NHSDigital
diff --git a/‎.gitattributes‎
Lines changed: 2 additions & 1 deletion b/‎.gitattributes‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/actions/check-terraform-format/action.yaml‎
Lines changed: 0 additions & 10 deletions b/‎.github/actions/check-terraform-format/action.yaml‎
Lines changed: 0 additions & 10 deletions
diff --git a/‎.github/actions/lint-terraform/action.yaml‎
Lines changed: 20 additions & 0 deletions b/‎.github/actions/lint-terraform/action.yaml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎.github/actions/scan-secrets/action.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/scan-secrets/action.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/stage-1-commit.yaml‎
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/stage-1-commit.yaml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.tool-versions‎
Lines changed: 20 additions & 7 deletions b/‎.tool-versions‎
Lines changed: 20 additions & 7 deletions
diff --git a/‎Makefile‎
Lines changed: 7 additions & 4 deletions b/‎Makefile‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎docs/developer-guides/Bash_and_Make.md‎
Lines changed: 150 additions & 0 deletions b/‎docs/developer-guides/Bash_and_Make.md‎
Lines changed: 150 additions & 0 deletions
@@ -1,6 +1,7 @@
 scripts/docker/** linguist-vendored
 scripts/githooks/** linguist-vendored
 scripts/reports/** linguist-vendored
+scripts/terraform/** linguist-vendored
+scripts/tests/test.mk linguist-vendored
 scripts/init.mk linguist-vendored
 scripts/shellscript-linter.sh linguist-vendored
-scripts/test.mk linguist-vendored
 
@@ -0,0 +1,20 @@
+name: "Lint Terraform"
+description: "Lint Terraform"
+inputs:
+  root-modules:
+    description: "Comma separated list of root module directories to validate, content of the 'infrastructure/environments' is checked by default"
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - name: "Check Terraform format"
+      shell: bash
+      run: |
+        check_only=true scripts/githooks/check-terraform-format.sh
+    - name: "Validate Terraform"
+      shell: bash
+      run: |
+        stacks=${{ inputs.root-modules }}
+        for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do
+          dir=$dir make terraform-validate
+        done
@@ -6,5 +6,5 @@ runs:
     - name: "Scan secrets"
       shell: bash
       run: |
-        export ALL_FILES=true
+        export ALL_FILES=true # Do not change this line, as new patterns may be added or history may be rewritten
         ./scripts/githooks/scan-secrets.sh
@@ -66,15 +66,15 @@ jobs:
           fetch-depth: 0 # Full history is needed to compare branches
       - name: "Check markdown format"
         uses: ./.github/actions/check-markdown-format
-  check-terraform-format:
+  lint-terraform:
     runs-on: ubuntu-latest
     timeout-minutes: 2
-    name: "Check Terraform format"
+    name: "Lint Terraform"
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
-      - name: "Check Terraform format"
-        uses: ./.github/actions/check-terraform-format
+        uses: actions/checkout@v3
+      - name: "Lint Terraform"
+        uses: ./.github/actions/lint-terraform
   cloc-repository:
     runs-on: ubuntu-latest
     permissions:
 
@@ -1,12 +1,25 @@
-nodejs 18.16.0
-python 3.10.12
-terraform 1.5.0
+nodejs 18.17.1 # Always check AWS and Azure runtime support
+python 3.11.4 # Always check AWS and Azure runtime support
+terraform 1.5.6
 pre-commit 3.3.3
 
+# ==============================================================================
 # The section below is reserved for Docker image versions.
 
-# docker/koalaman/shellcheck latest@sha256:0b341f80c643aa5160815746421d22f189ed8d427fe66d639e8b79b15f8b5bf6
-# docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42
-
+# alpine, SEE: https://hub.docker.com/_/alpine/tags
 # docker/alpine 3.18.3@sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33
-# docker/python 3.10.12-alpine3.18@sha256:268ba060f59c005d099661a70f53c353f2acd1401ca90f81869a04600cdae6f4
+
+# nodejs, SEE: https://hub.docker.com/_/node/tags
+# docker/node 18.17.1-alpine3.18@sha256:982b5b6f07cd9241c9ebb163829067deac8eaefc57cfa8f31927f4b18943d971
+
+# python, SEE: https://hub.docker.com/_/python/tags
+# docker/python 3.11.4-alpine3.18@sha256:0135ae6442d1269379860b361760ad2cf6ab7c403d21935a8015b48d5bf78a86
+
+# terraform, SEE: https://hub.docker.com/r/hashicorp/terraform/tags
+# docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5
+
+# shellcheck, SEE: https://hub.docker.com/r/koalaman/shellcheck/tags
+# docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c
+
+# hadolint, SEE: https://hub.docker.com/r/hadolint/hadolint/tags
+# docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42
@@ -1,10 +1,11 @@
 # This file is for you! Edit it to implement your own hooks (make targets) into
 # the project as automated steps to be executed on locally and in the CD pipeline.
 
