Merge dependabot/go_modules/docs/adr/assets/ADR-003/examples/golang/go_modules-232a611e2d into dependabotCombined

github-actions[bot] · web-flow · commit 983879b9728d · 2025-02-18T14:22:08.000Z
diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml
@@ -32,7 +32,7 @@ runs:
       run: zip lines-of-code-report.json.zip lines-of-code-report.json
     - name: "Upload CLOC report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: lines-of-code-report.json.zip
         path: ./lines-of-code-report.json.zip
diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml
@@ -32,7 +32,7 @@ runs:
       run: zip sbom-repository-report.json.zip sbom-repository-report.json
     - name: "Upload SBOM report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: sbom-repository-report.json.zip
         path: ./sbom-repository-report.json.zip
@@ -47,7 +47,7 @@ runs:
       run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json
     - name: "Upload vulnerabilities report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: vulnerabilities-repository-report.json.zip
         path: ./vulnerabilities-repository-report.json.zip
diff --git a/.github/actions/tfsec/action.yaml b/.github/actions/tfsec/action.yaml
@@ -6,12 +6,13 @@ runs:
     - name: "TFSec Scan - Components"
       shell: bash
       run: |
-        for component in $(find infrastructure/terraform/components -mindepth 1 -type d); do
-          scripts/terraform/tfsec.sh $component
-        done
-    - name: "TFSec Scan - Modules"
-      shell: bash
-      run: |
-        for module in $(find infrastructure/terraform/modules -mindepth 1 -type d); do
-          scripts/terraform/tfsec.sh $module
-        done
+        components_exit_code=0
+        modules_exit_code=0
+
+        ./scripts/terraform/tfsec.sh ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/tfsec.sh ./infrastructure/terraform/modules || modules_exit_code=$?
+
+        if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+          echo "One or more TFSec scans failed."
+          exit 1
+        fi
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -59,7 +59,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        uses: actions/upload-artifact@v4
         with:
           name: SARIF file
           path: results.sarif
@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           sarif_file: results.sarif
diff --git a/docs/adr/assets/ADR-003/examples/golang/go.mod b/docs/adr/assets/ADR-003/examples/golang/go.mod
@@ -7,4 +7,4 @@ require (
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 )
 
