CCM-6633 repo tidy

Author: aidenvaines-cgi

scripts/terraform/terraform.lib.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead.
+
+set -euo pipefail
+
+# A set of Terraform functions written in Bash.
+#
+# Usage:
+#   $ source ./terraform.lib.sh
+
+# ==============================================================================
+# Common Terraform functions.
+
+# Format Terraform code.
+# Arguments (provided as environment variables):
+#   dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is '.']
+#   opts=[options to pass to the Terraform fmt command, default is '-recursive']
+function terraform-fmt() {
+  for d in "${PWD}infrastructure/"*; do
+    if [ -d "$d" ]; then
+        terraform fmt --recursive "${d}"
+    fi
+  done
+}

scripts/terraform/terraform.mk

@@ -0,0 +1,54 @@
+# This file is for you! Edit it to implement your own Terraform make targets.
+
+# ==============================================================================
+# Custom implementation - implementation of a make target should not exceed 5 lines of effective code.
+# In most cases there should be no need to modify the existing make targets.
+
+terraform-fmt: # Format Terraform files - optional: terraform_dir|dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], terraform_opts|opts=[options to pass to the Terraform fmt command, default is '-recursive'] @Quality
+	make _terraform cmd="fmt" \
+		dir=$(or ${terraform_dir}, ${dir}) \
+		opts=$(or ${terraform_opts}, ${opts})
+
+_terraform: # Terraform command wrapper - mandatory: cmd=[command to execute]; optional: dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], opts=[options to pass to the Terraform command, default is none/empty]
+	# 'TERRAFORM_STACK' is passed to the functions as environment variable
+	TERRAFORM_STACK=$(or ${TERRAFORM_STACK}, $(or ${terraform_stack}, $(or ${STACK}, ${stack})))
+	dir=$(or ${dir}, ${TERRAFORM_STACK})
+	. "scripts/terraform/terraform.lib.sh"; \
+	terraform-${cmd} # 'dir' and 'opts' are accessible by the function as environment variables, if set
+
+# ==============================================================================
+# Quality checks - please DO NOT edit this section!
+
+terraform-shellscript-lint: # Lint all Terraform module shell scripts @Quality
+	for file in $$(find scripts/terraform -type f -name "*.sh"); do
+		file=$${file} scripts/shellscript-linter.sh
+	done
+
+terraform-sec: # TFSEC check against Terraform files - optional: terraform_dir|dir=[path to a directory where the command will be executed, relative to the project's top-level directory, default is one of the module variables or the example directory, if not set], terraform_opts|opts=[options to pass to the Terraform fmt command, default is '-recursive'] @Quality
+	tfsec infrastructure/terraform \
+		--force-all-dirs \
+		--exclude-downloaded-modules \
+		--config-file scripts/config/tfsec.yml
+
+# ==============================================================================
+# Configuration - please DO NOT edit this section!
+
+terraform-install: # Install Terraform @Installation
+	make _install-dependency name="terraform"
+
+# ==============================================================================
+
+${VERBOSE}.SILENT: \
+	_terraform \
+	clean \
+	terraform-apply \
+	terraform-destroy \
+	terraform-example-clean \
+	terraform-example-destroy-aws-infrastructure \
+	terraform-example-provision-aws-infrastructure \
+	terraform-fmt \
+	terraform-init \
+	terraform-install \
+	terraform-plan \
+	terraform-shellscript-lint \
+	terraform-validate \

