CCM-8881: Apply synced template repo changes

Author: m-houston

.github/actions/lint-terraform/action.yaml

@@ -7,8 +7,6 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: hashicorp/setup-terraform@v3
-    - uses: asdf-vm/actions/setup@v3
     - name: "Check Terraform format"
       shell: bash
       run: |
@@ -18,5 +16,6 @@ runs:
       run: |
         stacks=${{ inputs.root-modules }}
         for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do
+          dir=$dir opts='-backend=false' make terraform-init
           dir=$dir make terraform-validate
         done

.github/actions/tfsec/action.yaml

@@ -3,8 +3,6 @@ description: "Scan HCL using TFSec"
 runs:
   using: "composite"
   steps:
-    - uses: hashicorp/setup-terraform@v3
-    - uses: asdf-vm/actions/setup@v3
     - name: "TFSec Scan - Components"
       shell: bash
       run: |

.gitignore

@@ -5,6 +5,7 @@
 *sbom*report*.json
 *vulnerabilities*report*.json
 *report*json.zip
+version.json
 .version
 
 *.code-workspace

infrastructure/terraform/bin/terraform.sh

@@ -8,7 +8,7 @@
 ##
 # Set Script Version
 ##
-readonly script_ver="1.8.0";
+readonly script_ver="1.8.1";
 
 ##
 # Standardised failure function
@@ -399,13 +399,16 @@ fi;
 pushd "${component_path}";
 readonly component_name=$(basename ${component_path});
 
-# Check for presence of tfenv (https://github.com/kamatama41/tfenv)
-# and a .terraform-version file. If both present, ensure required
-# version of terraform for this component is installed automagically.
-tfenv_bin="$(which tfenv 2>/dev/null)";
-if [[ -n "${tfenv_bin}" && -x "${tfenv_bin}" && -f .terraform-version ]]; then
-  ${tfenv_bin} install;
-fi;
+# install terraform
+# verify terraform version matches .tool-versions
+echo ${PWD}
+tool_version=$(grep "terraform " .tool-versions | cut -d ' ' -f 2)
+asdf plugin-add terraform && asdf install terraform "${tool_version}"
+current_version=$(terraform --version | head -n 1 | cut -d 'v' -f 2)
+
+if [ -z "${current_version}" ] || [ "${current_version}" != "${tool_version}" ]; then
+  error_and_die "Terraform version mismatch. Expected: ${tool_version}, Actual: ${current_version}"
+fi
 
 # Regardless of bootstrapping or not, we'll be using this string.
 # If bootstrapping, we will fill it with variables,
@@ -536,26 +539,24 @@ fi;
 [ -f "${dynamic_file_path}" ] && tf_var_file_paths+=("${dynamic_file_path}");
 
 # Warn on duplication
-if [ ${#tf_var_file_paths[@]} -gt 0 ]; then
-  duplicate_variables="$(cat "${tf_var_file_paths[@]}" | sed -n -e 's/\(^[a-zA-Z0-9_\-]\+\)\s*=.*$/\1/p' | sort | uniq -d)";
-  [ -n "${duplicate_variables}" ] \
-    && echo -e "
-  ###################################################################
-  # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING #
-  ###################################################################
-  The following input variables appear to be duplicated:
-
-  ${duplicate_variables}
-
-  This could lead to unexpected behaviour. Overriding of variables
-  has previously been unpredictable and is not currently supported,
-  but it may work.
-
-  Recent changes to terraform might give you useful overriding and
-  map-merging functionality, please use with caution and report back
-  on your successes & failures.
-  ###################################################################";
-fi
+duplicate_variables="$(cat "${tf_var_file_paths[@]}" | sed -n -e 's/\(^[a-zA-Z0-9_\-]\+\)\s*=.*$/\1/p' | sort | uniq -d)";
+[ -n "${duplicate_variables}" ] \
+  && echo -e "
+###################################################################
+# WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING #
+###################################################################
+The following input variables appear to be duplicated:
+
+${duplicate_variables}
+
+This could lead to unexpected behaviour. Overriding of variables
+has previously been unpredictable and is not currently supported,
+but it may work.
+
+Recent changes to terraform might give you useful overriding and
+map-merging functionality, please use with caution and report back
+on your successes & failures.
+###################################################################";
 
 # Build up the tfvars arguments for terraform command line
 for file_path in "${tf_var_file_paths[@]}"; do

scripts/config/.repository-template-sync-ignore

@@ -21,3 +21,4 @@ scripts/config/sonar-scanner.properties
 */examples/
 docs/
 infrastructure/terraform/components/
+docker/examples/

scripts/config/gitleaks.toml

@@ -1,4 +1,5 @@
 # SEE: https://github.com/gitleaks/gitleaks/#configuration
+# Do not edit this file directly as it will be overwritten by changes from the nhs-notify-repository-template on next sync
 