-require golang.org/x/net v0.23.0 // indirect
+require golang.org/x/net v0.33.0 // indirect
diff --git a/docs/adr/assets/ADR-003/examples/golang/go.sum b/docs/adr/assets/ADR-003/examples/golang/go.sum
@@ -3,8 +3,8 @@ github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSM
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
diff --git a/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf b/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_policy" "github_deploy_overload" {
+  name        = "${local.csi}-github-deploy-overload"
+  description = "Overloads the github permission to perform build actions for services in this account"
+  policy      = data.aws_iam_policy_document.github_deploy.json
+}
+
+resource "aws_iam_role_policy_attachment" "github_deploy_overload" {
+  role       = local.bootstrap.iam_github_deploy_role["name"]
+  policy_arn = aws_iam_policy.github_deploy_overload.arn
+}
+
+#tfsec:ignore:aws-iam-no-policy-wildcards Policy voilation expected for CI user role
+data "aws_iam_policy_document" "github_deploy" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "grafana:*",
+    ]
+    resources = ["*"]
+  }
+}
diff --git a/infrastructure/terraform/components/acct/locals_remote_state.tf b/infrastructure/terraform/components/acct/locals_remote_state.tf
@@ -0,0 +1,21 @@
+locals {
+  bootstrap = data.terraform_remote_state.bootstrap.outputs
+}
+
+data "terraform_remote_state" "bootstrap" {
+  backend = "s3"
+
+  config = {
+    bucket = local.terraform_state_bucket
+
+    key = format(
+      "%s/%s/%s/%s/bootstrap.tfstate",
+      var.project,
+      var.aws_account_id,
+      "eu-west-2",
+      "bootstrap"
+    )
+
+    region = "eu-west-2"
+  }
+}
diff --git a/infrastructure/terraform/components/examplecomponent/locals_remote_state.tf b/infrastructure/terraform/components/examplecomponent/locals_remote_state.tf
@@ -0,0 +1,40 @@
+locals {
+  bootstrap = data.terraform_remote_state.bootstrap.outputs
+  acct      = data.terraform_remote_state.acct.outputs
+}
+
+data "terraform_remote_state" "bootstrap" {
+  backend = "s3"
+
+  config = {
+    bucket = local.terraform_state_bucket
+
+    key = format(
+      "%s/%s/%s/%s/bootstrap.tfstate",
+      var.project,
+      var.aws_account_id,
+      "eu-west-2",
+      "bootstrap"
+    )
+
+    region = "eu-west-2"
+  }
+}
+
+data "terraform_remote_state" "acct" {
+  backend = "s3"
+
+  config = {
+    bucket = local.terraform_state_bucket
+
+    key = format(
+      "%s/%s/%s/%s/acct.tfstate",
+      var.project,
+      var.aws_account_id,
+      "eu-west-2",
+      var.parent_acct_environment
+    )
+
+    region = "eu-west-2"
+  }
+}
diff --git a/infrastructure/terraform/components/examplecomponent/locals_tfscaffold.tf b/infrastructure/terraform/components/examplecomponent/locals_tfscaffold.tf
@@ -0,0 +1,44 @@
+locals {
+  terraform_state_bucket = format(
+    "%s-tfscaffold-%s-%s",
+    var.project,
+    var.aws_account_id,
+    var.region,
+  )
+
+  csi = replace(
+    format(
+      "%s-%s-%s",
+      var.project,
+      var.environment,
+      var.component,
+    ),
+    "_",
+    "",
+  )
+
+  # CSI for use in resources with a global namespace, i.e. S3 Buckets
+  csi_global = replace(
+    format(
+      "%s-%s-%s-%s-%s",
+      var.project,
+      var.aws_account_id,
+      var.region,
+      var.environment,
+      var.component,
+    ),
+    "_",
+    "",
+  )
+
+  default_tags = merge(
+    var.default_tags,
+    {
+      Project     = var.project
+      Environment = var.environment
+      Component   = var.component
+      Group       = var.group
+      Name        = local.csi
+    },
+  )
+}
diff --git a/infrastructure/terraform/components/examplecomponent/variables.tf b/infrastructure/terraform/components/examplecomponent/variables.tf
@@ -1 +1,58 @@
-# Define the variables that will be initialised in etc/{env,versions}_<region>_<environment>.tfvars...
+##
+# Basic Required Variables for tfscaffold Components
+##
+
+variable "project" {
+  type        = string
+  description = "The name of the tfscaffold project"
+}
+
+variable "environment" {
+  type        = string
+  description = "The name of the tfscaffold environment"
+}
+
+variable "aws_account_id" {
+  type        = string
+  description = "The AWS Account ID (numeric)"
+}
+
+variable "region" {
+  type        = string
+  description = "The AWS Region"
+}
+
+variable "group" {
+  type        = string
+  description = "The group variables are being inherited from (often synonmous with account short-name)"
+}
+
+##
+# tfscaffold variables specific to this component
+##
+
+# This is the only primary variable to have its value defined as
+# a default within its declaration in this file, because the variables
+# purpose is as an identifier unique to this component, rather
+# then to the environment from where all other variables come.
+variable "component" {
+  type        = string
+  description = "The variable encapsulating the name of this component"
+  default     = "examplecomponent"
+}
+
+variable "default_tags" {
+  type        = map(string)
+  description = "A map of default tags to apply to all taggable resources within the component"
+  default     = {}
+}
+
+##
+# Variables specific to the component
+##
+
+variable "log_retention_in_days" {
+  type        = number
+  description = "The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite"
+  default     = 0
+}
diff --git a/scripts/terraform/terraform.mk b/scripts/terraform/terraform.mk
@@ -61,7 +61,7 @@ terraform-sec: # TFSEC check against Terraform files - optional: terraform_dir|d
 		--exclude-downloaded-modules \
 		--tfvars-file infrastructure/terraform/etc/global.tfvars \
 		--tfvars-file infrastructure/terraform/etc/env_eu-west-2_main.tfvars \
-		--config-file scripts/config/tfsec.yml
+		--config-file scripts/config/tfsec.yaml
 
 # ==============================================================================
 # Module tests and examples - please DO NOT edit this section!
diff --git a/scripts/terraform/tfsec.sh b/scripts/terraform/tfsec.sh
@@ -37,12 +37,10 @@ function run-tfsec-natively() {
 
   echo "Running TFSec on directory: $dir_to_scan"
   tfsec \
-    --concise-output \
     --force-all-dirs \
     --exclude-downloaded-modules \
     --config-file scripts/config/tfsec.yaml \
     --format text \
-    --soft-fail \
     "$dir_to_scan"
 
   check-tfsec-status

Original file line number	Diff line number	Diff line change
`@@ -7,4 +7,4 @@ require (`
`7`	`7`	`github.com/golang-jwt/jwt v3.2.2+incompatible`
`8`	`8`	`)`
`9`	`9`
`10`		`-require golang.org/x/net v0.23.0 // indirect`
	`10`	`+require golang.org/x/net v0.33.0 // indirect`