Add CloudFormation solution tag stack for Terraform infra

[kunanit]

Summary

Add an empty CloudFormation stack to carry the AWS solution tag for Terraform deployments, mirroring the CDK FastMainStack description. Also bump Terraform version to 0.4.0-tf.1 and update version bump playbooks to include the new stack description step.

Version

• Target FAST Release: v0.4.0
• Terraform Version: 0.4.0-tf.1

Changes [CDK parity related]

CloudFormation Solution Tag Stack

Adds an aws_cloudformation_stack resource that deploys an empty CloudFormation stack whose Description carries the AWS solution tag identifier (uksb-v6dos0t5g8), matching how CDK embeds the tag in its FastMainStack description.

CDK references

• infra-cdk/lib/fast-main-stack.ts — stack description field containing solution tag

Components

• aws_cloudformation_stack.solution_tag — Empty CloudFormation stack with a WaitConditionHandle resource, used solely to surface the solution tag in CloudFormation

Variables/Outputs:

• None

Implementation Notes:

CDK natively embeds the solution tag in its stack description. Terraform has no equivalent mechanism for associating a CloudFormation-style solution identifier with a deployment, so we create a minimal CloudFormation stack via the aws_cloudformation_stack resource. The stack contains only a WaitConditionHandle (the simplest no-op CloudFormation resource) and carries the solution tag in its Description field. The stack is named ${var.stack_name_base}-solution-tag.

Other Changes

• Bumped infra-terraform/VERSION from 0.4.0-tf.0 to 0.4.0-tf.1
• Updated docs/VERSION_BUMP_PLAYBOOK.md to include infra-terraform/main.tf stack description as a version bump step (now step 7)
• Updated infra-terraform/TF_VERSION_BUMP_PLAYBOOK.md to include the main.tf description update step and corrected the git tag format to v<VERSION-tf.X>

Testing

• Deployed and tested with test script:
• ruff lint

Documentation

• Updated docs/VERSION_BUMP_PLAYBOOK.md with new step for main.tf stack description
• Updated infra-terraform/TF_VERSION_BUMP_PLAYBOOK.md with new procedure step and corrected tag format

[github-actions]

Latest scan for commit: 8522716 | Updated: 2026-03-24 03:01:09 UTC

Security Scan Results

Scan Metadata

• Project: ASH
• Scan executed: 2026-03-24T03:00:53+00:00
• ASH version: 3.2.2

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

• Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
• Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
• High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
• Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
• Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
• Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

• Time: Duration taken by each scanner to complete its analysis
• Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

• PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
• FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
• MISSING: Scanner could not run because required dependencies/tools are not installed or available
• SKIPPED: Scanner was intentionally disabled or excluded from this scan
• ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

• CRITICAL: Only Critical severity findings cause scanner to fail
• HIGH: High and Critical severity findings cause scanner to fail
• MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
• LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
• ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

• (g) = global: Set in the global_settings section of ASH configuration
• (c) = config: Set in the individual scanner configuration section
• (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

• All statistics are calculated from the final aggregated SARIF report
• Suppressed findings are counted separately and do not contribute to actionable findings
• Scanner status is determined by comparing actionable findings to the threshold

Scanner	S	C	H	M	L	I	Time	Action	Result	Thresh
bandit	0	0	0	0	0	0	816ms	0	PASSED	MED (g)
cdk-nag	0	0	0	0	0	0	35.8s	0	PASSED	MED (g)
cfn-nag	0	0	0	0	0	0	7ms	0	PASSED	MED (g)
checkov	1	0	0	0	0	0	6.3s	0	PASSED	MED (g)
detect-secrets	0	0	0	0	0	0	160ms	0	PASSED	MED (g)
grype	0	0	0	0	0	0	39.3s	0	PASSED	MED (g)
npm-audit	0	0	0	0	0	0	293ms	0	PASSED	MED (g)
opengrep	0	0	0	0	0	0	21.7s	0	PASSED	MED (g)
semgrep	0	0	0	0	0	0	18.0s	0	PASSED	MED (g)
syft	0	0	0	0	0	0	1.6s	0	PASSED	MED (g)