Merge branch 'main' into feature/CCM-8744_prevent-concurrent-sessions

Author: harrim91

.github/actions/lint-terraform/action.yaml

@@ -7,8 +7,6 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: hashicorp/setup-terraform@v3
-    - uses: asdf-vm/actions/setup@v3
     - name: "Check Terraform format"
       shell: bash
       run: |
@@ -18,5 +16,6 @@ runs:
       run: |
         stacks=${{ inputs.root-modules }}
         for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do
+          dir=$dir opts='-backend=false' make terraform-init
           dir=$dir make terraform-validate
         done

.github/actions/tfsec/action.yaml

@@ -3,8 +3,6 @@ description: "Scan HCL using TFSec"
 runs:
   using: "composite"
   steps:
-    - uses: hashicorp/setup-terraform@v3
-    - uses: asdf-vm/actions/setup@v3
     - name: "TFSec Scan - Components"
       shell: bash
       run: |

.github/workflows/scheduled-repository-template-sync.yaml

@@ -27,7 +27,7 @@ jobs:
 
     - name: Run syncronisation script
       run: |
-        ./scripts/githooks/sync-template-repo.sh
+        ./nhs-notify-repository-template/scripts/githooks/sync-template-repo.sh
         rm -Rf ./nhs-notify-repository-template
 
     - name: Create Pull Request

.gitignore

@@ -5,6 +5,7 @@
 *sbom*report*.json
 *vulnerabilities*report*.json
 *report*json.zip
+version.json
 .version
 
 *.code-workspace

.gitleaksignore

@@ -3,3 +3,5 @@
 cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37
 87312c6a627a7b0420956d49187fd15b130df170:src/__tests__/components/molecules/LoginStatus.test.tsx:jwt:23
 37ca9f5670f4cd7d91869845ca27defbe6156bb9:src/__tests__/components/molecules/LoginStatus.test.tsx:jwt:23
+b19d88d1d92b0530f065feefcf25d8cdd82a876a:tests/test-team/auth/user.json:jwt:15
+b19d88d1d92b0530f065feefcf25d8cdd82a876a:tests/test-team/auth/user.json:jwt:25

.tool-versions

@@ -1,5 +1,5 @@
 act 0.2.64
-gitleaks 8.18.4
+gitleaks 8.24.0
 pre-commit 3.6.0
 terraform 1.9.2
 terraform-docs 0.19.0
@@ -13,7 +13,7 @@ nodejs 20.18.2
 # TODO: Move this section - consider using a different file for the repository template dependencies.
 # docker/ghcr.io/anchore/grype v0.69.1@sha256:d41fcb371d0af59f311e72123dff46900ebd6d0482391b5a830853ee4f9d1a76 # SEE: https://github.com/anchore/grype/pkgs/container/grype
 # docker/ghcr.io/anchore/syft v0.92.0@sha256:63c60f0a21efb13e80aa1359ab243e49213b6cc2d7e0f8179da38e6913b997e0 # SEE: https://github.com/anchore/syft/pkgs/container/syft
-# docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
+# docker/ghcr.io/gitleaks/gitleaks v8.24.0@sha256:2bcceac45179b3a91bff11a824d0fb952585b429e54fc928728b1d4d5c3e5176 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
 # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
 # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc
 # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image

infrastructure/terraform/bin/terraform.sh

@@ -8,7 +8,7 @@
 ##
 # Set Script Version
 ##
-readonly script_ver="1.8.0";
+readonly script_ver="1.8.1";
 
 ##
 # Standardised failure function
@@ -399,13 +399,16 @@ fi;
 pushd "${component_path}";
 readonly component_name=$(basename ${component_path});
 
-# Check for presence of tfenv (https://github.com/kamatama41/tfenv)
-# and a .terraform-version file. If both present, ensure required
-# version of terraform for this component is installed automagically.
-tfenv_bin="$(which tfenv 2>/dev/null)";
-if [[ -n "${tfenv_bin}" && -x "${tfenv_bin}" && -f .terraform-version ]]; then
-  ${tfenv_bin} install;
-fi;
+# install terraform
+# verify terraform version matches .tool-versions
+echo ${PWD}
+tool_version=$(grep "terraform " .tool-versions | cut -d ' ' -f 2)
+asdf plugin-add terraform && asdf install terraform "${tool_version}"
+current_version=$(terraform --version | head -n 1 | cut -d 'v' -f 2)
+
+if [ -z "${current_version}" ] || [ "${current_version}" != "${tool_version}" ]; then
+  error_and_die "Terraform version mismatch. Expected: ${tool_version}, Actual: ${current_version}"
+fi
 
