weeheavy/pre-commit-opentofu
1
0
Fork 0
forked from github/pre-commit-opentofu
Code Pull requests Activity

Compare commits

base: weeheavy:main
Branches Tags
weeheavy:main
weeheavy:fix/bash3-compat
weeheavy:fix/7
weeheavy:master
weeheavy:feat/rename-terraform-to-tofu
weeheavy:v2.2.0
weeheavy:v2.1.0
weeheavy:v2.0.0
weeheavy:v1.0.4
weeheavy:v1.0.3
weeheavy:v1.0.2
weeheavy:v1.0.1
weeheavy:v1.0.0
..
compare: weeheavy:fix/7
Branches Tags
weeheavy:fix/bash3-compat
weeheavy:main
weeheavy:fix/7
weeheavy:master
weeheavy:feat/rename-terraform-to-tofu
github:main
github:dependabot/github_actions/actions/stale-10.1.0
github:fix/7
github:master
github:feat/rename-terraform-to-tofu
weeheavy:v2.2.0
weeheavy:v2.1.0
weeheavy:v2.0.0
weeheavy:v1.0.4
weeheavy:v1.0.3
weeheavy:v1.0.2
weeheavy:v1.0.1
weeheavy:v1.0.0
github:v1.0.3
github:v1.0.0
github:v1.0.1
github:v1.0.2
github:v1.0.4
github:v2.0.0
github:v2.1.0
github:v2.2.0
github:v2.2.1

No commits in common. "main" and "fix/7" have entirely different histories.
main ... fix/7

12 changed files with 96 additions and 162 deletions
Download patch file Download diff file Expand all files Collapse all files

10
.github/dependabot.yml vendored
View file

@ -1,10 +0,0 @@
---
version: 2
updates:
- package-ecosystem: "github-actions"
directory: /
schedule:
interval: daily
time: "11:00"
commit-message:
prefix: "gh-actions:"

4
.github/workflows/build-image-test.yaml vendored
View file

@ -15,7 +15,7 @@ jobs:
- name: Get changed Dockerfile - name: Get changed Dockerfile
id: changed-files-specific id: changed-files-specific
uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5 uses: tj-actions/changed-files@2c85495a7bb72f2734cb5181e29b2ee5e08e61f7 # v13.1
with: with:
files: | files: |
Dockerfile Dockerfile
@ -52,7 +52,7 @@ jobs:
- name: Dive - check image for waste files - name: Dive - check image for waste files
if: steps.changed-files-specific.outputs.any_changed == 'true' if: steps.changed-files-specific.outputs.any_changed == 'true'
uses: MaxymVlasov/dive-action@b08c8287e603d028c986d7044e83fa76bcca6a65 # v1.5.0 uses: MaxymVlasov/dive-action@0035999cae50d4ef657ac94be84f01812aa192a5 # v0.1.0
with: with:
image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }} image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
config-file: ${{ github.workspace }}/.github/.dive-ci.yaml config-file: ${{ github.workspace }}/.github/.dive-ci.yaml

2
.github/workflows/pr-title.yml vendored
View file

@ -14,7 +14,7 @@ jobs:
steps: steps:
# Please look up the latest version from # Please look up the latest version from
# https://github.com/amannn/action-semantic-pull-request/releases # https://github.com/amannn/action-semantic-pull-request/releases
- uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with: with:

