weeheavy/pre-commit-opentofu
1
0
Fork 0
forked from github/pre-commit-opentofu
Code Pull requests Activity

Compare commits

base: weeheavy:main
Branches Tags
weeheavy:main
weeheavy:fix/bash3-compat
weeheavy:fix/7
weeheavy:master
weeheavy:feat/rename-terraform-to-tofu
weeheavy:v2.2.0
weeheavy:v2.1.0
weeheavy:v2.0.0
weeheavy:v1.0.4
weeheavy:v1.0.3
weeheavy:v1.0.2
weeheavy:v1.0.1
weeheavy:v1.0.0
..
compare: weeheavy:master
Branches Tags
weeheavy:fix/bash3-compat
weeheavy:main
weeheavy:fix/7
weeheavy:master
weeheavy:feat/rename-terraform-to-tofu
github:main
github:dependabot/github_actions/actions/stale-10.1.0
github:fix/7
github:master
github:feat/rename-terraform-to-tofu
weeheavy:v2.2.0
weeheavy:v2.1.0
weeheavy:v2.0.0
weeheavy:v1.0.4
weeheavy:v1.0.3
weeheavy:v1.0.2
weeheavy:v1.0.1
weeheavy:v1.0.0
github:v1.0.3
github:v1.0.0
github:v1.0.1
github:v1.0.2
github:v1.0.4
github:v2.0.0
github:v2.1.0
github:v2.2.0
github:v2.2.1

No commits in common. "main" and "master" have entirely different histories.
main ... master

22 changed files with 387 additions and 299 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/.container-structure-test-config.yaml vendored
View file

@ -11,7 +11,7 @@ commandTests:
expectedOutput: ["^pre-commit ([0-9]+\\.){2}[0-9]+\\n$"]
- name: "tofu"
command: "tofu"
command: "terrtofuaform"
args: ["-version"]
expectedOutput: ["^OpenTofu v([0-9]+\\.){2}[0-9]+\\non linux_amd64\\n$"]

13
.github/.dive-ci.yaml vendored Normal file
View file

@ -0,0 +1,13 @@
rules:
# If the efficiency is measured below X%, mark as failed.
# Expressed as a ratio between 0-1.
lowestEfficiency: 0.981
# If the amount of wasted space is at least X or larger than X, mark as failed.
# Expressed in B, KB, MB, and GB.
highestWastedBytes: 32MB
# If the amount of wasted space makes up for X% or more of the image, mark as failed.
# Note: the base image layer is NOT included in the total image size.
# Expressed as a ratio between 0-1; fails if the threshold is met or crossed.
highestUserWastedPercent: 0.036

2
.github/CODEOWNERS vendored
View file

@ -1 +1 @@
* @Nmishin @anastasiiakozlova245 @kvendingoldo
* @maxymvlasov @yermulnik

0
.github/ISSUE_TEMPLATE/custom.md vendored
View file

10
.github/dependabot.yml vendored
View file

@ -1,10 +0,0 @@
---
version: 2
updates:
- package-ecosystem: "github-actions"
directory: /
schedule:
interval: daily
time: "11:00"
commit-message:
prefix: "gh-actions:"

4
.github/workflows/build-image-test.yaml vendored
View file

@ -15,7 +15,7 @@ jobs:
- name: Get changed Dockerfile
id: changed-files-specific
uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
uses: tj-actions/changed-files@2c85495a7bb72f2734cb5181e29b2ee5e08e61f7 # v13.1
with:
files: |
Dockerfile
@ -52,7 +52,7 @@ jobs:
- name: Dive - check image for waste files
if: steps.changed-files-specific.outputs.any_changed == 'true'
uses: MaxymVlasov/dive-action@b08c8287e603d028c986d7044e83fa76bcca6a65 # v1.5.0
uses: MaxymVlasov/dive-action@0035999cae50d4ef657ac94be84f01812aa192a5 # v0.1.0
with:
image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
config-file: ${{ github.workspace }}/.github/.dive-ci.yaml

60
.github/workflows/build-image.yaml vendored
View file

@ -13,28 +13,27 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to ghcr.io
uses: docker/login-action@v3
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Login to GitHub Container Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set tag for image
run: |
echo IMAGE_TAG=$([ ${{ github.ref_type }} == 'tag' ] && echo ${{ github.ref_name }} || echo 'latest') >> $GITHUB_ENV
- name: Build and Push release to ghcr.io
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Build and Push release
if: github.event_name != 'schedule'
uses: docker/build-push-action@v5
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
context: .
build-args: |
@ -49,9 +48,9 @@ jobs:
secrets: |
"github_token=${{ secrets.GITHUB_TOKEN }}"
- name: Build and Push nightly to ghcr.io
- name: Build and Push nightly
if: github.event_name == 'schedule'
uses: docker/build-push-action@v5
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
context: .
build-args: |
@ -64,38 +63,3 @@ jobs:
provenance: false
secrets: |
"github_token=${{ secrets.GITHUB_TOKEN }}"
- name: Login to DockerHub Container Registry
uses: docker/login-action@v3
with:
registry: registry.hub.docker.com
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Build and Push release to DockerHub
if: github.event_name != 'schedule'
uses: docker/build-push-action@v5
with:
context: .
build-args: |
INSTALL_ALL=true
platforms: linux/amd64,linux/arm64
push: true
tags: |
registry.hub.docker.com/tofuutils/pre-commit-opentofu:${{ env.IMAGE_TAG }}
registry.hub.docker.com/tofuutils/pre-commit-opentofu:latest
provenance: false
- name: Build and Push nightly to DockerHub
if: github.event_name == 'schedule'
uses: docker/build-push-action@v5
with:
context: .
build-args: |
INSTALL_ALL=true
platforms: linux/amd64,linux/arm64
push: true
tags: |
registry.hub.docker.com/tofuutils/pre-commit-opentofu:nightly
provenance: false

2
.github/workflows/pr-title.yml vendored
View file

@ -14,7 +14,7 @@ jobs:
steps:
# Please look up the latest version from
# https://github.com/amannn/action-semantic-pull-request/releases
- uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
- uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:

6
.github/workflows/pre-commit.yaml vendored
View file

@ -36,11 +36,11 @@ jobs:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
# Skip tofu_tflint which interferes to commit pre-commit auto-fixes
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: '3.9'
- name: Execute pre-commit
uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99
uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3
env:
SKIP: no-commit-to-branch,hadolint
with:
@ -49,7 +49,7 @@ jobs:
# Run only skipped checks
- name: Execute pre-commit check that have no auto-fixes
if: always()
uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99
uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3
env:
SKIP: check-added-large-files,check-merge-conflict,check-vcs-permalinks,forbid-new-submodules,no-commit-to-branch,end-of-file-fixer,trailing-whitespace,check-yaml,check-merge-conflict,check-executables-have-shebangs,check-case-conflict,mixed-line-ending,detect-aws-credentials,detect-private-key,shfmt,shellcheck
with:

4
.github/workflows/release.yml vendored
View file

@ -4,7 +4,7 @@ on:
workflow_dispatch:
push:
branches:
- main
- master
paths:
- '**/*.py'
- '**/*.sh'
@ -24,7 +24,7 @@ jobs:
fetch-depth: 0
- name: Release
uses: cycjimmy/semantic-release-action@0a51e81a6baff2acad3ee88f4121c589c73d0f0e # v4.2.0
uses: cycjimmy/semantic-release-action@61680d0e9b02ff86f5648ade99e01be17f0260a4 # v4.0.0
with:
semantic_version: 18.0.0
extra_plugins: |

