Merge branch 'main' into dependabotCombined

Author: github-actions[bot]

.github/actions/tfsec/action.yaml

@@ -0,0 +1,15 @@
+name: "Trivy Scan"
+runs:
+  using: "composite"
+  steps:
+    - name: "Trivy Terraform IAC Scan"
+      shell: bash
+      run: |
+        modules_exit_code=0
+
+        ./scripts/terraform/trivy.sh ./infrastructure/modules || modules_exit_code=$?
+
+        if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+          echo "Trivy misconfigurations detected."
+          exit 1
+        fi

.github/actions/trivy/action.yaml

@@ -40,9 +40,9 @@ jobs:
           echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
           echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
           echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
-          echo "nodejs_version=$(grep "^nodejs " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          echo "python_version=$(grep "^python " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          echo "terraform_version=$(grep "^terraform " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "version=$(echo $version)" >> $GITHUB_OUTPUT
           echo "is_version_prerelease=$(if [[ $version == *-* ]]; then echo "true"; else echo "false"; fi)" >> $GITHUB_OUTPUT
 

.github/workflows/cicd-1-pull-request.yaml

@@ -45,9 +45,9 @@ jobs:
           echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
           echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
           echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
-          echo "nodejs_version=$(grep "^nodejs " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          echo "python_version=$(grep "^python " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          echo "terraform_version=$(grep "^terraform " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           # TODO: Get the version, but it may not be the .version file as this should come from the CI/CD Pull Request Workflow
           echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
           # echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT

.github/workflows/cicd-3-deploy.yaml

@@ -135,8 +135,8 @@ jobs:
         uses: actions/checkout@v4
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
-  tfsec:
-    name: "TFSec Scan"
+  trivy:
+    name: "Trivy Scan"
     runs-on: ubuntu-latest
     timeout-minutes: 5
     needs: detect-terraform-changes
@@ -148,8 +148,8 @@ jobs:
         uses: asdf-vm/actions/setup@v3
       - name: "Perform Setup"
         uses: ./.github/actions/setup
-      - name: "TFSec Scan"
-        uses: ./.github/actions/tfsec
+      - name: "Trivy Scan"
+        uses: ./.github/actions/trivy
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest

.github/workflows/stage-1-commit.yaml

@@ -1,12 +1,12 @@
 # This file is for you! Please, updated to the versions agreed by your team.
 
+gitleaks 8.18.4
+nodejs 18.18.2
+pre-commit 3.6.0
 terraform 1.9.2
 terraform-docs 0.19.0
-pre-commit 3.6.0
-nodejs 18.18.2
-gitleaks 8.18.4
-tfsec 1.28.10
 terraform-docs 0.19.0
+trivy 0.61.0
 vale 3.6.0
 
 

.tool-versions

@@ -24,7 +24,6 @@
 | <a name="input_environment_variables"></a> [environment\_variables](#input\_environment\_variables) | Environment variables to be used for amplify branch | `map(string)` | `{}` | no |
 | <a name="input_framework"></a> [framework](#input\_framework) | Set what framework to use | `string` | `null` | no |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
-| <a name="input_module"></a> [module](#input\_module) | The name of this module. This is a special variable, it should be set only here and never overridden. | `string` | `"kms"` | no |
 | <a name="input_name"></a> [name](#input\_name) | A unique name to distinguish this module invocation from others within the same CSI scope | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | The name of the terraformscaffold project calling the module | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |

infrastructure/modules/amp_branch/README.md

@@ -1,32 +1,18 @@
 locals {
+  module = "amp"
+
   csi = format(
-    "%s-%s-%s-%s-%s",
+    "%s-%s-%s-%s",
     var.project,
     var.environment,
     var.component,
-    var.module,
     var.name,
   )
 
-  # CSI for use in resources with an account namespace, eg IAM roles
-  csi_account = replace(
-    format(
-      "%s-%s-%s-%s-%s-%s",
-      var.project,
-      var.region,
-      var.environment,
-      var.component,
-      var.module,
-      var.name,
-    ),
-    "_",
-    "",
-  )
-
   default_tags = merge(
     var.default_tags,
     {
-      Module = var.module
+      Module = local.module
       Name   = local.csi
     },
   )

infrastructure/modules/amp_branch/locals.tf

@@ -32,16 +32,6 @@ variable "description" {
   description = "Description for the branch"
 }
 
-##
-# Module self-identification
-##
-
-variable "module" {
-  type        = string
-  description = "The name of this module. This is a special variable, it should be set only here and never overridden."
-  default     = "kms"
-}
-
 ##
 # Variable specific to the module
 ##

infrastructure/modules/amp_branch/variables.tf

@@ -62,6 +62,7 @@ No requirements.
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | Default tag map for application to all taggable resources in the module | `map(string)` | `{}` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the environment where AWS Backup is configured. | `string` | n/a | yes |
 | <a name="input_management_ci_role_arn"></a> [management\_ci\_role\_arn](#input\_management\_ci\_role\_arn) | ARN of Terraform role used to deploy to account | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | The variable encapsulating the name of this bucket | `string` | n/a | yes |
 | <a name="input_notification_kms_key"></a> [notification\_kms\_key](#input\_notification\_kms\_key) | The ARN of the bootstrap KMS key used for encryption at rest of the SNS topic. | `string` | n/a | yes |
 | <a name="input_notifications_target_email_address"></a> [notifications\_target\_email\_address](#input\_notifications\_target\_email\_address) | The email address to which backup notifications will be sent via SNS. | `string` | `""` | no |
 | <a name="input_principal_org_id"></a> [principal\_org\_id](#input\_principal\_org\_id) | The AWS Org ID (numeric) | `string` | n/a | yes |