6
.github/workflows/pre-commit.yaml vendored
View file

@ -36,11 +36,11 @@ jobs:
fetch-depth: 0 fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.pull_request.head.sha }}
# Skip tofu_tflint which interferes to commit pre-commit auto-fixes # Skip tofu_tflint which interferes to commit pre-commit auto-fixes
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with: with:
python-version: '3.9' python-version: '3.9'
- name: Execute pre-commit - name: Execute pre-commit
uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99 uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3
env: env:
SKIP: no-commit-to-branch,hadolint SKIP: no-commit-to-branch,hadolint
with: with:
@ -49,7 +49,7 @@ jobs:
# Run only skipped checks # Run only skipped checks
- name: Execute pre-commit check that have no auto-fixes - name: Execute pre-commit check that have no auto-fixes
if: always() if: always()
uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99 uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3
env: env:
SKIP: check-added-large-files,check-merge-conflict,check-vcs-permalinks,forbid-new-submodules,no-commit-to-branch,end-of-file-fixer,trailing-whitespace,check-yaml,check-merge-conflict,check-executables-have-shebangs,check-case-conflict,mixed-line-ending,detect-aws-credentials,detect-private-key,shfmt,shellcheck SKIP: check-added-large-files,check-merge-conflict,check-vcs-permalinks,forbid-new-submodules,no-commit-to-branch,end-of-file-fixer,trailing-whitespace,check-yaml,check-merge-conflict,check-executables-have-shebangs,check-case-conflict,mixed-line-ending,detect-aws-credentials,detect-private-key,shfmt,shellcheck
with: with:

2
.github/workflows/release.yml vendored
View file

@ -24,7 +24,7 @@ jobs:
fetch-depth: 0 fetch-depth: 0
- name: Release - name: Release
uses: cycjimmy/semantic-release-action@0a51e81a6baff2acad3ee88f4121c589c73d0f0e # v4.2.0 uses: cycjimmy/semantic-release-action@61680d0e9b02ff86f5648ade99e01be17f0260a4 # v4.0.0
with: with:
semantic_version: 18.0.0 semantic_version: 18.0.0
extra_plugins: | extra_plugins: |

2
.github/workflows/stale-actions.yaml vendored
View file

@ -7,7 +7,7 @@ jobs:
stale: stale:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
with: with:
repo-token: ${{ secrets.GITHUB_TOKEN }} repo-token: ${{ secrets.GITHUB_TOKEN }}
# Staling issues and PR's # Staling issues and PR's