2
.github/workflows/stale-actions.yaml vendored
View file

@ -7,7 +7,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
- uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
# Staling issues and PR's

43
.pre-commit-hooks.yaml
View file

@ -4,7 +4,7 @@
entry: hooks/infracost_breakdown.sh
language: script
require_serial: true
files: \.((tf|tofu)(vars)?|hcl)$
files: \.(tf(vars)?|hcl)$
exclude: \.terraform\/.*$
- id: tofu_fmt
@ -12,38 +12,34 @@
description: Rewrites all OpenTofu configuration files to a canonical format.
entry: hooks/tofu_fmt.sh
language: script
files: \.(tf|tofu)(vars)?$
files: (\.tf|\.tfvars)$
exclude: \.terraform\/.*$
- id: tofu_docs
name: OpenTofu docs
description:
Inserts input and output documentation into README.md (using
terraform-docs).
description: Inserts input and output documentation into README.md (using terraform-docs).
require_serial: true
entry: hooks/tofu_docs.sh
language: script
files: (\.(tf|tofu)|\.terraform\.lock\.hcl)$
files: (\.tf|\.terraform\.lock\.hcl)$
exclude: \.terraform\/.*$
- id: tofu_docs_without_aggregate_type_defaults
name: OpenTofu docs (without aggregate type defaults)
description:
Inserts input and output documentation into README.md (using
terraform-docs). Identical to terraform_docs.
description: Inserts input and output documentation into README.md (using terraform-docs). Identical to terraform_docs.
require_serial: true
entry: hooks/tofu_docs.sh
language: script
files: \.(tf|tofu)$
files: (\.tf)$
exclude: \.terraform\/.*$
- id: tofu_docs_replace
name: OpenTofu docs (overwrite README.md)
description: Overwrite content of README.md with terraform-docs.
require_serial: true
entry: hooks/tofu_docs_replace.py
entry: terraform_docs_replace
language: python
files: \.(tf|tofu)$
files: (\.tf)$
exclude: \.terraform\/.*$
- id: tofu_validate
@ -52,7 +48,7 @@
require_serial: true
entry: hooks/tofu_validate.sh
language: script
files: \.(tf|tofu)(vars)?$
files: (\.tf|\.tfvars)$
exclude: \.terraform\/.*$
- id: tofu_providers_lock
@ -70,13 +66,12 @@
require_serial: true
entry: hooks/tofu_tflint.sh
language: script
files: \.(tf|tofu)(vars)?$
files: (\.tf|\.tfvars)$
exclude: \.terraform\/.*$
- id: terragrunt_fmt
name: Terragrunt fmt
description:
Rewrites all Terragrunt configuration files to a canonical format.
description: Rewrites all Terragrunt configuration files to a canonical format.
entry: hooks/terragrunt_fmt.sh
language: script
files: (\.hcl)$
@ -92,20 +87,18 @@
- id: tofu_tfsec
name: OpenTofu validate with tfsec (deprecated, use "tofu_trivy")
description:
Static analysis of OpenTofu templates to spot potential security issues.
description: Static analysis of OpenTofu templates to spot potential security issues.
require_serial: true
entry: hooks/tofu_tfsec.sh
files: \.(tf|tofu)(vars)?$
files: \.tf(vars)?$
language: script
- id: tofu_trivy
name: OpenTofu validate with trivy
description:
Static analysis of OpenTofu templates to spot potential security issues.
description: Static analysis of OpenTofu templates to spot potential security issues.
require_serial: true
entry: hooks/tofu_trivy.sh
files: \.(tf|tofu)(vars)?$
files: \.tf(vars)?$
language: script
- id: checkov
@ -125,7 +118,7 @@
entry: hooks/tofu_checkov.sh
language: script
always_run: false
files: \.(tf|tofu)$
files: \.tf$
exclude: \.terraform\/.*$
require_serial: true
@ -145,7 +138,7 @@
description: Runs terrascan on OpenTofu templates.
language: script
entry: hooks/terrascan.sh
files: \.(tf|tofu)$
files: \.tf$
exclude: \.terraform\/.*$
require_serial: true
@ -156,5 +149,5 @@
entry: hooks/tfupdate.sh
args:
- --args=terraform
files: \.(tf|tofu)$
files: \.tf$
require_serial: true

52
CHANGELOG.md
View file

@ -2,59 +2,9 @@
All notable changes to this project will be documented in this file.
# [2.2.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.1.0...v2.2.0) (2025-03-29)
### Features
* make release ([e625db1](https://github.com/tofuutils/pre-commit-opentofu/commit/e625db13ec285e132f43cdf6e5aa3f3272e45451))
# [2.1.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.0.0...v2.1.0) (2024-10-16)
### Features
* spport .tofu files ([#6](https://github.com/tofuutils/pre-commit-opentofu/issues/6)) ([e059c58](https://github.com/tofuutils/pre-commit-opentofu/commit/e059c5859bceddf1ca018f55851f6940ad51f1c2))
# [2.0.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.4...v2.0.0) (2024-09-25)
### Features
* **tofu:** add handling for missing tofu binary in Docker image This commit introduces logic to gracefully handle the case when the tofu binary is not found in the Docker image, improving the overall user experience. BREAKING CHANGE: The previous behavior of the application when the tofu binary was missing may have caused unexpected crashes. ([14fc63e](https://github.com/tofuutils/pre-commit-opentofu/commit/14fc63eb5b04e3ad1525d06e437b15935841775f))
### BREAKING CHANGES
* **tofu:** The previous behavior of the application when the tofu binary was missing may have caused unexpected crashes."
## [1.0.4](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.3...v1.0.4) (2024-09-21)
### Bug Fixes
* docker image reference in README.md ([7b04f0c](https://github.com/tofuutils/pre-commit-opentofu/commit/7b04f0c24940f1642c8f599bfd0794dd46b0b274))
* docker image reference in README.md ([f9b71fe](https://github.com/tofuutils/pre-commit-opentofu/commit/f9b71fe08fedd4ceb23ced6fe2171edf24add290))
* dockerhub ([0fac591](https://github.com/tofuutils/pre-commit-opentofu/commit/0fac59197f2f2cb4bc417917e5adb6ac92a20b7a))
* entry for tofu_docs_replace ([f146463](https://github.com/tofuutils/pre-commit-opentofu/commit/f146463ac8effcfa441f3f6b21e811095f0da73c))
## [1.0.2](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.1...v1.0.2) (2024-03-08)
### Bug Fixes
* remove obsolete terraform checks and awk file hack ([97cba7a](https://github.com/tofuutils/pre-commit-opentofu/commit/97cba7a646996c7cae3719f1b6241d47da5882d9))
## [1.0.1](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.0...v1.0.1) (2024-03-07)
### Bug Fixes
* dockerfile ([65b197c](https://github.com/tofuutils/pre-commit-opentofu/commit/65b197c841dc10aa772c7fc2594a213a9158d2f4))
# [1.0.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.0) (2023-12-21)
### Features
* TODO
* TODO

