diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 000000000..50c8ea340
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,3 @@
+*
+!.dockerignore
+!Dockerfile
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 000000000..b692705e2
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,14 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[{*.{py,md},Dockerfile}]
+indent_size = 4
+
+[*.md]
+trim_trailing_whitespace = false
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 000000000..e8de3562f
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @maxymvlasov @yermulnik
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
new file mode 100644
index 000000000..e606c0973
--- /dev/null
+++ b/.github/CONTRIBUTING.md
@@ -0,0 +1,142 @@
+# Notes for contributors
+
+1. Python hooks are supported now too. All you have to do is:
+ 1. add a line to the `console_scripts` array in `entry_points` in `setup.py`
+ 2. Put your python script in the `pre_commit_hooks` folder
+
+Enjoy the clean, valid, and documented code!
+
+* [Run and debug hooks locally](#run-and-debug-hooks-locally)
+* [Run hook performance test](#run-hook-performance-test)
+ * [Run via BASH](#run-via-bash)
+ * [Run via Docker](#run-via-docker)
+ * [Check results](#check-results)
+ * [Cleanup](#cleanup)
+* [Add new hook](#add-new-hook)
+ * [Before write code](#before-write-code)
+ * [Prepare basic documentation](#prepare-basic-documentation)
+ * [Add code](#add-code)
+ * [Finish with the documentation](#finish-with-the-documentation)
+
+## Run and debug hooks locally
+
+```bash
+pre-commit try-repo {-a} /path/to/local/pre-commit-terraform/repo {hook_name}
+```
+
+I.e.
+
+```bash
+pre-commit try-repo /mnt/c/Users/tf/pre-commit-terraform terraform_fmt # Run only `terraform_fmt` check
+pre-commit try-repo -a ~/pre-commit-terraform # run all existing checks from repo
+```
+
+Running `pre-commit` with `try-repo` ignores all arguments specified in `.pre-commit-config.yaml`.
+
+If you need to test hook with arguments, follow [pre-commit doc](https://pre-commit.com/#arguments-pattern-in-hooks) to test hooks.
+
+For example, to test that the [`terraform_fmt`](../README.md#terraform_fmt) hook works fine with arguments:
+
+```bash
+/tmp/pre-commit-terraform/terraform_fmt.sh --args=-diff --args=-write=false test-dir/main.tf test-dir/vars.tf
+```
+
+## Run hook performance test
+
+To check is your improvement not violate performance, we have dummy execution time tests.
+
+Script accept next options:
+
+| # | Name | Example value | Description |
+| --- | ---------------------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------- |
+| 1 | `TEST_NUM` | `200` | How many times need repeat test |
+| 2 | `TEST_COMMAND` | `'pre-commit try-repo -a /tmp/159/pre-commit-terraform terraform_tfsec'` | Valid pre-commit command |
+| 3 | `TEST_DIR` | `'/tmp/infrastructure'` | Dir on what you run tests. |
+| 4 | `TEST_DESCRIPTION` | ```'`terraform_tfsec` PR #123:'``` | Text that you'd like to see in result |
+| 5 | `RAW_TEST_`
`RESULTS_FILE_NAME` | `terraform_tfsec_pr123` | (Temporary) File where all test data will be stored. |
+
+
+> **Note:** To make test results repeatable and comparable, be sure that on the test machine nothing generates an unstable workload. During tests good to stop any other apps and do not interact with the test machine.
+>
+> Otherwise, for eg, when you watch Youtube videos during one test and not during other, test results can differ up to 30% for the same test.
+
+### Run via BASH
+
+```bash
+# Install deps
+sudo apt install -y datamash
+# Run tests
+./hooks_performance_test.sh 200 'pre-commit try-repo -a /tmp/159/pre-commit-terraform terraform_tfsec' '/tmp/infrastructure' '`terraform_tfsec` v1.51.0:' 'terraform_tfsec_pr159'
+```
+
+### Run via Docker
+
+```bash
+# Build `pre-commit-terraform` image
+docker build -t pre-commit-terraform --build-arg INSTALL_ALL=true .
+# Build test image
+docker build -t pre-commit-tests tests/
+# Run
+TEST_NUM=1
+TEST_DIR='/tmp/infrastructure'
+PRE_COMMIT_DIR="$(pwd)"
+TEST_COMMAND='pre-commit try-repo -a /pct terraform_tfsec'
+TEST_DESCRIPTION='`terraform_tfsec` v1.51.0:'
+RAW_TEST_RESULTS_FILE_NAME='terraform_tfsec_pr159'
+
+docker run -v "$PRE_COMMIT_DIR:/pct:rw" -v "$TEST_DIR:/lint:ro" pre-commit-tests \
+ $TEST_NUM "$TEST_COMMAND" '/lint' "$RAW_TEST_RESULTS_FILE_NAME" "$RAW_TEST_RESULTS_FILE_NAME"
+```
+
+### Check results
+
+Results will be located at `./test/results` dir.
+
+### Cleanup
+
+```bash
+sudo rm -rf tests/results
+```
+
+## Add new hook
+
+You can use [this PR](https://github.com/antonbabenko/pre-commit-terraform/pull/252) as an example.
+
+### Before write code
+
+1. Try to figure out future hook usage.
+2. Confirm the concept with [Anton Babenko](https://github.com/antonbabenko).
+
+### Prepare basic documentation
+
+1. Identify and describe dependencies in [Install dependencies](../README.md#1-install-dependencies) and [Available Hooks](../README.md#available-hooks) sections
+
+### Add code
+
+1. Based on prev. block, add hook dependencies installation to [Dockerfile](../Dockerfile).
+ Check that works:
+ * `docker build -t pre-commit --build-arg INSTALL_ALL=true .`
+ * `docker build -t pre-commit --build-arg _VERSION=latest .`
+ * `docker build -t pre-commit --build-arg _VERSION=<1.2.3> .`
+2. Add new hook to [`.pre-commit-hooks.yaml`](../.pre-commit-hooks.yaml)
+3. Create hook file. Don't forget to make it executable via `chmod +x /path/to/hook/file`.
+4. Test hook. How to do it is described in [Run and debug hooks locally](#run-and-debug-hooks-locally) section.
+5. Test hook one more time.
+ 1. Push commit with hook file to GitHub
+ 2. Grab SHA hash of the commit
+ 3. Test hook using `.pre-commit-config.yaml`:
+
+ ```yaml
+ repos:
+ - repo: https://github.com/antonbabenko/pre-commit-terraform # Your repo
+ rev: 3d76da3885e6a33d59527eff3a57d246dfb66620 # Your commit SHA
+ hooks:
+ - id: terraform_docs # New hook name
+ args:
+ - --args=--config=.terraform-docs.yml # Some args that you'd like to test
+ ```
+
+### Finish with the documentation
+
+1. Add hook description to [Available Hooks](../README.md#available-hooks).
+2. Create and populate a new hook section in [Hooks usage notes and examples](../README.md#hooks-usage-notes-and-examples).
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 000000000..9fdcfce62
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,2 @@
+github: [antonbabenko]
+custom: https://www.paypal.me/antonbabenko
diff --git a/.github/ISSUE_TEMPLATE/bug_report_docker.md b/.github/ISSUE_TEMPLATE/bug_report_docker.md
new file mode 100644
index 000000000..a47e30657
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report_docker.md
@@ -0,0 +1,81 @@
+---
+name: Docker bug report
+about: Create a bug report
+labels:
+- bug
+- area/docker
+---
+
+
+
+### Describe the bug
+
+
+
+
+### How can we reproduce it?
+
+
+
+
+### Environment information
+
+* OS:
+
+
+
+* `docker info`:
+
+command output
+
+```bash
+INSERT_OUTPUT_HERE
+```
+
+file content
+
+```bash
+INSERT_FILE_CONTENT_HERE
+```
+
+file content
+
+```bash
+INSERT_FILE_CONTENT_HERE
+```
+
+
+
+
+Automated provisioning of Terraform workflows and Infrastructure as Code.
+
+
+
+
+
+
+Cloud cost estimates for Terraform.
+
+If you are using `pre-commit-terraform` already or want to support its development and [many other open-source projects](https://github.com/antonbabenko/terraform-aws-devops), please become a [GitHub Sponsor](https://github.com/sponsors/antonbabenko)!
+
+
+## Table of content
+
+* [Sponsors](#sponsors)
+* [Table of content](#table-of-content)
+* [How to install](#how-to-install)
+ * [1. Install dependencies](#1-install-dependencies)
+ * [2. Install the pre-commit hook globally](#2-install-the-pre-commit-hook-globally)
+ * [3. Add configs and hooks](#3-add-configs-and-hooks)
+ * [4. Run](#4-run)
+* [Available Hooks](#available-hooks)
+* [Hooks usage notes and examples](#hooks-usage-notes-and-examples)
+ * [checkov](#checkov)
+ * [infracost_breakdown](#infracost_breakdown)
+ * [terraform_docs](#terraform_docs)
+ * [terraform_docs_replace (deprecated)](#terraform_docs_replace-deprecated)
+ * [terraform_fmt](#terraform_fmt)
+ * [terraform_providers_lock](#terraform_providers_lock)
+ * [terraform_tflint](#terraform_tflint)
+ * [terraform_tfsec](#terraform_tfsec)
+ * [terraform_validate](#terraform_validate)
+ * [terrascan](#terrascan)
+* [Authors](#authors)
+* [License](#license)
+
+## How to install
+
+### 1. Install dependencies
+
+
+
+* [`pre-commit`](https://pre-commit.com/#install)
+* [`checkov`](https://github.com/bridgecrewio/checkov) required for `checkov` hook.
+* [`terraform-docs`](https://github.com/terraform-docs/terraform-docs) required for `terraform_docs` hook.
+* [`terragrunt`](https://terragrunt.gruntwork.io/docs/getting-started/install/) required for `terragrunt_validate` hook.
+* [`terrascan`](https://github.com/accurics/terrascan) required for `terrascan` hook.
+* [`TFLint`](https://github.com/terraform-linters/tflint) required for `terraform_tflint` hook.
+* [`TFSec`](https://github.com/liamg/tfsec) required for `terraform_tfsec` hook.
+* [`infracost`](https://github.com/infracost/infracost) required for `infracost_breakdown` hook.
+* [`jq`](https://github.com/stedolan/jq) required for `infracost_breakdown` hook.
+
+Docker
+
+**Pull docker image with all hooks**:
+
+```bash
+TAG=latest
+docker pull ghcr.io/antonbabenko/pre-commit-terraform:$TAG
+```
+
+All available tags [here](https://github.com/antonbabenko/pre-commit-terraform/pkgs/container/pre-commit-terraform/versions).
+
+**Build from scratch**:
+
+When `--build-arg` is not specified, the latest version of `pre-commit` and `terraform` will be only installed.
+
+```bash
+git clone git@github.com:antonbabenko/pre-commit-terraform.git
+cd pre-commit-terraform
+# Install the latest versions of all the tools
+docker build -t pre-commit-terraform --build-arg INSTALL_ALL=true .
+```
+
+To install a specific version of individual tools, define it using `--build-arg` arguments or set it to `latest`:
+
+```bash
+docker build -t pre-commit-terraform \
+ --build-arg PRE_COMMIT_VERSION=latest \
+ --build-arg TERRAFORM_VERSION=latest \
+ --build-arg CHECKOV_VERSION=2.0.405 \
+ --build-arg INFRACOST_VERSION=latest \
+ --build-arg TERRAFORM_DOCS_VERSION=0.15.0 \
+ --build-arg TERRAGRUNT_VERSION=latest \
+ --build-arg TERRASCAN_VERSION=1.10.0 \
+ --build-arg TFLINT_VERSION=0.31.0 \
+ --build-arg TFSEC_VERSION=latest \
+ .
+```
+
+Set `-e PRE_COMMIT_COLOR=never` to disable the color output in `pre-commit`.
+
+MacOS
+
+[`coreutils`](https://formulae.brew.sh/formula/coreutils) is required for `terraform_validate` hook on MacOS (due to use of `realpath`).
