CCM-8478 TFSecHardFail

Author: aidenvaines-cgi

.github/actions/tfsec/action.yaml

@@ -6,12 +6,13 @@ runs:
     - name: "TFSec Scan - Components"
       shell: bash
       run: |
-        for component in $(find infrastructure/terraform/components -mindepth 1 -type d); do
-          scripts/terraform/tfsec.sh $component
-        done
-    - name: "TFSec Scan - Modules"
-      shell: bash
-      run: |
-        for module in $(find infrastructure/terraform/modules -mindepth 1 -type d); do
-          scripts/terraform/tfsec.sh $module
-        done
+        components_exit_code=0
+        modules_exit_code=0
+
+        ./scripts/terraform/tfsec.sh ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/tfsec.sh ./infrastructure/terraform/modules || modules_exit_code=$?
+
+        if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+          echo "One or more TFSec scans failed."
+          exit 1
+        fi

scripts/terraform/terraform.mk

@@ -61,7 +61,7 @@ terraform-sec: # TFSEC check against Terraform files - optional: terraform_dir|d
 		--exclude-downloaded-modules \
 		--tfvars-file infrastructure/terraform/etc/global.tfvars \
 		--tfvars-file infrastructure/terraform/etc/env_eu-west-2_main.tfvars \
-		--config-file scripts/config/tfsec.yml
+		--config-file scripts/config/tfsec.yaml
 
 # ==============================================================================
 # Module tests and examples - please DO NOT edit this section!

scripts/terraform/tfsec.sh

@@ -37,12 +37,10 @@ function run-tfsec-natively() {
 
   echo "Running TFSec on directory: $dir_to_scan"
   tfsec \
-    --concise-output \
     --force-all-dirs \
     --exclude-downloaded-modules \
     --config-file scripts/config/tfsec.yaml \
     --format text \
-    --soft-fail \
     "$dir_to_scan"
 
   check-tfsec-status