 [extend]
 useDefault = true # SEE: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
@@ -16,4 +17,15 @@ regexes = [
 ]
 
 [allowlist]
-paths = ['''.terraform.lock.hcl''', '''poetry.lock''', '''yarn.lock''']
+paths = [
+  '''.terraform.lock.hcl''',
+  '''poetry.lock''',
+  '''yarn.lock''',
+  '''Gemfile.lock''',
+]
+
+# Exclude Chrome version in user agent
+regexTarget = "line"
+regexes = [
+  '''Chrome/[\d.]+'''
+]

scripts/config/pre-commit.yaml

@@ -1,43 +1,62 @@
 repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0 # Use the ref you want to point at
+    hooks:
+      - id: trailing-whitespace
+      - id: detect-aws-credentials
+        args: [--allow-missing-credentials]
+      - id: check-added-large-files
+      - id: check-symlinks
+      - id: detect-private-key
+      - id: end-of-file-fixer
+        exclude: .+\.cs
+      - id: forbid-new-submodules
+      - id: mixed-line-ending
+      - id: pretty-format-json
+        args: ['--autofix']
+    # -   id: ...
   - repo: local
     hooks:
-    - id: scan-secrets
-      name: Scan secrets
-      entry: ./scripts/githooks/scan-secrets.sh
-      args: ["check=staged-changes"]
-      language: script
-      pass_filenames: false
+      - id: sort-dictionary
+        name: Sort dictionary
+        entry: ./scripts/githooks/sort-dictionary.sh
+        language: script
+        pass_filenames: false
   - repo: local
     hooks:
-    - id: check-file-format
-      name: Check file format
-      entry: ./scripts/githooks/check-file-format.sh
-      args: ["check=staged-changes"]
-      language: script
-      pass_filenames: false
+      - id: scan-secrets
+        name: Scan secrets
+        entry: /usr/bin/env check=whole-history ./scripts/githooks/scan-secrets.sh
+        language: script
+        pass_filenames: false
   - repo: local
     hooks:
-    - id: check-markdown-format
-      name: Check Markdown format
-      entry: ./scripts/githooks/check-markdown-format.sh
-      args: ["check=staged-changes"]
-      language: script
-      pass_filenames: false
+      - id: check-file-format
+        name: Check file format
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-file-format.sh
+        language: script
+        pass_filenames: false
   - repo: local
     hooks:
-    - id: check-english-usage
-      name: Check English usage
-      entry: ./scripts/githooks/check-english-usage.sh
-      args: ["check=staged-changes"]
-      language: script
-      pass_filenames: false
+      - id: check-markdown-format
+        name: Check Markdown format
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-markdown-format.sh
+        language: script
+        pass_filenames: false
   - repo: local
     hooks:
-    - id: lint-terraform
-      name: Lint Terraform
-      entry: ./scripts/githooks/check-terraform-format.sh
-      language: script
-      pass_filenames: false
+      - id: check-english-usage
+        name: Check English usage
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-english-usage.sh
+        language: script
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: lint-terraform
+        name: Lint Terraform
+        entry: ./scripts/githooks/check-terraform-format.sh
+        language: script
+        pass_filenames: false
   - repo: local
     hooks:
       - id: generate-terraform-docs

scripts/git-repo/auto-link.md

@@ -0,0 +1,11 @@
+# GitHub
+
+## Auto link Protection Rules
+
+This will create the auto link to Jira.
+
+```sh
+./auto-link.sh $reponame $PAT
+```
+
+PAT must have `administration:write`. [Create an auto link](https://docs.github.com/en/rest/repos/autolinks?apiVersion=2022-11-28#create-an-autolink-for-a-repository)

scripts/git-repo/auto-link.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+curl -L \
+  -X POST \
+  -H "Accept: application/vnd.github+json" \
+  -H "Authorization: Bearer $2" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  https://api.github.com/repos/NHSDigital/$1/autolinks \
+  -d '{"key_prefix":"CCM-","url_template":" https://nhsd-jira.digital.nhs.uk/browse/CCM-<num>","is_alphanumeric":true}'

scripts/git-repo/branch-protection.md

@@ -0,0 +1,11 @@
+# GitHub
+
+## Branch Protection Rules
+
+This will create the default branch protection rules using GitHub API.
+
+```sh
+./branch-protection.sh $reponame $PAT
+```
+
+PAT must have `administration:write`. [Create a repository rule set](https://docs.github.com/en/rest/repos/rules?apiVersion=2022-11-28#create-a-repository-ruleset)