+
+```bash
+brew install pre-commit terraform-docs tflint tfsec coreutils checkov terrascan infracost jq
+```
+
+Ubuntu 18.04
+
+```bash
+sudo apt update
+sudo apt install -y unzip software-properties-common
+sudo add-apt-repository ppa:deadsnakes/ppa
+sudo apt install -y python3.7 python3-pip
+python3 -m pip install --upgrade pip
+pip3 install --no-cache-dir pre-commit
+python3.7 -m pip install -U checkov
+curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E -m 1 "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar -xzf terraform-docs.tgz && rm terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
+curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E -m 1 "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
+curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E -m 1 "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/
+curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E -m 1 "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ && terrascan init
+sudo apt install -y jq && \
+curl -L "$(curl -s https://api.github.com/repos/infracost/infracost/releases/latest | grep -o -E -m 1 "https://.+?-linux-amd64.tar.gz")" > infracost.tgz && tar -xzf infracost.tgz && rm infracost.tgz && sudo mv infracost-linux-amd64 /usr/bin/infracost && infracost register
+```
+
+Ubuntu 20.04
+
+```bash
+sudo apt update
+sudo apt install -y unzip software-properties-common python3 python3-pip
+python3 -m pip install --upgrade pip
+pip3 install --no-cache-dir pre-commit
+pip3 install --no-cache-dir checkov
+curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E -m 1 "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
+curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E -m 1 "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ && terrascan init
+curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E -m 1 "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
+curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E -m 1 "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/
+sudo apt install -y jq && \
+curl -L "$(curl -s https://api.github.com/repos/infracost/infracost/releases/latest | grep -o -E -m 1 "https://.+?-linux-amd64.tar.gz")" > infracost.tgz && tar -xzf infracost.tgz && rm infracost.tgz && sudo mv infracost-linux-amd64 /usr/bin/infracost && infracost register
+```
+
+
[Install instructions here](#1-install-dependencies) |
+| ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
+| `checkov` | [checkov](https://github.com/bridgecrewio/checkov) static analysis of terraform templates to spot potential security issues. [Hook notes](#checkov) | `checkov`
Ubuntu deps: `python3`, `python3-pip` |
+| `infracost_breakdown` | Check how much your infra costs with [infracost](https://github.com/infracost/infracost). [Hook notes](#infracost_breakdown) | `infracost`, `jq`, [Infracost API key](https://www.infracost.io/docs/#2-get-api-key) |
+| `terraform_docs_replace` | Runs `terraform-docs` and pipes the output directly to README.md. **DEPRECATED**, see [#248](https://github.com/antonbabenko/pre-commit-terraform/issues/248). [Hook notes](#terraform_docs_replace-deprecated) | `python3`, `terraform-docs` |
+| `terraform_docs_without_`
`aggregate_type_defaults` | Inserts input and output documentation into `README.md` without aggregate type defaults. Hook notes same as for [terraform_docs](#terraform_docs) | `terraform-docs` |
+| `terraform_docs` | Inserts input and output documentation into `README.md`. Recommended. [Hook notes](#terraform_docs) | `terraform-docs` |
+| `terraform_fmt` | Reformat all Terraform configuration files to a canonical format. [Hook notes](#terraform_fmt) | - |
+| `terraform_providers_lock` | Updates provider signatures in [dependency lock files](https://www.terraform.io/docs/cli/commands/providers/lock.html). [Hook notes](#terraform_providers_lock) | - |
+| `terraform_tflint` | Validates all Terraform configuration files with [TFLint](https://github.com/terraform-linters/tflint). [Available TFLint rules](https://github.com/terraform-linters/tflint/tree/master/docs/rules#rules). [Hook notes](#terraform_tflint). | `tflint` |
+| `terraform_tfsec` | [TFSec](https://github.com/aquasecurity/tfsec) static analysis of terraform templates to spot potential security issues. [Hook notes](#terraform_tfsec) | `tfsec` |
+| `terraform_validate` | Validates all Terraform configuration files. [Hook notes](#terraform_validate) | - |
+| `terragrunt_fmt` | Reformat all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) to a canonical format. | `terragrunt` |
+| `terragrunt_validate` | Validates all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) | `terragrunt` |
+| `terrascan` | [terrascan](https://github.com/accurics/terrascan) Detect compliance and security violations. [Hook notes](#terrascan) | `terrascan` |
+
+
+Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blob/master/.pre-commit-hooks.yaml) to know arguments used for each hook.
+
+## Hooks usage notes and examples
+
+### checkov
+
+For [checkov](https://github.com/bridgecrewio/checkov) you need to specify each argument separately:
+
+```yaml
+- id: checkov
+ args: [
+ "-d", ".",
+ "--skip-check", "CKV2_AWS_8",
+ ]
+```
+
+### infracost_breakdown
+
+`infracost_breakdown` executes `infracost breakdown` command and compare the estimated costs with those specified in the hook-config. `infracost breakdown` normally runs `terraform init`, `terraform plan`, and calls Infracost Cloud Pricing API (remote version or [self-hosted version](https://www.infracost.io/docs/cloud_pricing_api/self_hosted)).
+
+Unlike most other hooks, this hook triggers once if there are any changed files in the repository.
+
+1. `infracost_breakdown` supports [all `infracost breakdown` arguments](https://www.infracost.io/docs/#useful-options). The following example only shows costs:
+
+ ```yaml
+ - id: infracost_breakdown
+ args:
+ - --args=--path=./env/dev
+ verbose: true # Always show costs
+ ```
+
+ Output
+
+ ```bash
+ Running in "env/dev"
+
+ Summary: {
+ "unsupportedResourceCounts": {
+ "aws_sns_topic_subscription": 1
+ }
+ }
+
+ Total Monthly Cost: 86.83 USD
+ Total Monthly Cost (diff): 86.83 USD
+ ```
+
+ Output
+
+ ```bash
+ Running in "env/dev"
+ Passed: .totalHourlyCost|tonumber > 0.1 0.11894520547945205 > 0.1
+ Failed: .totalHourlyCost|tonumber > 1 0.11894520547945205 > 1
+ Passed: .projects[].diff.totalMonthlyCost|tonumber !=10000 86.83 != 10000
+ Passed: .currency == "USD" "USD" == "USD"
+
+ Summary: {
+ "unsupportedResourceCounts": {
+ "aws_sns_topic_subscription": 1
+ }
+ }
+
+ Total Monthly Cost: 86.83 USD
+ Total Monthly Cost (diff): 86.83 USD
+ ```
+
+ 
+
+
+
+## License
+
+MIT licensed. See [LICENSE](LICENSE) for full details.
diff --git a/assets/env0.png b/assets/env0.png
new file mode 100644
index 000000000..da3eec1e3
Binary files /dev/null and b/assets/env0.png differ
diff --git a/assets/infracost.png b/assets/infracost.png
new file mode 100644
index 000000000..bacbd0470
Binary files /dev/null and b/assets/infracost.png differ
diff --git a/hooks.yaml b/hooks.yaml
deleted file mode 100644
index 051e92d2b..000000000
--- a/hooks.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-- id: terraform_fmt
- name: Terraform fmt
- description: Rewrites all Terraform configuration files to a canonical format.
- entry: terraform_fmt.sh
- language: script
- files: (\.tf|\.tfvars)$
- exclude: \.terraform\/.*$
-
-- id: terraform_docs
- name: Terraform Docs
- description: Creates readme for terraform modules.
- entry: terraform_docs.sh
- language: script
- files: (\.tf)$
- exclude: \.terraform\/.*$
-
-- id: terraform_readme
- name: Terraform Readme
- description: Creates a README for Terraform modules using `terraform_config_inspect`.
- entry: terraform_readme.sh
- language: script
- files: (\.tf)$
- exclude: \.terraform\/.*$
-
-- id: terraform_validate_no_variables
- name: Terraform validate without variables
- description: Validates all Terraform configuration files without checking whether all required variables were set (basic check).
- entry: terraform_validate_no_variables.sh
- language: script
- files: (\.tf|\.tfvars)$
- exclude: \.terraform\/.*$
-
-- id: terraform_validate_with_variables
- name: Terraform validate with variables
- description: Validates all Terraform configuration files and checks whether all required variables were specified.
- entry: terraform_validate_with_variables.sh
- language: script
- files: (\.tf|\.tfvars)$
- exclude: \.terraform\/.*$
diff --git a/hooks/__init__.py b/hooks/__init__.py
new file mode 100644
index 000000000..ff01067a9
--- /dev/null
+++ b/hooks/__init__.py
@@ -0,0 +1,4 @@
+print(
+ '`terraform_docs_replace` hook is DEPRECATED.'
+ 'For details, see https://github.com/antonbabenko/pre-commit-terraform/issues/248'
+)
diff --git a/hooks/_common.sh b/hooks/_common.sh
new file mode 100644
index 000000000..8011e45e1
--- /dev/null
+++ b/hooks/_common.sh
@@ -0,0 +1,189 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+#######################################################################
+# Init arguments parser
+# Arguments:
+# script_dir - absolute path to hook dir location
+#######################################################################
+function common::initialize {
+ local -r script_dir=$1
+ # source getopt function
+ # shellcheck source=../lib_getopt
+ . "$script_dir/../lib_getopt"
+}
+
+#######################################################################
+# Parse args and filenames passed to script and populate respective
+# global variables with appropriate values
+# Globals (init and populate):
+# ARGS (array) arguments that configure wrapped tool behavior
+# HOOK_CONFIG (array) arguments that configure hook behavior
+# FILES (array) filenames to check
+# Arguments:
+# $@ (array) all specified in `hooks.[].args` in
+# `.pre-commit-config.yaml` and filenames.
+#######################################################################
+function common::parse_cmdline {
+ # common global arrays.
+ # Populated via `common::parse_cmdline` and can be used inside hooks' functions
+ declare -g -a ARGS=() HOOK_CONFIG=() FILES=()
+
+ local argv
+ argv=$(getopt -o a:,h: --long args:,hook-config: -- "$@") || return
+ eval "set -- $argv"
+
+ for argv; do
+ case $argv in
+ -a | --args)
+ shift
+ ARGS+=("$1")
+ shift
+ ;;
+ -h | --hook-config)
+ shift
+ HOOK_CONFIG+=("$1;")
+ shift
+ ;;
+ --)
+ shift
+ # shellcheck disable=SC2034 # Variable is used
+ FILES=("$@")
+ break
+ ;;
+ esac
+ done
+}
+
+#######################################################################
+# This is a workaround to improve performance when all files are passed
+# See: https://github.com/antonbabenko/pre-commit-terraform/issues/309
+# Arguments:
+# hook_id (string) hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+# files (array) filenames to check
+# Outputs:
+# Return 0 if `-a|--all` arg was passed to `pre-commit`
+#######################################################################
+function common::is_hook_run_on_whole_repo {
+ local -r hook_id="$1"
+ shift 1
+ local -a -r files=("$@")
+ # get directory containing `.pre-commit-hooks.yaml` file
+ local -r root_config_dir="$(dirname "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")"
+ # get included and excluded files from .pre-commit-hooks.yaml file
+ local -r hook_config_block=$(sed -n "/^- id: $hook_id$/,/^$/p" "$root_config_dir/.pre-commit-hooks.yaml")
+ local -r included_files=$(awk '$1 == "files:" {print $2; exit}' <<< "$hook_config_block")
+ local -r excluded_files=$(awk '$1 == "exclude:" {print $2; exit}' <<< "$hook_config_block")
+ # sorted string with the files passed to the hook by pre-commit
+ local -r files_to_check=$(printf '%s\n' "${files[@]}" | sort | tr '\n' ' ')
+ # git ls-files sorted string
+ local all_files_that_can_be_checked
+
+ if [ -z "$excluded_files" ]; then
+ all_files_that_can_be_checked=$(git ls-files | sort | grep -e "$included_files" | tr '\n' ' ')
+ else
+ all_files_that_can_be_checked=$(git ls-files | sort | grep -e "$included_files" | grep -v -e "$excluded_files" | tr '\n' ' ')
+ fi
+
+ if [ "$files_to_check" == "$all_files_that_can_be_checked" ]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+#######################################################################
+# Hook execution boilerplate logic which is common to hooks, that run
+# on per dir basis.
