diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..c6ee553 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,10 @@ +--- +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: / + schedule: + interval: daily + time: "11:00" + commit-message: + prefix: "gh-actions:" diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml index f83e11e..0346a8f 100644 --- a/.github/workflows/build-image-test.yaml +++ b/.github/workflows/build-image-test.yaml @@ -9,13 +9,13 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 - name: Get changed Dockerfile id: changed-files-specific - uses: tj-actions/changed-files@2c85495a7bb72f2734cb5181e29b2ee5e08e61f7 # v13.1 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0 with: files: | Dockerfile @@ -52,7 +52,7 @@ jobs: - name: Dive - check image for waste files if: steps.changed-files-specific.outputs.any_changed == 'true' - uses: MaxymVlasov/dive-action@0035999cae50d4ef657ac94be84f01812aa192a5 # v0.1.0 + uses: MaxymVlasov/dive-action@fafb796951b322cc4926b8a5eafda89ab9de8edf # v1.5.1 with: image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }} config-file: ${{ github.workspace }}/.github/.dive-ci.yaml diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 2d0c497..68a054f 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Set up QEMU uses: docker/setup-qemu-action@v3 diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 7a8b642..3d86d51 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -14,7 +14,7 @@ jobs: steps: # Please look up the latest version from # https://github.com/amannn/action-semantic-pull-request/releases - - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0 + - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index 1085384..96ca101 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml @@ -6,7 +6,7 @@ jobs: pre-commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - run: | git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* @@ -31,16 +31,16 @@ jobs: curl -L "$(curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest | grep -o -E -m 1 "https://.+?/hadolint-Linux-x86_64")" > hadolint \ && chmod +x hadolint && sudo mv hadolint /usr/bin/ # Need to success pre-commit fix push - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} # Skip tofu_tflint which interferes to commit pre-commit auto-fixes - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: '3.9' - name: Execute pre-commit - uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3 + uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99 env: SKIP: no-commit-to-branch,hadolint with: @@ -49,7 +49,7 @@ jobs: # Run only skipped checks - name: Execute pre-commit check that have no auto-fixes if: always() - uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3 + uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99 env: SKIP: check-added-large-files,check-merge-conflict,check-vcs-permalinks,forbid-new-submodules,no-commit-to-branch,end-of-file-fixer,trailing-whitespace,check-yaml,check-merge-conflict,check-executables-have-shebangs,check-case-conflict,mixed-line-ending,detect-aws-credentials,detect-private-key,shfmt,shellcheck with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4aa0df1..d75e4e3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,13 +18,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false fetch-depth: 0 - name: Release - uses: cycjimmy/semantic-release-action@61680d0e9b02ff86f5648ade99e01be17f0260a4 # v4.0.0 + uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 18.0.0 extra_plugins: | diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml index 32f08e7..d797c08 100644 --- a/.github/workflows/stale-actions.yaml +++ b/.github/workflows/stale-actions.yaml @@ -7,7 +7,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 + - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Staling issues and PR's diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index 0dbc918..c5c5f66 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml @@ -4,7 +4,7 @@ entry: hooks/infracost_breakdown.sh language: script require_serial: true - files: \.(tf(vars)?|hcl)$ + files: \.((tf|tofu)(vars)?|hcl)$ exclude: \.terraform\/.*$ - id: tofu_fmt @@ -12,25 +12,29 @@ description: Rewrites all OpenTofu configuration files to a canonical format. entry: hooks/tofu_fmt.sh language: script - files: (\.tf|\.tfvars)$ + files: \.(tf|tofu)(vars)?$ exclude: \.terraform\/.*$ - id: tofu_docs name: OpenTofu docs - description: Inserts input and output documentation into README.md (using terraform-docs). + description: + Inserts input and output documentation into README.md (using + terraform-docs). require_serial: true entry: hooks/tofu_docs.sh language: script - files: (\.tf|\.terraform\.lock\.hcl)$ + files: (\.