41
.pre-commit-hooks.yaml
View file

@ -4,7 +4,7 @@
entry: hooks/infracost_breakdown.sh entry: hooks/infracost_breakdown.sh
language: script language: script
require_serial: true require_serial: true
files: \.((tf|tofu)(vars)?|hcl)$ files: \.(tf(vars)?|hcl)$
exclude: \.terraform\/.*$ exclude: \.terraform\/.*$
- id: tofu_fmt - id: tofu_fmt
@ -12,29 +12,25 @@
description: Rewrites all OpenTofu configuration files to a canonical format. description: Rewrites all OpenTofu configuration files to a canonical format.
entry: hooks/tofu_fmt.sh entry: hooks/tofu_fmt.sh
language: script language: script
files: \.(tf|tofu)(vars)?$ files: (\.tf|\.tfvars)$
exclude: \.terraform\/.*$ exclude: \.terraform\/.*$
- id: tofu_docs - id: tofu_docs
name: OpenTofu docs name: OpenTofu docs
description: description: Inserts input and output documentation into README.md (using terraform-docs).
Inserts input and output documentation into README.md (using
terraform-docs).
require_serial: true require_serial: true
entry: hooks/tofu_docs.sh entry: hooks/tofu_docs.sh
language: script language: script
files: (\.(tf|tofu)|\.terraform\.lock\.hcl)$ files: (\.tf|\.terraform\.lock\.hcl)$
exclude: \.terraform\/.*$ exclude: \.terraform\/.*$
- id: tofu_docs_without_aggregate_type_defaults - id: tofu_docs_without_aggregate_type_defaults
name: OpenTofu docs (without aggregate type defaults) name: OpenTofu docs (without aggregate type defaults)
description: description: Inserts input and output documentation into README.md (using terraform-docs). Identical to terraform_docs.
Inserts input and output documentation into README.md (using
terraform-docs). Identical to terraform_docs.
require_serial: true require_serial: true
entry: hooks/tofu_docs.sh entry: hooks/tofu_docs.sh
language: script language: script
files: \.(tf|tofu)$ files: (\.tf)$
exclude: \.terraform\/.*$ exclude: \.terraform\/.*$
- id: tofu_docs_replace - id: tofu_docs_replace
@ -43,7 +39,7 @@
require_serial: true require_serial: true
entry: hooks/tofu_docs_replace.py entry: hooks/tofu_docs_replace.py
language: python language: python
files: \.(tf|tofu)$ files: (\.tf)$
exclude: \.terraform\/.*$ exclude: \.terraform\/.*$
- id: tofu_validate - id: tofu_validate
@ -52,7 +48,7 @@
require_serial: true require_serial: true
entry: hooks/tofu_validate.sh entry: hooks/tofu_validate.sh
language: script language: script
files: \.(tf|tofu)(vars)?$ files: (\.tf|\.tfvars)$
exclude: \.terraform\/.*$ exclude: \.terraform\/.*$
- id: tofu_providers_lock - id: tofu_providers_lock
@ -70,13 +66,12 @@
require_serial: true require_serial: true
entry: hooks/tofu_tflint.sh entry: hooks/tofu_tflint.sh
language: script language: script
files: \.(tf|tofu)(vars)?$ files: (\.tf|\.tfvars)$
exclude: \.terraform\/.*$ exclude: \.terraform\/.*$
- id: terragrunt_fmt - id: terragrunt_fmt
name: Terragrunt fmt name: Terragrunt fmt
description: description: Rewrites all Terragrunt configuration files to a canonical format.
Rewrites all Terragrunt configuration files to a canonical format.
entry: hooks/terragrunt_fmt.sh entry: hooks/terragrunt_fmt.sh
language: script language: script
files: (\.hcl)$ files: (\.hcl)$
@ -92,20 +87,18 @@
- id: tofu_tfsec - id: tofu_tfsec
name: OpenTofu validate with tfsec (deprecated, use "tofu_trivy") name: OpenTofu validate with tfsec (deprecated, use "tofu_trivy")
description: description: Static analysis of OpenTofu templates to spot potential security issues.
Static analysis of OpenTofu templates to spot potential security issues.
require_serial: true require_serial: true
entry: hooks/tofu_tfsec.sh entry: hooks/tofu_tfsec.sh
files: \.(tf|tofu)(vars)?$ files: \.tf(vars)?$
language: script language: script
- id: tofu_trivy - id: tofu_trivy
name: OpenTofu validate with trivy name: OpenTofu validate with trivy
description: description: Static analysis of OpenTofu templates to spot potential security issues.
Static analysis of OpenTofu templates to spot potential security issues.
require_serial: true require_serial: true
entry: hooks/tofu_trivy.sh entry: hooks/tofu_trivy.sh
files: \.(tf|tofu)(vars)?$ files: \.tf(vars)?$
language: script language: script
- id: checkov - id: checkov
@ -125,7 +118,7 @@
entry: hooks/tofu_checkov.sh entry: hooks/tofu_checkov.sh
language: script language: script
always_run: false always_run: false
files: \.(tf|tofu)$ files: \.tf$
exclude: \.terraform\/.*$ exclude: \.terraform\/.*$
require_serial: true require_serial: true
@ -145,7 +138,7 @@
description: Runs terrascan on OpenTofu templates. description: Runs terrascan on OpenTofu templates.
language: script language: script
entry: hooks/terrascan.sh entry: hooks/terrascan.sh
files: \.(tf|tofu)$ files: \.tf$
exclude: \.terraform\/.*$ exclude: \.terraform\/.*$
require_serial: true require_serial: true
@ -156,5 +149,5 @@
entry: hooks/tfupdate.sh entry: hooks/tfupdate.sh
args: args:
- --args=terraform - --args=terraform
files: \.(tf|tofu)$ files: \.tf$
require_serial: true require_serial: true