+# 1. Because hook runs on whole dir, reduce file paths to uniq dir paths
+# 2. Run for each dir `per_dir_hook_unique_part`, on all paths
+# 2.1. If at least 1 check failed - change exit code to non-zero
+# 3. Complete hook execution and return exit code
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+# hook_id (string) hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+# files (array) filenames to check
+#######################################################################
+function common::per_dir_hook {
+ local -r args="$1"
+ local -r hook_id="$2"
+ shift 2
+ local -a -r files=("$@")
+
+ # check is (optional) function defined
+ if [ "$(type -t run_hook_on_whole_repo)" == function ] &&
+ # check is hook run via `pre-commit run --all`
+ common::is_hook_run_on_whole_repo "$hook_id" "${files[@]}"; then
+ run_hook_on_whole_repo "$args"
+ exit 0
+ fi
+
+ # consume modified files passed from pre-commit so that
+ # hook runs against only those relevant directories
+ local index=0
+ for file_with_path in "${files[@]}"; do
+ file_with_path="${file_with_path// /__REPLACED__SPACE__}"
+
+ dir_paths[index]=$(dirname "$file_with_path")
+
+ ((index += 1))
+ done
+
+ # preserve errexit status
+ shopt -qo errexit && ERREXIT_IS_SET=true
+ # allow hook to continue if exit_code is greater than 0
+ set +e
+ local final_exit_code=0
+
+ # run hook for each path
+ for dir_path in $(echo "${dir_paths[*]}" | tr ' ' '\n' | sort -u); do
+ dir_path="${dir_path//__REPLACED__SPACE__/ }"
+ pushd "$dir_path" > /dev/null || continue
+
+ per_dir_hook_unique_part "$args" "$dir_path"
+
+ local exit_code=$?
+ if [ $exit_code -ne 0 ]; then
+ final_exit_code=$exit_code
+ fi
+
+ popd > /dev/null
+ done
+
+ # restore errexit if it was set before the "for" loop
+ [[ $ERREXIT_IS_SET ]] && set -e
+ # return the hook final exit_code
+ exit $final_exit_code
+}
+
+#######################################################################
+# Colorize provided string and print it out to stdout
+# Environment variables:
+# PRE_COMMIT_COLOR (string) If set to `never` - do not colorize output
+# Arguments:
+# COLOR (string) Color name that will be used to colorize
+# TEXT (string)
+# Outputs:
+# Print out provided text to stdout
+#######################################################################
+function common::colorify {
+ # shellcheck disable=SC2034
+ local -r red="\e[0m\e[31m"
+ # shellcheck disable=SC2034
+ local -r green="\e[0m\e[32m"
+ # shellcheck disable=SC2034
+ local -r yellow="\e[0m\e[33m"
+ # Color reset
+ local -r RESET="\e[0m"
+
+ # Params start #
+ local COLOR="${!1}"
+ local -r TEXT=$2
+ # Params end #
+
+ if [ "$PRE_COMMIT_COLOR" = "never" ]; then
+ COLOR=$RESET
+ fi
+
+ echo -e "${COLOR}${TEXT}${RESET}"
+}
diff --git a/hooks/infracost_breakdown.sh b/hooks/infracost_breakdown.sh
new file mode 100755
index 000000000..86fa86499
--- /dev/null
+++ b/hooks/infracost_breakdown.sh
@@ -0,0 +1,142 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# globals variables
+# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+# shellcheck disable=SC2034 # Unused var.
+readonly HOOK_ID='infracost_breakdown'
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+
+function main {
+ common::initialize "$SCRIPT_DIR"
+ common::parse_cmdline "$@"
+ # shellcheck disable=SC2153 # False positive
+ infracost_breakdown_ "${HOOK_CONFIG[*]}" "${ARGS[*]}"
+}
+
+#######################################################################
+# Wrapper around `infracost breakdown` tool which checks and compares
+# infra cost based on provided hook_config
+# Environment variables:
+# PRE_COMMIT_COLOR (string) If set to `never` - do not colorize output
+# Arguments:
+# hook_config (string with array) arguments that configure hook behavior
+# args (string with array) arguments that configure wrapped tool behavior
+# Outputs:
+# Print out hook checks status (Passed/Failed), total monthly cost and
+# diff, summary about infracost check (non-supported resources etc.)
+#######################################################################
+function infracost_breakdown_ {
+ local -r hook_config="$1"
+ local args
+ read -r -a args <<< "$2"
+
+ # Get hook settings
+ IFS=";" read -r -a checks <<< "$hook_config"
+
+ if [ "$PRE_COMMIT_COLOR" = "never" ]; then
+ args+=("--no-color")
+ fi
+
+ local RESULTS
+ RESULTS="$(infracost breakdown "${args[@]}" --format json)"
+ local API_VERSION
+ API_VERSION="$(jq -r .version <<< "$RESULTS")"
+
+ if [ "$API_VERSION" != "0.2" ]; then
+ common::colorify "yellow" "WARNING: Hook supports Infracost API version \"0.2\", got \"$API_VERSION\""
+ common::colorify "yellow" " Some things may not work as expected"
+ fi
+
+ local dir
+ dir="$(jq '.projects[].metadata.vcsSubPath' <<< "$RESULTS")"
+ echo -e "\nRunning in $dir"
+
+ local have_failed_checks=false
+
+ for check in "${checks[@]}"; do
+ # $hook_config receives string like '1 > 2; 3 == 4;' etc.
+ # It gets split by `;` into array, which we're parsing here ('1 > 2' ' 3 == 4')
+ # Next line removes leading spaces, just for fancy output reason.
+ # shellcheck disable=SC2001 # Rule exception
+ check=$(echo "$check" | sed 's/^[[:space:]]*//')
+
+ # Drop quotes in hook args section. From:
+ # -h ".totalHourlyCost > 0.1"
+ # --hook-config='.currency == "USD"'
+ # To:
+ # -h .totalHourlyCost > 0.1
+ # --hook-config=.currency == "USD"
+ first_char=${check:0:1}
+ last_char=${check: -1}
+ if [ "$first_char" == "$last_char" ] && {
+ [ "$first_char" == '"' ] || [ "$first_char" == "'" ]
+ }; then
+ check="${check:1:-1}"
+ fi
+
+ mapfile -t operations < <(echo "$check" | grep -oE '[!<>=]{1,2}')
+ # Get the very last operator, that is used in comparison inside `jq` query.
+ # From the example below we need to pick the `>` which is in between `add` and `1000`,
+ # but not the `!=`, which goes earlier in the `jq` expression
+ # [.projects[].diff.totalMonthlyCost | select (.!=null) | tonumber] | add > 1000
+ operation=${operations[-1]}
+
+ IFS="$operation" read -r -a jq_check <<< "$check"
+ real_value="$(jq "${jq_check[0]}" <<< "$RESULTS")"
+ compare_value="${jq_check[1]}${jq_check[2]}"
+ # Check types
+ jq_check_type="$(jq -r "${jq_check[0]} | type" <<< "$RESULTS")"
+ compare_value_type="$(jq -r "$compare_value | type" <<< "$RESULTS")"
+ # Fail if comparing different types
+ if [ "$jq_check_type" != "$compare_value_type" ]; then
+ common::colorify "yellow" "Warning: Comparing values with different types may give incorrect result"
+ common::colorify "yellow" " Expression: $check"
+ common::colorify "yellow" " Types in the expression: [$jq_check_type] $operation [$compare_value_type]"
+ common::colorify "yellow" " Use 'tonumber' filter when comparing costs (e.g. '.totalMonthlyCost|tonumber')"
+ have_failed_checks=true
+ continue
+ fi
+ # Fail if string is compared not with `==` or `!=`
+ if [ "$jq_check_type" == "string" ] && {
+ [ "$operation" != '==' ] && [ "$operation" != '!=' ]
+ }; then
+ common::colorify "yellow" "Warning: Wrong comparison operator is used in expression: $check"
+ common::colorify "yellow" " Use 'tonumber' filter when comparing costs (e.g. '.totalMonthlyCost|tonumber')"
+ common::colorify "yellow" " Use '==' or '!=' when comparing strings (e.g. '.currency == \"USD\"')."
+ have_failed_checks=true
+ continue
+ fi
+
+ # Compare values
+ check_passed="$(echo "$RESULTS" | jq "$check")"
+
+ status="Passed"
+ color="green"
+ if ! $check_passed; then
+ status="Failed"
+ color="red"
+ have_failed_checks=true
+ fi
+
+ # Print check result
+ common::colorify $color "$status: $check\t\t$real_value $operation $compare_value"
+ done
+
+ # Fancy informational output
+ currency="$(jq -r '.currency' <<< "$RESULTS")"
+
+ echo -e "\nSummary: $(jq -r '.summary' <<< "$RESULTS")"
+
+ echo -e "\nTotal Monthly Cost: $(jq -r .totalMonthlyCost <<< "$RESULTS") $currency"
+ echo "Total Monthly Cost (diff): $(jq -r .projects[].diff.totalMonthlyCost <<< "$RESULTS") $currency"
+
+ if $have_failed_checks; then
+ exit 1
+ fi
+}
+
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
diff --git a/hooks/terraform_docs.sh b/hooks/terraform_docs.sh
new file mode 100755
index 000000000..9bfc94003
--- /dev/null
+++ b/hooks/terraform_docs.sh
@@ -0,0 +1,375 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# globals variables
+# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+# shellcheck disable=SC2034 # Unused var.
+readonly HOOK_ID='terraform_docs'
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+
+function main {
+ common::initialize "$SCRIPT_DIR"
+ common::parse_cmdline "$@"
+ # Support for setting relative PATH to .terraform-docs.yml config.
+ # shellcheck disable=SC2178 # It's the simplest syntax for that case
+ ARGS=${ARGS[*]/--config=/--config=$(pwd)\/}
+ # shellcheck disable=SC2128 # It's the simplest syntax for that case
+ # shellcheck disable=SC2153 # False positive
+ terraform_docs_ "${HOOK_CONFIG[*]}" "$ARGS" "${FILES[@]}"
+}
+
+#######################################################################
+# Function which prepares hacks for old versions of `terraform` and
+# `terraform-docs` that them call `terraform_docs`
+# Arguments:
+# hook_config (string with array) arguments that configure hook behavior
+# args (string with array) arguments that configure wrapped tool behavior
+# files (array) filenames to check
+#######################################################################
+function terraform_docs_ {
+ local -r hook_config="$1"
+ local -r args="$2"
+ shift 2
+ local -a -r files=("$@")
+
+ # Get hook settings
+ IFS=";" read -r -a configs <<< "$hook_config"
+
+ local hack_terraform_docs
+ hack_terraform_docs=$(terraform version | sed -n 1p | grep -c 0.12) || true
+
+ if [[ ! $(command -v terraform-docs) ]]; then
+ echo "ERROR: terraform-docs is required by terraform_docs pre-commit hook but is not installed or in the system's PATH."
+ exit 1
+ fi
+
+ local is_old_terraform_docs
+ is_old_terraform_docs=$(terraform-docs version | grep -o "v0.[1-7]\." | tail -1) || true
+
+ if [[ -z "$is_old_terraform_docs" ]]; then # Using terraform-docs 0.8+ (preferred)
+
+ terraform_docs "0" "${configs[*]}" "$args" "${files[@]}"
+
+ elif [[ "$hack_terraform_docs" == "1" ]]; then # Using awk script because terraform-docs is older than 0.8 and terraform 0.12 is used
+
+ if [[ ! $(command -v awk) ]]; then
+ echo "ERROR: awk is required for terraform-docs hack to work with Terraform 0.12."
+ exit 1
+ fi
+
+ local tmp_file_awk
+ tmp_file_awk=$(mktemp "${TMPDIR:-/tmp}/terraform-docs-XXXXXXXXXX")
+ terraform_docs_awk "$tmp_file_awk"
+ terraform_docs "$tmp_file_awk" "${configs[*]}" "$args" "${files[@]}"
+ rm -f "$tmp_file_awk"
+
+ else # Using terraform 0.11 and no awk script is needed for that
+
+ terraform_docs "0" "${configs[*]}" "$args" "${files[@]}"
+
+ fi
+}
+
+#######################################################################
+# Wrapper around `terraform-docs` tool that check and change/create
+# (depends on provided hook_config) terraform documentation in
+# markdown format
+# Arguments:
+# terraform_docs_awk_file (string) filename where awk hack for old
+# `terraform-docs` was written. Needed for TF 0.12+.