(tf|tofu)|\.terraform\.lock\.hcl)$ exclude: \.terraform\/.*$ - id: tofu_docs_without_aggregate_type_defaults name: OpenTofu docs (without aggregate type defaults) - description: Inserts input and output documentation into README.md (using terraform-docs). Identical to terraform_docs. + description: + Inserts input and output documentation into README.md (using + terraform-docs). Identical to terraform_docs. require_serial: true entry: hooks/tofu_docs.sh language: script - files: (\.tf)$ + files: \.(tf|tofu)$ exclude: \.terraform\/.*$ - id: tofu_docs_replace @@ -39,7 +43,7 @@ require_serial: true entry: hooks/tofu_docs_replace.py language: python - files: (\.tf)$ + files: \.(tf|tofu)$ exclude: \.terraform\/.*$ - id: tofu_validate @@ -48,7 +52,7 @@ require_serial: true entry: hooks/tofu_validate.sh language: script - files: (\.tf|\.tfvars)$ + files: \.(tf|tofu)(vars)?$ exclude: \.terraform\/.*$ - id: tofu_providers_lock @@ -66,12 +70,13 @@ require_serial: true entry: hooks/tofu_tflint.sh language: script - files: (\.tf|\.tfvars)$ + files: \.(tf|tofu)(vars)?$ exclude: \.terraform\/.*$ - id: terragrunt_fmt name: Terragrunt fmt - description: Rewrites all Terragrunt configuration files to a canonical format. + description: + Rewrites all Terragrunt configuration files to a canonical format. entry: hooks/terragrunt_fmt.sh language: script files: (\.hcl)$ @@ -87,18 +92,20 @@ - id: tofu_tfsec name: OpenTofu validate with tfsec (deprecated, use "tofu_trivy") - description: Static analysis of OpenTofu templates to spot potential security issues. + description: + Static analysis of OpenTofu templates to spot potential security issues. require_serial: true entry: hooks/tofu_tfsec.sh - files: \.tf(vars)?$ + files: \.(tf|tofu)(vars)?$ language: script - id: tofu_trivy name: OpenTofu validate with trivy - description: Static analysis of OpenTofu templates to spot potential security issues. + description: + Static analysis of OpenTofu templates to spot potential security issues. require_serial: true entry: hooks/tofu_trivy.sh - files: \.tf(vars)?$ + files: \.(tf|tofu)(vars)?$ language: script - id: checkov @@ -118,7 +125,7 @@ entry: hooks/tofu_checkov.sh language: script always_run: false - files: \.tf$ + files: \.(tf|tofu)$ exclude: \.terraform\/.*$ require_serial: true @@ -138,7 +145,7 @@ description: Runs terrascan on OpenTofu templates. language: script entry: hooks/terrascan.sh - files: \.tf$ + files: \.(tf|tofu)$ exclude: \.terraform\/.*$ require_serial: true @@ -149,5 +156,5 @@ entry: hooks/tfupdate.sh args: - --args=terraform - files: \.tf$ + files: \.(tf|tofu)$ require_serial: true diff --git a/CHANGELOG.md b/CHANGELOG.md index e02f1ca..4c0f74a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,28 @@ All notable changes to this project will be documented in this file. +## [2.2.1](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.0...v2.2.1) (2025-06-04) + + +### Bug Fixes + +* make infracost_breakdown.sh compatible with bash 3.2 (macOS) ([df886fa](https://github.com/tofuutils/pre-commit-opentofu/commit/df886fa772e7d1eedf5603327c0cf02968e7d779)) +* Update pre-commit/action version ([#30](https://github.com/tofuutils/pre-commit-opentofu/issues/30)) ([44c7b5d](https://github.com/tofuutils/pre-commit-opentofu/commit/44c7b5dec9362d2fe7ed5e8786f4d95956791d3d)) + +# [2.2.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.1.0...v2.2.0) (2025-03-29) + + +### Features + +* make release ([e625db1](https://github.com/tofuutils/pre-commit-opentofu/commit/e625db13ec285e132f43cdf6e5aa3f3272e45451)) + +# [2.1.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.0.0...v2.1.0) (2024-10-16) + + +### Features + +* spport .tofu files ([#6](https://github.com/tofuutils/pre-commit-opentofu/issues/6)) ([e059c58](https://github.com/tofuutils/pre-commit-opentofu/commit/e059c5859bceddf1ca018f55851f6940ad51f1c2)) + # [2.0.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.4...v2.0.0) (2024-09-25) diff --git a/Dockerfile b/Dockerfile index 39255fc..1616bfd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,22 +10,22 @@ RUN apk add --no-cache \ curl=~8 && \ # Upgrade packages for be able get latest Checkov python3 -m pip install --no-cache-dir --upgrade \ - pip \ - setuptools + pip \ + setuptools ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest} -ARG TOFU_VERSION=${TOFU_VERSION:-1.6.1} +ARG TOFU_VERSION=${TOFU_VERSION:-1.9.0} # Install pre-commit RUN [ ${PRE_COMMIT_VERSION} = "latest" ] && pip3 install --no-cache-dir pre-commit \ || pip3 install --no-cache-dir pre-commit==${PRE_COMMIT_VERSION} RUN curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \ - && curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_SHA256SUMS \ - && [ $(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ') = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \ - && unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip -d /usr/bin/ \ - && rm "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" \ - && rm "tofu_${TOFU_VERSION}_SHA256SUMS" + && curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_SHA256SUMS \ + && [ $(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ') = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \ + && unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip -d /usr/bin/ \ + && rm "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" \ + && rm "tofu_${TOFU_VERSION}_SHA256SUMS" # # Install tools @@ -47,18 +47,18 @@ ARG HCLEDIT_VERSION=${HCLEDIT_VERSION:-false} # specified in step below ARG INSTALL_ALL=${INSTALL_ALL:-false} RUN if [ "$INSTALL_ALL" != "false" ]; then \ - echo "export CHECKOV_VERSION=latest" >> /.env && \ - echo "export INFRACOST_VERSION=latest" >> /.env && \ - echo "export TERRAFORM_DOCS_VERSION=latest" >> /.env && \ - echo "export TERRAGRUNT_VERSION=latest" >> /.env && \ - echo "export TERRASCAN_VERSION=latest" >> /.env && \ - echo "export TFLINT_VERSION=latest" >> /.env && \ - echo "export TFSEC_VERSION=latest" >> /.env && \ - echo "export TRIVY_VERSION=latest" >> /.env && \ - echo "export TFUPDATE_VERSION=latest" >> /.env && \ - echo "export HCLEDIT_VERSION=latest" >> /.env \ + echo "export CHECKOV_VERSION=latest" >> /.env && \ + echo "export INFRACOST_VERSION=latest" >> /.env && \ + echo "export TERRAFORM_DOCS_VERSION=latest" >> /.env && \ + echo "export TERRAGRUNT_VERSION=latest" >> /.env && \ + echo "export TERRASCAN_VERSION=latest" >> /.env && \ + echo "export TFLINT_VERSION=latest" >> /.env && \ + echo "export TFSEC_VERSION=latest" >> /.env && \ + echo "export TRIVY_VERSION=latest" >> /.env && \ + echo "export TFUPDATE_VERSION=latest" >> /.env && \ + echo "export HCLEDIT_VERSION=latest" >> /.env \ ; else \ - touch /.env \ + touch /.env \ ; fi @@ -66,10 +66,10 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \ RUN . /.env && \ if [ "$CHECKOV_VERSION" != "false" ]; then \ ( \ - apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \ - [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \ - || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \ - apk del gcc libffi-dev musl-dev \ + apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \ + [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \ + || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \ + apk del gcc libffi-dev musl-dev \ ) \ ; fi @@ -77,9 +77,9 @@ RUN . /.env && \ RUN . /.env && \ if [ "$INFRACOST_VERSION" != "false" ]; then \ ( \ - INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" && \ - [ "$INFRACOST_VERSION" = "latest" ] && curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \ - || curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \ + INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" && \ + [ "$INFRACOST_VERSION" = "latest" ] && curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \ + || curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \ ) && tar -xzf infracost.tgz && rm infracost.tgz && mv infracost-${TARGETOS}-${TARGETARCH} infracost \ ; fi @@ -87,9 +87,9 @@ RUN . /.env && \ RUN . /.env && \ if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then \ ( \ - TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \ - [ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \ - || curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \ + TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \ + [ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \ + || curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \ ) && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs \ ; fi @@ -97,9 +97,9 @@ RUN . /.env && \ RUN . /.env \ && if [ "$TERRAGRUNT_VERSION" != "false" ]; then \ ( \ - TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \ - [ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \ - || curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \ + TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \ + [ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \ + || curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \ ) && chmod +x terragrunt \ ; fi @@ -111,9 +111,9 @@ RUN . /.env && \ # Convert the first letter to Uppercase OS="$(echo ${TARGETOS} | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n; echo ${TARGETOS} | cut -c2-)"; \ ( \ - TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" && \ - [ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \ - || curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \ + TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" && \ + [ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \ + || curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \ ) && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && \ ./terrascan init \ ; fi @@ -122,9 +122,9 @@ RUN . /.env && \ RUN . /.env && \ if [ "$TFLINT_VERSION" != "false" ]; then \ ( \ - TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \ - [ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \ - || curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \ + TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \ + [ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \ + || curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \ ) && unzip tflint.zip && rm tflint.zip \ ; fi @@ -132,9 +132,9 @@ RUN . /.env && \ RUN . /.env && \ if [ "$TFSEC_VERSION" != "false" ]; then \ ( \ - TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \ - [ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \ - || curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \ + TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \ + [ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \ + || curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \ ) && chmod +x tfsec \ ; fi @@ -143,9 +143,9 @@ RUN . /.env && \ if [ "$TRIVY_VERSION" != "false" ]; then \ if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="64bit"; fi; \ ( \ - TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" && \ - [ "$TRIVY_VERSION" = "latest" ] && curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \ - || curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \ + TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" && \ + [ "$TRIVY_VERSION" = "latest" ] && curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \ + || curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \ ) && tar -xzf trivy.tar.gz trivy && rm trivy.tar.gz \ ; fi @@ -153,9 +153,9 @@ RUN . /.env && \ RUN . /.env && \ if [ "$TFUPDATE_VERSION" != "false" ]; then \ ( \ - TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" && \ - [ "$TFUPDATE_VERSION" = "latest" ] && curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \ - || curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \ + TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" && \ + [ "$TFUPDATE_VERSION" = "latest" ] && curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \ + || curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \ ) && tar -xzf tfupdate.tgz tfupdate && rm tfupdate.tgz \ ; fi @@ -163,9 +163,9 @@ RUN . /.env && \ RUN . /.env && \ if [ "$HCLEDIT_VERSION" != "false" ]; then \ ( \ - HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" && \ - [ "$HCLEDIT_VERSION" = "latest" ] && curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \ - || curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \ + HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" && \ + [ "$HCLEDIT_VERSION" = "latest" ] && curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \ + || curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \ ) && tar -xzf hcledit.tgz hcledit && rm hcledit.tgz \ ; fi @@ -210,7 +210,7 @@ COPY --from=builder \ /bin_dir/ \ /usr/bin/tofu \ /usr/local/bin/checkov* \ - /usr/bin/ + /usr/bin/ # Copy pre-commit packages COPY --from=builder /usr/local/lib/python3.12/site-packages/ /usr/local/lib/python3.12/site-packages/ # Copy terrascan policies @@ -218,10 +218,10 @@ COPY --from=builder /root/ /root/ # Install hooks extra deps RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \ - apk add --no-cache perl=~5 \ + apk add --no-cache perl=~5 \ ; fi && \ if [ "$(grep -o '^infracost SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \ - apk add --no-cache jq=~1 \ + apk add --no-cache jq=~1 \ ; fi && \ # Fix git runtime fatal: # unsafe repository ('/lint' is owned by someone else) @@ -235,3 +235,4 @@ ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-} ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false} ENTRYPOINT [ "/entrypoint.sh" ] + diff --git a/README.md b/README.md index 73c4bb0..023ad0c 100644 --- a/README.md +++ b/README.md @@ -552,7 +552,7 @@ To replicate functionality in `tofu_docs` hook: - --args=--config=.terraform-docs.yml ``` -### terraftofu_fmtorm_fmt +### tofu_fmt 1. `tofu_fmt` supports custom arguments so you can pass [supported flags](https://www.terraform.io/docs/cli/commands/fmt.html#usage). Eg: diff --git a/hooks/infracost_breakdown.sh b/hooks/infracost_breakdown.sh index 5515791..121f49b 100755 --- a/hooks/infracost_breakdown.sh +++ b/hooks/infracost_breakdown.sh @@ -70,19 +70,24 @@ function infracost_breakdown_ { # -h .totalHourlyCost > 0.1 # --hook-config=.currency == "USD" first_char=${check:0:1} - last_char=${check: -1} + last_char=${check:$((${#check} - 1)):1} if [ "$first_char" == "$last_char" ] && { [ "$first_char" == '"' ] || [ "$first_char" == "'" ] }; then - check="${check:1:-1}" + check="${check:1:$((${#check} - 2))}" fi - mapfile -t operations < <(echo "$check" | grep -oE '[!