36
CHANGELOG.md
View file

@ -2,42 +2,6 @@
All notable changes to this project will be documented in this file. All notable changes to this project will be documented in this file.
# [2.2.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.1.0...v2.2.0) (2025-03-29)
### Features
* make release ([e625db1](https://github.com/tofuutils/pre-commit-opentofu/commit/e625db13ec285e132f43cdf6e5aa3f3272e45451))
# [2.1.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.0.0...v2.1.0) (2024-10-16)
### Features
* spport .tofu files ([#6](https://github.com/tofuutils/pre-commit-opentofu/issues/6)) ([e059c58](https://github.com/tofuutils/pre-commit-opentofu/commit/e059c5859bceddf1ca018f55851f6940ad51f1c2))
# [2.0.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.4...v2.0.0) (2024-09-25)
### Features
* **tofu:** add handling for missing tofu binary in Docker image This commit introduces logic to gracefully handle the case when the tofu binary is not found in the Docker image, improving the overall user experience. BREAKING CHANGE: The previous behavior of the application when the tofu binary was missing may have caused unexpected crashes. ([14fc63e](https://github.com/tofuutils/pre-commit-opentofu/commit/14fc63eb5b04e3ad1525d06e437b15935841775f))
### BREAKING CHANGES
* **tofu:** The previous behavior of the application when the tofu binary was missing may have caused unexpected crashes."
## [1.0.4](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.3...v1.0.4) (2024-09-21)
### Bug Fixes
* docker image reference in README.md ([7b04f0c](https://github.com/tofuutils/pre-commit-opentofu/commit/7b04f0c24940f1642c8f599bfd0794dd46b0b274))
* docker image reference in README.md ([f9b71fe](https://github.com/tofuutils/pre-commit-opentofu/commit/f9b71fe08fedd4ceb23ced6fe2171edf24add290))
* dockerhub ([0fac591](https://github.com/tofuutils/pre-commit-opentofu/commit/0fac59197f2f2cb4bc417917e5adb6ac92a20b7a))
* entry for tofu_docs_replace ([f146463](https://github.com/tofuutils/pre-commit-opentofu/commit/f146463ac8effcfa441f3f6b21e811095f0da73c))
## [1.0.2](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.1...v1.0.2) (2024-03-08) ## [1.0.2](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.1...v1.0.2) (2024-03-08)