+# Hack skipped when `terraform_docs_awk_file == "0"`
+# hook_config (string with array) arguments that configure hook behavior
+# args (string with array) arguments that configure wrapped tool behavior
+# files (array) filenames to check
+#######################################################################
+function terraform_docs {
+ local -r terraform_docs_awk_file="$1"
+ local -r hook_config="$2"
+ local -r args="$3"
+ shift 3
+ local -a -r files=("$@")
+
+ declare -a paths
+
+ local index=0
+ local file_with_path
+ for file_with_path in "${files[@]}"; do
+ file_with_path="${file_with_path// /__REPLACED__SPACE__}"
+
+ paths[index]=$(dirname "$file_with_path")
+
+ ((index += 1))
+ done
+
+ local -r tmp_file=$(mktemp)
+
+ #
+ # Get hook settings
+ #
+ local text_file="README.md"
+ local add_to_existing=false
+ local create_if_not_exist=false
+
+ read -r -a configs <<< "$hook_config"
+
+ for c in "${configs[@]}"; do
+
+ IFS="=" read -r -a config <<< "$c"
+ key=${config[0]}
+ value=${config[1]}
+
+ case $key in
+ --path-to-file)
+ text_file=$value
+ ;;
+ --add-to-existing-file)
+ add_to_existing=$value
+ ;;
+ --create-file-if-not-exist)
+ create_if_not_exist=$value
+ ;;
+ esac
+ done
+
+ local dir_path
+ for dir_path in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
+ dir_path="${dir_path//__REPLACED__SPACE__/ }"
+
+ pushd "$dir_path" > /dev/null || continue
+
+ #
+ # Create file if it not exist and `--create-if-not-exist=true` provided
+ #
+ if $create_if_not_exist && [[ ! -f "$text_file" ]]; then
+ dir_have_tf_files="$(
+ find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tf$|^tfvars$' ||
+ exit 0
+ )"
+
+ # if no TF files - skip dir
+ [ ! "$dir_have_tf_files" ] && popd > /dev/null && continue
+
+ dir="$(dirname "$text_file")"
+
+ mkdir -p "$dir"
+ {
+ echo -e "# ${PWD##*/}\n"
+ echo ""
+ echo ""
+ } >> "$text_file"
+ fi
+
+ # If file still not exist - skip dir
+ [[ ! -f "$text_file" ]] && popd > /dev/null && continue
+
+ #
+ # If `--add-to-existing-file=true` set, check is in file exist "hook markers",
+ # and if not - append "hook markers" to the end of file.
+ #
+ if $add_to_existing; then
+ HAVE_MARKER=$(grep -o '' "$text_file" || exit 0)
+
+ if [ ! "$HAVE_MARKER" ]; then
+ echo "" >> "$text_file"
+ echo "" >> "$text_file"
+ fi
+ fi
+
+ if [[ "$terraform_docs_awk_file" == "0" ]]; then
+ # shellcheck disable=SC2086
+ terraform-docs md $args ./ > "$tmp_file"
+ else
+ # Can't append extension for mktemp, so renaming instead
+ local tmp_file_docs
+ tmp_file_docs=$(mktemp "${TMPDIR:-/tmp}/terraform-docs-XXXXXXXXXX")
+ mv "$tmp_file_docs" "$tmp_file_docs.tf"
+ local tmp_file_docs_tf
+ tmp_file_docs_tf="$tmp_file_docs.tf"
+
+ awk -f "$terraform_docs_awk_file" ./*.tf > "$tmp_file_docs_tf"
+ # shellcheck disable=SC2086
+ terraform-docs md $args "$tmp_file_docs_tf" > "$tmp_file"
+ rm -f "$tmp_file_docs_tf"
+ fi
+
+ # Replace content between markers with the placeholder - https://stackoverflow.com/questions/1212799/how-do-i-extract-lines-between-two-line-delimiters-in-perl#1212834
+ perl -i -ne 'if (/BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK/../END OF PRE-COMMIT-TERRAFORM DOCS HOOK/) { print $_ if /BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK/; print "I_WANT_TO_BE_REPLACED\n$_" if /END OF PRE-COMMIT-TERRAFORM DOCS HOOK/;} else { print $_ }' "$text_file"
+
+ # Replace placeholder with the content of the file
+ perl -i -e 'open(F, "'"$tmp_file"'"); $f = join "", ; while(<>){if (/I_WANT_TO_BE_REPLACED/) {print $f} else {print $_};}' "$text_file"
+
+ rm -f "$tmp_file"
+
+ popd > /dev/null
+ done
+}
+
+#######################################################################
+# Function which creates file with `awk` hacks for old versions of
+# `terraform-docs`
+# Arguments:
+# output_file (string) filename where hack will be written to
+#######################################################################
+function terraform_docs_awk {
+ local -r output_file=$1
+
+ cat << "EOF" > "$output_file"
+# This script converts Terraform 0.12 variables/outputs to something suitable for `terraform-docs`
+# As of terraform-docs v0.6.0, HCL2 is not supported. This script is a *dirty hack* to get around it.
+# https://github.com/terraform-docs/terraform-docs/
+# https://github.com/terraform-docs/terraform-docs/issues/62
+# Script was originally found here: https://github.com/cloudposse/build-harness/blob/master/bin/terraform-docs.awk
+{
+ if ( $0 ~ /\{/ ) {
+ braceCnt++
+ }
+ if ( $0 ~ /\}/ ) {
+ braceCnt--
+ }
+ # ----------------------------------------------------------------------------------------------
+ # variable|output "..." {
+ # ----------------------------------------------------------------------------------------------
+ # [END] variable/output block
+ if (blockCnt > 0 && blockTypeCnt == 0 && blockDefaultCnt == 0) {
+ if (braceCnt == 0 && blockCnt > 0) {
+ blockCnt--
+ print $0
+ }
+ }
+ # [START] variable or output block started
+ if ($0 ~ /^[[:space:]]*(variable|output)[[:space:]][[:space:]]*"(.*?)"/) {
+ # Normalize the braceCnt and block (should be 1 now)
+ braceCnt = 1
+ blockCnt = 1
+ # [CLOSE] "default" and "type" block
+ blockDefaultCnt = 0
+ blockTypeCnt = 0
+ # Print variable|output line
+ print $0
+ }
+ # ----------------------------------------------------------------------------------------------
+ # default = ...
+ # ----------------------------------------------------------------------------------------------
+ # [END] multiline "default" continues/ends
+ if (blockCnt > 0 && blockTypeCnt == 0 && blockDefaultCnt > 0) {
+ print $0
+ # Count opening blocks
+ blockDefaultCnt += gsub(/\(/, "")
+ blockDefaultCnt += gsub(/\[/, "")
+ blockDefaultCnt += gsub(/\{/, "")
+ # Count closing blocks
+ blockDefaultCnt -= gsub(/\)/, "")
+ blockDefaultCnt -= gsub(/\]/, "")
+ blockDefaultCnt -= gsub(/\}/, "")
+ }
+ # [START] multiline "default" statement started
+ if (blockCnt > 0 && blockTypeCnt == 0 && blockDefaultCnt == 0) {
+ if ($0 ~ /^[[:space:]][[:space:]]*(default)[[:space:]][[:space:]]*=/) {
+ if ($3 ~ "null") {
+ print " default = \"null\""
+ } else {
+ print $0
+ # Count opening blocks
+ blockDefaultCnt += gsub(/\(/, "")
+ blockDefaultCnt += gsub(/\[/, "")
+ blockDefaultCnt += gsub(/\{/, "")
+ # Count closing blocks
+ blockDefaultCnt -= gsub(/\)/, "")
+ blockDefaultCnt -= gsub(/\]/, "")
+ blockDefaultCnt -= gsub(/\}/, "")
+ }
+ }
+ }
+ # ----------------------------------------------------------------------------------------------
+ # type = ...
+ # ----------------------------------------------------------------------------------------------
+ # [END] multiline "type" continues/ends
+ if (blockCnt > 0 && blockTypeCnt > 0 && blockDefaultCnt == 0) {
+ # The following 'print $0' would print multiline type definitions
+ #print $0
+ # Count opening blocks
+ blockTypeCnt += gsub(/\(/, "")
+ blockTypeCnt += gsub(/\[/, "")
+ blockTypeCnt += gsub(/\{/, "")
+ # Count closing blocks
+ blockTypeCnt -= gsub(/\)/, "")
+ blockTypeCnt -= gsub(/\]/, "")
+ blockTypeCnt -= gsub(/\}/, "")
+ }
+ # [START] multiline "type" statement started
+ if (blockCnt > 0 && blockTypeCnt == 0 && blockDefaultCnt == 0) {
+ if ($0 ~ /^[[:space:]][[:space:]]*(type)[[:space:]][[:space:]]*=/ ) {
+ if ($3 ~ "object") {
+ print " type = \"object\""
+ } else {
+ # Convert multiline stuff into single line
+ if ($3 ~ /^[[:space:]]*list[[:space:]]*\([[:space:]]*$/) {
+ type = "list"
+ } else if ($3 ~ /^[[:space:]]*string[[:space:]]*\([[:space:]]*$/) {
+ type = "string"
+ } else if ($3 ~ /^[[:space:]]*map[[:space:]]*\([[:space:]]*$/) {
+ type = "map"
+ } else {
+ type = $3
+ }
+ # legacy quoted types: "string", "list", and "map"
+ if (type ~ /^[[:space:]]*"(.*?)"[[:space:]]*$/) {
+ print " type = " type
+ } else {
+ print " type = \"" type "\""
+ }
+ }
+ # Count opening blocks
+ blockTypeCnt += gsub(/\(/, "")
+ blockTypeCnt += gsub(/\[/, "")
+ blockTypeCnt += gsub(/\{/, "")
+ # Count closing blocks
+ blockTypeCnt -= gsub(/\)/, "")
+ blockTypeCnt -= gsub(/\]/, "")
+ blockTypeCnt -= gsub(/\}/, "")
+ }
+ }
+ # ----------------------------------------------------------------------------------------------
+ # description = ...
+ # ----------------------------------------------------------------------------------------------
+ # [PRINT] single line "description"
+ if (blockCnt > 0 && blockTypeCnt == 0 && blockDefaultCnt == 0) {
+ if ($0 ~ /^[[:space:]][[:space:]]*description[[:space:]][[:space:]]*=/) {
+ print $0
+ }
+ }
+ # ----------------------------------------------------------------------------------------------
+ # value = ...
+ # ----------------------------------------------------------------------------------------------
+ ## [PRINT] single line "value"
+ #if (blockCnt > 0 && blockTypeCnt == 0 && blockDefaultCnt == 0) {
+ # if ($0 ~ /^[[:space:]][[:space:]]*value[[:space:]][[:space:]]*=/) {
+ # print $0
+ # }
+ #}
+ # ----------------------------------------------------------------------------------------------
+ # Newlines, comments, everything else
+ # ----------------------------------------------------------------------------------------------
+ #if (blockTypeCnt == 0 && blockDefaultCnt == 0) {
+ # Comments with '#'
+ if ($0 ~ /^[[:space:]]*#/) {
+ print $0
+ }
+ # Comments with '//'
+ if ($0 ~ /^[[:space:]]*\/\//) {
+ print $0
+ }
+ # Newlines
+ if ($0 ~ /^[[:space:]]*$/) {
+ print $0
+ }
+ #}
+}
+EOF
+
+}
+
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
diff --git a/hooks/terraform_docs_replace.py b/hooks/terraform_docs_replace.py
new file mode 100644
index 000000000..a9cf6c9bc
--- /dev/null
+++ b/hooks/terraform_docs_replace.py
@@ -0,0 +1,56 @@
+import argparse
+import os
+import subprocess
+import sys
+
+
+def main(argv=None):
+ parser = argparse.ArgumentParser(
+ description="""Run terraform-docs on a set of files. Follows the standard convention of
+ pulling the documentation from main.tf in order to replace the entire
+ README.md file each time."""
