fix(ci): Pass all local pre-commit and security checks

This commit resolves all failing CI checks from the initial PR.

- Updates the cspell dictionary to recognize common IaC acronyms.
- Configures .pre-commit-config.yaml to correctly run Terraform, TFLint, and Trivy hooks.
- Updates trivyignore.yaml to manage acceptable risks for the PoC.
- Applies all automatic formatting fixes from the linting tools.
- Edited  .gitignore for Terraform-specific files (.terraform/, *.tfstate).

Author: nishkersh

.gitignore

@@ -17,6 +17,12 @@ __pycache__
 .python_history
 .python-version
 .ruff_cache
+**/.terraform/
+**/.terraform.lock.hcl
+*.tfstate
+*.tfstate.backup
+*.tfvars
+!*.tfvars.example
 .venv/
 .vscode
 *.code-workspace

.pre-commit-config.yaml

@@ -88,7 +88,7 @@ repos:
       - id: pyproject-fmt
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.92.0 
+    rev: v1.92.0
     hooks:
       - id: terraform_fmt
         files: \.tf$
@@ -98,3 +98,5 @@ repos:
         files: \.tf$
       - id: terraform_trivy
         files: \.tf$
+        args:
+          - --args=--ignorefile=../../../trivyignore.yaml

Terraform/modules/01-Network/main.tf

@@ -1,4 +1,4 @@
-#  VPC and Core Networking 
+#  VPC and Core Networking
 
 resource "aws_vpc" "main" {
   cidr_block           = var.vpc_cidr
@@ -11,6 +11,13 @@ resource "aws_vpc" "main" {
       Name = "${var.project_prefix}-${var.environment}-vpc"
     }
   )
+
+  lifecycle {
+    precondition {
+      condition     = length(var.availability_zones) == length(var.public_subnet_cidrs) && length(var.availability_zones) == length(var.private_subnet_cidrs)
+      error_message = "The number of items in availability_zones, public_subnet_cidrs, and private_subnet_cidrs lists must be equal."
+    }
+  }
 }
 
 resource "aws_internet_gateway" "main" {
@@ -24,7 +31,7 @@ resource "aws_internet_gateway" "main" {
   )
 }
 
-#  Subnets 
+#  Subnets
 
 # Deploys a public and private subnet into each specified Availability Zone.
 
@@ -57,7 +64,7 @@ resource "aws_subnet" "private" {
   )
 }
 
-#  Routing and NAT Gateway for Private Subnets 
+#  Routing and NAT Gateway for Private Subnets
 
 #  We create a SINGLE NAT Gateway and a SINGLE private route table. This is a cost
 # optimization but introduces a single-AZ egress SPOF compared to per-AZ NAT gateways.
@@ -126,15 +133,58 @@ resource "aws_route_table" "private" {
     }
   )
 }
-
 # Associate the single private route table with all private subnets.
 resource "aws_route_table_association" "private" {
   count          = length(aws_subnet.private)
   subnet_id      = aws_subnet.private[count.index].id
   route_table_id = aws_route_table.private.id
 }
 
-#  S3 Bucket for ALB Access Logs 
+# --- VPC Flow Logs ---
+# Added VPC Flow Logs to address the Trivy finding.
+
+resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
+  name              = "/aws/vpc-flow-logs/${var.project_prefix}-${var.environment}"
+  retention_in_days = 30 # Or a configurable variable
+
+  tags = merge(var.tags, { Name = "${var.project_prefix}-${var.environment}-vpc-flow-logs-lg" })
+}
+
+resource "aws_iam_role" "vpc_flow_logs" {
+  name = "${var.project_prefix}-${var.environment}-vpc-flow-logs-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "vpc-flow-logs.amazonaws.com"
+        }
+      },
+    ]
+  })
+  tags = merge(var.tags, { Name = "${var.project_prefix}-${var.environment}-vpc-flow-logs-role" })
+}
+
+resource "aws_iam_role_policy_attachment" "vpc_flow_logs" {
+  role       = aws_iam_role.vpc_flow_logs.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess" # Scoped down for production if needed
+}
+
+resource "aws_flow_log" "main" {
+  iam_role_arn    = aws_iam_role.vpc_flow_logs.arn
+  log_destination = aws_cloudwatch_log_group.vpc_flow_logs.arn
+  traffic_type    = "ALL"
+  vpc_id          = aws_vpc.main.id
+
+  tags = merge(var.tags, { Name = "${var.project_prefix}-${var.environment}-vpc-flow-log" })
+
+  depends_on = [aws_iam_role_policy_attachment.vpc_flow_logs]
+}
+
+
+#  S3 Bucket for ALB Access Logs
 
 # This data source gets the AWS Account ID for the ELB service in the current region.
 data "aws_elb_service_account" "current" {}
@@ -221,7 +271,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "alb_access_logs"
     apply_server_side_encryption_by_default {
       sse_algorithm = "AES256"
     }
-    
+
   }
 }
 
@@ -233,11 +283,11 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "s3_server_access_
     apply_server_side_encryption_by_default {
       sse_algorithm = "AES256"
     }
-    
+
   }
 }
 
-# BUCKETS LIFECYCLE POLICIES 
+# BUCKETS LIFECYCLE POLICIES
 resource "aws_s3_bucket_lifecycle_configuration" "alb_access_logs" {
   count  = var.enable_alb_access_logs ? 1 : 0
   bucket = aws_s3_bucket.alb_access_logs[0].id
@@ -341,9 +391,9 @@ data "aws_iam_policy_document" "alb_access_logs" {
 
