chore: Improved code structure (moved hooks into a separate dir) (#316)

Maksym Vlasov 2022-01-06 17:09:51 +02:00 committed by GitHub
commit c5f2a618a8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
27 changed files with 1066 additions and 1591 deletions


@ -1,7 +1,7 @@
- id: infracost_breakdown
name: Infracost breakdown
description: Check terraform infrastructure cost
entry: infracost_breakdown.sh
entry: hooks/infracost_breakdown.sh
language: script
require_serial: true
files: \.(tf(vars)?|hcl)$
@ -10,7 +10,7 @@
- id: terraform_fmt
name: Terraform fmt
description: Rewrites all Terraform configuration files to a canonical format.
entry: terraform_fmt.sh
entry: hooks/terraform_fmt.sh
language: script
files: (\.tf|\.tfvars)$
exclude: \.terraform\/.*$
@ -19,7 +19,7 @@
name: Terraform docs
description: Inserts input and output documentation into README.md (using terraform-docs).
require_serial: true
entry: terraform_docs.sh
entry: hooks/terraform_docs.sh
language: script
files: (\.tf|\.terraform\.lock\.hcl)$
exclude: \.terraform\/.*$
@ -28,7 +28,7 @@
name: Terraform docs (without aggregate type defaults)
description: Inserts input and output documentation into README.md (using terraform-docs). Identical to terraform_docs.
require_serial: true
entry: terraform_docs.sh
entry: hooks/terraform_docs.sh
language: script
files: (\.tf)$
exclude: \.terraform\/.*$
@ -46,7 +46,7 @@
name: Terraform validate
description: Validates all Terraform configuration files.
require_serial: true
entry: terraform_validate.sh
entry: hooks/terraform_validate.sh
language: script
files: (\.tf|\.tfvars)$
exclude: \.terraform\/.*$
@ -55,7 +55,7 @@
name: Lock terraform provider versions
description: Updates provider signatures in dependency lock files.
require_serial: true
entry: terraform_providers_lock.sh
entry: hooks/terraform_providers_lock.sh
language: script
files: (\.terraform\.lock\.hcl)$
exclude: \.terraform\/.*$
@ -64,7 +64,7 @@
name: Terraform validate with tflint
description: Validates all Terraform configuration files with TFLint.
require_serial: true
entry: terraform_tflint.sh
entry: hooks/terraform_tflint.sh
language: script
files: (\.tf|\.tfvars)$
exclude: \.terraform\/.*$
@ -72,7 +72,7 @@
- id: terragrunt_fmt
name: Terragrunt fmt
description: Rewrites all Terragrunt configuration files to a canonical format.
entry: terragrunt_fmt.sh
entry: hooks/terragrunt_fmt.sh
language: script
files: (\.hcl)$
exclude: \.terraform\/.*$
@ -80,7 +80,7 @@
- id: terragrunt_validate
name: Terragrunt validate
description: Validates all Terragrunt configuration files.
entry: terragrunt_validate.sh
entry: hooks/terragrunt_validate.sh
language: script
files: (\.hcl)$
exclude: \.terraform\/.*$
@ -89,13 +89,13 @@
name: Terraform validate with tfsec
description: Static analysis of Terraform templates to spot potential security issues.
require_serial: true
entry: terraform_tfsec.sh
entry: hooks/terraform_tfsec.sh
language: script
- id: checkov
name: Checkov
description: Runs checkov on Terraform templates.
entry: checkov -d .
entry: hooks/checkov -d .
language: python
pass_filenames: false
always_run: false
@ -107,7 +107,7 @@
name: terrascan
description: Runs terrascan on Terraform templates.
language: script
entry: terrascan.sh
entry: hooks/terrascan.sh
files: \.tf$
exclude: \.terraform\/.*$
require_serial: true
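Review bot: The `checkov` entry was rewritten to `hooks/checkov -d .` along with the script hooks, but that hook is `language: python`, so its entry is presumably resolved as an executable installed into the hook's Python environment rather than as a path inside this repository. No `hooks/checkov` file is visible in this commit, so the hook would likely stop with an executable-not-found error, and consumers who then disable it lose the Checkov scan. Unless a wrapper script is added elsewhere in the commit, the line should stay `entry: checkov -d .`.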

46
terragrunt_fmt.sh → hooks/_common.sh Executable file → Normal file

@ -1,26 +1,17 @@
#!/usr/bin/env bash
set -eo pipefail
function main {
common::initialize
common::parse_cmdline "$@"
common::per_dir_hook "${ARGS[*]}" "${FILES[@]}"
}
function common::initialize {
local SCRIPT_DIR
# get directory containing this script
SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
local -r script_dir=$1
# source getopt function
# shellcheck source=lib_getopt
. "$SCRIPT_DIR/lib_getopt"
. "$script_dir/../lib_getopt"
}
function common::parse_cmdline {
# common global arrays.
# Populated via `common::parse_cmdline` and can be used inside hooks' functions
declare -g -a ARGS=() FILES=() HOOK_CONFIG=()
declare -g -a ARGS=() HOOK_CONFIG=() FILES=()
local argv
argv=$(getopt -o a:,h: --long args:,hook-config: -- "$@") || return
@ -40,6 +31,7 @@ function common::parse_cmdline {
;;
--)
shift
# shellcheck disable=SC2034 # Variable is used
FILES=("$@")
break
;;
@ -90,18 +82,24 @@ function common::per_dir_hook {
exit $final_exit_code
}
function per_dir_hook_unique_part {
# common logic located in common::per_dir_hook
local -r args="$1"
local -r dir_path="$2"
function common::colorify {
# shellcheck disable=SC2034
local -r red="\e[0m\e[31m"
# shellcheck disable=SC2034
local -r green="\e[0m\e[32m"
# shellcheck disable=SC2034
local -r yellow="\e[0m\e[33m"
# Color reset
local -r RESET="\e[0m"
# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
terragrunt hclfmt ${args[@]}
# Params start #
local COLOR="${!1}"
local -r TEXT=$2
# Params end #
# return exit code to common::per_dir_hook
local exit_code=$?
return $exit_code
if [ "$PRE_COMMIT_COLOR" = "never" ]; then
COLOR=$RESET
fi
echo -e "${COLOR}${TEXT}${RESET}"
}
[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
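Review bot: `common::initialize` now takes the directory to source from as `$1` but never checks it: if a caller passes nothing, `script_dir` is empty and the function sources `/../lib_getopt`, a path at the filesystem root, instead of stopping with a clear error. Sourcing executes the file in the hook's shell, so the argument should be validated first, for example `local -r script_dir=${1:?common::initialize needs the hooks directory}` followed by `[[ -r "$script_dir/../lib_getopt" ]] || return 1`. A header comment stating that `$1` must be the absolute directory of the calling hook would document the new contract, since this file is now a sourced library rather than an executable.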


@ -1,75 +1,18 @@
#!/usr/bin/env bash
set -eo pipefail
# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# shellcheck source=_common.sh
. "$SCRIPT_DIR/_common.sh"
function main {
common::initialize
common::initialize "$SCRIPT_DIR"
common::parse_cmdline "$@"
# shellcheck disable=SC2153 # False positive
infracost_breakdown_ "${HOOK_CONFIG[*]}" "${ARGS[*]}"
}
function common::colorify {
# shellcheck disable=SC2034
local -r red="\e[0m\e[31m"
# shellcheck disable=SC2034
local -r green="\e[0m\e[32m"
# shellcheck disable=SC2034
local -r yellow="\e[0m\e[33m"
# Color reset
local -r RESET="\e[0m"
# Params start #
local COLOR="${!1}"
local -r TEXT=$2
# Params end #
if [ "$PRE_COMMIT_COLOR" = "never" ]; then
COLOR=$RESET
fi
echo -e "${COLOR}${TEXT}${RESET}"
}
function common::initialize {
local SCRIPT_DIR
# get directory containing this script
SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# source getopt function
# shellcheck source=lib_getopt
. "$SCRIPT_DIR/lib_getopt"
}
function common::parse_cmdline {
# common global arrays.
# Populated via `common::parse_cmdline` and can be used inside hooks' functions
declare -g -a ARGS=() FILES=() HOOK_CONFIG=()
local argv
argv=$(getopt -o a:,h: --long args:,hook-config: -- "$@") || return
eval "set -- $argv"
for argv; do
case $argv in
-a | --args)
shift
ARGS+=("$1")
shift
;;
-h | --hook-config)
shift
HOOK_CONFIG+=("$1;")
shift
;;
--)
shift
# shellcheck disable=SC2034 # Common function
FILES=("$@")
break
;;
esac
done
}
function infracost_breakdown_ {
local -r hook_config="$1"
local args
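Review bot: The new `readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"` line hides a failing `realpath`: the nested substitution's status is discarded, `dirname` of an empty string prints `.`, and the next line then sources `./_common.sh` from the current directory, which for a pre-commit hook is presumably the repository being checked. On a system without `realpath`, that would run a file from the checked repository in place of the hook library. The SC2155 comment is also inaccurate, because the assignment can be split into `script_path=$(realpath "${BASH_SOURCE[0]}")`, `SCRIPT_DIR=$(dirname "$script_path")` and `readonly SCRIPT_DIR`, each of which `set -e` can stop on. The same two lines are added to terraform_docs, terraform_fmt, terraform_validate and every new script under hooks/. `infracost_breakdown_` continues outside the hunk.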


@ -1,54 +1,22 @@
#!/usr/bin/env bash
set -eo pipefail
# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# shellcheck source=_common.sh
. "$SCRIPT_DIR/_common.sh"
function main {
common::initialize
common::initialize "$SCRIPT_DIR"
common::parse_cmdline "$@"
# Support for setting relative PATH to .terraform-docs.yml config.
# shellcheck disable=SC2178 # It's the simplest syntax for that case
ARGS=${ARGS[*]/--config=/--config=$(pwd)\/}
# shellcheck disable=SC2128 # It's the simplest syntax for that case
# shellcheck disable=SC2153 # False positive
terraform_docs_ "${HOOK_CONFIG[*]}" "$ARGS" "${FILES[@]}"
}
function common::initialize {
local SCRIPT_DIR
# get directory containing this script
SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# source getopt function
# shellcheck source=lib_getopt
. "$SCRIPT_DIR/lib_getopt"
}
function common::parse_cmdline {
# common global arrays.
# Populated via `common::parse_cmdline` and can be used inside hooks' functions
declare -g -a ARGS=() FILES=() HOOK_CONFIG=()
local argv
argv=$(getopt -o a:,h: --long args:,hook-config: -- "$@") || return
eval "set -- $argv"
for argv; do
case $argv in
-a | --args)
shift
ARGS+=("$1")
shift
;;
-h | --hook-config)
shift
HOOK_CONFIG+=("$1;")
shift
;;
--)
shift
FILES=("$@")
break
;;
esac
done
}
function terraform_docs_ {
local -r hook_config="$1"
local -r args="$2"


@ -1,52 +1,18 @@
#!/usr/bin/env bash
set -eo pipefail
# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# shellcheck source=_common.sh
. "$SCRIPT_DIR/_common.sh"
function main {
common::initialize
common::initialize "$SCRIPT_DIR"
common::parse_cmdline "$@"
# shellcheck disable=SC2153 # False positive
terraform_fmt_ "${ARGS[*]}" "${FILES[@]}"
}
function common::initialize {
local SCRIPT_DIR
# get directory containing this script
SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# source getopt function
# shellcheck source=lib_getopt
. "$SCRIPT_DIR/lib_getopt"
}
function common::parse_cmdline {
# common global arrays.
# Populated via `common::parse_cmdline` and can be used inside hooks' functions
declare -g -a ARGS=() FILES=() HOOK_CONFIG=()
local argv
argv=$(getopt -o a:,h: --long args:,hook-config: -- "$@") || return
eval "set -- $argv"
for argv; do
case $argv in
-a | --args)
shift
ARGS+=("$1")
shift
;;
-h | --hook-config)
shift
HOOK_CONFIG+=("$1;")
shift
;;
--)
shift
FILES=("$@")
break
;;
esac
done
}
function terraform_fmt_ {
local -r args="$1"
shift 1


@ -0,0 +1,42 @@
#!/usr/bin/env bash
set -eo pipefail
# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# shellcheck source=_common.sh
. "$SCRIPT_DIR/_common.sh"
function main {
common::initialize "$SCRIPT_DIR"
common::parse_cmdline "$@"
# shellcheck disable=SC2153 # False positive
common::per_dir_hook "${ARGS[*]}" "${FILES[@]}"
}
function per_dir_hook_unique_part {
# common logic located in common::per_dir_hook
local -r args="$1"
local -r dir_path="$2"
if [ ! -d ".terraform" ]; then
init_output=$(terraform init -backend=false 2>&1)
init_code=$?
if [ $init_code -ne 0 ]; then
common::colorify "red" "Init before validation failed: $dir_path"
common::colorify "red" "$init_output"
exit $init_code
fi
fi
# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
terraform providers lock ${args[@]}
# return exit code to common::per_dir_hook
local exit_code=$?
return $exit_code
}
[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
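Review bot: `terraform providers lock ${args[@]}` expands a scalar unquoted, so the user-supplied hook arguments are not only word-split but also glob-expanded against the current directory; an argument containing `*` or `?` picks up file names from the repository under check. Splitting without globbing keeps today's behaviour for ordinary arguments: `local -a hook_args; read -r -a hook_args <<< "$args"` and then `terraform providers lock "${hook_args[@]}"`. The same pattern appears in the new terraform_tflint, terraform_tfsec, terragrunt_fmt, terragrunt_validate and terrascan hooks. Separately, `init_output` and `init_code` are assigned without `local` and leak into the caller's scope.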

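--- /dev/null
+++ b/hooks/terraform_tflint.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+function main {
+common::initialize "$SCRIPT_DIR"
+common::parse_cmdline "$@"
+# Support for setting PATH to repo root.
+# shellcheck disable=SC2178 # It's the simplest syntax for that case
+ARGS=${ARGS[*]/__GIT_WORKING_DIR__/$(pwd)\/}
+# shellcheck disable=SC2128 # It's the simplest syntax for that case
+common::per_dir_hook "$ARGS" "${FILES[@]}"
+}
+function per_dir_hook_unique_part {
+# common logic located in common::per_dir_hook
+local -r args="$1"
+local -r dir_path="$2"
+# Print checked PATH **only** if TFLint have any messages
+# shellcheck disable=SC2091,SC2068 # Suppress error output
+$(tflint ${args[@]} 2>&1) 2> /dev/null || {
+common::colorify "yellow" "TFLint in $dir_path/:"
+# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+tflint ${args[@]}
+}
+# return exit code to common::per_dir_hook
+local exit_code=$?
+return $exit_code
+}
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"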
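Review bot: `$(tflint ${args[@]} 2>&1) 2> /dev/null` in `per_dir_hook_unique_part` runs tflint and then executes whatever it printed as a command line, with the resulting error hidden; the SC2091 suppression above it silences exactly that warning. Lint output can include file names and snippets from the files being checked, so text influenced by the repository under check is word-split and handed to the shell as a command name and arguments. The intent of printing the path only when there is output can be met by capturing the output once and testing it, which also avoids running tflint twice per directory. The sketch below returns the status of that single run and prints the captured text, so tflint's colour detection may differ from the current second run.

```shell
function per_dir_hook_unique_part {
  # … unchanged: args and dir_path locals …
  local tflint_output exit_code
  # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
  tflint_output=$(tflint ${args[@]} 2>&1)
  exit_code=$?
  if [ -n "$tflint_output" ]; then
    common::colorify "yellow" "TFLint in $dir_path/:"
    printf '%s\n' "$tflint_output"
  fi
  return $exit_code
}
```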

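--- /dev/null
+++ b/hooks/terraform_tfsec.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+function main {
+common::initialize "$SCRIPT_DIR"
+common::parse_cmdline "$@"
+# Support for setting PATH to repo root.
+# shellcheck disable=SC2178 # It's the simplest syntax for that case
+ARGS=${ARGS[*]/__GIT_WORKING_DIR__/$(pwd)\/}
+# shellcheck disable=SC2128 # It's the simplest syntax for that case
+common::per_dir_hook "$ARGS" "${FILES[@]}"
+}
+function per_dir_hook_unique_part {
+# common logic located in common::per_dir_hook
+local -r args="$1"
+# shellcheck disable=SC2034 # Unused var.
+local -r dir_path="$2"
+# pass the arguments to hook
+# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+tfsec ${args[@]}
+# return exit code to common::per_dir_hook
+local exit_code=$?
+return $exit_code
+}
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"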


@ -1,25 +1,20 @@
#!/usr/bin/env bash
set -eo pipefail
# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# shellcheck source=_common.sh
. "$SCRIPT_DIR/_common.sh"
# `terraform validate` requires this env variable to be set
export AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-us-east-1}
function main {
common::initialize
common::initialize "$SCRIPT_DIR"
parse_cmdline_ "$@"
terraform_validate_
}
function common::initialize {
local SCRIPT_DIR
# get directory containing this script
SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# source getopt function
# shellcheck source=lib_getopt
. "$SCRIPT_DIR/lib_getopt"
}
function parse_cmdline_ {
declare argv
argv=$(getopt -o e:i:a: --long envs:,init-args:,args: -- "$@") || return
@ -119,9 +114,7 @@ function terraform_validate_ {
}
# global arrays
declare -a ARGS
declare -a INIT_ARGS
declare -a ENVS
declare -a FILES
[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"

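--- /dev/null
+++ b/hooks/terragrunt_fmt.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+function main {
+common::initialize "$SCRIPT_DIR"
+common::parse_cmdline "$@"
+# shellcheck disable=SC2153 # False positive
+common::per_dir_hook "${ARGS[*]}" "${FILES[@]}"
+}
+function per_dir_hook_unique_part {
+# common logic located in common::per_dir_hook
+local -r args="$1"
+# shellcheck disable=SC2034 # Unused var.
+local -r dir_path="$2"
+# pass the arguments to hook
+# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+terragrunt hclfmt ${args[@]}
+# return exit code to common::per_dir_hook
+local exit_code=$?
+return $exit_code
+}
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"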

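--- /dev/null
+++ b/hooks/terragrunt_validate.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+function main {
+common::initialize "$SCRIPT_DIR"
+common::parse_cmdline "$@"
+# shellcheck disable=SC2153 # False positive
+common::per_dir_hook "${ARGS[*]}" "${FILES[@]}"
+}
+function per_dir_hook_unique_part {
+# common logic located in common::per_dir_hook
+local -r args="$1"
+# shellcheck disable=SC2034 # Unused var.
+local -r dir_path="$2"
+# pass the arguments to hook
+# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+terragrunt validate ${args[@]}
+# return exit code to common::per_dir_hook
+local exit_code=$?
+return $exit_code
+}
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"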

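--- /dev/null
+++ b/hooks/terrascan.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+function main {
+common::initialize "$SCRIPT_DIR"
+common::parse_cmdline "$@"
+# shellcheck disable=SC2153 # False positive
+common::per_dir_hook "${ARGS[*]}" "${FILES[@]}"
+}
+function per_dir_hook_unique_part {
+# common logic located in common::per_dir_hook
+local -r args="$1"
+# shellcheck disable=SC2034 # Unused var.
+local -r dir_path="$2"
+# pass the arguments to hook
+# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+terrascan scan -i terraform ${args[@]}
+# return exit code to common::per_dir_hook
+local exit_code=$?
+return $exit_code
+}
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"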


@ -27,7 +27,7 @@ setup(
],
entry_points={
'console_scripts': [
'terraform_docs_replace = pre_commit_hooks.terraform_docs_replace:main',
'terraform_docs_replace = hooks.terraform_docs_replace:main',
],
},
)
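Review bot: The console script now imports from a top-level package called `hooks`, a name generic enough to collide with, or be shadowed by, another `hooks` module on the import path of whatever environment this distribution is installed into. The `packages=` argument of `setup()` is outside this hunk, so confirm it was updated to match the renamed directory, and consider keeping a project-specific package name. The `setup(` call begins above the hunk.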


@ -1,141 +0,0 @@
#!/usr/bin/env bash
set -eo pipefail
function main {
common::initialize
common::parse_cmdline "$@"
common::per_dir_hook "${ARGS[*]}" "${FILES[@]}"
}
function common::colorify {
# shellcheck disable=SC2034
local -r red="\e[0m\e[31m"
# shellcheck disable=SC2034
local -r green="\e[0m\e[32m"
# shellcheck disable=SC2034
local -r yellow="\e[0m\e[33m"
# Color reset
local -r RESET="\e[0m"
# Params start #
local COLOR="${!1}"
local -r TEXT=$2
# Params end #
if [ "$PRE_COMMIT_COLOR" = "never" ]; then
COLOR=$RESET
fi
echo -e "${COLOR}${TEXT}${RESET}"
}
function common::initialize {
local SCRIPT_DIR
# get directory containing this script
SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# source getopt function
# shellcheck source=lib_getopt
. "$SCRIPT_DIR/lib_getopt"
}
function common::parse_cmdline {
# common global arrays.
# Populated via `common::parse_cmdline` and can be used inside hooks' functions
declare -g -a ARGS=() FILES=() HOOK_CONFIG=()
local argv
argv=$(getopt -o a:,h: --long args:,hook-config: -- "$@") || return
eval "set -- $argv"
for argv; do
case $argv in
-a | --args)
shift
ARGS+=("$1")
shift
;;
-h | --hook-config)
shift
HOOK_CONFIG+=("$1;")
shift
;;
--)
shift
FILES=("$@")
break
;;
esac
done
}
function common::per_dir_hook {
local -r args="$1"
shift 1
local -a -r files=("$@")
# consume modified files passed from pre-commit so that
# hook runs against only those relevant directories
local index=0
for file_with_path in "${files[@]}"; do
file_with_path="${file_with_path// /__REPLACED__SPACE__}"
dir_paths[index]=$(dirname "$file_with_path")
((index += 1))
done
# preserve errexit status
shopt -qo errexit && ERREXIT_IS_SET=true
# allow hook to continue if exit_code is greater than 0
set +e
local final_exit_code=0
# run hook for each path
for dir_path in $(echo "${dir_paths[*]}" | tr ' ' '\n' | sort -u); do
dir_path="${dir_path//__REPLACED__SPACE__/ }"
pushd "$dir_path" > /dev/null || continue
per_dir_hook_unique_part "$args" "$dir_path"
local exit_code=$?
if [ $exit_code -ne 0 ]; then
final_exit_code=$exit_code
fi
popd > /dev/null
done
# restore errexit if it was set before the "for" loop
[[ $ERREXIT_IS_SET ]] && set -e
# return the hook final exit_code
exit $final_exit_code
}
function per_dir_hook_unique_part {
# common logic located in common::per_dir_hook
local -r args="$1"
local -r dir_path="$2"
if [ ! -d ".terraform" ]; then
init_output=$(terraform init -backend=false 2>&1)
init_code=$?
if [ $init_code -ne 0 ]; then
common::colorify "red" "Init before validation failed: $dir_path"
common::colorify "red" "$init_output"
exit $init_code
fi
fi
# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
terraform providers lock ${args[@]}
# return exit code to common::per_dir_hook
local exit_code=$?
return $exit_code
}
[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"


@ -1,137 +0,0 @@
#!/usr/bin/env bash
set -eo pipefail
function main {
common::initialize
common::parse_cmdline "$@"
# Support for setting PATH to repo root.
ARGS=${ARGS[*]/__GIT_WORKING_DIR__/$(pwd)\/}
common::per_dir_hook "$ARGS" "${FILES[@]}"
}
function common::colorify {
# shellcheck disable=SC2034
local -r red="\e[0m\e[31m"
# shellcheck disable=SC2034
local -r green="\e[0m\e[32m"
# shellcheck disable=SC2034
local -r yellow="\e[0m\e[33m"
# Color reset
local -r RESET="\e[0m"
# Params start #
local COLOR="${!1}"
local -r TEXT=$2
# Params end #
if [ "$PRE_COMMIT_COLOR" = "never" ]; then
COLOR=$RESET
fi
echo -e "${COLOR}${TEXT}${RESET}"
}
function common::initialize {
local SCRIPT_DIR
# get directory containing this script
SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# source getopt function
# shellcheck source=lib_getopt
. "$SCRIPT_DIR/lib_getopt"
}
function common::parse_cmdline {
# common global arrays.
# Populated via `common::parse_cmdline` and can be used inside hooks' functions
declare -g -a ARGS=() FILES=() HOOK_CONFIG=()
local argv
argv=$(getopt -o a:,h: --long args:,hook-config: -- "$@") || return
eval "set -- $argv"
for argv; do
case $argv in
-a | --args)
shift
ARGS+=("$1")
shift
;;
-h | --hook-config)
shift
HOOK_CONFIG+=("$1;")
shift
;;
--)
shift
FILES=("$@")
break
;;
esac
done
}
function common::per_dir_hook {
local -r args="$1"
shift 1
local -a -r files=("$@")
# consume modified files passed from pre-commit so that
# hook runs against only those relevant directories
local index=0
for file_with_path in "${files[@]}"; do
file_with_path="${file_with_path// /__REPLACED__SPACE__}"
dir_paths[index]=$(dirname "$file_with_path")
((index += 1))
done
# preserve errexit status
shopt -qo errexit && ERREXIT_IS_SET=true
# allow hook to continue if exit_code is greater than 0
set +e
local final_exit_code=0
# run hook for each path
for dir_path in $(echo "${dir_paths[*]}" | tr ' ' '\n' | sort -u); do
dir_path="${dir_path//__REPLACED__SPACE__/ }"
pushd "$dir_path" > /dev/null || continue
per_dir_hook_unique_part "$args" "$dir_path"
local exit_code=$?
if [ $exit_code -ne 0 ]; then
final_exit_code=$exit_code
fi
popd > /dev/null
done
# restore errexit if it was set before the "for" loop
[[ $ERREXIT_IS_SET ]] && set -e
# return the hook final exit_code
exit $final_exit_code
}
function per_dir_hook_unique_part {
# common logic located in common::per_dir_hook
local -r args="$1"
local -r dir_path="$2"
# Print checked PATH **only** if TFLint have any messages
# shellcheck disable=SC2091,SC2068 # Suppress error output
$(tflint ${args[@]} 2>&1) 2> /dev/null || {
common::colorify "yellow" "TFLint in $dir_path/:"
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
tflint ${args[@]}
}
# return exit code to common::per_dir_hook
local exit_code=$?
return $exit_code
}
[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"


@ -1,109 +0,0 @@
#!/usr/bin/env bash
set -eo pipefail
function main {
common::initialize
common::parse_cmdline "$@"
# Support for setting PATH to repo root.
ARGS=${ARGS[*]/__GIT_WORKING_DIR__/$(pwd)\/}
common::per_dir_hook "$ARGS" "${FILES[@]}"
}
function common::initialize {
local SCRIPT_DIR
# get directory containing this script
SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# source getopt function
# shellcheck source=lib_getopt
. "$SCRIPT_DIR/lib_getopt"
}
function common::parse_cmdline {
# common global arrays.
# Populated via `common::parse_cmdline` and can be used inside hooks' functions
declare -g -a ARGS=() FILES=() HOOK_CONFIG=()
local argv
argv=$(getopt -o a:,h: --long args:,hook-config: -- "$@") || return
eval "set -- $argv"
for argv; do
case $argv in
-a | --args)
shift
ARGS+=("$1")
shift
;;
-h | --hook-config)
shift
HOOK_CONFIG+=("$1;")
shift
;;
--)
shift
FILES=("$@")
break
;;
esac
done
}
function common::per_dir_hook {
local -r args="$1"
shift 1
local -a -r files=("$@")
# consume modified files passed from pre-commit so that
# hook runs against only those relevant directories
local index=0
for file_with_path in "${files[@]}"; do
file_with_path="${file_with_path// /__REPLACED__SPACE__}"
dir_paths[index]=$(dirname "$file_with_path")
((index += 1))
done
# preserve errexit status
shopt -qo errexit && ERREXIT_IS_SET=true
# allow hook to continue if exit_code is greater than 0
set +e
local final_exit_code=0
# run hook for each path
for dir_path in $(echo "${dir_paths[*]}" | tr ' ' '\n' | sort -u); do
dir_path="${dir_path//__REPLACED__SPACE__/ }"
pushd "$dir_path" > /dev/null || continue
per_dir_hook_unique_part "$args" "$dir_path"
local exit_code=$?
if [ $exit_code -ne 0 ]; then
final_exit_code=$exit_code
fi
popd > /dev/null
done
# restore errexit if it was set before the "for" loop
[[ $ERREXIT_IS_SET ]] && set -e
# return the hook final exit_code
exit $final_exit_code
}
function per_dir_hook_unique_part {
# common logic located in common::per_dir_hook
local -r args="$1"
local -r dir_path="$2"
# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
tfsec ${args[@]}
# return exit code to common::per_dir_hook
local exit_code=$?
return $exit_code
}
[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"


@ -1,107 +0,0 @@
#!/usr/bin/env bash
set -eo pipefail
function main {
common::initialize
common::parse_cmdline "$@"
common::per_dir_hook "${ARGS[*]}" "${FILES[@]}"
}
function common::initialize {
local SCRIPT_DIR
# get directory containing this script
SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# source getopt function
# shellcheck source=lib_getopt
. "$SCRIPT_DIR/lib_getopt"
}
function common::parse_cmdline {
# common global arrays.
# Populated via `common::parse_cmdline` and can be used inside hooks' functions
declare -g -a ARGS=() FILES=() HOOK_CONFIG=()
local argv
argv=$(getopt -o a:,h: --long args:,hook-config: -- "$@") || return
eval "set -- $argv"
for argv; do
case $argv in
-a | --args)
shift
ARGS+=("$1")
shift
;;
-h | --hook-config)
shift
HOOK_CONFIG+=("$1;")
shift
;;
--)
shift
FILES=("$@")
break
;;
esac
done
}
function common::per_dir_hook {
local -r args="$1"
shift 1
local -a -r files=("$@")
# consume modified files passed from pre-commit so that
# hook runs against only those relevant directories
local index=0
for file_with_path in "${files[@]}"; do
file_with_path="${file_with_path// /__REPLACED__SPACE__}"
dir_paths[index]=$(dirname "$file_with_path")
((index += 1))
done
# preserve errexit status
shopt -qo errexit && ERREXIT_IS_SET=true
# allow hook to continue if exit_code is greater than 0
set +e
local final_exit_code=0
# run hook for each path
for dir_path in $(echo "${dir_paths[*]}" | tr ' ' '\n' | sort -u); do
dir_path="${dir_path//__REPLACED__SPACE__/ }"
pushd "$dir_path" > /dev/null || continue
per_dir_hook_unique_part "$args" "$dir_path"
local exit_code=$?
if [ $exit_code -ne 0 ]; then
final_exit_code=$exit_code
fi
popd > /dev/null
done
# restore errexit if it was set before the "for" loop
[[ $ERREXIT_IS_SET ]] && set -e
# return the hook final exit_code
exit $final_exit_code
}
function per_dir_hook_unique_part {
# common logic located in common::per_dir_hook
local -r args="$1"
local -r dir_path="$2"
# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
terragrunt validate ${args[@]}
# return exit code to common::per_dir_hook
local exit_code=$?
return $exit_code
}
[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"


@ -1,107 +0,0 @@
#!/usr/bin/env bash
set -eo pipefail
function main {
common::initialize
common::parse_cmdline "$@"
common::per_dir_hook "${ARGS[*]}" "${FILES[@]}"
}
function common::initialize {
local SCRIPT_DIR
# get directory containing this script
SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# source getopt function
# shellcheck source=lib_getopt
. "$SCRIPT_DIR/lib_getopt"
}
function common::parse_cmdline {
# common global arrays.
# Populated via `common::parse_cmdline` and can be used inside hooks' functions
declare -g -a ARGS=() FILES=() HOOK_CONFIG=()
local argv
argv=$(getopt -o a:,h: --long args:,hook-config: -- "$@") || return
eval "set -- $argv"
for argv; do
case $argv in
-a | --args)
shift
ARGS+=("$1")
shift
;;
-h | --hook-config)
shift
HOOK_CONFIG+=("$1;")
shift
;;
--)
shift
FILES=("$@")
break
;;
esac
done
}
function common::per_dir_hook {
local -r args="$1"
shift 1
local -a -r files=("$@")
# consume modified files passed from pre-commit so that
# hook runs against only those relevant directories
local index=0
for file_with_path in "${files[@]}"; do
file_with_path="${file_with_path// /__REPLACED__SPACE__}"
dir_paths[index]=$(dirname "$file_with_path")
((index += 1))
done
# preserve errexit status
shopt -qo errexit && ERREXIT_IS_SET=true
# allow hook to continue if exit_code is greater than 0
set +e
local final_exit_code=0
# run hook for each path
for dir_path in $(echo "${dir_paths[*]}" | tr ' ' '\n' | sort -u); do
dir_path="${dir_path//__REPLACED__SPACE__/ }"
pushd "$dir_path" > /dev/null || continue
per_dir_hook_unique_part "$args" "$dir_path"
local exit_code=$?
if [ $exit_code -ne 0 ]; then
final_exit_code=$exit_code
fi
popd > /dev/null
done
# restore errexit if it was set before the "for" loop
[[ $ERREXIT_IS_SET ]] && set -e
# return the hook final exit_code
exit $final_exit_code
}
function per_dir_hook_unique_part {
# common logic located in common::per_dir_hook
local -r args="$1"
local -r dir_path="$2"
# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
terrascan scan -i terraform ${args[@]}
# return exit code to common::per_dir_hook
local exit_code=$?
return $exit_code
}
[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"