+ )
+ parser.add_argument(
+ '--dest', dest='dest', default='README.md',
+ )
+ parser.add_argument(
+ '--sort-inputs-by-required', dest='sort', action='store_true',
+ help='[deprecated] use --sort-by-required instead',
+ )
+ parser.add_argument(
+ '--sort-by-required', dest='sort', action='store_true',
+ )
+ parser.add_argument(
+ '--with-aggregate-type-defaults', dest='aggregate', action='store_true',
+ help='[deprecated]',
+ )
+ parser.add_argument('filenames', nargs='*', help='Filenames to check.')
+ args = parser.parse_args(argv)
+
+ dirs = []
+ for filename in args.filenames:
+ if (os.path.realpath(filename) not in dirs and
+ (filename.endswith(".tf") or filename.endswith(".tfvars"))):
+ dirs.append(os.path.dirname(filename))
+
+ retval = 0
+
+ for dir in dirs:
+ try:
+ procArgs = []
+ procArgs.append('terraform-docs')
+ if args.sort:
+ procArgs.append('--sort-by-required')
+ procArgs.append('md')
+ procArgs.append("./{dir}".format(dir=dir))
+ procArgs.append('>')
+ procArgs.append("./{dir}/{dest}".format(dir=dir, dest=args.dest))
+ subprocess.check_call(" ".join(procArgs), shell=True)
+ except subprocess.CalledProcessError as e:
+ print(e)
+ retval = 1
+ return retval
+
+
+if __name__ == '__main__':
+ sys.exit(main())
diff --git a/hooks/terraform_fmt.sh b/hooks/terraform_fmt.sh
new file mode 100755
index 000000000..62e70810e
--- /dev/null
+++ b/hooks/terraform_fmt.sh
@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# globals variables
+# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+# shellcheck disable=SC2034 # Unused var.
+readonly HOOK_ID='terraform_fmt'
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+
+function main {
+ common::initialize "$SCRIPT_DIR"
+ common::parse_cmdline "$@"
+ # shellcheck disable=SC2153 # False positive
+ terraform_fmt_ "${ARGS[*]}" "${FILES[@]}"
+}
+
+#######################################################################
+# Hook execution boilerplate logic which is common to hooks, that run
+# on per dir basis. Little bit extended than `common::per_dir_hook`
+# 1. Because hook runs on whole dir, reduce file paths to uniq dir paths
+# (unique) 1.1. Collect paths to *.tfvars files in a separate variable
+# 2. Run for each dir `per_dir_hook_unique_part`, on all paths
+# (unique) 2.1. Run `terraform fmt` on each *.tfvars file
+# 2.2. If at least 1 check failed - change exit code to non-zero
+# 3. Complete hook execution and return exit code
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+# files (array) filenames to check
+#######################################################################
+function terraform_fmt_ {
+ local -r args="$1"
+ shift 1
+ local -a -r files=("$@")
+ # consume modified files passed from pre-commit so that
+ # hook runs against only those relevant directories
+ local index=0
+ for file_with_path in "${files[@]}"; do
+ file_with_path="${file_with_path// /__REPLACED__SPACE__}"
+
+ dir_paths[index]=$(dirname "$file_with_path")
+ # TODO Unique part
+ if [[ "$file_with_path" == *".tfvars" ]]; then
+ tfvars_files+=("$file_with_path")
+ fi
+ #? End for unique part
+ ((index += 1))
+ done
+
+ # preserve errexit status
+ shopt -qo errexit && ERREXIT_IS_SET=true
+ # allow hook to continue if exit_code is greater than 0
+ set +e
+ local final_exit_code=0
+
+ # run hook for each path
+ for dir_path in $(echo "${dir_paths[*]}" | tr ' ' '\n' | sort -u); do
+ dir_path="${dir_path//__REPLACED__SPACE__/ }"
+ pushd "$dir_path" > /dev/null || continue
+
+ per_dir_hook_unique_part "$args" "$dir_path"
+
+ local exit_code=$?
+ if [ $exit_code -ne 0 ]; then
+ final_exit_code=$exit_code
+ fi
+
+ popd > /dev/null
+ done
+
+ # TODO: Unique part
+ # terraform.tfvars are excluded by `terraform fmt`
+ for tfvars_file in "${tfvars_files[@]}"; do
+ tfvars_file="${tfvars_file//__REPLACED__SPACE__/ }"
+
+ terraform fmt "${ARGS[@]}" "$tfvars_file"
+ local exit_code=$?
+ if [ $exit_code -ne 0 ]; then
+ final_exit_code=$exit_code
+ fi
+ done
+ #? End for unique part
+ # restore errexit if it was set before the "for" loop
+ [[ $ERREXIT_IS_SET ]] && set -e
+ # return the hook final exit_code
+ exit $final_exit_code
+
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed in loop
+# on each provided dir path. Run wrapped tool with specified arguments
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+# dir_path (string) PATH to dir relative to git repo root.
+# Can be used in error logging
+# Outputs:
+# If failed - print out hook checks status
+#######################################################################
+function per_dir_hook_unique_part {
+ local -r args="$1"
+ local -r dir_path="$2"
+
+ # pass the arguments to hook
+ # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+ terraform fmt ${args[@]}
+
+ # return exit code to common::per_dir_hook
+ local exit_code=$?
+ return $exit_code
+}
+
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
diff --git a/hooks/terraform_providers_lock.sh b/hooks/terraform_providers_lock.sh
new file mode 100755
index 000000000..011ee45eb
--- /dev/null
+++ b/hooks/terraform_providers_lock.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+# globals variables
+# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+readonly HOOK_ID='terraform_providers_lock'
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+
+function main {
+ common::initialize "$SCRIPT_DIR"
+ common::parse_cmdline "$@"
+ # shellcheck disable=SC2153 # False positive
+ common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed in loop
+# on each provided dir path. Run wrapped tool with specified arguments
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+# dir_path (string) PATH to dir relative to git repo root.
+# Can be used in error logging
+# Outputs:
+# If failed - print out hook checks status
+#######################################################################
+function per_dir_hook_unique_part {
+ local -r args="$1"
+ local -r dir_path="$2"
+
+ if [ ! -d ".terraform" ]; then
+ init_output=$(terraform init -backend=false 2>&1)
+ init_code=$?
+
+ if [ $init_code -ne 0 ]; then
+ common::colorify "red" "Init before validation failed: $dir_path"
+ common::colorify "red" "$init_output"
+ exit $init_code
+ fi
+ fi
+
+ # pass the arguments to hook
+ # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+ terraform providers lock ${args[@]}
+
+ # return exit code to common::per_dir_hook
+ local exit_code=$?
+ return $exit_code
+}
+
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
diff --git a/hooks/terraform_tflint.sh b/hooks/terraform_tflint.sh
new file mode 100755
index 000000000..f89ab58bf
--- /dev/null
+++ b/hooks/terraform_tflint.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+# globals variables
+# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+readonly HOOK_ID='terraform_tflint'
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+
+function main {
+ common::initialize "$SCRIPT_DIR"
+ common::parse_cmdline "$@"
+ # Support for setting PATH to repo root.
+ # shellcheck disable=SC2178 # It's the simplest syntax for that case
+ ARGS=${ARGS[*]/__GIT_WORKING_DIR__/$(pwd)\/}
+ # shellcheck disable=SC2128 # It's the simplest syntax for that case
+ common::per_dir_hook "$ARGS" "$HOOK_ID" "${FILES[@]}"
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed in loop
+# on each provided dir path. Run wrapped tool with specified arguments
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+# dir_path (string) PATH to dir relative to git repo root.
+# Can be used in error logging
+# Outputs:
+# If failed - print out hook checks status
+#######################################################################
+function per_dir_hook_unique_part {
+ local -r args="$1"
+ local -r dir_path="$2"
+
+ # Print checked PATH **only** if TFLint have any messages
+ # shellcheck disable=SC2091,SC2068 # Suppress error output
+ $(tflint ${args[@]} 2>&1) 2> /dev/null || {
+ common::colorify "yellow" "TFLint in $dir_path/:"
+
+ # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+ tflint ${args[@]}
+ }
+
+ # return exit code to common::per_dir_hook
+ local exit_code=$?
+ return $exit_code
+}
+
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
diff --git a/hooks/terraform_tfsec.sh b/hooks/terraform_tfsec.sh
new file mode 100755
index 000000000..b9273827a
--- /dev/null
+++ b/hooks/terraform_tfsec.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# globals variables
+# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+readonly HOOK_ID='terraform_tfsec'
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+
+function main {
+ common::initialize "$SCRIPT_DIR"
+ common::parse_cmdline "$@"
+ # Support for setting PATH to repo root.
+ # shellcheck disable=SC2178 # It's the simplest syntax for that case
+ ARGS=${ARGS[*]/__GIT_WORKING_DIR__/$(pwd)\/}
+ # shellcheck disable=SC2128 # It's the simplest syntax for that case
+ common::per_dir_hook "$ARGS" "$HOOK_ID" "${FILES[@]}"
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed in loop
+# on each provided dir path. Run wrapped tool with specified arguments
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+# dir_path (string) PATH to dir relative to git repo root.
+# Can be used in error logging
+# Outputs:
+# If failed - print out hook checks status
+#######################################################################
+function per_dir_hook_unique_part {
+ local -r args="$1"
+ # shellcheck disable=SC2034 # Unused var.
+ local -r dir_path="$2"
+
+ # pass the arguments to hook
+ # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+ tfsec ${args[@]}
+
+ # return exit code to common::per_dir_hook
+ local exit_code=$?
+ return $exit_code
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed one time
+# in the root git repo
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+#######################################################################
+function run_hook_on_whole_repo {
+ local -r args="$1"
+
+ # pass the arguments to hook
+ # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+ tfsec "$(pwd)" ${args[@]}
+
+ # return exit code to common::per_dir_hook
+ local exit_code=$?
+ return $exit_code
+}
+
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
diff --git a/hooks/terraform_validate.sh b/hooks/terraform_validate.sh
new file mode 100755
index 000000000..13db4b060
--- /dev/null
+++ b/hooks/terraform_validate.sh
@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# globals variables
+# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+# shellcheck disable=SC2034 # Unused var.
+readonly HOOK_ID='terraform_validate'
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+
+# `terraform validate` requires this env variable to be set
+export AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-us-east-1}
+
+function main {
+ common::initialize "$SCRIPT_DIR"
+ parse_cmdline_ "$@"
+ terraform_validate_
+}
+
+#######################################################################
+# Parse args and filenames passed to script and populate respective
+# global variables with appropriate values
+# Globals (init and populate):
+# ARGS (array) arguments that configure wrapped tool behavior
+# INIT_ARGS (array) arguments to `terraform init` command
+# ENVS (array) environment variables that will be used with
+# `terraform` commands
+# FILES (array) filenames to check
+# Arguments:
+# $@ (array) all specified in `hooks.[].args` in
+# `.pre-commit-config.yaml` and filenames.
