[CES-155] Updated static_analysis.yaml with new action and pre-commit…

… updated (#1225)

.github/workflows/static_analysis.yml

@@ -14,93 +14,10 @@ on:
 
 jobs:
   static_analysis:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: init_terraform_folders
-        run: |
-          pids=()
-
-          # map value with path to domain root and path to config entry point
-          declare -A newmap
-
-          newmap[src/aks-platform]="."
-          newmap[src/domains/cgn]="./prod"
-          newmap[src/domains/selfcare]="./prod/westeurope"
-          newmap[src/domains/citizen-auth-app]="."
-          newmap[src/domains/citizen-auth-common]="."
-          newmap[src/domains/ioweb-app]="."
-          newmap[src/domains/ioweb-common]="."
-          newmap[src/domains/elk]="."
-          newmap[src/domains/messages-app]="."
-          newmap[src/domains/messages-common]="."
-          newmap[src/domains/payments-app]="."
-          newmap[src/domains/payments-common]="."
-          newmap[src/domains/profile-app]="."
-          newmap[src/domains/profile-common]="."
-          newmap[src/domains/functions]="."
-          newmap[src/github-runner]="."
-          newmap[src/packer]="."
-
-          TAG=$(cat .terraform-version)
-
-          docker pull hashicorp/terraform:$TAG
-
-          for f in "${!newmap[@]}"; do
-            pushd "$f"
-            # get the folder name of the current module
-            module_path=$(basename "$f")
-
-            # replace '.' with empty string
-            relativePath="${newmap[$f]//./}"
-
-            if [[ -f "99_main.tf" ]]; then
-              sed -i -e 's/  backend "azurerm" {}//g' 99_main.tf # use local backend
-            elif [[ -f "main.tf" ]]; then
-              sed -i -e 's/  backend "azurerm" {}//g' main.tf # use local backend
-            elif [[ -f "$(pwd)/$relativePath/main.tf" ]]; then
-              sed -i -e '/backend "azurerm" {/,/}/d' $(pwd)/$relativePath/main.tf # use local backend
-
-              # explaination: https://github.com/pagopa/io-infra/pull/906
-
-              # pushd "_modules"
-              # modules=$(find . -type d)
-
-              # for module in modules; do
-              #   folder_name=$(basename "$folder")
-              #   echo "DEBUG - run docker in folder: $folder_name"
-              #   docker run -v $(pwd):/tmp -w /tmp hashicorp/terraform:$TAG -chdir="./$folder_name" init &
-              #   pids+=($!)
-              # done
-              # popd
-            fi
-
-            # initialize the current module (eg selfcare) from the root level of the module (eg src/domains/)
-            # this allows the import of modules present at the same level (eg tests)
-            docker run -v $(dirname $(pwd)):/tmp -w /tmp hashicorp/terraform:$TAG -chdir="$module_path/${newmap[$f]}" init &
-            pids+=($!)
-
-            popd
-
-          done
-
-          # Wait for each specific process to terminate.
-          # Instead of this loop, a single call to 'wait' would wait for all the jobs
-          # to terminate, but it would not give us their exit status.
-          #
-          for pid in "${pids[@]}"; do
-            #
-            # Waiting on a specific PID makes the wait command return with the exit
-            # status of that process. Because of the 'set -e' setting, any exit status
-            # other than zero causes the current shell to terminate with that exit
-            # status as well.
-            #
-            wait "$pid"
-          done
-
-      - name: run_pre_commit_terraform
-        run: |
-          TAG="v1.96.1@sha256:9aea677ac51d67eb96b3bbb4cf93b16afdde5476f984e75e87888850d18146c9"
-          docker run -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a
+    uses:  pagopa/dx/.github/workflows/static_analysis.yaml@main
+    name: Terraform Validation
+    secrets: inherit
+    with:
+      terraform_version: "1.7.5"
+      pre_commit_tf_tag: "v1.96.1@sha256:9aea677ac51d67eb96b3bbb4cf93b16afdde5476f984e75e87888850d18146c9"
+      enable_modified_files_detection: false

.gitignore

@@ -42,3 +42,6 @@ __TMP
 .metals/
 __azurite_*
 /.idea
+
+**/modules/**/.terraform.lock.hcl
+**/_modules/**/.terraform.lock.hcl

