CCM-10921: Add Lambda Boilerplate

Author: jamesthompson26-nhs

.github/actions/tfsec/action.yaml .github/actions/trivy/action.yaml.github/actions/tfsec/action.yaml renamed to .github/actions/trivy/action.yaml

@@ -1,18 +1,17 @@
-name: "TFSec Scan"
-description: "Scan HCL using TFSec"
+name: "Trivy Scan"
 runs:
   using: "composite"
   steps:
-    - name: "TFSec Scan - Components"
+    - name: "Trivy Terraform IAC Scan"
       shell: bash
       run: |
         components_exit_code=0
         modules_exit_code=0
 
-        ./scripts/terraform/tfsec.sh ./infrastructure/terraform/components || components_exit_code=$?
-        ./scripts/terraform/tfsec.sh ./infrastructure/terraform/modules || modules_exit_code=$?
+        ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$?
 
         if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
-          echo "One or more TFSec scans failed."
+          echo "Trivy misconfigurations detected."
           exit 1
         fi

.github/workflows/stage-1-commit.yaml

@@ -135,8 +135,8 @@ jobs:
         uses: actions/checkout@v4
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
-  tfsec:
-    name: "TFSec Scan"
+  trivy:
+    name: "Trivy Scan"
     runs-on: ubuntu-latest
     timeout-minutes: 5
     needs: detect-terraform-changes
@@ -148,8 +148,8 @@ jobs:
         uses: asdf-vm/actions/setup@v3
       - name: "Perform Setup"
         uses: ./.github/actions/setup
-      - name: "TFSec Scan"
-        uses: ./.github/actions/tfsec
+      - name: "Trivy Scan"
+        uses: ./.github/actions/trivy
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest

.tool-versions

@@ -7,7 +7,6 @@ pre-commit 3.6.0
 python 3.13.2
 terraform 1.9.2
 terraform-docs 0.19.0
-tfsec 1.28.10
 trivy 0.61.0
 vale 3.6.0
 

infrastructure/terraform/components/examplecomponent/README.md

@@ -13,6 +13,7 @@ No requirements.
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"examplecomponent"` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
+| <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |

infrastructure/terraform/components/examplecomponent/variables.tf

@@ -56,3 +56,9 @@ variable "log_retention_in_days" {
   description = "The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite"
   default     = 0
 }
+
+variable "force_lambda_code_deploy" {
+  type        = bool
+  description = "If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development"
+  default     = false
+}

scripts/terraform/tfsec.sh scripts/terraform/trivy.shscripts/terraform/tfsec.sh renamed to scripts/terraform/trivy.sh

@@ -9,7 +9,7 @@ set -euo pipefail
 # Run tfsec for security checks on Terraform code.
 #
 # Usage:
-#   $ ./tfsec.sh [directory]
+#   $ ./trivy.sh [directory]
 # ==============================================================================
 
 function main() {
@@ -18,68 +18,63 @@ function main() {
 
   local dir_to_scan=${1:-.}
 
-  if command -v tfsec > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+  if command -v trivy > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
     # shellcheck disable=SC2154
-    run-tfsec-natively "$dir_to_scan"
+    run-trivy-natively "$dir_to_scan"
   else
-    run-tfsec-in-docker "$dir_to_scan"
+    run-trivy-in-docker "$dir_to_scan"
   fi
 }
 
-# Run tfsec on the specified directory.
+# Run trivy on the specified directory.
 # Arguments:
 #   $1 - Directory to scan
-function run-tfsec-natively() {
+function run-trivy-natively() {
 
   local dir_to_scan="$1"
 
-  echo "TFSec found locally, running natively"
+  echo "Trivy found locally, running natively"
 
-  echo "Running TFSec on directory: $dir_to_scan"
-  tfsec \
-    --force-all-dirs \
-    --exclude-downloaded-modules \
-    --config-file scripts/config/tfsec.yaml \
-    --format text \
-    "$dir_to_scan"
+  echo "Running Trivy on directory: $dir_to_scan"
+  trivy config \
+    --config scripts/config/trivy.yaml \
+    --tf-exclude-downloaded-modules \
+    "${dir_to_scan}"
 
-  check-tfsec-status
+  check-trivy-status
 }
 
 # Check the exit status of tfsec.
-function check-tfsec-status() {
+function check-trivy-status() {
 
   if [ $? -eq 0 ]; then
-    echo "TFSec completed successfully."
+    echo "Trivy completed successfully."
   else
-    echo "TFSec found issues."
+    echo "Trivy found issues."
     exit 1
   fi
 }
 
-function run-tfsec-in-docker() {
+function run-trivy-in-docker() {
 
   # shellcheck disable=SC1091
   source ./scripts/docker/docker.lib.sh
   local dir_to_scan="$1"
 
   # shellcheck disable=SC2155
-  local image=$(name=aquasec/tfsec docker-get-image-version-and-pull)
+  local image=$(name=aquasec/trivy docker-get-image-version-and-pull)
   # shellcheck disable=SC2086
-  echo "TFSec not found locally, running in Docker Container"
-  echo "Running TFSec on directory: $dir_to_scan"
+  echo "Trivy not found locally, running in Docker Container"
+  echo "Running Trivy on directory: $dir_to_scan"
   docker run --rm --platform linux/amd64 \
     --volume "$PWD":/workdir \
     --workdir /workdir \
     "$image" \
-        --concise-output \
-        --force-all-dirs \
-        --exclude-downloaded-modules \
-        --config-file scripts/config/tfsec.yaml \
-        --format text \
-        --soft-fail \
-        "$dir_to_scan"
-    check-tfsec-status
+    config \
+    --config scripts/config/trivy.yaml \
+    --tf-exclude-downloaded-modules \
+    "${dir_to_scan}"
+    check-trivy-status
 }
 # ==============================================================================