 # Regardless of bootstrapping or not, we'll be using this string.
 # If bootstrapping, we will fill it with variables,
@@ -536,26 +539,24 @@ fi;
 [ -f "${dynamic_file_path}" ] && tf_var_file_paths+=("${dynamic_file_path}");
 
 # Warn on duplication
-if [ ${#tf_var_file_paths[@]} -gt 0 ]; then
-  duplicate_variables="$(cat "${tf_var_file_paths[@]}" | sed -n -e 's/\(^[a-zA-Z0-9_\-]\+\)\s*=.*$/\1/p' | sort | uniq -d)";
-  [ -n "${duplicate_variables}" ] \
-    && echo -e "
-  ###################################################################
-  # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING #
-  ###################################################################
-  The following input variables appear to be duplicated:
-
-  ${duplicate_variables}
-
-  This could lead to unexpected behaviour. Overriding of variables
-  has previously been unpredictable and is not currently supported,
-  but it may work.
-
-  Recent changes to terraform might give you useful overriding and
-  map-merging functionality, please use with caution and report back
-  on your successes & failures.
-  ###################################################################";
-fi
+duplicate_variables="$(cat "${tf_var_file_paths[@]}" | sed -n -e 's/\(^[a-zA-Z0-9_\-]\+\)\s*=.*$/\1/p' | sort | uniq -d)";
+[ -n "${duplicate_variables}" ] \
+  && echo -e "
+###################################################################
+# WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING #
+###################################################################
+The following input variables appear to be duplicated:
+
+${duplicate_variables}
+
+This could lead to unexpected behaviour. Overriding of variables
+has previously been unpredictable and is not currently supported,
+but it may work.
+
+Recent changes to terraform might give you useful overriding and
+map-merging functionality, please use with caution and report back
+on your successes & failures.
+###################################################################";
 
 # Build up the tfvars arguments for terraform command line
 for file_path in "${tf_var_file_paths[@]}"; do

infrastructure/terraform/components/acct/README.md

@@ -26,6 +26,7 @@
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_s3bucket_access_logs"></a> [s3bucket\_access\_logs](#module\_s3bucket\_access\_logs) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_s3bucket_backup_reports"></a> [s3bucket\_backup\_reports](#module\_s3bucket\_backup\_reports) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 ## Outputs
 

infrastructure/terraform/components/acct/module_s3bucket_access_logs.tf

@@ -0,0 +1,146 @@
+module "s3bucket_access_logs" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v1.0.8"
+
+  name = "access-logs"
+
+  aws_account_id = var.aws_account_id
+  region         = var.region
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  acl           = "private"
+  force_destroy = false
+  versioning    = true
+
+  lifecycle_rules = [
+    {
+      enabled = true
+
+      noncurrent_version_transition = [
+        {
+          noncurrent_days = "30"
+          storage_class   = "STANDARD_IA"
+        }
+      ]
+
+      noncurrent_version_expiration = {
+        noncurrent_days = "90"
+      }
+
+      abort_incomplete_multipart_upload = {
+        days = "1"
+      }
+    }
+  ]
+
+  policy_documents = [
+    data.aws_iam_policy_document.s3bucket_access_logs.json
+  ]
+
+  public_access = {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }
+
+
+  default_tags = {
+    Name = "S3 bucket access logs"
+  }
+}
+
+data "aws_iam_policy_document" "s3bucket_access_logs" {
+  statement {
+    sid    = "DontAllowNonSecureConnection"
+    effect = "Deny"
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      module.s3bucket_access_logs.arn,
+      "${module.s3bucket_access_logs.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "*",
+      ]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+
+      values = [
+        "false",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToList"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      module.s3bucket_lambda_artefacts.arn,
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToGet"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+    ]
+
+    resources = [
+      "${module.s3bucket_lambda_artefacts.arn}/*",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowS3AccessLogging"
+    effect = "Allow"
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = [
+      "${module.s3bucket_access_logs.arn}/*",
+    ]
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "logging.s3.amazonaws.com",
+      ]
+    }
+  }
+}

infrastructure/terraform/components/acct/module_s3bucket_backup_reports.tf

@@ -38,6 +38,10 @@ module "s3bucket_backup_reports" {
     data.aws_iam_policy_document.s3bucket_backup_reports.json
   ]
 
+  bucket_logging_target = {
+    bucket = module.s3bucket_access_logs.id
+  }
+
   public_access = {
     block_public_acls       = true
     block_public_policy     = true