Linting, security scans and docs 🥇 (#1)

* add workflows for linting, resolve several linting issues by removing unuses variables, and pinning provider versions * update Github workflows, tflint, trivy. Update readme * update service data check
CDCgov · Nov 12, 2024 · 75bbd5b · 75bbd5b
1 parent fb8fcea
commit 75bbd5b
Show file tree

Hide file tree

Showing 10 changed files with 191 additions and 86 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -2,7 +2,7 @@
 name: Bug report
 about: Create a report to help us improve
 title: ''
-labels: ''
+labels: Streamline eCR, Cloud Enablement, aws, bug
 assignees: ''
 
 ---

diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -2,7 +2,7 @@
 name: Feature request
 about: Suggest an idea for this project
 title: ''
-labels: ''
+labels: Streamline eCR, Cloud Enablement, aws, enhancement
 assignees: ''
 
 ---

diff --git a/.github/ISSUE_TEMPLATE/maintenance.md b/.github/ISSUE_TEMPLATE/maintenance.md
@@ -2,7 +2,7 @@
 name: Maintenance
 about: Questions and requests related to organizational support and maintenance
 title: ''
-labels: ''
+labels: Streamline eCR, Cloud Enablement, aws
 assignees: ''
 
 ---

diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml
@@ -0,0 +1,46 @@
+name: Terraform Linting
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  tflint:
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout source code
+
+      - uses: actions/cache@v4
+        name: Cache plugin dir
+        with:
+          path: ~/.tflint.d/plugins
+          key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
+
+      - uses: terraform-linters/setup-tflint@v4
+        name: Setup TFLint
+        with:
+          tflint_version: v0.52.0
+
+      - name: Show version
+        run: tflint --version
+
+      - name: Init TFLint
+        run: tflint --init
+        # If rate limiting becomes an issue, setup a GitHub token and enable it as an environment variable
+        # env:
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          # GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Run TFLint
+        run: tflint -f compact
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,33 @@
+name: Terraform Security Scan
+
+on:
+  pull_request:
+  push:
+    branches: 
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run tflint
+        uses: ghcr.io/terraform-linters/tflint
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'fs'
+          scan-ref: .
+          scanners: 'vuln,secret,config'
+          ignore-unfixed: false
+          exit-code: '1'
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -0,0 +1,10 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
+
+plugin "aws" {
+    enabled = true
+    version = "0.34.0"
+    source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
diff --git a/README.md b/README.md
@@ -1,27 +1,27 @@
-# CDCgov GitHub Organization Open Source Project Template
-
-**Template for clearance: This project serves as a template to aid projects in starting up and moving through clearance procedures. To start, create a new repository and implement the required [open practices](open_practices.md), train on and agree to adhere to the organization's [rules of behavior](rules_of_behavior.md), and [send a request through the create repo form](https://forms.office.com/Pages/ResponsePage.aspx?id=aQjnnNtg_USr6NJ2cHf8j44WSiOI6uNOvdWse4I-C2NUNk43NzMwODJTRzA4NFpCUk1RRU83RTFNVi4u) using language from this template as a Guide.**