scripts/terraform/terraform.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead.
+
+set -euo pipefail
+
+# Terraform command wrapper. It will run the command natively if Terraform is
+# installed, otherwise it will run it in a Docker container.
+#
+# Usage:
+#   $ [options] ./terraform.sh
+#
+# Options:
+#   cmd=command             # Terraform command to execute
+#   FORCE_USE_DOCKER=true   # If set to true the command is run in a Docker container, default is 'false'
+#   VERBOSE=true            # Show all the executed commands, default is 'false'
+
+# ==============================================================================
+
+function main() {
+
+  cd "$(git rev-parse --show-toplevel)"
+
+  if command -v terraform > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+    # shellcheck disable=SC2154
+    cmd=$cmd run-terraform-natively
+  else
+    cmd=$cmd run-terraform-in-docker
+  fi
+}
+
+# Run Terraform natively.
+# Arguments (provided as environment variables):
+#   cmd=[Terraform command to execute]
+function run-terraform-natively() {
+
+  # shellcheck disable=SC2086
+  terraform $cmd
+}
+
+# Run Terraform in a Docker container.
+# Arguments (provided as environment variables):
+#   cmd=[Terraform command to execute]
+function run-terraform-in-docker() {
+
+  # shellcheck disable=SC1091
+  source ./scripts/docker/docker.lib.sh
+
+  # shellcheck disable=SC2155
+  local image=$(name=hashicorp/terraform docker-get-image-version-and-pull)
+  # shellcheck disable=SC2086
+  docker run --rm --platform linux/amd64 \
+    --volume "$PWD":/workdir \
+    --workdir /workdir \
+    "$image" \
+      $cmd
+}
+
+# ==============================================================================
+
+function is-arg-true() {
+
+  if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+# ==============================================================================
+
+is-arg-true "${VERBOSE:-false}" && set -x
+
+main "$@"
+
+exit 0

scripts/terraform/tfsec.sh

@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+
+# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/NHSDigital/nhs-notify-repository-template). Raise a PR instead.
+
+set -euo pipefail
+
+# TFSec command wrapper. It will run the command natively if TFSec is
+# installed, otherwise it will run it in a Docker container.
+# Run tfsec for security checks on Terraform code.
+#
+# Usage:
+#   $ ./tfsec.sh [directory]
+# ==============================================================================
+
+function main() {
+
+  cd "$(git rev-parse --show-toplevel)"
+
+  local dir_to_scan=${1:-.}
+
+  if command -v tfsec > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+    # shellcheck disable=SC2154
+    run-tfsec-natively "$dir_to_scan"
+  else
+    run-tfsec-in-docker "$dir_to_scan"
+  fi
+}
+
+# Run tfsec on the specified directory.
+# Arguments:
+#   $1 - Directory to scan
+function run-tfsec-natively() {
+
+  local dir_to_scan="$1"
+
+  echo "TFSec found locally, running natively"
+
+  echo "Running TFSec on directory: $dir_to_scan"
+  tfsec \
+    --concise-output \
+    --force-all-dirs \
+    --exclude-downloaded-modules \
+    --config-file scripts/config/tfsec.yaml \
+    --format text \
+    --soft-fail \
+    "$dir_to_scan"
+
+  check-tfsec-status
+}
+
+# Check the exit status of tfsec.
+function check-tfsec-status() {
+
+  if [ $? -eq 0 ]; then
+    echo "TFSec completed successfully."
+  else
+    echo "TFSec found issues."
+    exit 1
+  fi
+}
+
+function run-tfsec-in-docker() {
+
+  # shellcheck disable=SC1091
+  source ./scripts/docker/docker.lib.sh
+  local dir_to_scan="$1"
+
+  # shellcheck disable=SC2155
+  local image=$(name=aquasec/tfsec docker-get-image-version-and-pull)
+  # shellcheck disable=SC2086
+  echo "TFSec not found locally, running in Docker Container"
+  echo "Running TFSec on directory: $dir_to_scan"
+  docker run --rm --platform linux/amd64 \
+    --volume "$PWD":/workdir \
+    --workdir /workdir \
+    "$image" \
+        --concise-output \
+        --force-all-dirs \
+        --exclude-downloaded-modules \
+        --config-file scripts/config/tfsec.yaml \
+        --format text \
+        --soft-fail \
+        "$dir_to_scan"
+    check-tfsec-status
+}
+# ==============================================================================
+
+function is-arg-true() {
+
+  if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+# ==============================================================================
+
+is-arg-true "${VERBOSE:-false}" && set -x
+
+main "$@"
+
+exit 0