110
Dockerfile
View file

@ -10,22 +10,22 @@ RUN apk add --no-cache \
curl=~8 && \
# Upgrade packages for be able get latest Checkov
python3 -m pip install --no-cache-dir --upgrade \
pip \
setuptools
pip \
setuptools
ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest}
ARG TOFU_VERSION=${TOFU_VERSION:-1.9.0}
ARG TOFU_VERSION=${TOFU_VERSION:-latest}
# Install pre-commit
RUN [ ${PRE_COMMIT_VERSION} = "latest" ] && pip3 install --no-cache-dir pre-commit \
|| pip3 install --no-cache-dir pre-commit==${PRE_COMMIT_VERSION}
RUN curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \
&& curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_SHA256SUMS \
&& [ $(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ') = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \
&& unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip -d /usr/bin/ \
&& rm "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" \
&& rm "tofu_${TOFU_VERSION}_SHA256SUMS"
# TODO Install OpenTofu because pre-commit needs it
RUN if [ "${TOFU_VERSION}" = "latest" ]; then \
TOFU_VERSION="$(curl -s https://api.github.com/repos/hashicorp/terraform/releases/latest | grep tag_name | grep -o -E -m 1 "[0-9.]+")" \
; fi && \
curl -L "https://releases.hashicorp.com/terraform/${TOFU_VERSION}/terraform_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" > terraform.zip && \
unzip terraform.zip terraform && rm terraform.zip
#
# Install tools
@ -47,18 +47,18 @@ ARG HCLEDIT_VERSION=${HCLEDIT_VERSION:-false}
# specified in step below
ARG INSTALL_ALL=${INSTALL_ALL:-false}
RUN if [ "$INSTALL_ALL" != "false" ]; then \
echo "export CHECKOV_VERSION=latest" >> /.env && \
echo "export INFRACOST_VERSION=latest" >> /.env && \
echo "export TERRAFORM_DOCS_VERSION=latest" >> /.env && \
echo "export TERRAGRUNT_VERSION=latest" >> /.env && \
echo "export TERRASCAN_VERSION=latest" >> /.env && \
echo "export TFLINT_VERSION=latest" >> /.env && \
echo "export TFSEC_VERSION=latest" >> /.env && \
echo "export TRIVY_VERSION=latest" >> /.env && \
echo "export TFUPDATE_VERSION=latest" >> /.env && \
echo "export HCLEDIT_VERSION=latest" >> /.env \
echo "export CHECKOV_VERSION=latest" >> /.env && \
echo "export INFRACOST_VERSION=latest" >> /.env && \
echo "export TERRAFORM_DOCS_VERSION=latest" >> /.env && \
echo "export TERRAGRUNT_VERSION=latest" >> /.env && \
echo "export TERRASCAN_VERSION=latest" >> /.env && \
echo "export TFLINT_VERSION=latest" >> /.env && \
echo "export TFSEC_VERSION=latest" >> /.env && \
echo "export TRIVY_VERSION=latest" >> /.env && \
echo "export TFUPDATE_VERSION=latest" >> /.env && \
echo "export HCLEDIT_VERSION=latest" >> /.env \
; else \
touch /.env \
touch /.env \
; fi
@ -66,10 +66,10 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
RUN . /.env && \
if [ "$CHECKOV_VERSION" != "false" ]; then \
( \
apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
[ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
|| pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
apk del gcc libffi-dev musl-dev \
apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
[ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
|| pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
apk del gcc libffi-dev musl-dev \
) \
; fi
@ -77,9 +77,9 @@ RUN . /.env && \
RUN . /.env && \
if [ "$INFRACOST_VERSION" != "false" ]; then \
( \
INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" && \
[ "$INFRACOST_VERSION" = "latest" ] && curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \
|| curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \
INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" && \
[ "$INFRACOST_VERSION" = "latest" ] && curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \
|| curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \
) && tar -xzf infracost.tgz && rm infracost.tgz && mv infracost-${TARGETOS}-${TARGETARCH} infracost \
; fi
@ -87,9 +87,9 @@ RUN . /.env && \
RUN . /.env && \
if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then \
( \
TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \
[ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \
|| curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \
TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \
[ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \
|| curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \
) && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs \
; fi
@ -97,9 +97,9 @@ RUN . /.env && \
RUN . /.env \
&& if [ "$TERRAGRUNT_VERSION" != "false" ]; then \
( \
TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \
[ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \
|| curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \
TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \
[ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \
|| curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \
) && chmod +x terragrunt \
; fi
@ -111,9 +111,9 @@ RUN . /.env && \
# Convert the first letter to Uppercase
OS="$(echo ${TARGETOS} | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n; echo ${TARGETOS} | cut -c2-)"; \
( \
TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" && \
[ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \
|| curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \
TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" && \
[ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \
|| curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \
) && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && \
./terrascan init \
; fi
@ -122,9 +122,9 @@ RUN . /.env && \
RUN . /.env && \
if [ "$TFLINT_VERSION" != "false" ]; then \
( \
TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \
[ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \
|| curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \
TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \
[ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \
|| curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \
) && unzip tflint.zip && rm tflint.zip \
; fi
@ -132,9 +132,9 @@ RUN . /.env && \
RUN . /.env && \
if [ "$TFSEC_VERSION" != "false" ]; then \
( \
TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \
[ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \
|| curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \
TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \
[ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \
|| curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \
) && chmod +x tfsec \
; fi
@ -143,9 +143,9 @@ RUN . /.env && \
if [ "$TRIVY_VERSION" != "false" ]; then \
if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="64bit"; fi; \
( \
TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" && \
[ "$TRIVY_VERSION" = "latest" ] && curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \
|| curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \
TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" && \
[ "$TRIVY_VERSION" = "latest" ] && curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \
|| curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \
) && tar -xzf trivy.tar.gz trivy && rm trivy.tar.gz \
; fi
@ -153,9 +153,9 @@ RUN . /.env && \
RUN . /.env && \
if [ "$TFUPDATE_VERSION" != "false" ]; then \
( \
TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" && \
[ "$TFUPDATE_VERSION" = "latest" ] && curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \
|| curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \
TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" && \
[ "$TFUPDATE_VERSION" = "latest" ] && curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \
|| curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \
) && tar -xzf tfupdate.tgz tfupdate && rm tfupdate.tgz \
; fi
@ -163,9 +163,9 @@ RUN . /.env && \
RUN . /.env && \
if [ "$HCLEDIT_VERSION" != "false" ]; then \
( \
HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" && \
[ "$HCLEDIT_VERSION" = "latest" ] && curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \
|| curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \
HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" && \
[ "$HCLEDIT_VERSION" = "latest" ] && curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \
|| curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \
) && tar -xzf hcledit.tgz hcledit && rm hcledit.tgz \
; fi
@ -208,9 +208,8 @@ COPY --from=builder \
/usr/local/bin/pre-commit \
# Hooks and terraform binaries
/bin_dir/ \
/usr/bin/tofu \
/usr/local/bin/checkov* \
/usr/bin/
/usr/bin/
# Copy pre-commit packages
COPY --from=builder /usr/local/lib/python3.12/site-packages/ /usr/local/lib/python3.12/site-packages/
# Copy terrascan policies
@ -218,10 +217,10 @@ COPY --from=builder /root/ /root/
# Install hooks extra deps
RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
apk add --no-cache perl=~5 \
apk add --no-cache perl=~5 \
; fi && \
if [ "$(grep -o '^infracost SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
apk add --no-cache jq=~1 \
apk add --no-cache jq=~1 \
; fi && \
# Fix git runtime fatal:
# unsafe repository ('/lint' is owned by someone else)
@ -235,4 +234,3 @@ ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-}
ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false}
ENTRYPOINT [ "/entrypoint.sh" ]