108
Dockerfile
View file

@ -10,22 +10,22 @@ RUN apk add --no-cache \
curl=~8 && \ curl=~8 && \
# Upgrade packages for be able get latest Checkov # Upgrade packages for be able get latest Checkov
python3 -m pip install --no-cache-dir --upgrade \ python3 -m pip install --no-cache-dir --upgrade \
pip \ pip \
setuptools setuptools
ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest} ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest}
ARG TOFU_VERSION=${TOFU_VERSION:-1.9.0} ARG TOFU_VERSION=${TOFU_VERSION:-1.6.1}
# Install pre-commit # Install pre-commit
RUN [ ${PRE_COMMIT_VERSION} = "latest" ] && pip3 install --no-cache-dir pre-commit \ RUN [ ${PRE_COMMIT_VERSION} = "latest" ] && pip3 install --no-cache-dir pre-commit \
|| pip3 install --no-cache-dir pre-commit==${PRE_COMMIT_VERSION} || pip3 install --no-cache-dir pre-commit==${PRE_COMMIT_VERSION}
RUN curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \ RUN curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \
&& curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_SHA256SUMS \ && curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_SHA256SUMS \
&& [ $(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ') = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \ && [ $(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ') = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \
&& unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip -d /usr/bin/ \ && unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \
&& rm "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" \ && mv tofu /usr/bin/tofu
&& rm "tofu_${TOFU_VERSION}_SHA256SUMS"
# #
# Install tools # Install tools
@ -47,18 +47,18 @@ ARG HCLEDIT_VERSION=${HCLEDIT_VERSION:-false}
# specified in step below # specified in step below
ARG INSTALL_ALL=${INSTALL_ALL:-false} ARG INSTALL_ALL=${INSTALL_ALL:-false}
RUN if [ "$INSTALL_ALL" != "false" ]; then \ RUN if [ "$INSTALL_ALL" != "false" ]; then \
echo "export CHECKOV_VERSION=latest" >> /.env && \ echo "export CHECKOV_VERSION=latest" >> /.env && \
echo "export INFRACOST_VERSION=latest" >> /.env && \ echo "export INFRACOST_VERSION=latest" >> /.env && \
echo "export TERRAFORM_DOCS_VERSION=latest" >> /.env && \ echo "export TERRAFORM_DOCS_VERSION=latest" >> /.env && \
echo "export TERRAGRUNT_VERSION=latest" >> /.env && \ echo "export TERRAGRUNT_VERSION=latest" >> /.env && \
echo "export TERRASCAN_VERSION=latest" >> /.env && \ echo "export TERRASCAN_VERSION=latest" >> /.env && \
echo "export TFLINT_VERSION=latest" >> /.env && \ echo "export TFLINT_VERSION=latest" >> /.env && \
echo "export TFSEC_VERSION=latest" >> /.env && \ echo "export TFSEC_VERSION=latest" >> /.env && \
echo "export TRIVY_VERSION=latest" >> /.env && \ echo "export TRIVY_VERSION=latest" >> /.env && \
echo "export TFUPDATE_VERSION=latest" >> /.env && \ echo "export TFUPDATE_VERSION=latest" >> /.env && \
echo "export HCLEDIT_VERSION=latest" >> /.env \ echo "export HCLEDIT_VERSION=latest" >> /.env \
; else \ ; else \
touch /.env \ touch /.env \
; fi ; fi
@ -66,10 +66,10 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
RUN . /.env && \ RUN . /.env && \
if [ "$CHECKOV_VERSION" != "false" ]; then \ if [ "$CHECKOV_VERSION" != "false" ]; then \
( \ ( \
apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \ apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
[ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \ [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
|| pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \ || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
apk del gcc libffi-dev musl-dev \ apk del gcc libffi-dev musl-dev \
) \ ) \
; fi ; fi
@ -77,9 +77,9 @@ RUN . /.env && \
RUN . /.env && \ RUN . /.env && \
if [ "$INFRACOST_VERSION" != "false" ]; then \ if [ "$INFRACOST_VERSION" != "false" ]; then \
( \ ( \
INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" && \ INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" && \
[ "$INFRACOST_VERSION" = "latest" ] && curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \ [ "$INFRACOST_VERSION" = "latest" ] && curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \
|| curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \ || curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \
) && tar -xzf infracost.tgz && rm infracost.tgz && mv infracost-${TARGETOS}-${TARGETARCH} infracost \ ) && tar -xzf infracost.tgz && rm infracost.tgz && mv infracost-${TARGETOS}-${TARGETARCH} infracost \
; fi ; fi
@ -87,9 +87,9 @@ RUN . /.env && \
RUN . /.env && \ RUN . /.env && \
if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then \ if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then \
( \ ( \
TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \ TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \
[ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \ [ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \
|| curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \ || curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \
) && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs \ ) && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs \
; fi ; fi
@ -97,9 +97,9 @@ RUN . /.env && \
RUN . /.env \ RUN . /.env \
&& if [ "$TERRAGRUNT_VERSION" != "false" ]; then \ && if [ "$TERRAGRUNT_VERSION" != "false" ]; then \
( \ ( \
TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \ TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \
[ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \ [ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \
|| curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \ || curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \
) && chmod +x terragrunt \ ) && chmod +x terragrunt \
; fi ; fi
@ -111,9 +111,9 @@ RUN . /.env && \
