diff --git a/.github/workflows/branch.yml b/.github/workflows/branch.yml
index 0a40df0..20c4c2e 100644
--- a/.github/workflows/branch.yml
+++ b/.github/workflows/branch.yml
@@ -104,9 +104,6 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 scan-type: config
- ignore-unfixed: true
- skip-dirs: '"**/*/.terraform"'
- exit-code: 1
 format: sarif
 output: 'trivy-results.sarif'
diff --git a/tofu/config/staging/.terraform.lock.hcl b/tofu/config/staging/.terraform.lock.hcl
index 9e91a95..fe42e27 100644
--- a/tofu/config/staging/.terraform.lock.hcl
+++ b/tofu/config/staging/.terraform.lock.hcl
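Review bot: `uses: aquasecurity/trivy-action@master` (first context line of the hunk) tracks a mutable branch, so each run executes whatever the action's default branch contains at that moment; with the `exit-code: 1` gate now removed from the step, the job's pass/fail behaviour depends on that unpinned code plus trivy locating a `trivy.yaml` in its working directory. Pin the action to a release tag or full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`, and pass the moved configuration explicitly with `trivy-config: trivy.yaml` under `with:` so the gate is not lost if the action's default config lookup or working directory changes. The step's `- name:` line and the rest of the job lie outside the hunk.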
@@ -2,19 +2,19 @@
 # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/hashicorp/aws" {
- version = "5.49.0"
- constraints = ">= 5.44.0, ~> 5.44"
+ version = "5.50.0"
+ constraints = ">= 3.29.0, >= 3.74.0, >= 5.30.0, >= 5.37.0, >= 5.44.0, ~> 5.44, >= 5.46.0"
 hashes = [
- "h1:AZ3scqlcBQlDVHe8nnUIpsE9VlcjD/uN86p9WSTPjfE=",
- "zh:322e5ff7b3a1059b74d656eb16e56e4e0c5ac892fd80593959b4a1ffe558b794",
- "zh:3a393b4b5b371dd390a1fc60d532cb0dd3bb4e092a3965f125f35e82ead704b1",
- "zh:7b42169c170ce122ecdede71af8ab229b74b27be30f731a3e682db8d4bb80cb0",
- "zh:7e2ac928ffcb4cf74eba3abb1e0b57fe3d19703a20068531c3329721dc0a4881",
- "zh:9bc1df526041b3b0b773bb435015d04bdd12ae06e93a849cf60f0db5d8679971",
- "zh:9db31718f4a1bb48633414ee960a13005d8c1f4504dbd8ec594b370f664ea94b",
- "zh:abb6afcb0e16f0e1db7e122ae185cf214d7a3000eb9b223d980aed6e7a7b5853",
- "zh:b78ebff83350ded37a7dbaf9124ce0fdf5e374eec645559cc0f8d72f2ac9327e",
- "zh:cf0c600d1157487467df4813aa5b6e7201159e95ce7849f57bffedca92641bfa",
- "zh:da8cd355307f653fb457b5e65a6bf465e1d88a36ef8388723833b3dce408d981",
+ "h1:ZN7MLKklx+LTYZvRerNw5O2qHA913Xg9eQW99uqfbI8=",
+ "zh:17345c5dee93b49009c7941b1e47bb6fe94376e2d0ffc83bfd80f75c9857e2cd",
+ "zh:2ed80ee2aa5db4fe29700e5488cd67409331a5a586102511a512c34e0f31bc38",
+ "zh:30cbf46810151a2f587bbeb4172e3534186e4cfae03d4d91a90dc4d3b304acb4",
+ "zh:449b4562b8530e2d3e7555d3ed9bc0a5a9ead1067784e86572b26b98f87a073f",
+ "zh:7a853b8ae08304c8d4e8d37a607e21d1a06e0956b3aef9e52b569dc556438d90",
+ "zh:8a6923372241b0b4aa58631e5a9487b6c8eebd456d001422f0b05f707ec29744",
+ "zh:90e1b8c7a51a97d2cae255b225f9260bf75bff72c13b791453fbed8f2d2ac729",
+ "zh:a0b4f62de237913e22387630668a79754fb23c231ea8629615722287cf5e58c5",
+ "zh:c4632d2dad5ec905f625b75b80d996047967c1d2105c11daad8cbc69972fdeda",
+ "zh:ce8866ce789f27e97b890dd8a82dea101deb66daf2e651ed387584aecc51d8b4",
 ]
 }
diff --git a/tofu/config/staging/main.tf b/tofu/config/staging/main.tf
index 87dc058..9302770 100644
--- a/tofu/config/staging/main.tf
+++ b/tofu/config/staging/main.tf
@@ -14,3 +14,49 @@ module "backend" {
 project = "illinois-getchildcare"
 environment = "staging"
 }
+
+# Create an S3 bucket and KMS key for logging.
+module "logging" {
+ source = "github.com/codeforamerica/tofu-modules/aws/logging"
+
+ project = "illinois-getchildcare"
+ environment = "staging"
+}
+
+# Create a VPC with public and private subnets. Since this is a staging
+# environment, we'll use a single NAT gateway to reduce costs.
+module "vpc" {
+ source = "github.com/codeforamerica/tofu-modules/aws/vpc"
+
+ cidr = "10.0.20.0/22"
+ project = "illinois-getchildcare"
+ environment = "staging"
+ single_nat_gateway = true
+ logging_key_id = module.logging.kms_key_arn
+
+ private_subnets = ["10.0.22.0/26", "10.0.22.64/26", "10.0.22.128/26"]
+ public_subnets = ["10.0.20.0/26", "10.0.20.64/26", "10.0.20.128/26"]
+}
+
+# Deploy the Document Transfer service to a Fargate cluster.
+module "document_transfer" {
+ source = "github.com/codeforamerica/tofu-modules/aws/fargate_service"
+
+ project = "illinois-getchildcare"
+ project_short = "il-gcc"
+ environment = "staging"
+ service = "document-transfer"
+ service_short = "doc-trans"
+ domain = "staging.document-transfer.cfa.codes"
+ vpc_id = module.vpc.vpc_id
+ private_subnets = module.vpc.private_subnets
+ public_subnets = module.vpc.public_subnets
+ logging_key_id = module.logging.kms_key_arn
+ container_port = 3000
+ force_delete = true
+}
+
+# Display commands to push the Docker image to ECR.
+output "document_transfer_docker_push" {
+ value = module.document_transfer.docker_push
+}
diff --git a/tofu/config/staging/providers.tf b/tofu/config/staging/providers.tf
index 6a6da32..50d074a 100644
--- a/tofu/config/staging/providers.tf
+++ b/tofu/config/staging/providers.tf
@@ -5,6 +5,7 @@ provider "aws" {
 tags = {
 project = "illinois-getchildcare"
 environment = "staging"
+ tofu = "true"
 }
 }
 }
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..871791c
--- /dev/null
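Review bot: Each of the three new `module` blocks sources code from `github.com/codeforamerica/tofu-modules/...` without a `?ref=` selector, so every `tofu init` fetches the head of that repository's default branch, and a later push there changes this environment's infrastructure with no change in this repo; the lockfile in this diff pins providers only, not modules. Pin each source to a tag or commit, e.g. `source = "github.com/codeforamerica/tofu-modules/aws/vpc?ref=<tag-or-commit>"`, and do the same for the `logging` and `fargate_service` sources. `force_delete = true` on the `document_transfer` module is undocumented here; a one-line comment naming which resource it allows to be destroyed together with its contents (presumably the image repository — verify against the module) would help the next reader.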
+++ b/trivy.yaml
@@ -0,0 +1,10 @@
+exit-code: 1
+misconfiguration:
+ ignore-unfixed: true
+ terraform:
+ exclude-downloaded-modules: true
+scan:
+ scanners:
+ - misconfig
+ skip-dirs:
+ - "**/*/.terraform"
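Review bot: `exclude-downloaded-modules: true` keeps the remote `tofu-modules` code out of the misconfig scan, while the staging configuration added in this diff consists only of calls into those modules; the VPC, bucket, KMS key and Fargate resources that a config scan would actually evaluate are therefore out of scope, and `exit-code: 1` can only act on the local `module` and `output` blocks. If the rendered infrastructure is meant to be checked, set `exclude-downloaded-modules: false` (or drop the key) and confirm in a run that module resources appear in the results, since `skip-dirs: "**/*/.terraform"` may also hide the module cache; if the exclusion is deliberate, add `# Remote modules are scanned in their own repository` above it so the reduced coverage is visible. Trivy documents `ignore-unfixed` as a vulnerability-scan option, so under `misconfiguration:` it is probably not read, and it has no effect on a misconfig-only scan in any case. The new file also lacks a `---` document start.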