaC using Trivy"
+# runs:
+#   using: "composite"
+#   steps:
+#     - name: "Trivy Terraform IaC Scan"
+#       shell: bash
+#       run: |
+#         components_exit_code=0
+#         modules_exit_code=0
+#         asdf plugin add trivy || true
+#         asdf install trivy || true
+#         ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
+#         ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
 
-        if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
-          echo "Trivy misconfigurations detected."
-          exit 1
-        fi
+#         if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+#           echo "Trivy misconfigurations detected."
+#           exit 1
+#         fi

.github/actions/trivy-package/action.yaml

@@ -1,17 +1,18 @@
-name: "Trivy Package Scan"
-description: "Scan project packages using Trivy"
-runs:
-  using: "composite"
-  steps:
-    - name: "Trivy Package Scan"
-      shell: bash
-      run: |
-        exit_code=0
-        asdf plugin add trivy || true
-        asdf install trivy || true
-        ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
+# TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# name: "Trivy Package Scan"
+# description: "Scan project packages using Trivy"
+# runs:
+#   using: "composite"
+#   steps:
+#     - name: "Trivy Package Scan"
+#       shell: bash
+#       run: |
+#         exit_code=0
+#         asdf plugin add trivy || true
+#         asdf install trivy || true
+#         ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
 
-        if [ $exit_code -ne 0 ]; then
-          echo "Trivy has detected package vulnerablilites. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
-          exit 1
-        fi
+#         if [ $exit_code -ne 0 ]; then
+#           echo "Trivy has detected package vulnerablilites. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
+#           exit 1
+#         fi

.github/workflows/cicd-1-pull-request.yaml

@@ -36,7 +36,8 @@ jobs:
       is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
       pr_number: ${{ steps.pr_exists.outputs.pr_number }}
-      skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
+      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+      # skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
@@ -76,26 +77,27 @@ jobs:
             echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
             echo "pr_number=" >> $GITHUB_OUTPUT
           fi
-      - name: "Determine if Trivy package scan should be skipped"
-        id: skip_trivy
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
-        run: |
-          if [[ -z "$PR_NUMBER" ]]; then
-            echo "No pull request detected; Trivy package scan will run."
-            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
-            exit 0
-          fi
+      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+      # - name: "Determine if Trivy package scan should be skipped"
+      #   id: skip_trivy
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #     PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
+      #   run: |
+      #     if [[ -z "$PR_NUMBER" ]]; then
+      #       echo "No pull request detected; Trivy package scan will run."
+      #       echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+      #       exit 0
+      #     fi
 
-          labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name')
-          echo "Labels on PR #$PR_NUMBER: $labels"
+      #     labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name')
+      #     echo "Labels on PR #$PR_NUMBER: $labels"
 
-          if echo "$labels" | grep -Fxq 'skip-trivy-package'; then
-            echo "skip_trivy_package=true" >> $GITHUB_OUTPUT
-          else
-            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
-          fi
+      #     if echo "$labels" | grep -Fxq 'skip-trivy-package'; then
+      #       echo "skip_trivy_package=true" >> $GITHUB_OUTPUT
+      #     else
+      #       echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+      #     fi
       - name: "List variables"
         run: |
           export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
@@ -119,7 +121,8 @@ jobs:
       build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
-      skip_trivy_package: ${{ needs.metadata.outputs.skip_trivy_package == 'true' }}
+      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+      # skip_trivy_package: ${{ needs.metadata.outputs.skip_trivy_package == 'true' }}
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
   #    secrets: inherit

.github/workflows/stage-1-commit.yaml

@@ -23,10 +23,11 @@ on:
         description: "Python version, set by the CI/CD pipeline workflow"
         required: true
         type: string
-      skip_trivy_package:
-        description: "Skip Trivy package scan when true"
-        type: boolean
-        default: false
+      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+      # skip_trivy_package:
+      #   description: "Skip Trivy package scan when true"
+      #   type: boolean
+      #   default: false
       terraform_version:
         description: "Terraform version, set by the CI/CD pipeline workflow"
         required: true
@@ -144,41 +145,42 @@ jobs:
         uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
-  trivy-iac:
-    name: "Trivy IaC Scan"
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    needs: detect-terraform-changes
-    if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
-    permissions:
-      contents: read
-      packages: read
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Setup ASDF"
-        uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4
-      - name: "Trivy IaC Scan"
-        uses: ./.github/actions/trivy-iac
-  trivy-package:
-    if: ${{ !inputs.skip_trivy_package }}
-    name: "Trivy Package Scan"
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-      packages: read
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Setup ASDF"
-        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
-      - name: "Trivy Package Scan"
-        uses: ./.github/actions/trivy-package
+  # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+  # trivy-iac:
+  #   name: "Trivy IaC Scan"
+  #   runs-on: ubuntu-latest
+  #   timeout-minutes: 10
+  #   needs: detect-terraform-changes
+  #   if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
+  #   permissions:
+  #     contents: read
+  #     packages: read
+  #   env:
+  #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #   steps:
+  #     - name: "Checkout code"
+  #       uses: actions/checkout@v4
+  #     - name: "Setup ASDF"
+  #       uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4
+  #     - name: "Trivy IaC Scan"
+  #       uses: ./.github/actions/trivy-iac
+  # trivy-package:
+  #   if: ${{ !inputs.skip_trivy_package }}
+  #   name: "Trivy Package Scan"
+  #   runs-on: ubuntu-latest
+  #   timeout-minutes: 10
+  #   permissions:
+  #     contents: read
+  #     packages: read
+  #   env:
+  #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #   steps:
+  #     - name: "Checkout code"
+  #       uses: actions/checkout@v4
+  #     - name: "Setup ASDF"
+  #       uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
+  #     - name: "Trivy Package Scan"
+  #       uses: ./.github/actions/trivy-package
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest

.tool-versions

@@ -6,8 +6,8 @@ pre-commit 3.6.0
 python 3.14.0
 terraform 1.10.1
 terraform-docs 0.19.0
-trivy 0.69.2
 vale 3.6.0
+# trivy 0.61.0 - TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
 # ==============================================================================
 # The section below is reserved for Docker image versions.
 

infrastructure/terraform/components/dl/cloudwatch_event_bus.tf

@@ -27,3 +27,36 @@ resource "aws_cloudwatch_log_delivery_source" "main_trace_logs" {
   log_type     = "TRACE_LOGS"
   resource_arn = aws_cloudwatch_event_bus.main.arn
 }
+
+data "aws_iam_policy_document" "main_event_bus_document" {
+  statement {
+    sid    = "AllowCrossDomainEventBridgeToPutEvent"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.shared_infra_account_id}:root"]
+    }
+
+    actions = [
+      "events:PutEvents",
+    ]
+
+    resources = [
+      aws_cloudwatch_event_bus.main.arn,
+    ]
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values = [
+        "arn:aws:events:${var.region}:${var.shared_infra_account_id}:rule/*-data-plane*"
+      ]
+    }
+  }
+}
+
+resource "aws_cloudwatch_event_bus_policy" "main_event_bus_policy" {
+  policy         = data.aws_iam_policy_document.main_event_bus_document.json
+  event_bus_name = aws_cloudwatch_event_bus.main.name
+}

package-lock.json

@@ -118,9 +118,10 @@ terraform-validate-all: # Validate all Terraform components @Quality
 		fi; \
 	done
 
-terraform-sec: # Run Trivy IaC security scanning on Terraform code @Quality
-	# Example: make terraform-sec
-	./scripts/terraform/trivy-scan.sh --mode iac infrastructure/terraform
+# TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# terraform-sec: # Run Trivy IaC security scanning on Terraform code @Quality
+# 	# Example: make terraform-sec
+# 	./scripts/terraform/trivy-scan.sh --mode iac infrastructure/terraform
 
 terraform-docs: # Generate Terraform documentation - optional: component=[specific component, or all if omitted] @Quality
 	# Example: make terraform-docs component=mycomp
@@ -168,6 +169,6 @@ ${VERBOSE}.SILENT: \
 	terraform-output \
 	terraform-plan \
 	terraform-plan-destroy \
-	terraform-sec \
+#   terraform-sec \
 	terraform-validate \
 	terraform-validate-all \

scripts/terraform/terraform.mk

@@ -131,24 +131,12 @@ export async function handleCli(args: string[]): Promise<CliResult> {
   }
 }
 
-// Execute CLI if this module is run directly
-// Note: This uses eval to prevent Jest/CommonJS from parsing import.meta
 // istanbul ignore next - CLI entry point, difficult to test in Jest
-// @ts-ignore
-try {
-  const importMeta = eval('import.meta');
-  if (importMeta && importMeta.url === `file://${process.argv[1]}`) {
-    handleCli(process.argv.slice(2)).then((result) => {
-      process.exit(result.exitCode);
-    }).catch((err) => {
-      console.error('Unexpected error:', err);
-      process.exit(1);
-    });
-  }
-} catch {
-  // Intentionally ignoring exception: import.meta not available in CommonJS/Jest environments.
-  // This is expected when the module is imported rather than executed directly.
-  if (process.env.DEBUG) {
-    console.debug('Module loaded in CommonJS/Jest environment (import.meta not available)');
-  }
+if (process.argv[1]?.endsWith('generate-docs-cli.ts')) {
+  handleCli(process.argv.slice(2)).then((result) => {
+    process.exit(result.exitCode);
+  }).catch((err) => {
+    console.error('Unexpected error:', err);
+    process.exit(1);
+  });
 }