-
-**General disclaimer** This repository was created for use by CDC programs to collaborate on public health related projects in support of the [CDC mission](https://www.cdc.gov/about/organization/mission.htm).  GitHub is not hosted by the CDC, but is a third party website used by CDC and its partners to share information and collaborate on software. CDC use of GitHub does not imply an endorsement of any one particular service, product, or enterprise. 
-
-## Access Request, Repo Creation Request
-
-* [CDC GitHub Open Project Request Form](https://forms.office.com/Pages/ResponsePage.aspx?id=aQjnnNtg_USr6NJ2cHf8j44WSiOI6uNOvdWse4I-C2NUNk43NzMwODJTRzA4NFpCUk1RRU83RTFNVi4u) _[Requires a CDC Office365 login, if you do not have a CDC Office365 please ask a friend who does to submit the request on your behalf. If you're looking for access to the CDCEnt private organization, please use the [GitHub Enterprise Cloud Access Request form](https://forms.office.com/Pages/ResponsePage.aspx?id=aQjnnNtg_USr6NJ2cHf8j44WSiOI6uNOvdWse4I-C2NUQjVJVDlKS1c0SlhQSUxLNVBaOEZCNUczVS4u).]_
-
-## Related documents
-
-* [Open Practices](open_practices.md)
-* [Rules of Behavior](rules_of_behavior.md)
-* [Thanks and Acknowledgements](thanks.md)
-* [Disclaimer](DISCLAIMER.md)
-* [Contribution Notice](CONTRIBUTING.md)
-* [Code of Conduct](code-of-conduct.md)
-
-## Overview
-
-Describe the purpose of your project. Add additional sections as necessary to help collaborators and potential collaborators understand and use your project.
-  
-## Public Domain Standard Notice
+# Table of Contents
+[1. Overview](#1-overview)\
+[2. Notices](#2-notices)
+- [Table of Contents](#table-of-contents)
+- [1. Overview](#1-overview)
+- [2. Notices](#2-notices)
+  - [2.1 Public Domain Standard Notice](#21-public-domain-standard-notice)
+  - [2.2 License Standard Notice](#22-license-standard-notice)
+  - [2.3 Privacy Standard Notice](#23-privacy-standard-notice)
+  - [2.4 Contributing Standard Notice](#24-contributing-standard-notice)
+  - [2.5 Records Management Standard Notice](#25-records-management-standard-notice)
+  - [2.6 Additional Standard Notices](#26-additional-standard-notices)
+- [3. Architectural Design](#3-architectural-design)
+
+# 1. Overview
+
+The Data Integration Building Blocks (DIBBs) project is an effort to help state, local, territorial, and tribal public health departments better make sense of and utilize their data. You can read more about the project on the [main DIBBs repository](https://github.com/CDCgov/phdi/blob/main/README.md).
+
+This repository is specifically to develop an AWS "starter kit" for the DIBBs project. This will enable our jurisdictional partners to build from this repository to provision their own AWS infrastructure.
+
++ [Return to Table of Contents](#table-of-contents).
+
+# 2. Notices
+## 2.1 Public Domain Standard Notice
 This repository constitutes a work of the United States Government and is not
 subject to domestic copyright protection under 17 USC § 105. This repository is in
 the public domain within the United States, and copyright and related rights in
@@ -30,7 +30,10 @@ All contributions to this repository will be released under the CC0 dedication.
 submitting a pull request you are agreeing to comply with this waiver of
 copyright interest.
 