+#######################################################################
+function parse_cmdline_ {
+ declare argv
+ argv=$(getopt -o e:i:a: --long envs:,init-args:,args: -- "$@") || return
+ eval "set -- $argv"
+
+ for argv; do
+ case $argv in
+ -a | --args)
+ shift
+ ARGS+=("$1")
+ shift
+ ;;
+ -i | --init-args)
+ shift
+ INIT_ARGS+=("$1")
+ shift
+ ;;
+ -e | --envs)
+ shift
+ ENVS+=("$1")
+ shift
+ ;;
+ --)
+ shift
+ FILES=("$@")
+ break
+ ;;
+ esac
+ done
+}
+
+#######################################################################
+# Wrapper around `terraform validate` tool that checks if code is valid
+# 1. Export provided env var K/V pairs to environment
+# 2. Because hook runs on whole dir, reduce file paths to uniq dir paths
+# 3. In each dir that have *.tf files:
+# 3.1. Check if `.terraform` dir exists and if not - run `terraform init`
+# 3.2. Run `terraform validate`
+# 3.3. If at least 1 check failed - change exit code to non-zero
+# 4. Complete hook execution and return exit code
+# Globals:
+# ARGS (array) arguments that configure wrapped tool behavior
+# INIT_ARGS (array) arguments for `terraform init` command`
+# ENVS (array) environment variables that will be used with
+# `terraform` commands
+# FILES (array) filenames to check
+# Outputs:
+# If failed - print out hook checks status
+#######################################################################
+function terraform_validate_ {
+
+ # Setup environment variables
+ local var var_name var_value
+ for var in "${ENVS[@]}"; do
+ var_name="${var%%=*}"
+ var_value="${var#*=}"
+ # shellcheck disable=SC2086
+ export $var_name="$var_value"
+ done
+
+ declare -a paths
+ local index=0
+ local error=0
+
+ local file_with_path
+ for file_with_path in "${FILES[@]}"; do
+ file_with_path="${file_with_path// /__REPLACED__SPACE__}"
+
+ paths[index]=$(dirname "$file_with_path")
+ ((index += 1))
+ done
+
+ local dir_path
+ for dir_path in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
+ dir_path="${dir_path//__REPLACED__SPACE__/ }"
+
+ if [[ -n "$(find "$dir_path" -maxdepth 1 -name '*.tf' -print -quit)" ]]; then
+
+ pushd "$(realpath "$dir_path")" > /dev/null
+
+ if [ ! -d .terraform ]; then
+ set +e
+ init_output=$(terraform init -backend=false "${INIT_ARGS[@]}" 2>&1)
+ init_code=$?
+ set -e
+
+ if [ $init_code -ne 0 ]; then
+ error=1
+ echo "Init before validation failed: $dir_path"
+ echo "$init_output"
+ popd > /dev/null
+ continue
+ fi
+ fi
+
+ set +e
+ validate_output=$(terraform validate "${ARGS[@]}" 2>&1)
+ validate_code=$?
+ set -e
+
+ if [ $validate_code -ne 0 ]; then
+ error=1
+ echo "Validation failed: $dir_path"
+ echo "$validate_output"
+ echo
+ fi
+
+ popd > /dev/null
+ fi
+ done
+
+ if [ $error -ne 0 ]; then
+ exit 1
+ fi
+}
+
+# global arrays
+declare -a INIT_ARGS
+declare -a ENVS
+
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
diff --git a/hooks/terragrunt_fmt.sh b/hooks/terragrunt_fmt.sh
new file mode 100755
index 000000000..b2a5b0684
--- /dev/null
+++ b/hooks/terragrunt_fmt.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# globals variables
+# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+readonly HOOK_ID='terragrunt_fmt'
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+
+function main {
+ common::initialize "$SCRIPT_DIR"
+ common::parse_cmdline "$@"
+ # shellcheck disable=SC2153 # False positive
+ common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed in loop
+# on each provided dir path. Run wrapped tool with specified arguments
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+# dir_path (string) PATH to dir relative to git repo root.
+# Can be used in error logging
+# Outputs:
+# If failed - print out hook checks status
+#######################################################################
+function per_dir_hook_unique_part {
+ local -r args="$1"
+ # shellcheck disable=SC2034 # Unused var.
+ local -r dir_path="$2"
+
+ # pass the arguments to hook
+ # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+ terragrunt hclfmt ${args[@]}
+
+ # return exit code to common::per_dir_hook
+ local exit_code=$?
+ return $exit_code
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed one time
+# in the root git repo
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+#######################################################################
+function run_hook_on_whole_repo {
+ local -r args="$1"
+
+ # pass the arguments to hook
+ # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+ terragrunt hclfmt "$(pwd)" ${args[@]}
+
+ # return exit code to common::per_dir_hook
+ local exit_code=$?
+ return $exit_code
+}
+
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
diff --git a/hooks/terragrunt_validate.sh b/hooks/terragrunt_validate.sh
new file mode 100755
index 000000000..589b823c8
--- /dev/null
+++ b/hooks/terragrunt_validate.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# globals variables
+# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+readonly HOOK_ID='terragrunt_validate'
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+
+function main {
+ common::initialize "$SCRIPT_DIR"
+ common::parse_cmdline "$@"
+ # shellcheck disable=SC2153 # False positive
+ common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed in loop
+# on each provided dir path. Run wrapped tool with specified arguments
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+# dir_path (string) PATH to dir relative to git repo root.
+# Can be used in error logging
+# Outputs:
+# If failed - print out hook checks status
+#######################################################################
+function per_dir_hook_unique_part {
+ local -r args="$1"
+ # shellcheck disable=SC2034 # Unused var.
+ local -r dir_path="$2"
+
+ # pass the arguments to hook
+ # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+ terragrunt validate ${args[@]}
+
+ # return exit code to common::per_dir_hook
+ local exit_code=$?
+ return $exit_code
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed one time
+# in the root git repo
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+#######################################################################
+function run_hook_on_whole_repo {
+ local -r args="$1"
+
+ # pass the arguments to hook
+ # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+ terragrunt run-all validate ${args[@]}
+
+ # return exit code to common::per_dir_hook
+ local exit_code=$?
+ return $exit_code
+}
+
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
diff --git a/hooks/terrascan.sh b/hooks/terrascan.sh
new file mode 100755
index 000000000..5c6415456
--- /dev/null
+++ b/hooks/terrascan.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# globals variables
+# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+readonly HOOK_ID='terrascan'
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+
+function main {
+ common::initialize "$SCRIPT_DIR"
+ common::parse_cmdline "$@"
+ # shellcheck disable=SC2153 # False positive
+ common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed in loop
+# on each provided dir path. Run wrapped tool with specified arguments
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+# dir_path (string) PATH to dir relative to git repo root.
+# Can be used in error logging
+# Outputs:
+# If failed - print out hook checks status
+#######################################################################
+function per_dir_hook_unique_part {
+ local -r args="$1"
+ # shellcheck disable=SC2034 # Unused var.
+ local -r dir_path="$2"
+
+ # pass the arguments to hook
+ # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+ terrascan scan -i terraform ${args[@]}
+
+ # return exit code to common::per_dir_hook
+ local exit_code=$?
+ return $exit_code
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed one time
+# in the root git repo
+# Arguments:
+# args (string with array) arguments that configure wrapped tool behavior
+#######################################################################
+function run_hook_on_whole_repo {
+ local -r args="$1"
+
+ # pass the arguments to hook
+ # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+ terrascan scan -i terraform ${args[@]}
+
+ # return exit code to common::per_dir_hook
+ local exit_code=$?
+ return $exit_code
+}
+
+[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
diff --git a/lib_getopt b/lib_getopt
new file mode 100644
index 000000000..c4b21fa80
--- /dev/null
+++ b/lib_getopt
@@ -0,0 +1,494 @@
+#!/bin/bash
+
+getopt() {
+ # pure-getopt, a drop-in replacement for GNU getopt in pure Bash.
+ # version 1.4.4
+ #
+ # Copyright 2012-2020 Aron Griffis
+ #
+ # Permission is hereby granted, free of charge, to any person obtaining
+ # a copy of this software and associated documentation files (the
+ # "Software"), to deal in the Software without restriction, including
+ # without limitation the rights to use, copy, modify, merge, publish,
+ # distribute, sublicense, and/or sell copies of the Software, and to
+ # permit persons to whom the Software is furnished to do so, subject to
+ # the following conditions:
+ #
+ # The above copyright notice and this permission notice shall be included
+ # in all copies or substantial portions of the Software.
+ #
+ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ # IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ # CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ # TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+ _getopt_main() {
+ # Returns one of the following statuses:
+ # 0 success
+ # 1 error parsing parameters
+ # 2 error in getopt invocation
+ # 3 internal error
+ # 4 reserved for -T
+ #
+ # For statuses 0 and 1, generates normalized and shell-quoted
+ # "options -- parameters" on stdout.
+
+ declare parsed status
+ declare short long='' name flags=''
+ declare have_short=false
+
+ # Synopsis from getopt man-page:
+ #
+ # getopt optstring parameters
+ # getopt [options] [--] optstring parameters
+ # getopt [options] -o|--options optstring [options] [--] parameters
+ #
+ # The first form can be normalized to the third form which
+ # _getopt_parse() understands. The second form can be recognized after
+ # first parse when $short hasn't been set.
+
+ if [[ -n ${GETOPT_COMPATIBLE+isset} || $1 == [^-]* ]]; then
+ # Enable compatibility mode
+ flags=c$flags
+ # Normalize first to third synopsis form
+ set -- -o "$1" -- "${@:2}"
+ fi
+
+ # First parse always uses flags=p since getopt always parses its own
+ # arguments effectively in this mode.
+ parsed=$(_getopt_parse getopt ahl:n:o:qQs:TuV \
+ alternative,help,longoptions:,name:,options:,quiet,quiet-output,shell:,test,version \
+ p "$@")
+ status=$?
+ if [[ $status != 0 ]]; then
+ if [[ $status == 1 ]]; then
+ echo "Try \`getopt --help' for more information." >&2
+ # Since this is the first parse, convert status 1 to 2
+ status=2
+ fi
+ return $status
+ fi
+ eval "set -- $parsed"
+
+ while [[ $# -gt 0 ]]; do
+ case $1 in
+ (-a|--alternative)
+ flags=a$flags ;;
+
+ (-h|--help)
+ _getopt_help
+ return 2 # as does GNU getopt
+ ;;
+
+ (-l|--longoptions)
+ long="$long${long:+,}$2"
+ shift ;;
+
+ (-n|--name)
+ name=$2
+ shift ;;
+
+ (-o|--options)
+ short=$2
+ have_short=true
+ shift ;;
+
+ (-q|--quiet)
+ flags=q$flags ;;
+
+ (-Q|--quiet-output)
+ flags=Q$flags ;;
+
+ (-s|--shell)
+ case $2 in
+ (sh|bash)
+ flags=${flags//t/} ;;
+ (csh|tcsh)
+ flags=t$flags ;;
+ (*)
+ echo 'getopt: unknown shell after -s or --shell argument' >&2
+ echo "Try \`getopt --help' for more information." >&2
+ return 2 ;;
+ esac
+ shift ;;
+
+ (-u|--unquoted)
+ flags=u$flags ;;
+
+ (-T|--test)
+ return 4 ;;
+
+ (-V|--version)
+ echo "pure-getopt 1.4.4"
+ return 0 ;;
+
+ (--)
+ shift
+ break ;;
+ esac
+
+ shift
+ done
+
+ if ! $have_short; then
+ # $short was declared but never set, not even to an empty string.
+ # This implies the second form in the synopsis.
+ if [[ $# == 0 ]]; then
+ echo 'getopt: missing optstring argument' >&2
+ echo "Try \`getopt --help' for more information." >&2
+ return 2
+ fi
+ short=$1
+ have_short=true
+ shift
+ fi
+
+ if [[ $short == -* ]]; then
+ # Leading dash means generate output in place rather than reordering,
+ # unless we're already in compatibility mode.
+ [[ $flags == *c* ]] || flags=i$flags
+ short=${short#?}
+ elif [[ $short == +* ]]; then
+ # Leading plus means POSIXLY_CORRECT, unless we're already in
+ # compatibility mode.
+ [[ $flags == *c* ]] || flags=p$flags
+ short=${short#?}
+ fi
+
+ # This should fire if POSIXLY_CORRECT is in the environment, even if
+ # it's an empty string. That's the difference between :+ and +
+ flags=${POSIXLY_CORRECT+p}$flags
+
+ _getopt_parse "${name:-getopt}" "$short" "$long" "$flags" "$@"
+ }
+
+ _getopt_parse() {
+ # Inner getopt parser, used for both first parse and second parse.
+ # Returns 0 for success, 1 for error parsing, 3 for internal error.
+ # In the case of status 1, still generates stdout with whatever could
+ # be parsed.