<>=]{1,2}') + # Replace mapfile with while read loop for bash 3.2 compatibility + operations=() + while IFS= read -r line; do + operations+=("$line") + done < <(echo "$check" | grep -oE '[!<>=]{1,2}') + # Get the very last operator, that is used in comparison inside `jq` query. # From the example below we need to pick the `>` which is in between `add` and `1000`, # but not the `!=`, which goes earlier in the `jq` expression # [.projects[].diff.totalMonthlyCost | select (.!=null) | tonumber] | add > 1000 - operation=${operations[-1]} + operation=${operations[$((${#operations[@]} - 1))]} IFS="$operation" read -r -a jq_check <<< "$check" real_value="$(jq "${jq_check[0]}" <<< "$RESULTS")" diff --git a/hooks/tofu_docs.sh b/hooks/tofu_docs.sh index b7c9e30..8b8d136 100755 --- a/hooks/tofu_docs.sh +++ b/hooks/tofu_docs.sh @@ -155,7 +155,7 @@ function tofu_docs { # if $create_if_not_exist && [[ ! -f "$text_file" ]]; then dir_have_tf_files="$( - find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tf$|^tfvars$' || + find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tofu|^tf$|^tfvars$' || exit 0 )" diff --git a/hooks/tofu_docs_replace.py b/hooks/tofu_docs_replace.py index a9cf6c9..26f1d06 100644 --- a/hooks/tofu_docs_replace.py +++ b/hooks/tofu_docs_replace.py @@ -7,30 +7,41 @@ import sys def main(argv=None): parser = argparse.ArgumentParser( description="""Run terraform-docs on a set of files. Follows the standard convention of - pulling the documentation from main.tf in order to replace the entire + pulling the documentation from main.(tf|tofu) in order to replace the entire README.md file each time.""" ) parser.add_argument( - '--dest', dest='dest', default='README.md', + "--dest", + dest="dest", + default="README.md", ) parser.add_argument( - '--sort-inputs-by-required', dest='sort', action='store_true', - help='[deprecated] use --sort-by-required instead', + "--sort-inputs-by-required", + dest="sort", + action="store_true", + help="[deprecated] use --sort-by-required instead", ) parser.add_argument( - '--sort-by-required', dest='sort', action='store_true', + "--sort-by-required", + dest="sort", + action="store_true", ) parser.add_argument( - '--with-aggregate-type-defaults', dest='aggregate', action='store_true', - help='[deprecated]', + "--with-aggregate-type-defaults", + dest="aggregate", + action="store_true", + help="[deprecated]", ) - parser.add_argument('filenames', nargs='*', help='Filenames to check.') + parser.add_argument("filenames", nargs="*", help="Filenames to check.") args = parser.parse_args(argv) dirs = [] for filename in args.filenames: - if (os.path.realpath(filename) not in dirs and - (filename.endswith(".tf") or filename.endswith(".tfvars"))): + if os.path.realpath(filename) not in dirs and ( + filename.endswith(".tf") + or filename.endswith(".tofu") + or filename.endswith(".tfvars") + ): dirs.append(os.path.dirname(filename)) retval = 0 @@ -38,12 +49,12 @@ def main(argv=None): for dir in dirs: try: procArgs = [] - procArgs.append('terraform-docs') + procArgs.append("terraform-docs") if args.sort: - procArgs.append('--sort-by-required') - procArgs.append('md') + procArgs.append("--sort-by-required") + procArgs.append("md") procArgs.append("./{dir}".format(dir=dir)) - procArgs.append('>') + procArgs.append(">") procArgs.append("./{dir}/{dest}".format(dir=dir, dest=args.dest)) subprocess.check_call(" ".join(procArgs), shell=True) except subprocess.CalledProcessError as e: @@ -52,5 +63,5 @@ def main(argv=None): return retval -if __name__ == '__main__': +if __name__ == "__main__": sys.exit(main()) diff --git a/hooks/tofu_wrapper_module_for_each.sh b/hooks/tofu_wrapper_module_for_each.sh index f1a70ef..c87db22 100755 --- a/hooks/tofu_wrapper_module_for_each.sh +++ b/hooks/tofu_wrapper_module_for_each.sh @@ -312,10 +312,10 @@ EOF # Read content of all OpenTofu files # shellcheck disable=SC2207 - all_tf_content=$(find "${full_module_dir}" -name '*.tf' -maxdepth 1 -type f -exec cat {} +) + all_tf_content=$(find "${full_module_dir}" -regex '.*\.(tf|tofu)' -maxdepth 1 -type f -exec cat {} +) if [[ ! $all_tf_content ]]; then - common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.tf files." + common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.(tf|tofu) files." continue fi