4
LICENSE
View file

@ -1,5 +1,5 @@
Copyright (c) 2017 Anton Babenko, https://github.com/antonbabenko/pre-commit-terraform
Copyright (c) 2024 tofuutils authors
Copyright (c) 2017 Anton Babenko
Copyright (c) 2024 ttofuutils authors
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the

87
README.md
View file

@ -1,6 +1,6 @@
# Collection of git hooks for OpenTofu to be used with [pre-commit framework](http://pre-commit.com/)
[![Github tag](https://img.shields.io/github/tag/tofuutils/pre-commit-opentofu.svg)](https://github.com/tofuutils/pre-commit-opentofu/releases) ![maintenance status](https://img.shields.io/maintenance/yes/2024.svg) [![Help Contribute to Open Source](https://www.codetriage.com/tofuutils/pre-commit-opentofu/badges/users.svg)](https://www.codetriage.com/tofuutils/pre-commit-opentofu)
[![Github tag](https://img.shields.io/github/tag/tofuutils/pre-commit-opentofu.svg)](https://github.com/tofuutils/pre-commit-opentofu/releases) ![maintenance status](https://img.shields.io/maintenance/yes/2023.svg) [![Help Contribute to Open Source](https://www.codetriage.com/tofuutils/pre-commit-opentofu/badges/users.svg)](https://www.codetriage.com/tofuutils/pre-commit-opentofu)
Want to contribute? Check [open issues](https://github.com/tofuutils/pre-commit-opentofu/issues?q=label%3A%22good+first+issue%22+is%3Aopen+sort%3Aupdated-desc) and [contributing notes](/.github/CONTRIBUTING.md).
@ -10,6 +10,7 @@ If you are using `pre-commit-opentofu` already or want to support its developmen
## Table of content
* [Sponsors](#sponsors)
* [Table of content](#table-of-content)
* [How to install](#how-to-install)
* [1. Install dependencies](#1-install-dependencies)
@ -48,7 +49,7 @@ If you are using `pre-commit-opentofu` already or want to support its developmen
<!-- markdownlint-disable no-inline-html -->
* [`pre-commit`](https://pre-commit.com/#install),
<sub><sup>[`opentofu`](https://opentofu.org/docs/intro/install/),
<sub><sup>[`terraform`](https://www.terraform.io/downloads.html),
<sub><sup>[`git`](https://git-scm.com/downloads),
<sub><sup>POSIX compatible shell,
<sub><sup>Internet connection (on first run),
@ -58,17 +59,17 @@ If you are using `pre-commit-opentofu` already or want to support its developmen
<sub><sup>Some basic physical laws,
<sub><sup>Hope that it all will work.
</sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub><br><br>
* [`checkov`](https://github.com/bridgecrewio/checkov) required for `tofu_checkov` hook.
* [`terraform-docs`](https://github.com/terraform-docs/terraform-docs) required for `tofu_docs` hook.
* [`checkov`](https://github.com/bridgecrewio/checkov) required for `terraform_checkov` hook.
* [`terraform-docs`](https://github.com/terraform-docs/terraform-docs) required for `terraform_docs` hook.
* [`terragrunt`](https://terragrunt.gruntwork.io/docs/getting-started/install/) required for `terragrunt_validate` hook.
* [`terrascan`](https://github.com/tenable/terrascan) required for `terrascan` hook.
* [`TFLint`](https://github.com/terraform-linters/tflint) required for `tofu_tflint` hook.
* [`TFSec`](https://github.com/liamg/tfsec) required for `tofu_tfsec` hook.
* [`Trivy`](https://github.com/aquasecurity/trivy) required for `tofu_trivy` hook.
* [`TFLint`](https://github.com/terraform-linters/tflint) required for `terraform_tflint` hook.
* [`TFSec`](https://github.com/liamg/tfsec) required for `terraform_tfsec` hook.
* [`Trivy`](https://github.com/aquasecurity/trivy) required for `terraform_trivy` hook.
* [`infracost`](https://github.com/infracost/infracost) required for `infracost_breakdown` hook.
* [`jq`](https://github.com/stedolan/jq) required for `tofu_validate` with `--retry-once-with-cleanup` flag, and for `infracost_breakdown` hook.
* [`tfupdate`](https://github.com/minamijoyo/tfupdate) required for `tfupdate` hook.
* [`hcledit`](https://github.com/minamijoyo/hcledit) required for `tofu_wrapper_module_for_each` hook.
* [`hcledit`](https://github.com/minamijoyo/hcledit) required for `terraform_wrapper_module_for_each` hook.
<details><summary><b>Docker</b></summary><br>
@ -76,7 +77,7 @@ If you are using `pre-commit-opentofu` already or want to support its developmen
```bash
TAG=latest
docker pull tofuutils/pre-commit-opentofu:$TAG
docker pull ghcr.io/tofuutils/pre-commit-opentofu:$TAG
```
All available tags [here](https://github.com/tofuutils/pre-commit-opentofu/pkgs/container/pre-commit-opentofu/versions).
@ -86,7 +87,7 @@ All available tags [here](https://github.com/tofuutils/pre-commit-opentofu/pkgs/
> **Note**: To build image you need to have [`docker buildx`](https://docs.docker.com/build/install-buildx/) enabled as default builder.
> Otherwise - provide `TARGETOS` and `TARGETARCH` as additional `--build-arg`'s to `docker build`.
When hooks-related `--build-arg`s are not specified, only the latest version of `pre-commit` and `opentofu` will be installed.
When hooks-related `--build-arg`s are not specified, only the latest version of `pre-commit` and `terraform` will be installed.
```bash
git clone git@github.com:tofuutils/pre-commit-opentofu.git
@ -172,28 +173,6 @@ curl -L "$(curl -s https://api.github.com/repos/minamijoyo/hcledit/releases/late
</details>
<details><summary><b>Ubuntu 22.04</b></summary><br>
```bash
sudo apt update
sudo apt install -y unzip software-properties-common python3 python3-pip
python3 -m pip install --upgrade pip
pip3 install --no-cache-dir pre-commit
pip3 install --no-cache-dir checkov
curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E -m 1 "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E -m 1 "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ && terrascan init
curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E -m 1 "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E -m 1 "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/
curl -L "$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_Linux-64bit.tar.gz")" > trivy.tar.gz && tar -xzf trivy.tar.gz trivy && rm trivy.tar.gz && sudo mv trivy /usr/bin
sudo apt install -y jq && \
curl -L "$(curl -s https://api.github.com/repos/infracost/infracost/releases/latest | grep -o -E -m 1 "https://.+?-linux-amd64.tar.gz")" > infracost.tgz && tar -xzf infracost.tgz && rm infracost.tgz && sudo mv infracost-linux-amd64 /usr/bin/infracost && infracost register
curl -L "$(curl -s https://api.github.com/repos/minamijoyo/tfupdate/releases/latest | grep -o -E -m 1 "https://.+?_linux_amd64.tar.gz")" > tfupdate.tar.gz && tar -xzf tfupdate.tar.gz tfupdate && rm tfupdate.tar.gz && sudo mv tfupdate /usr/bin/
