feat: Allow env vars expansion in --args section for all hooks (#363)

README.md

@@ -36,6 +36,7 @@ If you are using `pre-commit-terraform` already or want to support its developme
   * [4. Run](#4-run)
 * [Available Hooks](#available-hooks)
 * [Hooks usage notes and examples](#hooks-usage-notes-and-examples)
+  * [All hooks: Usage of environment variables in `--args`](#all-hooks-usage-of-environment-variables-in---args)
   * [checkov (deprecated) and terraform_checkov](#checkov-deprecated-and-terraform_checkov)
   * [infracost_breakdown](#infracost_breakdown)
   * [terraform_docs](#terraform_docs)
@@ -238,6 +239,24 @@ Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blo
 
 ## Hooks usage notes and examples
 
+### All hooks: Usage of environment variables in `--args`
+
+> All, except deprecated hooks: `checkov`, `terraform_docs_replace`
+
+You can use environment variables for the `--args` section.  
+Note: You _must_ use the `${ENV_VAR}` definition, `$ENV_VAR` will not expand.
+
+Config example:
+
+```yaml
+- id: terraform_tflint
+  args:
+  - --args=--config=${CONFIG_NAME}.${CONFIG_EXT}
+  - --args=--module
+```
+
+If for config above set up `export CONFIG_NAME=.tflint; export CONFIG_EXT=hcl` before `pre-commit run`, args will be expanded to `--config=.tflint.hcl --module`.
+
 ### checkov (deprecated) and terraform_checkov
 
 > `checkov` hook is deprecated, please use `terraform_checkov`.

hooks/_common.sh

@@ -55,6 +55,43 @@ function common::parse_cmdline {
   done
 }
 
+#######################################################################
+# Expand environment variables definition into their values in '--args'.
+# Support expansion only for ${ENV_VAR} vars, not $ENV_VAR.
+# Globals (modify):
+#   ARGS (array) arguments that configure wrapped tool behavior
+#######################################################################
+function common::parse_and_export_env_vars {
+  local arg_idx
+
+  for arg_idx in "${!ARGS[@]}"; do
+    local arg="${ARGS[$arg_idx]}"
+
+    # Repeat until all env vars will be expanded
+    while true; do
+      # Check if at least 1 env var exists in `$arg`
+      # shellcheck disable=SC2016 # '${' should not be expanded
+      if [[ "$arg" =~ .*'${'[A-Z_][A-Z0-9_]+?'}'.* ]]; then
+        # Get `ENV_VAR` from `.*${ENV_VAR}.*`
+        local env_var_name=${arg#*$\{}
+        env_var_name=${env_var_name%%\}*}
+        local env_var_value="${!env_var_name}"
+        # shellcheck disable=SC2016 # '${' should not be expanded
+        common::colorify "green" 'Found ${'"$env_var_name"'} in:        '"'$arg'"
+        # Replace env var name with its value.
+        # `$arg` will be checked in `if` conditional, `$ARGS` will be used in the next functions.
+        # shellcheck disable=SC2016 # '${' should not be expanded
+        arg=${arg/'${'$env_var_name'}'/$env_var_value}
+        ARGS[$arg_idx]=$arg
+        # shellcheck disable=SC2016 # '${' should not be expanded
+        common::colorify "green" 'After ${'"$env_var_name"'} expansion: '"'$arg'\n"
+        continue
+      fi
+      break
+    done
+  done
+}
+
 #######################################################################
 # This is a workaround to improve performance when all files are passed
 # See: https://github.com/antonbabenko/pre-commit-terraform/issues/309

hooks/infracost_breakdown.sh

@@ -13,6 +13,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   infracost_breakdown_ "${HOOK_CONFIG[*]}" "${ARGS[*]}"
 }

hooks/terraform_checkov.sh

@@ -13,6 +13,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
 }

hooks/terraform_docs.sh

@@ -13,6 +13,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::parse_and_export_env_vars
   # Support for setting relative PATH to .terraform-docs.yml config.
   # shellcheck disable=SC2178 # It's the simplest syntax for that case
   ARGS=${ARGS[*]/--config=/--config=$(pwd)\/}

hooks/terraform_fmt.sh

@@ -13,6 +13,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   terraform_fmt_ "${ARGS[*]}" "${FILES[@]}"
 }

hooks/terraform_providers_lock.sh

@@ -13,6 +13,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
 }

hooks/terraform_tflint.sh

@@ -13,6 +13,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::parse_and_export_env_vars
   # Support for setting PATH to repo root.
   # shellcheck disable=SC2178 # It's the simplest syntax for that case
   ARGS=${ARGS[*]/__GIT_WORKING_DIR__/$(pwd)\/}

hooks/terraform_tfsec.sh

@@ -12,6 +12,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::parse_and_export_env_vars
   # Support for setting PATH to repo root.
   # shellcheck disable=SC2178 # It's the simplest syntax for that case
   ARGS=${ARGS[*]/__GIT_WORKING_DIR__/$(pwd)\/}

hooks/terraform_validate.sh

@@ -16,6 +16,7 @@ export AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-us-east-1}
 function main {
   common::initialize "$SCRIPT_DIR"
   parse_cmdline_ "$@"
+  common::parse_and_export_env_vars
   terraform_validate_
 }
 

hooks/terragrunt_fmt.sh

@@ -12,6 +12,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
 }

hooks/terragrunt_validate.sh

@@ -12,6 +12,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
 }

hooks/terrascan.sh

@@ -12,6 +12,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
 }

hooks/tfupdate.sh

@@ -12,6 +12,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
 }