[CES-155] Updated static_analysis.yaml with new action and pre-commit updated

.github/workflows/static_analysis.yml

@@ -14,93 +14,10 @@ on:
 
 jobs:
   static_analysis:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: init_terraform_folders
-        run: |
-          pids=()
-
-          # map value with path to domain root and path to config entry point
-          declare -A newmap
-
-          newmap[src/aks-platform]="."
-          newmap[src/domains/cgn]="./prod"
-          newmap[src/domains/selfcare]="./prod/westeurope"
-          newmap[src/domains/citizen-auth-app]="."
-          newmap[src/domains/citizen-auth-common]="."
-          newmap[src/domains/ioweb-app]="."
-          newmap[src/domains/ioweb-common]="."
-          newmap[src/domains/elk]="."
-          newmap[src/domains/messages-app]="."
-          newmap[src/domains/messages-common]="."
-          newmap[src/domains/payments-app]="."
-          newmap[src/domains/payments-common]="."
-          newmap[src/domains/profile-app]="."
-          newmap[src/domains/profile-common]="."
-          newmap[src/domains/functions]="."
-          newmap[src/github-runner]="."
-          newmap[src/packer]="."
-
-          TAG=$(cat .terraform-version)
-
-          docker pull hashicorp/terraform:$TAG
-
-          for f in "${!newmap[@]}"; do
-            pushd "$f"
-            # get the folder name of the current module
-            module_path=$(basename "$f")
-
-            # replace '.' with empty string
-            relativePath="${newmap[$f]//./}"
-
-            if [[ -f "99_main.tf" ]]; then
-              sed -i -e 's/  backend "azurerm" {}//g' 99_main.tf # use local backend
-            elif [[ -f "main.tf" ]]; then
-              sed -i -e 's/  backend "azurerm" {}//g' main.tf # use local backend
-            elif [[ -f "$(pwd)/$relativePath/main.tf" ]]; then
-              sed -i -e '/backend "azurerm" {/,/}/d' $(pwd)/$relativePath/main.tf # use local backend
-
-              # explaination: https://github.com/pagopa/io-infra/pull/906
-
-              # pushd "_modules"
-              # modules=$(find . -type d)
-
-              # for module in modules; do
-              #   folder_name=$(basename "$folder")
-              #   echo "DEBUG - run docker in folder: $folder_name"
-              #   docker run -v $(pwd):/tmp -w /tmp hashicorp/terraform:$TAG -chdir="./$folder_name" init &
-              #   pids+=($!)
-              # done
-              # popd
-            fi
-
-            # initialize the current module (eg selfcare) from the root level of the module (eg src/domains/)
-            # this allows the import of modules present at the same level (eg tests)
-            docker run -v $(dirname $(pwd)):/tmp -w /tmp hashicorp/terraform:$TAG -chdir="$module_path/${newmap[$f]}" init &
-            pids+=($!)
-
-            popd
-
-          done
-
-          # Wait for each specific process to terminate.
-          # Instead of this loop, a single call to 'wait' would wait for all the jobs
-          # to terminate, but it would not give us their exit status.
-          #
-          for pid in "${pids[@]}"; do
-            #
-            # Waiting on a specific PID makes the wait command return with the exit
-            # status of that process. Because of the 'set -e' setting, any exit status
-            # other than zero causes the current shell to terminate with that exit
-            # status as well.
-            #
-            wait "$pid"
-          done
-
-      - name: run_pre_commit_terraform
-        run: |
-          TAG="v1.96.1@sha256:9aea677ac51d67eb96b3bbb4cf93b16afdde5476f984e75e87888850d18146c9"
-          docker run -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a
+    uses:  pagopa/dx/.github/workflows/static_analysis.yaml@main
+    name: Terraform Validation
+    secrets: inherit
+    with:
+      terraform_version: "1.7.5"
+      pre_commit_tf_tag: "v1.96.1@sha256:9aea677ac51d67eb96b3bbb4cf93b16afdde5476f984e75e87888850d18146c9"
+      enable_modified_files_detection: false

.gitignore

@@ -42,3 +42,6 @@ __TMP
 .metals/
 __azurite_*
 /.idea
+
+# **/modules/**/.terraform.lock.hcl
+# **/_modules/**/.terraform.lock.hcl

.pre-commit-config.yaml

@@ -1,18 +1,32 @@
 repos:
+  - repo: local
+    hooks:
+      - id: terraform-providers-lock-staged
+        name: Terraform Providers Lock (on staged .terraform.lock.hcl files)
+        entry: ./.utils/terraform_lock_precommit.sh
+        language: script
+        pass_filenames: false
+        verbose: true
+
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.0
+    rev: v1.96.1
     hooks:
+      - id: terraform_tflint
+        args:
+          - --args=--disable-rule terraform_required_version
+          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
       - id: terraform_fmt
       - id: terraform_docs
+        name: terraform_docs on modules
         args:
+          # - --hook-config=--create-file-if-not-exist=true
           - --args=--hide providers
-      - id: terraform_tfsec
-        args:
-          - --args=--exclude-downloaded-modules
       - id: terraform_validate
-        exclude: '(\/_?modules\/.*)'
         args:
-          - --tf-init-args=-lockfile=readonly
           - --args=-json
           - --args=-no-color
           - --hook-config=--retry-once-with-cleanup=true
+      - id: terraform_trivy
+        args:
+          - --args=--skip-dirs="**/.terraform"
+          - --args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore

.tflint.hcl

@@ -0,0 +1,18 @@
+config {
+  format = "default"
+  call_module_type = "local"
+  force = false
+  disabled_by_default = false
+}
+
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
+
+# install the plugin by running 'tflint --init'
+plugin "azurerm" {
+    enabled = true
+    version = "0.27.0"
+    source  = "github.com/terraform-linters/tflint-ruleset-azurerm"
+}

.trivyignore

@@ -0,0 +1,10 @@
+# https://avd.aquasec.com/misconfig/azure/
+
+# Github repository shouldn’t be public.
+AVD-GIT-0001
+
+# GitHub branch protection does not require signed commits.
+AVD-GIT-0004
+
+# The minimum TLS version for Storage Accounts should be TLS1_2
+AVD-AZU-0011

.utils/terraform_lock_precommit.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Find all .terraform.lock.hcl files that have been modified or added to the staging
+staged_lock_files=$(git status --porcelain | grep '[AM][ ]*s.*.terraform.lock.hcl$' | awk '{print $2}')
+
+if [[ -z "$staged_lock_files" ]]; then
+  echo "No .terraform.lock.hcl files to process."
+  exit 0
+fi
+
+# Run terraform providers lock in each directory containing a .terraform.lock.hcl file
+for lockfile in $staged_lock_files; do
+  dir=$(dirname "$lockfile")
+
+  echo "Run terraform providers lock in: $dir"
+
+  # Go to the directory
+  cd "$dir" || exit
+
+  # Run terraform providers lock
+  terraform providers lock \
+    -platform=windows_amd64 \
+    -platform=darwin_amd64 \
+    -platform=darwin_arm64 \
+    -platform=linux_amd64
+
+  # Return to the previous directory
+  cd - > /dev/null
+done