+ #
+ # $flags is a string of characters with the following meanings:
+ # a - alternative parsing mode
+ # c - GETOPT_COMPATIBLE
+ # i - generate output in place rather than reordering
+ # p - POSIXLY_CORRECT
+ # q - disable error reporting
+ # Q - disable normal output
+ # t - quote for csh/tcsh
+ # u - unquoted output
+
+ declare name="$1" short="$2" long="$3" flags="$4"
+ shift 4
+
+ # Split $long on commas, prepend double-dashes, strip colons;
+ # for use with _getopt_resolve_abbrev
+ declare -a longarr
+ _getopt_split longarr "$long"
+ longarr=( "${longarr[@]/#/--}" )
+ longarr=( "${longarr[@]%:}" )
+ longarr=( "${longarr[@]%:}" )
+
+ # Parse and collect options and parameters
+ declare -a opts params
+ declare o alt_recycled=false error=0
+
+ while [[ $# -gt 0 ]]; do
+ case $1 in
+ (--)
+ params=( "${params[@]}" "${@:2}" )
+ break ;;
+
+ (--*=*)
+ o=${1%%=*}
+ if ! o=$(_getopt_resolve_abbrev "$o" "${longarr[@]}"); then
+ error=1
+ elif [[ ,"$long", == *,"${o#--}"::,* ]]; then
+ opts=( "${opts[@]}" "$o" "${1#*=}" )
+ elif [[ ,"$long", == *,"${o#--}":,* ]]; then
+ opts=( "${opts[@]}" "$o" "${1#*=}" )
+ elif [[ ,"$long", == *,"${o#--}",* ]]; then
+ if $alt_recycled; then o=${o#-}; fi
+ _getopt_err "$name: option '$o' doesn't allow an argument"
+ error=1
+ else
+ echo "getopt: assertion failed (1)" >&2
+ return 3
+ fi
+ alt_recycled=false
+ ;;
+
+ (--?*)
+ o=$1
+ if ! o=$(_getopt_resolve_abbrev "$o" "${longarr[@]}"); then
+ error=1
+ elif [[ ,"$long", == *,"${o#--}",* ]]; then
+ opts=( "${opts[@]}" "$o" )
+ elif [[ ,"$long", == *,"${o#--}::",* ]]; then
+ opts=( "${opts[@]}" "$o" '' )
+ elif [[ ,"$long", == *,"${o#--}:",* ]]; then
+ if [[ $# -ge 2 ]]; then
+ shift
+ opts=( "${opts[@]}" "$o" "$1" )
+ else
+ if $alt_recycled; then o=${o#-}; fi
+ _getopt_err "$name: option '$o' requires an argument"
+ error=1
+ fi
+ else
+ echo "getopt: assertion failed (2)" >&2
+ return 3
+ fi
+ alt_recycled=false
+ ;;
+
+ (-*)
+ if [[ $flags == *a* ]]; then
+ # Alternative parsing mode!
+ # Try to handle as a long option if any of the following apply:
+ # 1. There's an equals sign in the mix -x=3 or -xy=3
+ # 2. There's 2+ letters and an abbreviated long match -xy
+ # 3. There's a single letter and an exact long match
+ # 4. There's a single letter and no short match
+ o=${1::2} # temp for testing #4
+ if [[ $1 == *=* || $1 == -?? || \
+ ,$long, == *,"${1#-}"[:,]* || \
+ ,$short, != *,"${o#-}"[:,]* ]]; then
+ o=$(_getopt_resolve_abbrev "${1%%=*}" "${longarr[@]}" 2>/dev/null)
+ case $? in
+ (0)
+ # Unambiguous match. Let the long options parser handle
+ # it, with a flag to get the right error message.
+ set -- "-$1" "${@:2}"
+ alt_recycled=true
+ continue ;;
+ (1)
+ # Ambiguous match, generate error and continue.
+ _getopt_resolve_abbrev "${1%%=*}" "${longarr[@]}" >/dev/null
+ error=1
+ shift
+ continue ;;
+ (2)
+ # No match, fall through to single-character check.
+ true ;;
+ (*)
+ echo "getopt: assertion failed (3)" >&2
+ return 3 ;;
+ esac
+ fi
+ fi
+
+ o=${1::2}
+ if [[ "$short" == *"${o#-}"::* ]]; then
+ if [[ ${#1} -gt 2 ]]; then
+ opts=( "${opts[@]}" "$o" "${1:2}" )
+ else
+ opts=( "${opts[@]}" "$o" '' )
+ fi
+ elif [[ "$short" == *"${o#-}":* ]]; then
+ if [[ ${#1} -gt 2 ]]; then
+ opts=( "${opts[@]}" "$o" "${1:2}" )
+ elif [[ $# -ge 2 ]]; then
+ shift
+ opts=( "${opts[@]}" "$o" "$1" )
+ else
+ _getopt_err "$name: option requires an argument -- '${o#-}'"
+ error=1
+ fi
+ elif [[ "$short" == *"${o#-}"* ]]; then
+ opts=( "${opts[@]}" "$o" )
+ if [[ ${#1} -gt 2 ]]; then
+ set -- "$o" "-${1:2}" "${@:2}"
+ fi
+ else
+ if [[ $flags == *a* ]]; then
+ # Alternative parsing mode! Report on the entire failed
+ # option. GNU includes =value but we omit it for sanity with
+ # very long values.
+ _getopt_err "$name: unrecognized option '${1%%=*}'"
+ else
+ _getopt_err "$name: invalid option -- '${o#-}'"
+ if [[ ${#1} -gt 2 ]]; then
+ set -- "$o" "-${1:2}" "${@:2}"
+ fi
+ fi
+ error=1
+ fi ;;
+
+ (*)
+ # GNU getopt in-place mode (leading dash on short options)
+ # overrides POSIXLY_CORRECT
+ if [[ $flags == *i* ]]; then
+ opts=( "${opts[@]}" "$1" )
+ elif [[ $flags == *p* ]]; then
+ params=( "${params[@]}" "$@" )
+ break
+ else
+ params=( "${params[@]}" "$1" )
+ fi
+ esac
+
+ shift
+ done
+
+ if [[ $flags == *Q* ]]; then
+ true # generate no output
+ else
+ echo -n ' '
+ if [[ $flags == *[cu]* ]]; then
+ printf '%s -- %s' "${opts[*]}" "${params[*]}"
+ else
+ if [[ $flags == *t* ]]; then
+ _getopt_quote_csh "${opts[@]}" -- "${params[@]}"
+ else
+ _getopt_quote "${opts[@]}" -- "${params[@]}"
+ fi
+ fi
+ echo
+ fi
+
+ return $error
+ }
+
+ _getopt_err() {
+ if [[ $flags != *q* ]]; then
+ printf '%s\n' "$1" >&2
+ fi
+ }
+
+ _getopt_resolve_abbrev() {
+ # Resolves an abbrevation from a list of possibilities.
+ # If the abbreviation is unambiguous, echoes the expansion on stdout
+ # and returns 0. If the abbreviation is ambiguous, prints a message on
+ # stderr and returns 1. (For first parse this should convert to exit
+ # status 2.) If there is no match at all, prints a message on stderr
+ # and returns 2.
+ declare a q="$1"
+ declare -a matches=()
+ shift
+ for a; do
+ if [[ $q == "$a" ]]; then
+ # Exact match. Squash any other partial matches.
+ matches=( "$a" )
+ break
+ elif [[ $flags == *a* && $q == -[^-]* && $a == -"$q" ]]; then
+ # Exact alternative match. Squash any other partial matches.
+ matches=( "$a" )
+ break
+ elif [[ $a == "$q"* ]]; then
+ # Abbreviated match.
+ matches=( "${matches[@]}" "$a" )
+ elif [[ $flags == *a* && $q == -[^-]* && $a == -"$q"* ]]; then
+ # Abbreviated alternative match.
+ matches=( "${matches[@]}" "${a#-}" )
+ fi
+ done
+ case ${#matches[@]} in
+ (0)
+ [[ $flags == *q* ]] || \
+ printf "$name: unrecognized option %s\\n" >&2 \
+ "$(_getopt_quote "$q")"
+ return 2 ;;
+ (1)
+ printf '%s' "${matches[0]}"; return 0 ;;
+ (*)
+ [[ $flags == *q* ]] || \
+ printf "$name: option %s is ambiguous; possibilities: %s\\n" >&2 \
+ "$(_getopt_quote "$q")" "$(_getopt_quote "${matches[@]}")"
+ return 1 ;;
+ esac
+ }
+
+ _getopt_split() {
+ # Splits $2 at commas to build array specified by $1
+ declare IFS=,
+ eval "$1=( \$2 )"
+ }
+
+ _getopt_quote() {
+ # Quotes arguments with single quotes, escaping inner single quotes
+ declare s space='' q=\'
+ for s; do
+ printf "$space'%s'" "${s//$q/$q\\$q$q}"
+ space=' '
+ done
+ }
+
+ _getopt_quote_csh() {
+ # Quotes arguments with single quotes, escaping inner single quotes,
+ # bangs, backslashes and newlines
+ declare s i c space
+ for s; do
+ echo -n "$space'"
+ for ((i=0; i<${#s}; i++)); do
+ c=${s:i:1}
+ case $c in
+ (\\|\'|!)
+ echo -n "'\\$c'" ;;
+ ($'\n')
+ echo -n "\\$c" ;;
+ (*)
+ echo -n "$c" ;;
+ esac
+ done
+ echo -n \'
+ space=' '
+ done
+ }
+
+ _getopt_help() {
+ cat <<-EOT >&2
+
+ Usage:
+ getopt
+ getopt [options] [--]
+ getopt [options] -o|--options [options] [--]
+
+ Parse command options.
+
+ Options:
+ -a, --alternative allow long options starting with single -
+ -l, --longoptions the long options to be recognized
+ -n, --name the name under which errors are reported
+ -o, --options the short options to be recognized
+ -q, --quiet disable error reporting by getopt(3)
+ -Q, --quiet-output no normal output
+ -s, --shell set quoting conventions to those of
+ -T, --test test for getopt(1) version
+ -u, --unquoted do not quote the output
+
+ -h, --help display this help and exit
+ -V, --version output version information and exit
+
+ For more details see getopt(1).
+ EOT
+ }
+
+ _getopt_version_check() {
+ if [[ -z $BASH_VERSION ]]; then
+ echo "getopt: unknown version of bash might not be compatible" >&2
+ return 1
+ fi
+
+ # This is a lexical comparison that should be sufficient forever.
+ if [[ $BASH_VERSION < 2.05b ]]; then
+ echo "getopt: bash $BASH_VERSION might not be compatible" >&2
+ return 1
+ fi
+
+ return 0
+ }
+
+ _getopt_version_check
+ _getopt_main "$@"
+ declare status=$?
+ unset -f _getopt_main _getopt_err _getopt_parse _getopt_quote \
+ _getopt_quote_csh _getopt_resolve_abbrev _getopt_split _getopt_help \
+ _getopt_version_check
+ return $status
+}
+
+# vim:sw=2
diff --git a/setup.py b/setup.py
new file mode 100644
index 000000000..2d88425b9
--- /dev/null
+++ b/setup.py
@@ -0,0 +1,33 @@
+from setuptools import find_packages
+from setuptools import setup
+
+
+setup(
+ name='pre-commit-terraform',
+ description='Pre-commit hooks for terraform_docs_replace',
+ url='https://github.com/antonbabenko/pre-commit-terraform',
+ version_format='{tag}+{gitsha}',
+
+ author='Contributors',
+
+ classifiers=[
+ 'License :: OSI Approved :: MIT License',
+ 'Programming Language :: Python :: 2',
+ 'Programming Language :: Python :: 2.7',
+ 'Programming Language :: Python :: 3',
+ 'Programming Language :: Python :: 3.6',
+ 'Programming Language :: Python :: 3.7',
+ 'Programming Language :: Python :: Implementation :: CPython',
+ 'Programming Language :: Python :: Implementation :: PyPy',
+ ],
+
+ packages=find_packages(exclude=('tests*', 'testing*')),
+ install_requires=[
+ 'setuptools-git-version',
+ ],
+ entry_points={
+ 'console_scripts': [
+ 'terraform_docs_replace = hooks.terraform_docs_replace:main',
+ ],
+ },
+)
diff --git a/terraform_docs.sh b/terraform_docs.sh
deleted file mode 100755
index 2e0eeca5c..000000000
--- a/terraform_docs.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-declare -a paths
-declare -a tfvars_files
-
-index=0
-
-for file_with_path in "$@"; do
- file_with_path="${file_with_path// /__REPLACED__SPACE__}"
-
- paths[index]=$(dirname "$file_with_path")
-
- if [[ "$file_with_path" == *".tfvars" ]]; then
- tfvars_files+=("$file_with_path")
- fi
-
- let "index+=1"
-done
-
-for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
- path_uniq="${path_uniq//__REPLACED__SPACE__/ }"
-
- pushd "$path_uniq" > /dev/null
- if [[ -f README.md ]]; then
- if grep -q "BEGINNING OF TERRAFORM-DOCS HOOK" README.md; then
- DOCS=$(terraform-docs md ./)
- perl -i -s0pe 's/().*()/\1\n$replacement\n\2/s' -- -replacement="$DOCS" README.md
- else
- # Assume there is content in the file we want to keep and append auto documentation
- echo "" >> README.md
- # Sed is used to remove the final newline
- terraform-docs md ./ | sed -e '$ d' >> README.md
- echo "" >> README.md
- echo "Updating README.md, please git add."
