feat: enable file scanning on Vault S3 bucket (#611)

.github/workflows/terragrunt-apply-production.yml

@@ -99,6 +99,11 @@ jobs:
         working-directory: env/cloud/s3
         run: terragrunt apply --terragrunt-non-interactive -auto-approve
 
+      # Depends on S3
+      - name: Terragrunt apply file_scanning
+        working-directory: env/cloud/file_scanning
+        run: terragrunt apply --terragrunt-non-interactive -auto-approve
+
       # Depends on kms
       - name: Terragrunt apply sns
         working-directory: env/cloud/sns

.github/workflows/terragrunt-apply-staging.yml

@@ -126,6 +126,9 @@ jobs:
             s3:
               - 'aws/s3/**'
               - 'env/cloud/s3/**'
+            file_scanning:
+              - 'aws/file_scanning/**'
+              - 'env/cloud/file_scanning/**'
             secrets:
               - 'aws/secrets/**'
               - 'env/cloud/secrets/**'
@@ -172,6 +175,12 @@ jobs:
         working-directory: env/cloud/s3
         run: terragrunt apply --terragrunt-non-interactive -auto-approve
 
+      # Depends on S3
+      - name: Terragrunt apply file_scanning
+        if: ${{ steps.filter.outputs.file_scanning == 'true' || steps.filter.outputs.common == 'true' }}
+        working-directory: env/cloud/file_scanning
+        run: terragrunt apply --terragrunt-non-interactive -auto-approve
+
       # Depends on kms
       - name: Terragrunt apply sns
         if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }}

.github/workflows/terragrunt-plan-all-staging.yml

@@ -116,6 +116,14 @@ jobs:
           comment: "false"
           terragrunt: "true"
 
+      # Depends on S3
+      - name: Terragrunt plan file_scanning
+        uses: cds-snc/terraform-plan@28d2efe5155573489fa5b5816fad20d44d1f274b # v3.0.7
+        with:
+          directory: "env/cloud/file_scanning"
+          comment: "false"
+          terragrunt: "true"
+
       # Depends on kms
       - name: Terragrunt plan sns
         uses: cds-snc/terraform-plan@28d2efe5155573489fa5b5816fad20d44d1f274b # v3.0.7

.github/workflows/terragrunt-plan-production.yml

@@ -134,6 +134,16 @@ jobs:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           terragrunt: "true"
 
+      # Depends on S3
+      - name: Terragrunt plan file_scanning
+        uses: cds-snc/terraform-plan@28d2efe5155573489fa5b5816fad20d44d1f274b # v3.0.7
+        with:
+          directory: "env/cloud/file_scanning"
+          comment-delete: "true"
+          comment-title: "Production: file_scanning"
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          terragrunt: "true"
+
       # Depends on kms
       - name: Terragrunt plan sns
         uses: cds-snc/terraform-plan@28d2efe5155573489fa5b5816fad20d44d1f274b # v3.0.7

.github/workflows/terragrunt-plan-staging.yml

@@ -130,6 +130,9 @@ jobs:
             s3:
               - 'aws/s3/**'
               - 'env/cloud/s3/**'
+            file_scanning:
+              - 'aws/file_scanning/**'
+              - 'env/cloud/file_scanning/**'
             secrets:
               - 'aws/secrets/**'
               - 'env/cloud/secrets/**'
@@ -211,6 +214,17 @@ jobs:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           terragrunt: "true"
 
+      # Depends on S3
+      - name: Terragrunt plan file_scanning
+        if: ${{ steps.filter.outputs.file_scanning == 'true' || steps.filter.outputs.common == 'true' }}
+        uses: cds-snc/terraform-plan@28d2efe5155573489fa5b5816fad20d44d1f274b # v3.0.7
+        with:
+          directory: "env/cloud/file_scanning"
+          comment-delete: "true"
+          comment-title: "Staging: file_scanning"
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          terragrunt: "true"
+
       # Depends on kms
       - name: Terragrunt plan sns
         if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }}

aws/file_scanning/vault_scan_object.tf

@@ -3,10 +3,9 @@ locals {
 }
 
 module "vault_scan_object" {
+  source = "github.com/cds-snc/terraform-modules//S3_scan_object?ref=1e2debaf58fdb65da1910f0d42efcc786ddd0722" // commit id for version 9.2.3
 
-  source = "github.com/cds-snc/terraform-modules//S3_scan_object?ref=7fc77cf456b17e320c871cc6418bd82a5cb2e28b"
-
-  s3_upload_bucket_name   = var.vault_file_storage_id
+  s3_upload_bucket_names  = [var.vault_file_storage_id]
   s3_scan_object_role_arn = "arn:aws:iam::${local.scan_files_account}:role/s3-scan-object"
   scan_files_role_arn     = "arn:aws:iam::${local.scan_files_account}:role/scan-files-api"
 

env/cloud/file_scanning/terragrunt.hcl

@@ -2,25 +2,23 @@ terraform {
   source = "../../../aws//file_scanning"
 }
 
-include {
-  path = find_in_parent_folders()
-}
-
-
 dependencies {
   paths = ["../s3"]
 }
 
 dependency "s3" {
   config_path                             = "../s3"
-  mock_outputs_merge_strategy_with_state  = "shallow"
   mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
+  mock_outputs_merge_strategy_with_state  = "shallow"
   mock_outputs = {
-    vault_file_storage_id = null
+    vault_file_storage_id = "forms-staging-vault-file-storage"
   }
 }
 
 inputs = {
   vault_file_storage_id = dependency.s3.outputs.vault_file_storage_id
 }
 
+include {
+  path = find_in_parent_folders()
+}