# Convert the first letter to Uppercase # Convert the first letter to Uppercase
OS="$(echo ${TARGETOS} | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n; echo ${TARGETOS} | cut -c2-)"; \ OS="$(echo ${TARGETOS} | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n; echo ${TARGETOS} | cut -c2-)"; \
( \ ( \
TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" && \ TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" && \
[ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \ [ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \
|| curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \ || curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \
) && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && \ ) && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && \
./terrascan init \ ./terrascan init \
; fi ; fi
@ -122,9 +122,9 @@ RUN . /.env && \
RUN . /.env && \ RUN . /.env && \
if [ "$TFLINT_VERSION" != "false" ]; then \ if [ "$TFLINT_VERSION" != "false" ]; then \
( \ ( \
TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \ TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \
[ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \ [ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \
|| curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \ || curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \
) && unzip tflint.zip && rm tflint.zip \ ) && unzip tflint.zip && rm tflint.zip \
; fi ; fi
@ -132,9 +132,9 @@ RUN . /.env && \
RUN . /.env && \ RUN . /.env && \
if [ "$TFSEC_VERSION" != "false" ]; then \ if [ "$TFSEC_VERSION" != "false" ]; then \
( \ ( \
TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \ TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \
[ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \ [ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \
|| curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \ || curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \
) && chmod +x tfsec \ ) && chmod +x tfsec \
; fi ; fi
@ -143,9 +143,9 @@ RUN . /.env && \
if [ "$TRIVY_VERSION" != "false" ]; then \ if [ "$TRIVY_VERSION" != "false" ]; then \
if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="64bit"; fi; \ if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="64bit"; fi; \
( \ ( \
TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" && \ TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" && \
[ "$TRIVY_VERSION" = "latest" ] && curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \ [ "$TRIVY_VERSION" = "latest" ] && curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \
|| curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \ || curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \
) && tar -xzf trivy.tar.gz trivy && rm trivy.tar.gz \ ) && tar -xzf trivy.tar.gz trivy && rm trivy.tar.gz \
; fi ; fi
@ -153,9 +153,9 @@ RUN . /.env && \
RUN . /.env && \ RUN . /.env && \
if [ "$TFUPDATE_VERSION" != "false" ]; then \ if [ "$TFUPDATE_VERSION" != "false" ]; then \
( \ ( \
TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" && \ TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" && \
[ "$TFUPDATE_VERSION" = "latest" ] && curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \ [ "$TFUPDATE_VERSION" = "latest" ] && curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \
|| curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \ || curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \
) && tar -xzf tfupdate.tgz tfupdate && rm tfupdate.tgz \ ) && tar -xzf tfupdate.tgz tfupdate && rm tfupdate.tgz \
; fi ; fi
@ -163,9 +163,9 @@ RUN . /.env && \
RUN . /.env && \ RUN . /.env && \
if [ "$HCLEDIT_VERSION" != "false" ]; then \ if [ "$HCLEDIT_VERSION" != "false" ]; then \
( \ ( \
HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" && \ HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" && \
[ "$HCLEDIT_VERSION" = "latest" ] && curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \ [ "$HCLEDIT_VERSION" = "latest" ] && curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \
|| curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \ || curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \
) && tar -xzf hcledit.tgz hcledit && rm hcledit.tgz \ ) && tar -xzf hcledit.tgz hcledit && rm hcledit.tgz \
; fi ; fi
@ -208,9 +208,8 @@ COPY --from=builder \
/usr/local/bin/pre-commit \ /usr/local/bin/pre-commit \
# Hooks and terraform binaries # Hooks and terraform binaries
/bin_dir/ \ /bin_dir/ \
/usr/bin/tofu \
/usr/local/bin/checkov* \ /usr/local/bin/checkov* \
/usr/bin/ /usr/bin/
# Copy pre-commit packages # Copy pre-commit packages
COPY --from=builder /usr/local/lib/python3.12/site-packages/ /usr/local/lib/python3.12/site-packages/ COPY --from=builder /usr/local/lib/python3.12/site-packages/ /usr/local/lib/python3.12/site-packages/
# Copy terrascan policies # Copy terrascan policies
@ -218,10 +217,10 @@ COPY --from=builder /root/ /root/
# Install hooks extra deps # Install hooks extra deps
RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \ RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
apk add --no-cache perl=~5 \ apk add --no-cache perl=~5 \
; fi && \ ; fi && \
if [ "$(grep -o '^infracost SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \ if [ "$(grep -o '^infracost SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
apk add --no-cache jq=~1 \ apk add --no-cache jq=~1 \
; fi && \ ; fi && \
# Fix git runtime fatal: # Fix git runtime fatal:
# unsafe repository ('/lint' is owned by someone else) # unsafe repository ('/lint' is owned by someone else)
@ -235,4 +234,3 @@ ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-}
ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false} ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false}
ENTRYPOINT [ "/entrypoint.sh" ] ENTRYPOINT [ "/entrypoint.sh" ]

