Merge branch 'feature/CCM-8588-templates-require-proof' of https://github.com/NHSDigital/nhs-notify-web-template-management into feature/CCM-8588-templates-require-proof

Author: nicki-nhs

.github/actions/tfsec/action.yaml .github/actions/trivy/action.yaml.github/actions/tfsec/action.yaml renamed to .github/actions/trivy/action.yaml

@@ -1,18 +1,17 @@
-name: "TFSec Scan"
-description: "Scan HCL using TFSec"
+name: "Trivy Scan"
 runs:
   using: "composite"
   steps:
-    - name: "TFSec Scan - Components"
+    - name: "Trivy Terraform IAC Scan"
       shell: bash
       run: |
         components_exit_code=0
         modules_exit_code=0
 
-        ./scripts/terraform/tfsec.sh ./infrastructure/terraform/components || components_exit_code=$?
-        ./scripts/terraform/tfsec.sh ./infrastructure/terraform/modules || modules_exit_code=$?
+        ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$?
 
         if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
-          echo "One or more TFSec scans failed."
+          echo "Trivy misconfigurations detected."
           exit 1
         fi

.github/workflows/stage-1-commit.yaml

@@ -135,8 +135,8 @@ jobs:
         uses: actions/checkout@v4
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
-  tfsec:
-    name: "TFSec Scan"
+  trivy:
+    name: "Trivy Scan"
     runs-on: ubuntu-latest
     timeout-minutes: 5
     needs: detect-terraform-changes
@@ -148,8 +148,8 @@ jobs:
         uses: asdf-vm/actions/setup@v3
       - name: "Perform Setup"
         uses: ./.github/actions/setup
-      - name: "TFSec Scan"
-        uses: ./.github/actions/tfsec
+      - name: "Trivy Scan"
+        uses: ./.github/actions/trivy
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest

.tool-versions

@@ -1,12 +1,12 @@
 act 0.2.64
 gitleaks 8.24.0
+jq 1.6
+nodejs 20.18.2
 pre-commit 3.6.0
 terraform 1.9.2
 terraform-docs 0.19.0
+trivy 0.61.0
 vale 3.6.0
-tfsec 1.28.10
-nodejs 20.18.2
-jq 1.6
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.

infrastructure/terraform/components/acct/README.md

@@ -44,7 +44,7 @@
 | <a name="output_github_pat_ssm_param_name"></a> [github\_pat\_ssm\_param\_name](#output\_github\_pat\_ssm\_param\_name) | n/a |
 | <a name="output_s3_buckets"></a> [s3\_buckets](#output\_s3\_buckets) | n/a |
 | <a name="output_vpc_nat_ips"></a> [vpc\_nat\_ips](#output\_vpc\_nat\_ips) | n/a |
-| <a name="output_vpc_public_subnets"></a> [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | n/a |
+| <a name="output_vpc_subnets"></a> [vpc\_subnets](#output\_vpc\_subnets) | n/a |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->

infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf

@@ -9,7 +9,7 @@ resource "aws_iam_role_policy_attachment" "github_deploy_overload" {
   policy_arn = aws_iam_policy.github_deploy_overload.arn
 }
 
-#tfsec:ignore:aws-iam-no-policy-wildcards Policy voilation expected for CI user role
+#trivy:ignore:aws-iam-no-policy-wildcards Policy voilation expected for CI user role
 data "aws_iam_policy_document" "github_deploy" {
   statement {
     effect = "Allow"

infrastructure/terraform/components/acct/outputs.tf

@@ -20,7 +20,7 @@ output "s3_buckets" {
   }
 }
 
-output "vpc_public_subnets" {
+output "vpc_subnets" {
   value = {
     public  = module.vpc.public_subnets
     private = module.vpc.private_subnets

infrastructure/terraform/components/app/iam_role_amplify.tf

@@ -46,7 +46,7 @@ data "aws_iam_policy_document" "amplify" {
       "logs:PutLogEvents",
     ]
 
-    #tfsec:ignore:aws-iam-no-policy-wildcards
+    #trivy:ignore:aws-iam-no-policy-wildcards
     resources = [
       "${aws_cloudwatch_log_group.amplify.arn}:*",
       "${aws_cloudwatch_log_group.amplify.arn}:log-stream:*",
@@ -59,7 +59,7 @@ data "aws_iam_policy_document" "amplify" {
       "logs:DescribeLogGroups",
     ]
 
-    #tfsec:ignore:aws-iam-no-policy-wildcards
+    #trivy:ignore:aws-iam-no-policy-wildcards
     resources = [
       "arn:aws:logs:${var.region}:${var.aws_account_id}:*"
     ]

infrastructure/terraform/modules/backend-api/README.md

@@ -43,6 +43,7 @@ No requirements.
 | <a name="module_lambda_delete_failed_scanned_object"></a> [lambda\_delete\_failed\_scanned\_object](#module\_lambda\_delete\_failed\_scanned\_object) | ../lambda-function | n/a |
 | <a name="module_lambda_send_letter_proof"></a> [lambda\_send\_letter\_proof](#module\_lambda\_send\_letter\_proof) | ../lambda-function | n/a |
 | <a name="module_lambda_set_file_virus_scan_status"></a> [lambda\_set\_file\_virus\_scan\_status](#module\_lambda\_set\_file\_virus\_scan\_status) | ../lambda-function | n/a |
+| <a name="module_lambda_sftp_poll"></a> [lambda\_sftp\_poll](#module\_lambda\_sftp\_poll) | ../lambda-function | n/a |
 | <a name="module_lambda_validate_letter_template_files"></a> [lambda\_validate\_letter\_template\_files](#module\_lambda\_validate\_letter\_template\_files) | ../lambda-function | n/a |
 | <a name="module_list_template_lambda"></a> [list\_template\_lambda](#module\_list\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_s3bucket_internal"></a> [s3bucket\_internal](#module\_s3bucket\_internal) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |

infrastructure/terraform/modules/backend-api/api_gateway_rest_api_main.tf

@@ -4,5 +4,5 @@ resource "aws_api_gateway_rest_api" "main" {
   description                  = "Templates API"
   disable_execute_api_endpoint = false
 
-  binary_media_types = [ "multipart/form-data" ]
+  binary_media_types = ["multipart/form-data"]
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_sftp_poll.tf

@@ -0,0 +1,27 @@
+resource "aws_cloudwatch_event_rule" "sftp_poll" {
+  for_each = var.letter_suppliers
+
+  name                = "${local.csi}-sftp-poll-${lower(each.key)}"
+  schedule_expression = "rate(1 hour)" # Runs at the top of every hour
+
+  state = each.value.enable_polling ? "ENABLED" : "DISABLED"
+}
+
+resource "aws_cloudwatch_event_target" "sftp_poll" {
+  for_each = var.letter_suppliers
+  rule     = aws_cloudwatch_event_rule.sftp_poll[each.key].name
+  arn      = module.lambda_sftp_poll.function_arn
+
+  input = jsonencode({
+    supplier : each.key
+  })
+}
+
+resource "aws_lambda_permission" "allow_cloudwatch" {
+  for_each      = var.letter_suppliers
+  statement_id  = "AllowExecutionFromCloudWatch${each.key}"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_sftp_poll.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.sftp_poll[each.key].arn
+}