   #  This statement denies any access to the bucket over insecure HTTP.
   statement {
-    sid       = "DenyInsecureTransport"
-    effect    = "Deny"
-    actions   = ["s3:*"]
+    sid     = "DenyInsecureTransport"
+    effect  = "Deny"
+    actions = ["s3:*"]
     resources = [
       aws_s3_bucket.alb_access_logs[0].arn,
       "${aws_s3_bucket.alb_access_logs[0].arn}/*"
@@ -389,8 +439,8 @@ data "aws_iam_policy_document" "s3_server_access_logs" {
 
   # Deny any access over insecure HTTP
   statement {
-    sid    = "DenyInsecureTransport"
-    effect = "Deny"
+    sid     = "DenyInsecureTransport"
+    effect  = "Deny"
     actions = ["s3:*"]
     resources = [
       aws_s3_bucket.s3_server_access_logs[0].arn,
@@ -430,7 +480,7 @@ resource "aws_s3_bucket_policy" "s3_server_access_logs" {
   ]
 }
 
-#  Application Load Balancer 
+#  Application Load Balancer
 
 resource "aws_security_group" "alb" {
   name        = "${var.project_prefix}-${var.environment}-alb-sg"
@@ -454,11 +504,12 @@ resource "aws_security_group" "alb" {
     description = "Allow HTTPS traffic from anywhere"
   }
 
+  # Restrict egress to within the VPC. The ALB now only talk to internal targets (like ECS), not the entire internet.
   egress {
     protocol    = "-1"
     from_port   = 0
     to_port     = 0
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = [var.vpc_cidr]
     description = "Allow all outbound traffic"
   }
 
@@ -471,11 +522,11 @@ resource "aws_security_group" "alb" {
 }
 
 resource "aws_lb" "main" {
-  name               = "${var.project_prefix}-${var.environment}-alb"
-  internal           = false
-  load_balancer_type = "application"
-  security_groups    = [aws_security_group.alb.id]
-  subnets            = aws_subnet.public[*].id
+  name                       = "${var.project_prefix}-${var.environment}-alb"
+  internal                   = false
+  load_balancer_type         = "application"
+  security_groups            = [aws_security_group.alb.id]
+  subnets                    = aws_subnet.public[*].id
   drop_invalid_header_fields = true
 
   # Deletion protection should be enabled via a variable for production.
@@ -533,4 +584,4 @@ resource "aws_lb_listener" "https" {
       status_code  = "404"
     }
   }
-}
+}

Terraform/modules/01-Network/outputs.tf

@@ -26,4 +26,4 @@ output "alb_dns_name" {
 output "alb_https_listener_arn" {
   description = "The ARN of the ALB's HTTPS listener."
   value       = aws_lb_listener.https.arn
-}
+}

Terraform/modules/01-Network/variables.tf

@@ -15,7 +15,6 @@ variable "environment" {
     error_message = "The environment must be one of: dev, staging, prod."
   }
 }
-
 variable "vpc_cidr" {
   description = "The CIDR block for the VPC."
   type        = string
@@ -31,16 +30,16 @@ variable "public_subnet_cidrs" {
   description = "A list of CIDR blocks for the public subnets. The number of CIDRs must match the number of availability_zones."
   type        = list(string)
   validation {
-  condition     = length(var.public_subnet_cidrs) > 0 && length(var.public_subnet_cidrs) == length(var.availability_zones)
-  error_message = "Provide at least one public subnet CIDR, and ensure its count matches availability_zones."
-}
+    condition     = length(var.public_subnet_cidrs) > 0
+    error_message = "Provide at least one public subnet CIDR, and ensure its count matches availability_zones."
+  }
 }
 
 variable "private_subnet_cidrs" {
   description = "A list of CIDR blocks for the private subnets. The number of CIDRs must match the number of availability_zones."
   type        = list(string)
   validation {
-    condition     = length(var.private_subnet_cidrs) > 0 && length(var.private_subnet_cidrs) == length(var.availability_zones)
+    condition     = length(var.private_subnet_cidrs) > 0
     error_message = "Provide at least one private subnet CIDR, and ensure its count matches availability_zones."
   }
 }
@@ -67,4 +66,4 @@ variable "alb_access_logs_bucket_name" {
   description = "The name of the S3 bucket to store ALB access logs. Must be globally unique. If left empty, a name will be generated."
   type        = string
   default     = ""
-}
+}

Terraform/modules/01-Network/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.14.1"
+    }
+  }
+}

trivyignore.yaml

@@ -7,3 +7,8 @@ vulnerabilities:
   - id: CVE-2025-27113  # libxml2 null dereference
   - id: CVE-2025-31115  # xz heap use-after-free
   - id: CVE-2025-6965   # sqlite integer truncation
+misconfigurations:
+  - id: AVD-AWS-0053  # AVD-AWS-0053: Ignoring because the ALB is intentionally public-facing.
+  - id: AVD-AWS-0132  # AVD-AWS-0132: Ignoring because AWS-managed keys (AES256) are acceptable for this PoC.
+  - id: AVD-AWS-0164  # AVD-AWS-0164: Ignoring because public subnets are required for the ALB and NAT Gateway.
+  - id: AVD-AWS-0017  # AVD-AWS-0017: Ignoring because default CloudWatch encryption is acceptable for this PoC.