-## License Standard Notice
+
++ [Return to Table of Contents](#table-of-contents).
+
+## 2.2 License Standard Notice
 The repository utilizes code licensed under the terms of the Apache Software
 License and therefore is licensed under ASL v2 or later.
 
@@ -43,33 +46,47 @@ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE. See the Apache Software License for more details.
 
 You should have received a copy of the Apache Software License along with this
-program. If not, see http://www.apache.org/licenses/LICENSE-2.0.html
+program. If not, see http://www.apache.org/licenses/LICENSE-2.0.html.
 
 The source code forked from other open source projects will inherit its license.
 
-## Privacy Standard Notice
+
++ [Return to Table of Contents](#table-of-contents).
+
+## 2.3 Privacy Standard Notice
 This repository contains only non-sensitive, publicly available data and
 information. All material and community participation is covered by the
 [Disclaimer](DISCLAIMER.md)
 and [Code of Conduct](code-of-conduct.md).
 For more information about CDC's privacy policy, please visit [http://www.cdc.gov/other/privacy.html](https://www.cdc.gov/other/privacy.html).
 
-## Contributing Standard Notice
+
++ [Return to Table of Contents](#table-of-contents).
+
+## 2.4 Contributing Standard Notice
 Anyone is encouraged to contribute to the repository by [forking](https://help.github.com/articles/fork-a-repo)
-and submitting a pull request. (If you are new to GitHub, you might start with a
-[basic tutorial](https://help.github.com/articles/set-up-git).) By contributing
-to this project, you grant a world-wide, royalty-free, perpetual, irrevocable,
-non-exclusive, transferable license to all users under the terms of the
-[Apache Software License v2](http://www.apache.org/licenses/LICENSE-2.0.html) or
-later.
+and submitting a pull request. (If you are new to GitHub, you might start with a [basic tutorial](https://help.github.com/articles/set-up-git).) By contributing to this project, you grant a world-wide, royalty-free, perpetual, irrevocable, non-exclusive, transferable license to all users under the terms of the [Apache Software License v2](http://www.apache.org/licenses/LICENSE-2.0.html) or later.
 
 All comments, messages, pull requests, and other submissions received through
 CDC including this GitHub page may be subject to applicable federal law, including but not limited to the Federal Records Act, and may be archived. Learn more at [http://www.cdc.gov/other/privacy.html](http://www.cdc.gov/other/privacy.html).
 
-## Records Management Standard Notice
-This repository is not a source of government records, but is a copy to increase
-collaboration and collaborative potential. All government records will be
-published through the [CDC web site](http://www.cdc.gov).
 
-## Additional Standard Notices
++ [Return to Table of Contents](#table-of-contents).
+
+## 2.5 Records Management Standard Notice
+This repository is not a source of government records, but is a copy to increase collaboration and collaborative potential. All government records will be published through the [CDC web site](http://www.cdc.gov).
+
++ [Return to Table of Contents](#table-of-contents).
+
+## 2.6 Additional Standard Notices
 Please refer to [CDC's Template Repository](https://github.com/CDCgov/template) for more information about [contributing to this repository](https://github.com/CDCgov/template/blob/main/CONTRIBUTING.md), [public domain notices and disclaimers](https://github.com/CDCgov/template/blob/main/DISCLAIMER.md), and [code of conduct](https://github.com/CDCgov/template/blob/main/code-of-conduct.md).
+
+
++ [Return to Table of Contents](#table-of-contents).
+
+# 3. Architectural Design
+The current architectural design for dibbs-aws is as follows:
+
+![Current DIBBS Architecture as of 6-24-2024](https://github.com/CDCgov/dibbs-aws/assets/29112142/7d43d3c1-5d61-41b8-a1c3-bb4884073825)
+
++ [Return to Table of Contents](#table-of-contents).
diff --git a/_local.tf b/_local.tf
@@ -6,22 +6,21 @@ resource "random_string" "s3_viewer" {
 