-include ./scripts/init.mk
-include ./scripts/test.mk
+include scripts/init.mk
 
-# Example targets are: dependencies, build, publish, deploy, clean, etc.
+# ==============================================================================
+
+# Example CI/CD targets are: dependencies, build, publish, deploy, clean, etc.
 
 dependencies: # Install dependencies needed to build and test the project
 	# TODO: Implement installation of your project dependencies
@@ -28,7 +29,9 @@ config:: # Configure development environment
 		python-install \
 		terraform-install
 
-.SILENT: \
+# ==============================================================================
+
+${VERBOSE}.SILENT: \
 	build \
 	clean \
 	config \
 
@@ -0,0 +1,150 @@
+# Developer Guide: Bash and Make
+
+- [Developer Guide: Bash and Make](#developer-guide-bash-and-make)
+  - [Using Make](#using-make)
+  - [Using Bash](#using-bash)
+  - [Make and Bash working together](#make-and-bash-working-together)
+  - [Conventions](#conventions)
+    - [Debugging](#debugging)
+    - [Scripts](#scripts)
+  - [TODO](#todo)
+
+## Using Make
+
+Sample make target definition:
+
+```makefile
+some-target: # Short target description - mandatory: foo=[description]; optional: baz=[description, default is 'qux']
+    # Recipe implementation...
+```
+
+Run make target from a terminal:
+
+```shell
+foo=bar make some-target # Environment variable is passed to the make target execution process
+make some-target foo=bar # Make argument is passed to the make target execution process
+```
+
+By convention we use uppercase variables for global settings that you would ordinarily associate with environment variables. We use lower-case variables as arguments to call functions or make targets, in this case.
+
+All make targets should be added to the `${VERBOSE}.SILENT:` section of the `make` file, which prevents `make` from printing commands before executing them. The `${VERBOSE}` prefix on the `.SILENT:` special target allows toggling it if needed. If you explicitly want output from a certain line, use `echo`.
+
+It is worth noting that by default, `make` creates a new system process to execute each line of a recipe. This is not the desired behaviour for us and the entire content of a make recipe (a target) should be run in a single shell invocation. This has been configured in this repository by setting the [`.ONESHELL:`](https://www.gnu.org/software/make/manual/html_node/One-Shell.html) special target in the `scripts/init.mk` file.
+
+## Using Bash
+
+When working in the command-line ensure the environment variables are reset to their initial state. This can be done by reloading shell using the `env -i $SHELL` command.
+
+Sample Bash function definition:
+
+```shell
+# Short function description
+# Arguments (provided as environment variables):
+#   foo=[description]
+#   baz=[description, default is 'qux']
+function some-shell-function() {
+    # Function implementation...
+```
+
+Run Bash function from a terminal:
+
+```shell
+source scripts/a-suite-of-shell-functions
+foo=bar some-shell-function # Environment variable is accessible by the function executed in the same operating system process
+```
+
+```shell
+source scripts/a-suite-of-shell-functions
+foo=bar
+some-shell-function # Environment variable is still accessible by the function
+```
+
+Run Bash script from a terminal, bear in mind that executing a script creates a child operating system process:
+
+```shell
+# Environment variable has to be exported to be passed to a child process, DO NOT use this pattern
+export foo=bar
+scripts/a-shell-script
+```
+
+```shell
+# or to be set in the same line before creating a new process, prefer this pattern over the previous one
+foo=bar scripts/a-shell-script
+
+# or when multiple variables are required
+foo=bar \
+baz=qux \
+  scripts/a-shell-script
+```
+
+By convention we use uppercase variables for global settings that you would ordinarily associate with environment variables. We use lower-case variables as arguments to be passed into specific functions we call, usually on the same line, right before the function name.
+
+The command `set -euo pipefail` is commonly used in the Bash scripts, to configure the behavior of the script in a way that makes it more robust and easier to debug. Here is a breakdown of each option switch:
+
+- `-e`: Ensures that the script exits immediately if any command returns a non-zero exit status.
+- `-u`: Makes the script exit if there is an attempt to use an uninitialised variable.
+- `-o pipefail`: ensures that if any command in a pipeline fails (i.e., returns a non-zero exit status), then the entire pipeline will return that non-zero status. By default, a pipeline returns the exit status of the last command.
+
+## Make and Bash working together
+
+Sample make target calling a Bash function. Notice that `baz` is going to be accessible to the function as it is executed in the same operating system process:
+
+```makefile
+some-target: # Run shell function - mandatory: foo=[description]
+  source scripts/a-suite-of-shell-function
+  baz=qux
+  some-shell-function # 'foo' and 'baz' are accessible by the function
+```
+
+Sample make target calling another make target. In this case a parameter `baz` has to be passed as a variable to the make target, which is executed in a child process:
+
+```makefile
+some-target: # Call another target - mandatory: foo=[description]
+  baz=qux \
+    make another-target # 'foo' and 'baz' are passed to the make target
+```
+
+Run it from a terminal:
+
+```shell
+foo=bar make some-target
+```
+
+## Conventions
+
+### Debugging
+
+To assist in investigating scripting issues, the `VERBOSE` variable is available for both Make and Bash scripts. If it is set to `true` or `1`, it prints all the commands that the script executes to the standard output. Here is how to use it:
+
+for Make targets
+
+```shell
+VERBOSE=1 make docker-example-build
+```
+
+for Bash scripts
+
+```shell
+VERBOSE=1 scripts/shellscript-linter.sh
+```
+
+### Scripts
+
+Most scripts provided with this repository template can utilise tools installed on your `PATH` if they are available or run them from within a Docker container. To force a script to use Docker, the `FORCE_USE_DOCKER` variable is provided. Here is an example of how to use it:
+
+```shell
+FORCE_USE_DOCKER=1 scripts/shellscript-linter.sh
+```
+
+You can combine it with the `VERBOSE` flag to see the details of the execution flow:
+
+```shell
+VERBOSE=1 FORCE_USE_DOCKER=1 scripts/shellscript-linter.sh
+```
+
+## TODO
+
+- Use of CLI tools installed and available on `$PATH`
+- Commands run in Docker containers when a CLI tool is not installed
+- Explain the concept of modules in this repository
+- Make is used as an orchestrator and tool to integrate development processes with the CI/CD pipeline