.pre-commit-config.yaml

@@ -1,18 +1,40 @@
 repos:
+  - repo: https://github.com/pagopa/dx
+    rev: c7410ed50d211e756cd4bbb8152e1b275b4485b4
+    hooks:
+      - id: terraform_providers_lock_staged
+
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.0
+    rev: v1.96.1
     hooks:
+      - id: terraform_tflint
+        args:
+          - --args=--disable-rule terraform_required_version
+          - --args=--disable-rule terraform_required_providers
+          - --args=--disable-rule terraform_unused_declarations
+          - --args=--disable-rule terraform_deprecated_interpolation
+          - --args=--disable-rule terraform_deprecated_index
+          - --args=--disable-rule terraform_typed_variables
+          - --args=--disable-rule terraform_map_duplicate_keys
+          - --args=--disable-rule terraform_module_pinned_source
+          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
       - id: terraform_fmt
       - id: terraform_docs
+        name: terraform_docs on resources
         args:
-          - --args=--hide providers
-      - id: terraform_tfsec
-        args:
-          - --args=--exclude-downloaded-modules
+          - --hook-config=--create-file-if-not-exist=true
+        exclude: |
+          (?x)^(
+            src\/(?:.*\/)?(?:_?modules)\/.*
+          )$
       - id: terraform_validate
         exclude: '(\/_?modules\/.*)'
         args:
-          - --tf-init-args=-lockfile=readonly
           - --args=-json
           - --args=-no-color
           - --hook-config=--retry-once-with-cleanup=true
+      - id: terraform_trivy
+        files: ^src/
+        args:
+          - --args=--skip-dirs="**/.terraform"
+          - --args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore

.tflint.hcl

@@ -0,0 +1,18 @@
+config {
+  format = "default"
+  call_module_type = "local"
+  force = false
+  disabled_by_default = false
+}
+
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
+
+# install the plugin by running 'tflint --init'
+plugin "azurerm" {
+    enabled = true
+    version = "0.27.0"
+    source  = "github.com/terraform-linters/tflint-ruleset-azurerm"
+}

.trivyignore

@@ -0,0 +1,19 @@
+# https://avd.aquasec.com/misconfig/azure/
+
+# Github repository shouldn’t be public.
+AVD-GIT-0001
+
+# GitHub branch protection does not require signed commits.
+AVD-GIT-0004
+
+# The minimum TLS version for Storage Accounts should be TLS1_2
+AVD-AZU-0011
+
+# LOW: Secret should have an expiry date specified
+AVD-AZU-0017
+
+# LOW: Secret does not have a content-type specified
+AVD-AZU-0015
+
+# CRITICAL: Vault network ACL does not block access by default
+AVD-AZU-0013

src/aks-platform/README.md

@@ -1,5 +1,5 @@
 <!-- markdownlint-disable -->
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
@@ -10,6 +10,16 @@
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | = 2.17.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | <= 3.2.1 |
 
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.33.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.71.0 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.8.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.17.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.2.1 |
+
 ## Modules
 
 | Name | Source | Version |
@@ -95,4 +105,4 @@
 ## Outputs
 
 No outputs.
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

src/common/prod/README.md

@@ -1,11 +1,19 @@
 <!-- markdownlint-disable -->
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | <= 3.116.0 |
 
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.116.0 |
+| <a name="provider_azurerm.prod-trial"></a> [azurerm.prod-trial](#provider\_azurerm.prod-trial) | 3.116.0 |
+| <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
+
 ## Modules
 
 | Name | Source | Version |
@@ -57,4 +65,4 @@ No inputs.
 ## Outputs
 
 No outputs.
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

src/core/prod/README.md

@@ -1,11 +1,18 @@
 <!-- markdownlint-disable -->
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | <= 3.112.0 |
 
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.53.1 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.112.0 |
+
 ## Modules
 
 | Name | Source | Version |
@@ -56,4 +63,4 @@ No inputs.
 | <a name="output_key_vault"></a> [key\_vault](#output\_key\_vault) | n/a |
 | <a name="output_networking"></a> [networking](#output\_networking) | n/a |
 | <a name="output_resource_groups"></a> [resource\_groups](#output\_resource\_groups) | n/a |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

src/domains/cgn/prod/README.md

@@ -1,11 +1,15 @@
 <!-- markdownlint-disable -->
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | <= 3.92.0 |
 
+## Providers
+
+No providers.
+
 ## Modules
 
 | Name | Source | Version |
@@ -38,4 +42,4 @@ No inputs.
 | <a name="output_resource_group_cgn_be"></a> [resource\_group\_cgn\_be](#output\_resource\_group\_cgn\_be) | n/a |
 | <a name="output_storage_account_cgn"></a> [storage\_account\_cgn](#output\_storage\_account\_cgn) | n/a |
 | <a name="output_storage_account_legal_backup"></a> [storage\_account\_legal\_backup](#output\_storage\_account\_legal\_backup) | n/a |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

src/domains/citizen-auth-app/README.md

@@ -1,5 +1,5 @@
 <!-- markdownlint-disable -->
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
@@ -10,6 +10,13 @@
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | = 2.17.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | <= 3.2.1 |
 
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.33.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.116.0 |
+
 ## Modules
 
 | Name | Source | Version |
@@ -230,4 +237,4 @@
 ## Outputs
 
 No outputs.
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

src/domains/citizen-auth-common/README.md

@@ -1,5 +1,5 @@
 <!-- markdownlint-disable -->
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
@@ -8,6 +8,13 @@
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | <= 3.116.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | <= 3.2.1 |
 
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.53.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.116.0 |
+
 ## Modules
 
 | Name | Source | Version |
@@ -134,4 +141,4 @@
 ## Outputs
 
 No outputs.
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->