2
hooks/tofu_docs.sh
View file

@ -155,7 +155,7 @@ function tofu_docs {
# #
if $create_if_not_exist && [[ ! -f "$text_file" ]]; then if $create_if_not_exist && [[ ! -f "$text_file" ]]; then
dir_have_tf_files="$( dir_have_tf_files="$(
find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tofu|^tf$|^tfvars$' || find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tf$|^tfvars$' ||
exit 0 exit 0
)" )"

41
hooks/tofu_docs_replace.py
View file

@ -7,41 +7,30 @@ import sys
def main(argv=None): def main(argv=None):
parser = argparse.ArgumentParser( parser = argparse.ArgumentParser(
description="""Run terraform-docs on a set of files. Follows the standard convention of description="""Run terraform-docs on a set of files. Follows the standard convention of
pulling the documentation from main.(tf|tofu) in order to replace the entire pulling the documentation from main.tf in order to replace the entire
README.md file each time.""" README.md file each time."""
) )
parser.add_argument( parser.add_argument(
"--dest", '--dest', dest='dest', default='README.md',
dest="dest",
default="README.md",
) )
parser.add_argument( parser.add_argument(
"--sort-inputs-by-required", '--sort-inputs-by-required', dest='sort', action='store_true',
dest="sort", help='[deprecated] use --sort-by-required instead',
action="store_true",
help="[deprecated] use --sort-by-required instead",
) )
parser.add_argument( parser.add_argument(
"--sort-by-required", '--sort-by-required', dest='sort', action='store_true',
dest="sort",
action="store_true",
) )
parser.add_argument( parser.add_argument(
"--with-aggregate-type-defaults", '--with-aggregate-type-defaults', dest='aggregate', action='store_true',
dest="aggregate", help='[deprecated]',
action="store_true",
help="[deprecated]",
) )
parser.add_argument("filenames", nargs="*", help="Filenames to check.") parser.add_argument('filenames', nargs='*', help='Filenames to check.')
args = parser.parse_args(argv) args = parser.parse_args(argv)
dirs = [] dirs = []
for filename in args.filenames: for filename in args.filenames:
if os.path.realpath(filename) not in dirs and ( if (os.path.realpath(filename) not in dirs and
filename.endswith(".tf") (filename.endswith(".tf") or filename.endswith(".tfvars"))):
or filename.endswith(".tofu")
or filename.endswith(".tfvars")
):
dirs.append(os.path.dirname(filename)) dirs.append(os.path.dirname(filename))
retval = 0 retval = 0
@ -49,12 +38,12 @@ def main(argv=None):
for dir in dirs: for dir in dirs:
try: try:
procArgs = [] procArgs = []
procArgs.append("terraform-docs") procArgs.append('terraform-docs')
if args.sort: if args.sort:
procArgs.append("--sort-by-required") procArgs.append('--sort-by-required')
procArgs.append("md") procArgs.append('md')
procArgs.append("./{dir}".format(dir=dir)) procArgs.append("./{dir}".format(dir=dir))
procArgs.append(">") procArgs.append('>')
procArgs.append("./{dir}/{dest}".format(dir=dir, dest=args.dest)) procArgs.append("./{dir}/{dest}".format(dir=dir, dest=args.dest))
subprocess.check_call(" ".join(procArgs), shell=True) subprocess.check_call(" ".join(procArgs), shell=True)
except subprocess.CalledProcessError as e: except subprocess.CalledProcessError as e:
@ -63,5 +52,5 @@ def main(argv=None):
return retval return retval
if __name__ == "__main__": if __name__ == '__main__':
sys.exit(main()) sys.exit(main())

4
hooks/tofu_wrapper_module_for_each.sh
View file

@ -312,10 +312,10 @@ EOF
# Read content of all OpenTofu files # Read content of all OpenTofu files
# shellcheck disable=SC2207 # shellcheck disable=SC2207
all_tf_content=$(find "${full_module_dir}" -regex '.*\.(tf|tofu)' -maxdepth 1 -type f -exec cat {} +) all_tf_content=$(find "${full_module_dir}" -name '*.tf' -maxdepth 1 -type f -exec cat {} +)
if [[ ! $all_tf_content ]]; then if [[ ! $all_tf_content ]]; then
common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.(tf|tofu) files." common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.tf files."
continue continue
fi fi