curl -L "$(curl -s https://api.github.com/repos/minamijoyo/hcledit/releases/latest | grep -o -E -m 1 "https://.+?_linux_amd64.tar.gz")" > hcledit.tar.gz && tar -xzf hcledit.tar.gz hcledit && rm hcledit.tar.gz && sudo mv hcledit /usr/bin/
```
</details>
<details><summary><b>Windows 10/11</b></summary>
We highly recommend using [WSL/WSL2](https://docs.microsoft.com/en-us/windows/wsl/install) with Ubuntu and following the Ubuntu installation guide. Or use Docker.
@ -256,39 +235,39 @@ Or, using Docker ([available tags](https://github.com/tofuutils/pre-commit-opent
```bash
TAG=latest
docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint tofuutils/pre-commit-opentofu:$TAG run -a
docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/tofuutils/pre-commit-opentofu:$TAG run -a
```
Execute this command to list the versions of the tools in Docker:
```bash
TAG=latest
docker run --rm --entrypoint cat tofuutils/pre-commit-opentofu:$TAG /usr/bin/tools_versions_info
docker run --rm --entrypoint cat ghcr.io/tofuutils/pre-commit-opentofu:$TAG /usr/bin/tools_versions_info
```
## Available Hooks
There are several [pre-commit](https://pre-commit.com/) hooks to keep OpenTofu configurations (both `*.tf` and `*.tfvars`) and Terragrunt configurations (`*.hcl`) in a good shape:
There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform configurations (both `*.tf` and `*.tfvars`) and Terragrunt configurations (`*.hcl`) in a good shape:
<!-- markdownlint-disable no-inline-html -->
| Hook name | Description | Dependencies<br><sup>[Install instructions here](#1-install-dependencies)</sup> |
| ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
| `checkov` and `tofu_checkov` | [checkov](https://github.com/bridgecrewio/checkov) static analysis of OpenTofu templates to spot potential security issues. [Hook notes](#checkov-deprecated-and-tofu_checkov) | `checkov`<br>Ubuntu deps: `python3`, `python3-pip` |
| `infracost_breakdown` | Check how much your infra costs with [infracost](https://github.com/infracost/infracost). [Hook notes](#infracost_breakdown) | `infracost`, `jq`, [Infracost API key](https://www.infracost.io/docs/#2-get-api-key) |
| `tofu_docs` | Inserts input and output documentation into `README.md`. Recommended. [Hook notes](#terraform_docs) | `terraform-docs` |
| `tofu_docs_replace` | Runs `terraform-docs` and pipes the output directly to README.md. **DEPRECATED**. [Hook notes](#terraform_docs_replace-deprecated) | `python3`, `terraform-docs` |
| `tofu_docs_without_`<br>`aggregate_type_defaults` | Inserts input and output documentation into `README.md` without aggregate type defaults. Hook notes same as for [tofu_docs](#terraform_docs) | `tofu-docs` |
| `tofu_fmt` | Reformat all OpenTofu configuration files to a canonical format. [Hook notes](#terraform_fmt) | - |
| `tofu_providers_lock` | Updates provider signatures in [dependency lock files](https://www.terraform.io/docs/cli/commands/providers/lock.html). [Hook notes](#terraform_providers_lock) | - |
| `tofu_tflint` | Validates all OpenTofu configuration files with [TFLint](https://github.com/terraform-linters/tflint). [Available TFLint rules](https://github.com/terraform-linters/tflint/tree/master/docs/rules#rules). [Hook notes](#terraform_tflint). | `tflint` |
| `tofu_tfsec` | [TFSec](https://github.com/aquasecurity/tfsec) static analysis of terraform templates to spot potential security issues. **DEPRECATED**, use `tofu_trivy`. [Hook notes](#terraform_tfsec-deprecated) | `tfsec` |
| `tofu_trivy` | [Trivy](https://github.com/aquasecurity/trivy) static analysis of terraform templates to spot potential security issues. [Hook notes](#terraform_trivy) | `trivy` |
| `terraform_docs` | Inserts input and output documentation into `README.md`. Recommended. [Hook notes](#terraform_docs) | `terraform-docs` |
| `terraform_docs_replace` | Runs `terraform-docs` and pipes the output directly to README.md. **DEPRECATED**, see [#248](https://github.com/tofuutils/pre-commit-opentofu/issues/248). [Hook notes](#terraform_docs_replace-deprecated) | `python3`, `terraform-docs` |
| `terraform_docs_without_`<br>`aggregate_type_defaults` | Inserts input and output documentation into `README.md` without aggregate type defaults. Hook notes same as for [terraform_docs](#terraform_docs) | `terraform-docs` |
| `terraform_fmt` | Reformat all Terraform configuration files to a canonical format. [Hook notes](#terraform_fmt) | - |
| `terraform_providers_lock` | Updates provider signatures in [dependency lock files](https://www.terraform.io/docs/cli/commands/providers/lock.html). [Hook notes](#terraform_providers_lock) | - |
| `terraform_tflint` | Validates all Terraform configuration files with [TFLint](https://github.com/terraform-linters/tflint). [Available TFLint rules](https://github.com/terraform-linters/tflint/tree/master/docs/rules#rules). [Hook notes](#terraform_tflint). | `tflint` |
| `terraform_tfsec` | [TFSec](https://github.com/aquasecurity/tfsec) static analysis of terraform templates to spot potential security issues. **DEPRECATED**, use `tofu_trivy`. [Hook notes](#terraform_tfsec-deprecated) | `tfsec` |
| `terraform_trivy` | [Trivy](https://github.com/aquasecurity/trivy) static analysis of terraform templates to spot potential security issues. [Hook notes](#terraform_trivy) | `trivy` |
| `tofu_validate` | Validates all Terraform configuration files. [Hook notes](#tofu_validate) | `jq`, only for `--retry-once-with-cleanup` flag |
| `terragrunt_fmt` | Reformat all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) to a canonical format. | `terragrunt` |
| `terragrunt_validate` | Validates all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) | `terragrunt` |
| `tofu_wrapper_module_for_each` | Generates OpenTofu wrappers with `for_each` in module. [Hook notes](#terraform_wrapper_module_for_each) | `hcledit` |
| `terrascan` | [terrascan](https://github.com/tenable/terrascan) Detect compliance and security violations. [Hook notes](#terrascan) | `terrascan` |
| `tfupdate` | [tfupdate](https://github.com/minamijoyo/tfupdate) Update version constraints of OpenTofu core, providers, and modules. [Hook notes](#tfupdate) | `tfupdate` |
| `tfupdate` | [tfupdate](https://github.com/minamijoyo/tfupdate) Update version constraints of Terraform core, providers, and modules. [Hook notes](#tfupdate) | `tfupdate` |
<!-- markdownlint-enable no-inline-html -->