 locals {
   registry_url      = var.disable_ecr == false ? "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com" : "ghcr.io/cdcgov/phdi"
-  registry_auth     = data.aws_ecr_authorization_token.this.proxy_endpoint
   registry_username = data.aws_ecr_authorization_token.this.user_name
   registry_password = data.aws_ecr_authorization_token.this.password
-  service_data = {
+  service_data = length(var.service_data) > 0 ? var.service_data : {
     ecr-viewer = {
       short_name     = "ecrv",
       fargate_cpu    = 1024,
       fargate_memory = 2048,
-      min_capacity   = 1
-      max_capacity   = 5
+      min_capacity   = 1,
+      max_capacity   = 5,
       app_image      = var.disable_ecr == false ? "${terraform.workspace}-ecr-viewer" : "ecr-viewer",
       app_version    = var.phdi_version,
       container_port = 3000,
       host_port      = 3000,
-      public         = true
-      registry_url   = local.registry_url
+      public         = true,
+      registry_url   = local.registry_url,
       env_vars = [
         {
           name  = "AWS_REGION",
@@ -61,64 +60,64 @@ locals {
       short_name     = "fhirc",
       fargate_cpu    = 1024,
       fargate_memory = 2048,
-      min_capacity   = 1
-      max_capacity   = 5
+      min_capacity   = 1,
+      max_capacity   = 5,
       app_image      = var.disable_ecr == false ? "${terraform.workspace}-fhir-converter" : "fhir-converter",
       app_version    = var.phdi_version,
       container_port = 8080,
       host_port      = 8080,
-      public         = false
-      registry_url   = local.registry_url
+      public         = false,
+      registry_url   = local.registry_url,
       env_vars       = []
     },
     ingestion = {
       short_name     = "inge",
       fargate_cpu    = 1024,
       fargate_memory = 2048,
-      min_capacity   = 1
-      max_capacity   = 5
+      min_capacity   = 1,
+      max_capacity   = 5,
       app_image      = var.disable_ecr == false ? "${terraform.workspace}-ingestion" : "ingestion",
       app_version    = var.phdi_version,
       container_port = 8080,
       host_port      = 8080,
-      public         = false
-      registry_url   = local.registry_url
+      public         = false,
+      registry_url   = local.registry_url,
       env_vars       = []
     },
     validation = {
       short_name     = "vali",
       fargate_cpu    = 1024,
       fargate_memory = 2048,
-      min_capacity   = 1
-      max_capacity   = 5
+      min_capacity   = 1,
+      max_capacity   = 5,
       app_image      = var.disable_ecr == false ? "${terraform.workspace}-validation" : "validation",
       app_version    = var.phdi_version,
       container_port = 8080,
       host_port      = 8080,
-      public         = false
-      registry_url   = local.registry_url
+      public         = false,
+      registry_url   = local.registry_url,
       env_vars       = []
     },
     trigger-code-reference = {
       short_name     = "trigcr",
       fargate_cpu    = 1024,
       fargate_memory = 2048,
-      min_capacity   = 1
-      max_capacity   = 5
+      min_capacity   = 1,
+      max_capacity   = 5,
       app_image      = var.disable_ecr == false ? "${terraform.workspace}-trigger-code-reference" : "trigger-code-reference",
       app_version    = var.phdi_version,
       container_port = 8080,
       host_port      = 8080,
-      public         = false
-      registry_url   = local.registry_url
+      public         = false,
+      registry_url   = local.registry_url,
       env_vars       = []
     },
     message-parser = {
       short_name     = "msgp",
       fargate_cpu    = 1024,
       fargate_memory = 2048,
-      min_capacity   = 1
-      max_capacity   = 5
+      min_capacity   = 1,
+      max_capacity   = 5,
       app_image      = var.disable_ecr == false ? "${terraform.workspace}-message-parser" : "message-parser",
       app_version    = var.phdi_version,
       container_port = 8080,
@@ -131,14 +130,14 @@ locals {
       short_name     = "orch",
       fargate_cpu    = 1024,
       fargate_memory = 2048,
-      min_capacity   = 1
-      max_capacity   = 5
+      min_capacity   = 1,
+      max_capacity   = 5,
       app_image      = var.disable_ecr == false ? "${terraform.workspace}-orchestration" : "orchestration",
       app_version    = var.phdi_version,
       container_port = 8080,
       host_port      = 8080,
-      public         = true
-      registry_url   = local.registry_url
+      public         = true,
+      registry_url   = local.registry_url,
       env_vars = [
         {
           name  = "OTEL_METRICS",
@@ -177,11 +176,9 @@ locals {
   }
   local_name = "${var.project}-${var.owner}-${terraform.workspace}"
 
-  # service_data                 = var.service_data == {} ? local.default_service_data : local.default_service_data
   appmesh_name                 = var.appmesh_name == "" ? local.local_name : var.appmesh_name
   cloudmap_namespace_name      = var.cloudmap_namespace_name == "" ? local.local_name : var.cloudmap_namespace_name
-  cloudmap_service_name        = var.cloudmap_service_name == "" ? local.local_name : var.cloudmap_service_name
-  ecs_alb_name                 = var.ecs_alb_name == "" ? "${local.local_name}" : var.ecs_alb_name
+  ecs_alb_name                 = var.ecs_alb_name == "" ? local.local_name : var.ecs_alb_name
   ecs_alb_tg_name              = var.ecs_alb_tg_name == "" ? local.local_name : var.ecs_alb_tg_name
   ecs_task_execution_role_name = var.ecs_task_execution_role_name == "" ? "${local.local_name}-tern" : var.ecs_task_execution_role_name
   ecs_task_role_name           = var.ecs_task_role_name == "" ? "${local.local_name}-trn" : var.ecs_task_role_name