Collection of git hooks for Terraform to be used with pre-commit framework
How to install
1. Install dependencies
- pre-commit
- terraform-docs required for terraform_docs hooks. GNU awk is required if using terraform-docs older than 0.8.0 with Terraform 0.12.
- TFLint required for terraform_tflint hook.
- TFSec required for terraform_tfsec hook.
- coreutils required for terraform_validate hook on macOS (due to use of realpath).
MacOS
```bash
brew tap liamg/tfsec
brew install pre-commit gawk terraform-docs tflint tfsec coreutils
```
Ubuntu
```bash
sudo apt install python3-pip gawk &&\
pip3 install pre-commit
curl -L "$(curl -s https://api.github.com/repos/segmentio/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64")" > terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
env GO111MODULE=on go get -u github.com/liamg/tfsec/cmd/tfsec
```
2. Install the pre-commit hook globally
```bash
DIR=~/.git-template
git config --global init.templateDir ${DIR}
pre-commit init-templatedir -t pre-commit ${DIR}
```
3. Add configs and hooks
Step into the repository you want to have the pre-commit hooks installed and run:
```bash
git init
cat <<EOF > .pre-commit-config.yaml
repos:
# Fetch the hooks over https; GitHub no longer serves the unauthenticated git:// protocol
- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: <VERSION> # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
  hooks:
    - id: terraform_fmt
    - id: terraform_docs
EOF
```
4. Run
After the pre-commit hook has been installed, you can run it manually on all files in the repository:

```bash
pre-commit run -a
```
Available Hooks
There are several pre-commit hooks to keep Terraform configurations (both *.tf and *.tfvars) and Terragrunt configurations (*.hcl) in good shape:
| Hook name | Description |
|---|---|
| terraform_fmt | Rewrites all Terraform configuration files to a canonical format. |
| terraform_validate | Validates all Terraform configuration files. |
| terraform_docs | Inserts input and output documentation into README.md. Recommended. |
| terraform_docs_without_aggregate_type_defaults | Inserts input and output documentation into README.md without aggregate type defaults. |
| terraform_docs_replace | Runs terraform-docs and pipes the output directly to README.md |
| terraform_tflint | Validates all Terraform configuration files with TFLint. |
| terragrunt_fmt | Rewrites all Terragrunt configuration files (*.hcl) to a canonical format. |
| terraform_tfsec | TFSec static analysis of terraform templates to spot potential security issues. |
Check the source file of each hook to see the arguments it uses.
Notes about terraform_docs hooks
- terraform_docs and terraform_docs_without_aggregate_type_defaults will insert/update documentation generated by terraform-docs framed by markers:

  ```
  <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
  <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
  ```

  if they are present in README.md.
- terraform_docs_replace replaces the entire README.md rather than doing string replacement between markers. Put your additional documentation at the top of your main.tf for it to be pulled in. The optional --dest argument lets you change the name of the file that gets created/modified.

  - Example:

    ```yaml
    hooks:
      - id: terraform_docs_replace
        args: ['--with-aggregate-type-defaults', '--sort-inputs-by-required', '--dest=TEST.md']
    ```

- It is possible to pass additional arguments to shell scripts when using terraform_docs and terraform_docs_without_aggregate_type_defaults. Send a pull request with the new hook if something is missing.
Notes about terraform_tflint hooks
- terraform_tflint supports custom arguments so you can enable module inspection, deep check mode etc.

  - Example:

    ```yaml
    hooks:
      - id: terraform_tflint
        args: ['args=--deep']
    ```

    In order to pass multiple args, try the following:

    ```yaml
    - id: terraform_tflint
      args:
        - 'args=--deep'
        - 'args=--enable-rule=terraform_documented_variables'
    ```
Notes about terraform_tfsec hooks
- terraform_tfsec will recurse all directories/modules.
- To ignore specific warnings, follow the convention from the documentation.

  - Example:

    ```hcl
    resource "aws_security_group_rule" "my-rule" {
      type        = "ingress"
      cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
    }
    ```
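Inline ignores silence a finding for good, so it helps to keep them visible in review. The following is an added example, not part of this repository: a POSIX shell check that lists every `tfsec:ignore:` comment and fails when a suppressed rule is not on an approved list. The function names, the sample file and the rule id AWS999 are constructed for illustration.

```shell
#!/bin/sh
# Print one "file:line:RULE" record per "tfsec:ignore:<RULE>" comment.
list_tfsec_ignores() {
    find "${1:-.}" -type f -name '*.tf' -exec awk '
        {
            line = $0
            # A single line may carry more than one suppression.
            while (match(line, /tfsec:ignore:[A-Za-z0-9_-]+/)) {
                printf "%s:%d:%s\n", FILENAME, FNR, substr(line, RSTART + 13, RLENGTH - 13)
                line = substr(line, RSTART + RLENGTH)
            }
        }' {} +
}

# Return non-zero if any suppressed rule is missing from the approved list.
# Usage: check_tfsec_ignores <dir> [approved-rule ...]
check_tfsec_ignores() {
    scan_dir="$1"; shift
    approved=" $* "
    status=0
    hits=$(list_tfsec_ignores "$scan_dir")
    while IFS= read -r hit; do
        [ -n "$hit" ] || continue
        case "$approved" in
            *" ${hit##*:} "*) ;;   # rule id is the text after the last colon
            *) echo "unapproved tfsec suppression: $hit" >&2; status=1 ;;
        esac
    done <<EOF
$hits
EOF
    return "$status"
}

# Constructed sample: the README's AWS006 example plus a placeholder rule id.
write_sample() {
    cat > "$1/main.tf" <<'EOF'
resource "aws_security_group_rule" "my-rule" {
  type        = "ingress"
  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
}
resource "aws_s3_bucket" "logs" { #tfsec:ignore:AWS999
  bucket = "example-logs"
}
EOF
}

demo=$(mktemp -d) && write_sample "$demo"
list_tfsec_ignores "$demo"
check_tfsec_ignores "$demo" AWS006 || echo "suppressions need review"
rm -rf "$demo"
```

Run as a local pre-commit hook or a CI step, the non-zero exit blocks a change that introduces a suppression nobody has signed off on.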
Notes for developers
- Python hooks are supported now too. All you have to do is:
  - add a line to the console_scripts array in entry_points in setup.py
  - Put your python script in the pre_commit_hooks folder
Enjoy the clean and documented code!
Authors
This repository is managed by Anton Babenko with help from these awesome contributors.
License
MIT licensed. See LICENSE for full details.