Check the [source file](https://github.com/tofuutils/pre-commit-opentofu/blob/master/.pre-commit-hooks.yaml) to know arguments used for each hook.
@ -297,7 +276,7 @@ Check the [source file](https://github.com/tofuutils/pre-commit-opentofu/blob/ma
### Known limitations
OpenTofu operates on a per-dir basis, while `pre-commit` framework only supports files and files that exist. This means if you only remove the TF-related file without any other changes in the same dir, checks will be skipped. Example and details [here](https://github.com/pre-commit/pre-commit/issues/3048).
OpenTOfu operates on a per-dir basis, while `pre-commit` framework only supports files and files that exist. This means if you only remove the TF-related file without any other changes in the same dir, checks will be skipped. Example and details [here](https://github.com/pre-commit/pre-commit/issues/3048).
### All hooks: Usage of environment variables in `--args`
@ -371,17 +350,17 @@ For deprecated hook you need to specify each argument separately:
]
```
2. When you have multiple directories and want to run `tofu_checkov` in all of them and share a single config file - use the `__GIT_WORKING_DIR__` placeholder. It will be replaced by `tofu_checkov` hooks with the Git working directory (repo root) at run time. For example:
2. When you have multiple directories and want to run `terraform_checkov` in all of them and share a single config file - use the `__GIT_WORKING_DIR__` placeholder. It will be replaced by `terraform_checkov` hooks with the Git working directory (repo root) at run time. For example:
```yaml
- id: tofu_checkov
- id: terraform_checkov
args:
- --args=--config-file __GIT_WORKING_DIR__/.checkov.yml
```
### infracost_breakdown
`infracost_breakdown` executes `infracost breakdown` command and compare the estimated costs with those specified in the hook-config. `infracost breakdown` parses OpenTofu HCL code, and calls Infracost Cloud Pricing API (remote version or [self-hosted version](https://www.infracost.io/docs/cloud_pricing_api/self_hosted)).
`infracost_breakdown` executes `infracost breakdown` command and compare the estimated costs with those specified in the hook-config. `infracost breakdown` parses Terraform HCL code, and calls Infracost Cloud Pricing API (remote version or [self-hosted version](https://www.infracost.io/docs/cloud_pricing_api/self_hosted)).
Unlike most other hooks, this hook triggers once if there are any changed files in the repository.
@ -471,9 +450,9 @@ Unlike most other hooks, this hook triggers once if there are any changed files
* You need to provide [Infracost API key](https://www.infracost.io/docs/integrations/environment_variables/#infracost_api_key) via `-e INFRACOST_API_KEY=<your token>`. By default, it is saved in `~/.config/infracost/credentials.yml`
* Set `-e INFRACOST_SKIP_UPDATE_CHECK=true` to [skip the Infracost update check](https://www.infracost.io/docs/integrations/environment_variables/#infracost_skip_update_check) if you use this hook as part of your CI/CD pipeline.
### tofu_docs
### terraform_docs
1. `tofu_docs` and `tofu_docs_without_aggregate_type_defaults` will insert/update documentation generated by [terraform-docs](https://github.com/terraform-docs/terraform-docs) framed by markers:
1. `tofu_docs` and `terraform_docs_without_aggregate_type_defaults` will insert/update documentation generated by [terraform-docs](https://github.com/terraform-docs/terraform-docs) framed by markers:
```txt
<!-- BEGINNING OF PRE-COMMIT-OPENTOFU DOCS HOOK -->
@ -689,7 +668,7 @@ To replicate functionality in `tofu_docs` hook:
- --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
```
3. By default, pre-commit-opentofu performs directory switching into the OpenTofu modules for you. If you want to delgate the directory changing to the binary - this will allow tflint to determine the full paths for error/warning messages, rather than just module relative paths. *Note: this requires `tflint>=0.44.0`.* For example:
3. By default, pre-commit-opentofu performs directory switching into the terraform modules for you. If you want to delgate the directory changing to the binary - this will allow tflint to determine the full paths for error/warning messages, rather than just module relative paths. *Note: this requires `tflint>=0.44.0`.* For example:
```yaml
- id: tofu_tflint
@ -861,7 +840,7 @@ To replicate functionality in `tofu_docs` hook:
**Warning**: If you use OpenTofu workspaces, DO NOT use this option ([details](https://github.com/tofuutils/pre-commit-opentofu/issues/203#issuecomment-918791847)). Consider the first option, or wait for [`force-init`](https://github.com/tofuutils/pre-commit-opentofu/issues/224) option implementation.
4. `tofu_validate` in a repo with OpenTofu module, written using OpenTofu 1.6.0+ and which uses provider `configuration_aliases` ([Provider Aliases Within Modules](https://www.terraform.io/language/modules/develop/providers#provider-aliases-within-modules)), errors out.
4. `tofu_validate` in a repo with TerrOpenTofuaform module, written using OpenTofu 1.6.0+ and which uses provider `configuration_aliases` ([Provider Aliases Within Modules](https://www.terraform.io/language/modules/develop/providers#provider-aliases-within-modules)), errors out.
When running the hook against OpenTofu code where you have provider `configuration_aliases` defined in a `required_providers` configuration block, OpenTofu will throw an error like:
@ -997,7 +976,7 @@ The [recommended command](#4-run) to run the Docker container is:
```bash
TAG=latest
docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint tofuutils/pre-commit-opentofu:$TAG run -a
docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/tofuutils/pre-commit-opentofu:$TAG run -a
```
which uses your current session's user ID and group ID to set the variable in the run command. Without this setting, you may find files and directories owned by `root` in your local repository.
@ -1041,7 +1020,7 @@ Finally, you can execute `docker run` with an additional volume mount so that th
# run pre-commit-opentofu with docker
# adding volume for .netrc file
# .netrc needs to be in /root/ dir
docker run --rm -e "USERID=$(id -u):$(id -g)" -v ~/.netrc:/root/.netrc -v $(pwd):/lint -w /lint tofuutils/pre-commit-opentofu:latest run -a
docker run --rm -e "USERID=$(id -u):$(id -g)" -v ~/.netrc:/root/.netrc -v $(pwd):/lint -w /lint ghcr.io/tofuutils/pre-commit-opentofu:latest run -a
```
## Authors