- exit 1
- fi
- else
- echo "" > README.md
- # Sed is used to remove the final newline
- terraform-docs md ./ | sed -e '$ d' >> README.md
- echo "" >> README.md
- echo "Creating README.md, please git add."
- exit 1
- fi
- popd > /dev/null
-done
diff --git a/terraform_fmt.sh b/terraform_fmt.sh
deleted file mode 100755
index e1383f230..000000000
--- a/terraform_fmt.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-declare -a paths
-declare -a tfvars_files
-
-TERRAFORM=${TERRAFORM:=terraform}
-
-index=0
-
-for file_with_path in "$@"; do
- file_with_path="${file_with_path// /__REPLACED__SPACE__}"
-
- paths[index]=$(dirname "$file_with_path")
-
- if [[ "$file_with_path" == *".tfvars" ]]; then
- tfvars_files+=("$file_with_path")
- fi
-
- let "index+=1"
-done
-
-for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
- path_uniq="${path_uniq//__REPLACED__SPACE__/ }"
-
- pushd "$path_uniq" > /dev/null
- ${TERRAFORM} fmt
- popd > /dev/null
-done
-
-# terraform.tfvars are excluded by `terraform fmt`
-for tfvars_file in "${tfvars_files[@]}"; do
- tfvars_file="${tfvars_file//__REPLACED__SPACE__/ }"
-
- ${TERRAFORM} fmt "$tfvars_file"
-done
diff --git a/terraform_tfsec_test.sh b/terraform_tfsec_test.sh
new file mode 100755
index 000000000..8b16044f0
--- /dev/null
+++ b/terraform_tfsec_test.sh
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+main() {
+ initialize_
+ parse_cmdline_ "$@"
+
+ # propagate $FILES to custom function
+ tfsec_ "$ARGS" "$FILES"
+}
+
+tfsec_() {
+ # consume modified files passed from pre-commit so that
+ # tfsec runs against only those relevant directories
+ for file_with_path in $FILES; do
+ file_with_path="${file_with_path// /__REPLACED__SPACE__}"
+ paths[index]=$(dirname "$file_with_path")
+
+ let "index+=1"
+ done
+
+ for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
+ path_uniq="${path_uniq//__REPLACED__SPACE__/ }"
+ pushd "$path_uniq" > /dev/null
+ tfsec $ARGS || true
+ popd > /dev/null
+ done
+}
+
+initialize_() {
+ # get directory containing this script
+ local dir
+ local source
+ source="${BASH_SOURCE[0]}"
+ while [[ -L $source ]]; do # resolve $source until the file is no longer a symlink
+ dir="$(cd -P "$(dirname "$source")" > /dev/null && pwd)"
+ source="$(readlink "$source")"
+ # if $source was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+ [[ $source != /* ]] && source="$dir/$source"
+ done
+ _SCRIPT_DIR="$(dirname "$source")"
+
+ # source getopt function
+ # shellcheck source=lib_getopt
+ . "$_SCRIPT_DIR/lib_getopt"
+}
+
+parse_cmdline_() {
+ declare argv
+ argv=$(getopt -o a: --long args: -- "$@") || return
+ eval "set -- $argv"
+
+ for argv; do
+ case $argv in
+ -a | --args)
+ shift
+ ARGS+=("$1")
+ shift
+ ;;
+ --)
+ shift
+ FILES+=("$@")
+ break
+ ;;
+ esac
+ done
+}
+
+# global arrays
+declare -a ARGS=()
+declare -a FILES=()
+
+[[ ${BASH_SOURCE[0]} != "$0" ]] || main "$@"
diff --git a/terraform_validate_no_variables.sh b/terraform_validate_no_variables.sh
deleted file mode 100755
index 21975ca7b..000000000
--- a/terraform_validate_no_variables.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-declare -a paths
-index=0
-
-for file_with_path in "$@"; do
- file_with_path="${file_with_path// /__REPLACED__SPACE__}"
-
- paths[index]=$(dirname "$file_with_path")
- let "index+=1"
-done
-
-for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
- path_uniq="${path_uniq//__REPLACED__SPACE__/ }"
-
- pushd "$path_uniq" > /dev/null
-
- set +e
- terraform validate -check-variables=false
-
- if [[ "$?" -ne 0 ]]; then
- >&2 echo
- >&2 echo "Failed path: $path_uniq"
- >&2 echo "================================"
- exit 1
- fi
-
- set -e
- popd > /dev/null
-done
diff --git a/terraform_validate_with_variables.sh b/terraform_validate_with_variables.sh
deleted file mode 100755
index 42f1b5452..000000000
--- a/terraform_validate_with_variables.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-declare -a paths
-index=0
-
-for file_with_path in "$@"; do
- file_with_path="${file_with_path// /__REPLACED__SPACE__}"
-
- paths[index]=$(dirname "$file_with_path")
- let "index+=1"
-done
-
-for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
- path_uniq="${path_uniq//__REPLACED__SPACE__/ }"
-
- pushd "$path_uniq" > /dev/null
- terraform validate -check-variables=true
-
- if [[ "$?" -ne 0 ]]; then
- echo
- echo "Failed path: $path_uniq"
- echo "================================"
- fi
- popd > /dev/null
-done
diff --git a/tests/Dockerfile b/tests/Dockerfile
new file mode 100644
index 000000000..ec77d18af
--- /dev/null
+++ b/tests/Dockerfile
@@ -0,0 +1,11 @@
+FROM pre-commit-terraform:latest
+
+RUN apt update && \
+ apt install -y \
+ datamash \
+ time && \
+ # Cleanup
+ rm -rf /var/lib/apt/lists/*
+
+WORKDIR /pct
+ENTRYPOINT [ "/pct/tests/hooks_performance_test.sh" ]
diff --git a/tests/hooks_performance_test.sh b/tests/hooks_performance_test.sh
new file mode 100755
index 000000000..4f35fce23
--- /dev/null
+++ b/tests/hooks_performance_test.sh
@@ -0,0 +1,127 @@
+#!/usr/bin/env bash
+
+TEST_NUM=$1 # 1000
+TEST_COMMAND=$2 # 'pre-commit try-repo -a /tmp/159/pre-commit-terraform terraform_tfsec'
+TEST_DIR=$3 # '/tmp/infrastructure'
+TEST_DESCRIPTION="$TEST_NUM runs '$4'" # '`terraform_tfsec` PR #123:'
+RAW_TEST_RESULTS_FILE_NAME=$5 # terraform_tfsec_pr123
+
+function run_tests {
+ local TEST_NUM=$1
+ local TEST_DIR=$2
+ local TEST_COMMAND
+ IFS=" " read -r -a TEST_COMMAND <<< "$3"
+ local FILE_NAME_TO_SAVE_TEST_RESULTS=$4
+
+ local RESULTS_DIR
+ RESULTS_DIR="$(pwd)/tests/results"
+
+ cd "$TEST_DIR" || { echo "Specified TEST_DIR does not exist" && exit 1; }
+ # Cleanup
+ rm "$RESULTS_DIR/$FILE_NAME_TO_SAVE_TEST_RESULTS"
+
+ for ((i = 1; i <= TEST_NUM; i++)); do
+ {
+ echo -e "\n\nTest run $i times\n\n"
+ /usr/bin/time --quiet -f '%U user %S system %P cpu %e total' \
+ "${TEST_COMMAND[@]}"
+ } 2>> "$RESULTS_DIR/$FILE_NAME_TO_SAVE_TEST_RESULTS"
+ done
+ # shellcheck disable=2164 # Always exist
+ cd - > /dev/null
+}
+
+function generate_table {
+ local FILE_PATH="tests/results/$1"
+
+ local users_seconds system_seconds cpu total_time
+ users_seconds=$(awk '{ print $1; }' "$FILE_PATH")
+ system_seconds=$(awk '{ print $3; }' "$FILE_PATH")
+ cpu=$(awk '{ gsub("%","",$5); print $5; }' "$FILE_PATH")
+ total_time=$(awk '{ print $7; }' "$FILE_PATH")
+
+ echo "
+| time command | max | min | mean | median |
+| -------------- | ------ | ------ | -------- | ------ |
+| users seconds | $(
+ printf %"s\n" "$users_seconds" | datamash max 1
+ ) | $(
+ printf %"s\n" "$users_seconds" | datamash min 1
+ ) | $(
+ printf %"s\n" "$users_seconds" | datamash mean 1
+ ) | $(printf %"s\n" "$users_seconds" | datamash median 1) |
+| system seconds | $(
+ printf %"s\n" "$system_seconds" | datamash max 1
+ ) | $(
+ printf %"s\n" "$system_seconds" | datamash min 1
+ ) | $(
+ printf %"s\n" "$system_seconds" | datamash mean 1
+ ) | $(printf %"s\n" "$system_seconds" | datamash median 1) |
+| CPU % | $(
+ printf %"s\n" "$cpu" | datamash max 1
+ ) | $(
+ printf %"s\n" "$cpu" | datamash min 1
+ ) | $(
+ printf %"s\n" "$cpu" | datamash mean 1
+ ) | $(printf %"s\n" "$cpu" | datamash median 1) |
+| Total time | $(
+ printf %"s\n" "$total_time" | datamash max 1
+ ) | $(
+ printf %"s\n" "$total_time" | datamash min 1
+ ) | $(
+ printf %"s\n" "$total_time" | datamash mean 1
+ ) | $(printf %"s\n" "$total_time" | datamash median 1) |
+"
+}
+
+function save_result {
+ local DESCRIPTION=$1
+ local TABLE=$2
+ local TEST_RUN_START_TIME=$3
+ local TEST_RUN_END_TIME=$4
+
+ local FILE_NAME=${5:-"tests_result.md"}
+
+ echo -e "\n$DESCRIPTION\n$TABLE" >> "tests/results/$FILE_NAME"
+ # shellcheck disable=SC2016,SC2128 # Irrelevant
+ echo -e '
+Run details
+
+* Test Start: '"$TEST_RUN_START_TIME"'
+* Test End: '"$TEST_RUN_END_TIME"'
+
+| Variable name | Value |
+| ---------------------------- | --- |
+| `TEST_NUM` | '"$TEST_NUM"' |
+| `TEST_COMMAND` | '"$TEST_COMMAND"' |
+| `TEST_DIR` | '"$TEST_DIR"' |
+| `TEST_DESCRIPTION` | '"$TEST_DESCRIPTION"' |
+| `RAW_TEST_RESULTS_FILE_NAME` | '"$RAW_TEST_RESULTS_FILE_NAME"' |
+
+Memory info (`head -n 6 /proc/meminfo`):
+
+```bash
+'"$(head -n 6 /proc/meminfo)"'
+```
+
+CPU info:
+
+```bash
+Real procs: '"$(grep ^cpu\\scores /proc/cpuinfo | uniq | awk '{print $4}')"'
+Virtual (hyper-threading) procs: '"$(grep -c ^processor /proc/cpuinfo)"'
+'"$(tail -n 28 /proc/cpuinfo)"'
+```
+
+