Feature/CCM-6245 TFSec scanning

.github/actions/tfsec/action.yaml

@@ -0,0 +1,21 @@
+name: "TFSec Scan"
+description: "Scan HCL using TFSec"
+inputs:
+  root-modules:
+    description: "Comma separated list of root module directories to validate, content of the 'infrastructure/environments' is checked by default"
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - name: "TFSec Scan Components"
+      shell: bash
+      run: |
+        for component in $(find infrastructure/terraform/components -mindepth 1 -type d); do
+          scripts/terraform/tfsec.sh $component
+        done
+    - name: "TFSec Scan Modules"
+      shell: bash
+      run: |
+        for module in $(find infrastructure/terraform/modules -mindepth 1 -type d); do
+          scripts/terraform/tfsec.sh $module
+        done

.github/workflows/stage-1-commit.yaml

@@ -86,6 +86,15 @@ jobs:
         uses: actions/checkout@v4
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
+  tfsec:
+    name: "TFSec Scan"
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+      - name: "TFSec Scan"
+        uses: ./.github/actions/tfsec
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest

.tool-versions

@@ -4,6 +4,7 @@ terraform 1.9.1
 pre-commit 3.6.0
 nodejs 18.18.2
 gitleaks 8.18.4
+tfsec 1.28.10
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.

.vscode/settings.json

@@ -9,7 +9,6 @@
     "**/CVS": true,
     "**/Thumbs.db": true,
     ".devcontainer": true,
-    ".github": true,
     ".vscode": false
   }
 }

scripts/config/tfsec.yaml

@@ -0,0 +1 @@
+minimum_severity: MEDIUM

scripts/terraform/terraform.mk

@@ -66,6 +66,14 @@ terraform-install: # Install Terraform @Installation
 
 # ==============================================================================
 
+# ==============================================================================
+# Configuration - please DO NOT edit this section!
+
+tfsec-install: # Install Terraform @Installation
+	make _install-dependency name="tfsec"
+
+# ==============================================================================
+
 ${VERBOSE}.SILENT: \
 	_terraform \
 	clean \

scripts/terraform/tfsec.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead.
+
+set -euo pipefail
+
+# Run tfsec for security checks on Terraform code.
+#
+# Usage:
+#   $ ./tfsec.sh [directory]
+# ==============================================================================
+
+function main() {
+
+  cd "$(git rev-parse --show-toplevel)"
+
+  local dir_to_scan=${1:-.}
+  run-tfsec "$dir_to_scan"
+}
+
+# Run tfsec on the specified directory.
+# Arguments:
+#   $1 - Directory to scan
+function run-tfsec() {
+
+  local dir_to_scan="$1"
+
+  if ! command -v tfsec &> /dev/null; then
+    echo "TFSec could not be found. Please install using 'asdf install tfsec'."
+    exit 1
+  fi
+
+  echo "Running TFSec on directory: $dir_to_scan"
+  tfsec \
+    --concise-output \
+    --force-all-dirs \
+    --exclude-downloaded-modules \
+    --config-file ../config/tfsec.yaml \
+    "$dir_to_scan"
+
+  check-tfsec-status
+}
+
+# Check the exit status of tfsec.
+function check-tfsec-status() {
+
+  if [ $? -eq 0 ]; then
+    echo "TFSec completed successfully."
+  else
+    echo "TFSec found issues."
+    exit 1
+  fi
+}
+
+# ==============================================================================
+
+main "$@"
+
+exit 0