234
hooks/tofu_docs.sh
View file

@ -26,17 +26,18 @@ function main {
ARGS[i]=${ARGS[i]/--config=/--config=$(pwd)\/}
done
# shellcheck disable=SC2153 # False positive
tofu_check_ "${HOOK_CONFIG[*]}" "${ARGS[*]}" "${FILES[@]}"
terraform_docs_ "${HOOK_CONFIG[*]}" "${ARGS[*]}" "${FILES[@]}"
}
#######################################################################
# TODO Function which checks `terraform-docs` exists
# TODO Function which prepares hacks for old versions of `terraform` and
# `terraform-docs` that them call `terraform_docs`
# Arguments:
# hook_config (string with array) arguments that configure hook behavior
# args (string with array) arguments that configure wrapped tool behavior
# files (array) filenames to check
#######################################################################
function tofu_check_ {
function tofu_docs_ {
local -r hook_config="$1"
local -r args="$2"
shift 2
@ -45,12 +46,40 @@ function tofu_check_ {
# Get hook settings
IFS=";" read -r -a configs <<< "$hook_config"
local hack_tofu_docs
hack_terraform_docs=$(tofu version | sed -n 1p | grep -c 0.12) || true
if [[ ! $(command -v terraform-docs) ]]; then
echo "ERROR: terraform-docs is required by tofu_docs pre-commit hook but is not installed or in the system's PATH."
echo "ERROR: terraform-docs is required by terraform_docs pre-commit hook but is not installed or in the system's PATH."
exit 1
fi
tofu_docs "${configs[*]}" "${args[*]}" "${files[@]}"
local is_old_terraform_docs
is_old_terraform_docs=$(terraform-docs version | grep -o "v0.[1-7]\." | tail -1) || true
if [[ -z "$is_old_terraform_docs" ]]; then # Using terraform-docs 0.8+ (preferred)
terraform_docs "0" "${configs[*]}" "$args" "${files[@]}"
elif [[ "$hack_terraform_docs" == "1" ]]; then # Using awk script because terraform-docs is older than 0.8 and terraform 0.12 is used
if [[ ! $(command -v awk) ]]; then
# TODO: pls check it
echo "ERROR: awk is required for terraform-docs hack to work with Terraform 0.12."
exit 1
fi
local tmp_file_awk
tmp_file_awk=$(mktemp "${TMPDIR:-/tmp}/tofu-docs-XXXXXXXXXX")
tofu_docs_awk "$tmp_file_awk"
tofu_docs "$tmp_file_awk" "${configs[*]}" "$args" "${files[@]}"
rm -f "$tmp_file_awk"
else # Using terraform 0.11 and no awk script is needed for that
# TODO: should be deleted for OpenTofu.
tofu_docs "0" "${configs[*]}" "$args" "${files[@]}"
fi
}
#######################################################################
@ -58,14 +87,18 @@ function tofu_check_ {
# (depends on provided hook_config) OpenTofu documentation in
# markdown format
# Arguments:
# terraform_docs_awk_file (string) filename where awk hack for old
# `terraform-docs` was written. Needed for TF 0.12+.
# Hack skipped when `tofu_docs_awk_file == "0"`
# hook_config (string with array) arguments that configure hook behavior
# args (string with array) arguments that configure wrapped tool behavior
# files (array) filenames to check
#######################################################################
function tofu_docs {
local -r hook_config="$1"
local -r args="$2"
shift 2
local -r tofu_docs_awk_file="$1"
local -r hook_config="$2"
local args="$3"
shift 3
local -a -r files=("$@")
local -a paths
@ -155,7 +188,7 @@ function tofu_docs {
#
if $create_if_not_exist && [[ ! -f "$text_file" ]]; then
dir_have_tf_files="$(
find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tofu|^tf$|^tfvars$' ||
find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tf$|^tfvars$' ||
exit 0
)"
@ -191,8 +224,22 @@ function tofu_docs {
fi
fi
# shellcheck disable=SC2086
terraform-docs $tf_docs_formatter $args ./ > "$tmp_file"
if [[ "$terraform_docs_awk_file" == "0" ]]; then
# shellcheck disable=SC2086
terraform-docs $tf_docs_formatter $args ./ > "$tmp_file"
else
# Can't append extension for mktemp, so renaming instead
local tmp_file_docs
tmp_file_docs=$(mktemp "${TMPDIR:-/tmp}/tofu-docs-XXXXXXXXXX")
mv "$tmp_file_docs" "$tmp_file_docs.tf"
local tmp_file_docs_tf
tmp_file_docs_tf="$tmp_file_docs.tf"
awk -f "$terraform_docs_awk_file" ./*.tf > "$tmp_file_docs_tf"
# shellcheck disable=SC2086
terraform-docs $tf_docs_formatter $args "$tmp_file_docs_tf" > "$tmp_file"
rm -f "$tmp_file_docs_tf"
fi
# Use of insertion markers to insert the terraform-docs output between the markers
# Replace content between markers with the placeholder - https://stackoverflow.com/questions/1212799/how-do-i-extract-lines-between-two-line-delimiters-in-perl#1212834
@ -211,4 +258,169 @@ function tofu_docs {
rm -f "$config_file_no_color"
}
#######################################################################
# Function which creates file with `awk` hacks for old versions of
# `terraform-docs`
# Arguments:
# output_file (string) filename where hack will be written to
#######################################################################
function tofu_docs_awk {
local -r output_file=$1
cat << "EOF" > "$output_file"
# This script converts Terraform 0.12 variables/outputs to something suitable for `terraform-docs`
# As of terraform-docs v0.6.0, HCL2 is not supported. This script is a *dirty hack* to get around it.
# https://github.com/terraform-docs/terraform-docs/
# https://github.com/terraform-docs/terraform-docs/issues/62
# Script was originally found here: https://github.com/cloudposse/build-harness/blob/master/bin/terraform-docs.awk
{
if ( $0 ~ /\{/ ) {
braceCnt++
}
if ( $0 ~ /\}/ ) {
braceCnt--
}
# ----------------------------------------------------------------------------------------------
# variable|output "..." {
# ----------------------------------------------------------------------------------------------
# [END] variable/output block
if (blockCnt > 0 && blockTypeCnt == 0 && blockDefaultCnt == 0) {
if (braceCnt == 0 && blockCnt > 0) {
blockCnt--
print $0
}
}
# [START] variable or output block started
if ($0 ~ /^[[:space:]]*(variable|output)[[:space:]][[:space:]]*"(.*?)"/) {
# Normalize the braceCnt and block (should be 1 now)
braceCnt = 1
blockCnt = 1
# [CLOSE] "default" and "type" block
blockDefaultCnt = 0
blockTypeCnt = 0
# Print variable|output line
print $0
}
# ----------------------------------------------------------------------------------------------
# default = ...
# ----------------------------------------------------------------------------------------------
# [END] multiline "default" continues/ends
if (blockCnt > 0 && blockTypeCnt == 0 && blockDefaultCnt > 0) {
print $0
# Count opening blocks
blockDefaultCnt += gsub(/\(/, "")
blockDefaultCnt += gsub(/\[/, "")
blockDefaultCnt += gsub(/\{/, "")
# Count closing blocks
blockDefaultCnt -= gsub(/\)/, "")
blockDefaultCnt -= gsub(/\]/, "")
blockDefaultCnt -= gsub(/\}/, "")
}
# [START] multiline "default" statement started
if (blockCnt > 0 && blockTypeCnt == 0 && blockDefaultCnt == 0) {
if ($0 ~ /^[[:space:]][[:space:]]*(default)[[:space:]][[:space:]]*=/) {
if ($3 ~ "null") {
print " default = \"null\""
} else {
print $0
# Count opening blocks
blockDefaultCnt += gsub(/\(/, "")
blockDefaultCnt += gsub(/\[/, "")
blockDefaultCnt += gsub(/\{/, "")
# Count closing blocks
blockDefaultCnt -= gsub(/\)/, "")
blockDefaultCnt -= gsub(/\]/, "")
blockDefaultCnt -= gsub(/\}/, "")
}
}
}
# ----------------------------------------------------------------------------------------------
# type = ...
# ----------------------------------------------------------------------------------------------
# [END] multiline "type" continues/ends
if (blockCnt > 0 && blockTypeCnt > 0 && blockDefaultCnt == 0) {
# The following 'print $0' would print multiline type definitions
#print $0
# Count opening blocks
blockTypeCnt += gsub(/\(/, "")
blockTypeCnt += gsub(/\[/, "")
blockTypeCnt += gsub(/\{/, "")
# Count closing blocks
blockTypeCnt -= gsub(/\)/, "")
blockTypeCnt -= gsub(/\]/, "")
blockTypeCnt -= gsub(/\}/, "")
}
# [START] multiline "type" statement started
if (blockCnt > 0 && blockTypeCnt == 0 && blockDefaultCnt == 0) {
if ($0 ~ /^[[:space:]][[:space:]]*(type)[[:space:]][[:space:]]*=/ ) {
if ($3 ~ "object") {
print " type = \"object\""
} else {
# Convert multiline stuff into single line
if ($3 ~ /^[[:space:]]*list[[:space:]]*\([[:space:]]*$/) {
type = "list"
} else if ($3 ~ /^[[:space:]]*string[[:space:]]*\([[:space:]]*$/) {
type = "string"
} else if ($3 ~ /^[[:space:]]*map[[:space:]]*\([[:space:]]*$/) {
type = "map"
} else {
type = $3
}
# legacy quoted types: "string", "list", and "map"
if (type ~ /^[[:space:]]*"(.*?)"[[:space:]]*$/) {
print " type = " type
} else {
print " type = \"" type "\""
}
}
# Count opening blocks
blockTypeCnt += gsub(/\(/, "")
blockTypeCnt += gsub(/\[/, "")
blockTypeCnt += gsub(/\{/, "")
# Count closing blocks
blockTypeCnt -= gsub(/\)/, "")
blockTypeCnt -= gsub(/\]/, "")
blockTypeCnt -= gsub(/\}/, "")
}
}
# ----------------------------------------------------------------------------------------------
# description = ...
# ----------------------------------------------------------------------------------------------
# [PRINT] single line "description"
if (blockCnt > 0 && blockTypeCnt == 0 && blockDefaultCnt == 0) {
if ($0 ~ /^[[:space:]][[:space:]]*description[[:space:]][[:space:]]*=/) {
print $0
}
}
# ----------------------------------------------------------------------------------------------
# value = ...
# ----------------------------------------------------------------------------------------------
## [PRINT] single line "value"
#if (blockCnt > 0 && blockTypeCnt == 0 && blockDefaultCnt == 0) {
# if ($0 ~ /^[[:space:]][[:space:]]*value[[:space:]][[:space:]]*=/) {
# print $0
# }
#}
# ----------------------------------------------------------------------------------------------
# Newlines, comments, everything else
# ----------------------------------------------------------------------------------------------
#if (blockTypeCnt == 0 && blockDefaultCnt == 0) {
# Comments with '#'
if ($0 ~ /^[[:space:]]*#/) {
print $0
}
# Comments with '//'
if ($0 ~ /^[[:space:]]*\/\//) {
print $0
}
# Newlines
if ($0 ~ /^[[:space:]]*$/) {
print $0
}
#}
}
EOF
}
[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"

41
hooks/tofu_docs_replace.py
View file

@ -7,41 +7,30 @@ import sys
def main(argv=None):
parser = argparse.ArgumentParser(
description="""Run terraform-docs on a set of files. Follows the standard convention of
pulling the documentation from main.(tf|tofu) in order to replace the entire
pulling the documentation from main.tf in order to replace the entire
README.md file each time."""
)
parser.add_argument(
"--dest",
dest="dest",
default="README.md",
'--dest', dest='dest', default='README.md',
)
parser.add_argument(
"--sort-inputs-by-required",
dest="sort",
action="store_true",
help="[deprecated] use --sort-by-required instead",
'--sort-inputs-by-required', dest='sort', action='store_true',
help='[deprecated] use --sort-by-required instead',
)
parser.add_argument(
"--sort-by-required",
dest="sort",
action="store_true",
'--sort-by-required', dest='sort', action='store_true',
)
parser.add_argument(
"--with-aggregate-type-defaults",
dest="aggregate",
action="store_true",
help="[deprecated]",
'--with-aggregate-type-defaults', dest='aggregate', action='store_true',
help='[deprecated]',
)
parser.add_argument("filenames", nargs="*", help="Filenames to check.")
parser.add_argument('filenames', nargs='*', help='Filenames to check.')
args = parser.parse_args(argv)
dirs = []
for filename in args.filenames:
if os.path.realpath(filename) not in dirs and (
filename.endswith(".tf")
or filename.endswith(".tofu")
or filename.endswith(".tfvars")
):
if (os.path.realpath(filename) not in dirs and
(filename.endswith(".tf") or filename.endswith(".tfvars"))):
dirs.append(os.path.dirname(filename))
retval = 0
@ -49,12 +38,12 @@ def main(argv=None):
for dir in dirs:
try:
procArgs = []
procArgs.append("terraform-docs")
procArgs.append('terraform-docs')
if args.sort:
procArgs.append("--sort-by-required")
procArgs.append("md")
procArgs.append('--sort-by-required')
procArgs.append('md')
procArgs.append("./{dir}".format(dir=dir))
procArgs.append(">")
procArgs.append('>')
procArgs.append("./{dir}/{dest}".format(dir=dir, dest=args.dest))
subprocess.check_call(" ".join(procArgs), shell=True)
except subprocess.CalledProcessError as e:
@ -63,5 +52,5 @@ def main(argv=None):
return retval
if __name__ == "__main__":
if __name__ == '__main__':
sys.exit(main())

2
hooks/tofu_providers_lock.sh
View file

@ -134,7 +134,7 @@ function per_dir_hook_unique_part {
# TODO: Remove in 2.0
if [ ! "$mode" ]; then
common::colorify "yellow" "DEPRECATION NOTICE: We introduced '--mode' flag for this hook.
Check migration instructions at https://github.com/tofuutils/pre-commit-opentofu#tofu_providers_lock
Check migration instructions at https://github.com/tofuutils/pre-commit-opentofu#terraform_providers_lock
"
common::tofu_init 'OpenTofu providers lock' "$dir_path" || {
exit_code=$?

2
hooks/tofu_tfsec.sh
View file

@ -23,7 +23,7 @@ function main {
fi
common::colorify "yellow" "tfsec tool was deprecated, and replaced by trivy. You can check trivy hook here:"
common::colorify "yellow" "https://github.com/tofuutils/pre-commit-opentofu/tree/master#tofu_trivy"
common::colorify "yellow" "https://github.com/tofuutils/pre-commit-opentofu/tree/master#terraform_trivy"
common::per_dir_hook "$HOOK_ID" "${#ARGS[@]}" "${ARGS[@]}" "${FILES[@]}"
}

2
hooks/tofu_validate.sh
View file

@ -111,7 +111,7 @@ function per_dir_hook_unique_part {
esac
done
# First try `tofu validate` with the hope that all deps are
# First try `terratofuform validate` with the hope that all deps are
# pre-installed. That is needed for cases when `.terraform/modules`
# or `.terraform/providers` missed AND that is expected.
tofu validate "${args[@]}" &> /dev/null && {

4
hooks/tofu_wrapper_module_for_each.sh
View file

@ -312,10 +312,10 @@ EOF
# Read content of all OpenTofu files
# shellcheck disable=SC2207
all_tf_content=$(find "${full_module_dir}" -regex '.*\.(tf|tofu)' -maxdepth 1 -type f -exec cat {} +)
all_tf_content=$(find "${full_module_dir}" -name '*.tf' -maxdepth 1 -type f -exec cat {} +)
if [[ ! $all_tf_content ]]; then
common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.(tf|tofu) files."
common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.tf files."
continue
fi