From ad5dccae65a1508497dd638c7b511099296edaf3 Mon Sep 17 00:00:00 2001 From: Manuel Vogel Date: Thu, 25 Feb 2021 17:03:46 +0100 Subject: [PATCH 01/27] docs: updates installs for macOS and ubuntu (#175) --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 03fcf00a9..31851120d 100644 --- a/README.md +++ b/README.md @@ -16,18 +16,17 @@ ##### MacOS ```bash -brew tap liamg/tfsec brew install pre-commit gawk terraform-docs tflint tfsec coreutils ``` ##### Ubuntu ```bash -sudo apt install python3-pip gawk &&\ +sudo apt install python3-pip gawk unzip &&\ pip3 install pre-commit -curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64")" > terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ -env GO111MODULE=on go get -u github.com/liamg/tfsec/cmd/tfsec +env GO111MODULE=on go get -u github.com/tfsec/tfsec/cmd/tfsec ``` ### 2. Install the pre-commit hook globally From 90d45213a304bb5b2f90876f6f2621e1a87c92da Mon Sep 17 00:00:00 2001 From: chopped pork Date: Thu, 25 Feb 2021 19:46:51 +0000 Subject: [PATCH 02/27] fix: remove sed postprocessing from the terraform_docs_replace hook to fix compatibility with terraform-docs 0.11.0+ (#176) --- CHANGELOG.md | 3 ++- pre_commit_hooks/terraform_docs_replace.py | 5 ++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8170d93fa..aa8f27c4c 100644 --- a/CHANGELOG.md 
+++ b/CHANGELOG.md @@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +- fix: Removes sed post-processing from the `terraform_docs_replace` hook which was causing the last line to be missing when using `terraform-docs` 0.11.0+. Note: for older versions this change will result in an extra newline at the end of the file (making the pre-commit hook and `terraform-docs` output identical). @@ -123,7 +124,7 @@ All notable changes to this project will be documented in this file. - fix: Change terraform_validate hook functionality for subdirectories with terraform files ([#100](https://github.com/antonbabenko/pre-commit-terraform/issues/100)) -### +### configuration for the appropriate working directory. diff --git a/pre_commit_hooks/terraform_docs_replace.py b/pre_commit_hooks/terraform_docs_replace.py index e1777b306..a9cf6c9bc 100644 --- a/pre_commit_hooks/terraform_docs_replace.py +++ b/pre_commit_hooks/terraform_docs_replace.py @@ -29,7 +29,7 @@ def main(argv=None): dirs = [] for filename in args.filenames: - if (os.path.realpath(filename) not in dirs and \ + if (os.path.realpath(filename) not in dirs and (filename.endswith(".tf") or filename.endswith(".tfvars"))): dirs.append(os.path.dirname(filename)) @@ -43,9 +43,8 @@ def main(argv=None): procArgs.append('--sort-by-required') procArgs.append('md') procArgs.append("./{dir}".format(dir=dir)) - procArgs.append("| sed -e '$ d' -e 'N;/^\\n$/D;P;D'") procArgs.append('>') - procArgs.append("./{dir}/{dest}".format(dir=dir,dest=args.dest)) + procArgs.append("./{dir}/{dest}".format(dir=dir, dest=args.dest)) subprocess.check_call(" ".join(procArgs), shell=True) except subprocess.CalledProcessError as e: print(e) From 47b80ec9d58e38679bc6caae9253efa2d5325b0c Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 25 Feb 2021 20:47:19 +0100 Subject: [PATCH 03/27] Updated CHANGELOG --- CHANGELOG.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) 
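Review bot: The second terraform_docs_replace.py hunk still joins `procArgs` into one string and runs it with `shell=True`, so `dir` (taken from the staged filename) and `args.dest` (a hook argument) reach the shell unquoted; a path with a space or a shell metacharacter is split or interpreted instead of being passed through. The only thing the shell is doing after this commit is the `>` redirect, which subprocess can do itself: drop the `'>'` and dest appends and write `with open(os.path.join(dir, args.dest), "w") as out:` / `subprocess.check_call(procArgs, stdout=out)`, assuming the elements added to `procArgs` above the hunk are individual arguments. `main` starts outside the hunk.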
diff --git a/CHANGELOG.md b/CHANGELOG.md index aa8f27c4c..d5da4b95a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,13 @@ All notable changes to this project will be documented in this file. ## [Unreleased] -- fix: Removes sed post-processing from the `terraform_docs_replace` hook which was causing the last line to be missing when using `terraform-docs` 0.11.0+. Note: for older versions this change will result in an extra newline at the end of the file (making the pre-commit hook and `terraform-docs` output identical). + + + +## [v1.47.0] - 2021-02-25 + +- fix: remove sed postprocessing from the terraform_docs_replace hook to fix compatibility with terraform-docs 0.11.0+ ([#176](https://github.com/antonbabenko/pre-commit-terraform/issues/176)) +- docs: updates installs for macOS and ubuntu ([#175](https://github.com/antonbabenko/pre-commit-terraform/issues/175)) @@ -124,7 +130,7 @@ All notable changes to this project will be documented in this file. - fix: Change terraform_validate hook functionality for subdirectories with terraform files ([#100](https://github.com/antonbabenko/pre-commit-terraform/issues/100)) -### +### configuration for the appropriate working directory. @@ -388,7 +394,8 @@ https://github.com/antonbabenko/pre-commit-terraform/commit/35e0356188b64a4c5af9 - Initial commit -[Unreleased]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.46.0...HEAD +[Unreleased]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.47.0...HEAD +[v1.47.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.46.0...v1.47.0 [v1.46.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.45.0...v1.46.0 [v1.45.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.44.0...v1.45.0 [v1.44.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.43.1...v1.44.0 From 53de83359eb2426668266094f5f73ef7651921f9 Mon Sep 17 00:00:00 2001 
From: Manuel Vogel Date: Fri, 12 Mar 2021 10:32:41 +0100 Subject: [PATCH 04/27] docs: Added checkov install (#182) --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 31851120d..36f6cec89 100644 --- a/README.md +++ b/README.md @@ -16,17 +16,21 @@ ##### MacOS ```bash -brew install pre-commit gawk terraform-docs tflint tfsec coreutils +brew install pre-commit gawk terraform-docs tflint tfsec coreutils checkov ``` -##### Ubuntu +##### Ubuntu 18.04 ```bash -sudo apt install python3-pip gawk unzip &&\ +sudo apt update +sudo apt install -y gawk unzip software-properties-common +sudo add-apt-repository ppa:deadsnakes/ppa +sudo apt install -y python3.7 python3-pip pip3 install pre-commit curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ env GO111MODULE=on go get -u github.com/tfsec/tfsec/cmd/tfsec +python3.7 -m pip install -U checkovpython3.7 -m pip install -U checkov ``` ### 2. Install the pre-commit hook globally From 36a269f1093a76a8ef6d603b35cb067380cac70f Mon Sep 17 00:00:00 2001 From: Manuel Vogel Date: Fri, 12 Mar 2021 15:35:21 +0100 Subject: [PATCH 05/27] chore: add dockerfile (#183) --- .dockerignore | 3 +++ Dockerfile | 47 +++++++++++++++++++++++++++++++++++++++++++++++ README.md | 12 ++++++++++++ 3 files changed, 62 insertions(+) create mode 100644 .dockerignore create mode 100644 Dockerfile diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 000000000..763bb31a8 --- /dev/null +++ b/.dockerignore 
@@ -0,0 +1,3 @@
+*
+!.dockerignore
+!Dockerfile
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000000000..2488ec41e
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,47 @@ +FROM ubuntu:18.04 + +ARG PRE_COMMIT_VERSION="2.11.1" +ARG GOLANG_VERSION="1.16" +ARG TERRAFORM_VERSION="0.14.8" +ARG TFSEC_VERSION="v0.39.6" +ARG TERRAFORM_DOCS_VERSION="latest" +ARG TFLINT_VERSION="latest" +ARG TFSEC_VERSION="v0.39.6" +ARG CHECKOV_VERSION="1.0.838" + +# Install general dependencies +RUN apt update && \ + apt install -y curl git gawk unzip software-properties-common + +# Install golang +RUN curl -L https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz > go${GOLANG_VERSION}.linux-amd64.tar.gz && \ + tar xzf go${GOLANG_VERSION}.linux-amd64.tar.gz && \ + rm -f go${GOLANG_VERSION}.linux-amd64.tar.gz +ENV GOPATH /go +RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" +ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH + +# Install tools +RUN add-apt-repository ppa:deadsnakes/ppa && \ + apt install -y python3.7 python3-pip && \ + pip3 install pre-commit==${PRE_COMMIT_VERSION} && \ + curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/${TERRAFORM_DOCS_VERSION} | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && mv terraform-docs /usr/bin/ && \ + curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/${TFLINT_VERSION} | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && mv tflint /usr/bin/ && \ + python3.7 -m pip install -U checkov==${CHECKOV_VERSION} +RUN env GO111MODULE=on go get -u github.com/tfsec/tfsec/cmd/tfsec@${TFSEC_VERSION} + +# Install terraform because pre-commit needs it +RUN curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - && \ + apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" && \ + apt-get update && apt-get install terraform=${TERRAFORM_VERSION} + +# Checking all binaries are in the PATH +RUN go version +RUN terraform --help +RUN pre-commit --help +RUN 
terraform-docs --help +RUN tflint --help +RUN tfsec --help +RUN checkov --help + +ENTRYPOINT [ "pre-commit" ] \ No newline at end of file diff --git a/README.md b/README.md index 36f6cec89..9edd0c21c 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,8 @@ * [`coreutils`](https://formulae.brew.sh/formula/coreutils) required for `terraform_validate` hook on macOS (due to use of `realpath`). * [`checkov`](https://github.com/bridgecrewio/checkov) required for `checkov` hook. +or build and use the Docker image locally as mentioned below in the `Run` section. + ##### MacOS ```bash @@ -34,6 +36,7 @@ python3.7 -m pip install -U checkovpython3.7 -m pip install -U checkov ``` ### 2. Install the pre-commit hook globally +Note: not needed if you use the Docker image ```bash DIR=~/.git-template @@ -65,6 +68,15 @@ After pre-commit hook has been installed you can run it manually on all files in pre-commit run -a ``` +or you can also build and use the provided Docker container, which wraps all dependencies by +```bash +# first building it +docker build -t pre-commit . +# and then running it in the folder +# with the terraform code you want to check by executing +docker run -v $(pwd):/lint -w /lint pre-commit run -a +``` + ## Available Hooks There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform configurations (both `*.tf` and `*.tfvars`) and Terragrunt configurations (`*.hcl`) in a good shape: From 257824c637d2a4ef7843c792eb088dc8bc2c6140 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Fri, 12 Mar 2021 15:36:00 +0100 Subject: [PATCH 06/27] Updated CHANGELOG --- CHANGELOG.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d5da4b95a..b3835136c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
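Review bot: `ARG TFSEC_VERSION="v0.39.6"` is declared twice in the new Dockerfile's ARG block; one should go. The terraform-docs and tflint archives are fetched with `curl -L ... > file` and unpacked with no checksum or signature comparison, and at `TERRAFORM_DOCS_VERSION="latest"`/`TFLINT_VERSION="latest"` the image content depends on whatever the release endpoint serves at build time, so builds are not reproducible; a later commit in this series pins the tags, but a digest check before `tar`/`unzip` is still missing after it. `curl` also runs without `-f`, so an HTTP error body is written to the archive and the failure surfaces later as a confusing tar/unzip error. `chmod -R 777 "$GOPATH"` is wider than a single-user build image needs.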
@@ -7,6 +7,13 @@ All notable changes to this project will be documented in this file. + +## [v1.48.0] - 2021-03-12 + +- chore: add dockerfile ([#183](https://github.com/antonbabenko/pre-commit-terraform/issues/183)) +- docs: Added checkov install ([#182](https://github.com/antonbabenko/pre-commit-terraform/issues/182)) + + ## [v1.47.0] - 2021-02-25 @@ -394,7 +401,8 @@ https://github.com/antonbabenko/pre-commit-terraform/commit/35e0356188b64a4c5af9 - Initial commit -[Unreleased]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.47.0...HEAD +[Unreleased]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.48.0...HEAD +[v1.48.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.47.0...v1.48.0 [v1.47.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.46.0...v1.47.0 [v1.46.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.45.0...v1.46.0 [v1.45.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.44.0...v1.45.0 From bec7b5d943953f0c19afb22cbe2eae4689d937f3 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 18 Mar 2021 09:13:10 +0100 Subject: [PATCH 07/27] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9edd0c21c..68ee995e7 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # Collection of git hooks for Terraform to be used with [pre-commit framework](http://pre-commit.com/) -[![Github tag](https://img.shields.io/github/tag/antonbabenko/pre-commit-terraform.svg)](https://github.com/antonbabenko/pre-commit-terraform/releases) ![](https://img.shields.io/maintenance/yes/2020.svg) [![Help Contribute to Open Source](https://www.codetriage.com/antonbabenko/pre-commit-terraform/badges/users.svg)](https://www.codetriage.com/antonbabenko/pre-commit-terraform) +[![Github tag](https://img.shields.io/github/tag/antonbabenko/pre-commit-terraform.svg)](https://github.com/antonbabenko/pre-commit-terraform/releases) ![](https://img.shields.io/maintenance/yes/2021.svg) [![Help Contribute to Open Source](https://www.codetriage.com/antonbabenko/pre-commit-terraform/badges/users.svg)](https://www.codetriage.com/antonbabenko/pre-commit-terraform) ## How to install From fa3859e55f31a921152c0047f67edb62b564ebbc Mon Sep 17 00:00:00 2001 From: Sergio Kef Date: Wed, 24 Mar 2021 21:12:24 +0100 Subject: [PATCH 08/27] chore: Fix mistake on command (#185) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 68ee995e7..cd692e794 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ pip3 install pre-commit curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ env GO111MODULE=on go get -u github.com/tfsec/tfsec/cmd/tfsec -python3.7 -m pip install -U checkovpython3.7 -m pip install -U checkov +python3.7 -m pip install -U checkov ``` ### 2. Install the pre-commit hook globally 
From d27074b5a03fb4ccfb9261c9999411af2358a742 Mon Sep 17 00:00:00 2001 From: Manuel Vogel Date: Tue, 20 Apr 2021 12:13:25 +0200 Subject: [PATCH 09/27] fix: Fix and pin versions in Dockerfile (#193) --- Dockerfile | 25 +++++++------------------ README.md | 2 +- 2 files changed, 8 insertions(+), 19 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2488ec41e..1bc60ebbb 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,34 +1,24 @@ FROM ubuntu:18.04 ARG PRE_COMMIT_VERSION="2.11.1" -ARG GOLANG_VERSION="1.16" -ARG TERRAFORM_VERSION="0.14.8" -ARG TFSEC_VERSION="v0.39.6" -ARG TERRAFORM_DOCS_VERSION="latest" -ARG TFLINT_VERSION="latest" -ARG TFSEC_VERSION="v0.39.6" +ARG TERRAFORM_VERSION="0.15.0" +ARG TFSEC_VERSION="v0.39.21" +ARG TERRAFORM_DOCS_VERSION="v0.12.0" +ARG TFLINT_VERSION="v0.27.0" ARG CHECKOV_VERSION="1.0.838" # Install general dependencies RUN apt update && \ apt install -y curl git gawk unzip software-properties-common -# Install golang -RUN curl -L https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz > go${GOLANG_VERSION}.linux-amd64.tar.gz && \ - tar xzf go${GOLANG_VERSION}.linux-amd64.tar.gz && \ - rm -f go${GOLANG_VERSION}.linux-amd64.tar.gz -ENV GOPATH /go -RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" -ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH - # Install tools RUN add-apt-repository ppa:deadsnakes/ppa && \ apt install -y python3.7 python3-pip && \ pip3 install pre-commit==${PRE_COMMIT_VERSION} && \ - curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/${TERRAFORM_DOCS_VERSION} | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && mv terraform-docs /usr/bin/ && \ - curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/${TFLINT_VERSION} | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && mv tflint /usr/bin/ && \ + curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases | grep -o -E "https://.+?${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && mv terraform-docs /usr/bin/ && \ + curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases | grep -o -E "https://.+?/${TFLINT_VERSION}/tflint_linux_amd64.zip")" > tflint.zip 
&& unzip tflint.zip && rm tflint.zip && mv tflint /usr/bin/ && \ + curl -L "$(curl -s https://api.github.com/repos/tfsec/tfsec/releases | grep -o -E "https://.+?/${TFSEC_VERSION}/tfsec-linux-amd64")" > tfsec && chmod +x tfsec && mv tfsec /usr/bin/ && \ python3.7 -m pip install -U checkov==${CHECKOV_VERSION} -RUN env GO111MODULE=on go get -u github.com/tfsec/tfsec/cmd/tfsec@${TFSEC_VERSION} # Install terraform because pre-commit needs it RUN curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - && \ @@ -36,7 +26,6 @@ RUN curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - && \ apt-get update && apt-get install terraform=${TERRAFORM_VERSION} # Checking all binaries are in the PATH -RUN go version RUN terraform --help RUN pre-commit --help RUN terraform-docs --help diff --git a/README.md b/README.md index cd692e794..a939111b3 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ sudo apt install -y python3.7 python3-pip pip3 install pre-commit curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ -env GO111MODULE=on go get -u github.com/tfsec/tfsec/cmd/tfsec +curl -L "$(curl -s https://api.github.com/repos/tfsec/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && mv tfsec /usr/bin/ python3.7 -m pip install -U checkov ``` From 96346e74d90467918729f8acafccd56c47e1be68 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Tue, 20 Apr 2021 12:13:58 +0200 Subject: [PATCH 10/27] Updated CHANGELOG --- CHANGELOG.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) 
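Review bot: The rewritten download lines still call `curl -L` without `-f`, so a 404 on a mistyped tag writes the error body into `terraform-docs.tgz`, `tflint.zip` or `tfsec`, and the step either fails later at `tar`/`unzip` or, for tfsec, succeeds with a non-binary file made executable; use `curl -fsSL` for each download. The version pin is applied by `grep -o -E` over the whole `/releases` listing, which prints every matching line, so if more than one asset URL matches the pattern `curl` receives a multi-line argument; a checksum comparison after download would make the pin verifiable independent of the scrape. The README hunk in this commit has the same unguarded `curl -L` for tfsec.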
diff --git a/CHANGELOG.md b/CHANGELOG.md index b3835136c..5686d7243 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,14 @@ All notable changes to this project will be documented in this file. + +## [v1.49.0] - 2021-04-20 + +- fix: Fix and pin versions in Dockerfile ([#193](https://github.com/antonbabenko/pre-commit-terraform/issues/193)) +- chore: Fix mistake on command ([#185](https://github.com/antonbabenko/pre-commit-terraform/issues/185)) +- Update README.md + + ## [v1.48.0] - 2021-03-12 @@ -290,19 +298,23 @@ https://github.com/antonbabenko/pre-commit-terraform/commit/35e0356188b64a4c5af9 ## [v1.9.0] - 2019-02-18 +- Added CHANGELOG.md - Added chglog (hi [@robinbowes](https://github.com/robinbowes) :)) +- Merge pull request [#33](https://github.com/antonbabenko/pre-commit-terraform/issues/33) from chrisgilmerproj/run_terraform_docs_in_serial - Require terraform-docs runs in serial to avoid pre-commit doing parallel operations on similar file paths ## [v1.8.1] - 2018-12-15 +- Merge pull request [#30](https://github.com/antonbabenko/pre-commit-terraform/issues/30) from RothAndrew/feature/fix_issue_29 - Fix bug not letting terraform_docs_replace work in the root directory of a repo ## [v1.8.0] - 2018-12-14 +- Merge pull request [#27](https://github.com/antonbabenko/pre-commit-terraform/issues/27) from RothAndrew/feature/new_hook - fix typo - Address requested changes - Add `--dest` argument @@ -315,6 +327,7 @@ https://github.com/antonbabenko/pre-commit-terraform/commit/35e0356188b64a4c5af9 - Merge remote-tracking branch 'origin/master' into pr25 - Added followup after [#25](https://github.com/antonbabenko/pre-commit-terraform/issues/25) +- Merge pull request [#25](https://github.com/antonbabenko/pre-commit-terraform/issues/25) from getcloudnative/feat-pass-terraform-docs-opts - Add feature to pass options to terraform-docs. - Added license file (fixed [#21](https://github.com/antonbabenko/pre-commit-terraform/issues/21)) 
@@ -375,6 +388,8 @@ https://github.com/antonbabenko/pre-commit-terraform/commit/35e0356188b64a4c5af9 - Added badges - Added formatting for tfvars (fixes [#4](https://github.com/antonbabenko/pre-commit-terraform/issues/4)) ([#6](https://github.com/antonbabenko/pre-commit-terraform/issues/6)) +- Merge pull request [#5](https://github.com/antonbabenko/pre-commit-terraform/issues/5) from schneems/schneems/codetriage-badge +- [ci skip] Get more Open Source Helpers @@ -383,6 +398,7 @@ https://github.com/antonbabenko/pre-commit-terraform/commit/35e0356188b64a4c5af9 - Renamed shell script file to the correct one - Updated .pre-commit-hooks.yaml - Updated sha in README +- Merge pull request [#3](https://github.com/antonbabenko/pre-commit-terraform/issues/3) from pecigonzalo/master - Exclude .terraform even on subfolders @@ -401,7 +417,8 @@ https://github.com/antonbabenko/pre-commit-terraform/commit/35e0356188b64a4c5af9 - Initial commit -[Unreleased]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.48.0...HEAD +[Unreleased]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.49.0...HEAD +[v1.49.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.48.0...v1.49.0 [v1.48.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.47.0...v1.48.0 [v1.47.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.46.0...v1.47.0 [v1.46.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.45.0...v1.46.0 From fee2387b6ce595773cd3437ca2cc4081061f5fbb Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Thu, 22 Apr 2021 16:15:00 -0400 Subject: [PATCH 11/27] feat: Adds support for Terrascan (#195) --- .pre-commit-hooks.yaml | 6 ++++ README.md | 9 ++++-- terrascan.sh | 73 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 85 insertions(+), 3 deletions(-) create mode 100755 terrascan.sh diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index d7b2d61d6..8796c4b9e 100644 
--- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml @@ -82,3 +82,9 @@ files: \.tf$ exclude: \.+.terraform\/.*$ require_serial: true + +- id: terrascan + name: terrascan + description: Runs terrascan on Terraform templates. + language: script + entry: terrascan.sh diff --git a/README.md b/README.md index a939111b3..462e25fdb 100644 --- a/README.md +++ b/README.md @@ -12,13 +12,14 @@ * [`TFSec`](https://github.com/liamg/tfsec) required for `terraform_tfsec` hook. * [`coreutils`](https://formulae.brew.sh/formula/coreutils) required for `terraform_validate` hook on macOS (due to use of `realpath`). * [`checkov`](https://github.com/bridgecrewio/checkov) required for `checkov` hook. +* [`terrascan`](https://github.com/accurics/terrascan) required for `terrascan` hook. or build and use the Docker image locally as mentioned below in the `Run` section. ##### MacOS ```bash -brew install pre-commit gawk terraform-docs tflint tfsec coreutils checkov +brew install pre-commit gawk terraform-docs tflint tfsec coreutils checkov terrascan ``` ##### Ubuntu 18.04 
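Review bot: The new `terrascan` hook has no `files:` pattern, unlike the sibling hook visible in the context lines (`files: \.tf$`, `exclude: \.+.terraform\/.*$`, `require_serial: true`), so pre-commit passes every staged file to `terrascan.sh`, which then runs `terrascan scan -i terraform` in the directory of each one, including directories with no Terraform files. Add `files: \.tf$` and `exclude: \.+.terraform\/.*$` to the hook entry, and `require_serial: true` for consistency with the other hooks if the per-directory scans should not run in parallel.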
@@ -32,6 +33,7 @@ pip3 install pre-commit curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/tfsec/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && mv tfsec /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ python3.7 -m pip install -U checkov ``` @@ -72,9 +74,9 @@ or you can also build and use the provided Docker container, which wraps all dep ```bash # first building it docker build -t pre-commit . -# and then running it in the folder +# and then running it in the folder # with the terraform code you want to check by executing -docker run -v $(pwd):/lint -w /lint pre-commit run -a +docker run -v $(pwd):/lint -w /lint pre-commit run -a ``` ## Available Hooks 
@@ -93,6 +95,7 @@ There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform | `terragrunt_validate` | Validates all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) | | `terraform_tfsec` | [TFSec](https://github.com/liamg/tfsec) static analysis of terraform templates to spot potential security issues. | | `checkov` | [checkov](https://github.com/bridgecrewio/checkov) static analysis of terraform templates to spot potential security issues. | +| `terrascan` | [terrascan](https://github.com/accurics/terrascan) Detect compliance and security violations. | Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blob/master/.pre-commit-hooks.yaml) to know arguments used for each hook. diff --git a/terrascan.sh b/terrascan.sh new file mode 100755 index 000000000..d8233068b --- /dev/null +++ b/terrascan.sh 
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+main() {
+ initialize_
+ parse_cmdline_ "$@"
+
+ # propagate $FILES to custom function
+ terrascan_ "$ARGS" "$FILES"
+}
+
+terrascan_() {
+ # consume modified files passed from pre-commit so that
+ # terrascan runs against only those relevant directories
+ for file_with_path in $FILES; do
+ file_with_path="${file_with_path// /__REPLACED__SPACE__}"
+ paths[index]=$(dirname "$file_with_path")
+
+ let "index+=1"
+ done
+
+ for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
+ path_uniq="${path_uniq//__REPLACED__SPACE__/ }"
+ pushd "$path_uniq" > /dev/null
+ terrascan scan -i terraform $ARGS
+ popd > /dev/null
+ done
+}
+
+initialize_() {
+ # get directory containing this script
+ local dir
+ local source
+ source="${BASH_SOURCE[0]}"
+ while [[ -L $source ]]; do # resolve $source until the file is no longer a symlink
+ dir="$(cd -P "$(dirname "$source")" > /dev/null && pwd)"
+ source="$(readlink "$source")"
+ # if $source was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+ [[ $source != /* ]] && source="$dir/$source"
+ done
+ _SCRIPT_DIR="$(dirname "$source")"
+
+ # source getopt function
+ # shellcheck source=lib_getopt
+ . "$_SCRIPT_DIR/lib_getopt"
+}
+
+parse_cmdline_() {
+ declare argv
+ argv=$(getopt -o a: --long args: -- "$@") || return
+ eval "set -- $argv"
+
+ for argv; do
+ case $argv in
+ -a | --args)
+ shift
+ ARGS+=("$1")
+ shift
+ ;;
+ --)
+ shift
+ FILES+=("$@")
+ break
+ ;;
+ esac
+ done
+}
+
+# global arrays
+declare -a ARGS=()
+declare -a FILES=()
+
+[[ ${BASH_SOURCE[0]} != "$0" ]] || main "$@"
From 9b84f70efef7419e53c9526dff2e4a7d6bc9c78d Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 22 Apr 2021 22:16:26 +0200 Subject: [PATCH 12/27] Updated CHANGELOG
---
 CHANGELOG.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5686d7243..33739006a 100644
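Review bot: `for file_with_path in $FILES` in `terrascan_` expands only the first element of the `FILES` array (unquoted `$FILES` is `${FILES[0]}`), so when pre-commit passes several files only the first one's directory is scanned; `terrascan scan -i terraform $ARGS` drops every `--args` value after the first for the same reason. Use `for file_with_path in "${FILES[@]}"; do` and `terrascan scan -i terraform "${ARGS[@]}"`. The `"$ARGS" "$FILES"` positional parameters passed from `main` are never read by `terrascan_`, which works from the globals, so either drop them or have the function consume `"$@"`. `index` and `paths` are also left global rather than `local`, which is harmless here but worth tightening while the loop is touched.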
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,12 @@ All notable changes to this project will be documented in this file. + +## [v1.50.0] - 2021-04-22 + +- feat: Adds support for Terrascan ([#195](https://github.com/antonbabenko/pre-commit-terraform/issues/195)) + + ## [v1.49.0] - 2021-04-20 @@ -417,7 +423,8 @@ https://github.com/antonbabenko/pre-commit-terraform/commit/35e0356188b64a4c5af9 - Initial commit -[Unreleased]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.49.0...HEAD +[Unreleased]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.50.0...HEAD +[v1.50.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.49.0...v1.50.0 [v1.49.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.48.0...v1.49.0 [v1.48.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.47.0...v1.48.0 [v1.47.0]: https://github.com/antonbabenko/pre-commit-terraform/compare/v1.46.0...v1.47.0 From c7d6d002ed510c1a3e63af6d0e132e8abf2448d4 Mon Sep 17 00:00:00 2001 From: Lorenz Vanthillo Date: Tue, 4 May 2021 16:41:28 +0200 Subject: [PATCH 13/27] chore: Update Ubuntu install method (#198) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 462e25fdb..6e43ade5a 100644 --- a/README.md +++ b/README.md 
@@ -32,7 +32,7 @@ sudo apt install -y python3.7 python3-pip pip3 install pre-commit curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ -curl -L "$(curl -s https://api.github.com/repos/tfsec/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && mv tfsec /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/tfsec/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ python3.7 -m pip install -U checkov ``` From 5daffe87271a154e9199c5113540e5ef6438a65a Mon Sep 17 00:00:00 2001 From: Maksym Vlasov Date: Thu, 9 Sep 2021 12:38:43 +0300 Subject: [PATCH 14/27] docs: Initial docs improvement (#218) --- .dockerignore | 2 +- .editorconfig | 14 ++++ .pre-commit-config.yaml | 24 +++++- CHANGELOG.md | 2 +- Dockerfile | 4 +- README.md | 160 ++++++++++++++++++++++++++++------------ 6 files changed, 153 insertions(+), 53 deletions(-) create mode 100644 .editorconfig diff --git a/.dockerignore b/.dockerignore index 763bb31a8..50c8ea340 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,3 +1,3 @@ * !.dockerignore -!Dockerfile \ No newline at end of file +!Dockerfile diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 000000000..74f9834a3 --- /dev/null +++ b/.editorconfig 
@@ -0,0 +1,14 @@ +root = true + +[*] +indent_style = space +indent_size = 2 +charset = utf-8 +trim_trailing_whitespace = true +insert_final_newline = true + +[{*.{sh,py,md},Dockerfile}] +indent_size = 4 + +[*.md] +trim_trailing_whitespace = false diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a0304e23e..354e538dc 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,13 +1,31 @@ repos: - repo: git://github.com/pre-commit/pre-commit-hooks - rev: v3.4.0 + rev: v4.0.1 hooks: - - id: check-yaml + # Git style + - id: check-added-large-files + - id: check-merge-conflict + - id: check-vcs-permalinks + - id: forbid-new-submodules + - id: no-commit-to-branch + + # Common errors - id: end-of-file-fixer - id: trailing-whitespace - - id: check-case-conflict + args: [--markdown-linebreak-ext=md] + - id: check-yaml - id: check-merge-conflict - id: check-executables-have-shebangs + + # Cross platform + - id: check-case-conflict + + # Security + - id: detect-aws-credentials + args: ['--allow-missing-credentials'] + - id: detect-private-key + + - repo: git://github.com/jumanjihouse/pre-commit-hooks rev: 2.1.5 hooks: diff --git a/CHANGELOG.md b/CHANGELOG.md index 33739006a..722de3489 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -151,7 +151,7 @@ All notable changes to this project will be documented in this file. - fix: Change terraform_validate hook functionality for subdirectories with terraform files ([#100](https://github.com/antonbabenko/pre-commit-terraform/issues/100)) -### +### configuration for the appropriate working directory. diff --git a/Dockerfile b/Dockerfile index 1bc60ebbb..5d3f8906b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM ubuntu:18.04 ARG PRE_COMMIT_VERSION="2.11.1" ARG TERRAFORM_VERSION="0.15.0" -ARG TFSEC_VERSION="v0.39.21" +ARG TFSEC_VERSION="v0.39.21" ARG TERRAFORM_DOCS_VERSION="v0.12.0" ARG TFLINT_VERSION="v0.27.0" ARG CHECKOV_VERSION="1.0.838" 
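Review bot: The bumped `rev: v4.0.1` still fetches `pre-commit/pre-commit-hooks` (and the `jumanjihouse/pre-commit-hooks` entry in the trailing context) over `git://`, an unauthenticated, unencrypted transport, so the hook code that runs on every commit — including the newly added `detect-aws-credentials` and `detect-private-key` scanners — could be substituted in transit, and GitHub has, as far as I know, since stopped serving `git://` altogether. Switch both entries to HTTPS, e.g. `- repo: https://github.com/pre-commit/pre-commit-hooks`. Separately, `rev` here is a movable tag; pinning a full commit SHA (pre-commit accepts one in `rev`) would make the hook set immutable against a retagged release.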
@@ -33,4 +33,4 @@ RUN tflint --help RUN tfsec --help RUN checkov --help -ENTRYPOINT [ "pre-commit" ] \ No newline at end of file +ENTRYPOINT [ "pre-commit" ] diff --git a/README.md b/README.md index 6e43ade5a..8852df7d1 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,25 @@ # Collection of git hooks for Terraform to be used with [pre-commit framework](http://pre-commit.com/) -[![Github tag](https://img.shields.io/github/tag/antonbabenko/pre-commit-terraform.svg)](https://github.com/antonbabenko/pre-commit-terraform/releases) ![](https://img.shields.io/maintenance/yes/2021.svg) [![Help Contribute to Open Source](https://www.codetriage.com/antonbabenko/pre-commit-terraform/badges/users.svg)](https://www.codetriage.com/antonbabenko/pre-commit-terraform) +[![Github tag](https://img.shields.io/github/tag/antonbabenko/pre-commit-terraform.svg)](https://github.com/antonbabenko/pre-commit-terraform/releases) ![maintenance status](https://img.shields.io/maintenance/yes/2021.svg) [![Help Contribute to Open Source](https://www.codetriage.com/antonbabenko/pre-commit-terraform/badges/users.svg)](https://www.codetriage.com/antonbabenko/pre-commit-terraform) + +* [How to install](#how-to-install) + * [1. Install dependencies](#1-install-dependencies) + * [MacOS](#macos) + * [Ubuntu 18.04](#ubuntu-1804) + * [Ubuntu 20.04](#ubuntu-2004) + * [2. Install the pre-commit hook globally](#2-install-the-pre-commit-hook-globally) + * [3. Add configs and hooks](#3-add-configs-and-hooks) + * [4. Run](#4-run) +* [Available Hooks](#available-hooks) +* [Hooks notes](#hooks-notes) + * [terraform_docs](#terraform_docs) + * [terraform_tflint](#terraform_tflint) + * [terraform_tfsec](#terraform_tfsec) + * [terraform_validate](#terraform_validate) +* [Notes for contributors](#notes-for-contributors) + * [Run and debug hooks locally](#run-and-debug-hooks-locally) +* [Authors](#authors) +* [License](#license) ## How to install 
@@ -16,28 +35,46 @@ or build and use the Docker image locally as mentioned below in the `Run` section. -##### MacOS +#### MacOS ```bash brew install pre-commit gawk terraform-docs tflint tfsec coreutils checkov terrascan ``` -##### Ubuntu 18.04 +#### Ubuntu 18.04 ```bash sudo apt update sudo apt install -y gawk unzip software-properties-common sudo add-apt-repository ppa:deadsnakes/ppa sudo apt install -y python3.7 python3-pip +python3 -m pip install --upgrade pip pip3 install pre-commit curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ -curl -L "$(curl -s https://api.github.com/repos/tfsec/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64" | head -n 1)" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ python3.7 -m pip install -U checkov ``` +##### Ubuntu 20.04 + +```bash +sudo apt update +sudo apt install -y gawk unzip software-properties-common +sudo apt install -y python3 python3-pip +python3 -m pip install --upgrade pip +pip3 install pre-commit +curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar 
-xzf terraform-docs.tgz terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64" | head -n 1)" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ +pip3 install -U checkov +``` + + ### 2. Install the pre-commit hook globally + Note: not needed if you use the Docker image ```bash @@ -71,6 +108,7 @@ pre-commit run -a ``` or you can also build and use the provided Docker container, which wraps all dependencies by + ```bash # first building it docker build -t pre-commit . 
@@ -83,48 +121,54 @@ docker run -v $(pwd):/lint -w /lint pre-commit run -a There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform configurations (both `*.tf` and `*.tfvars`) and Terragrunt configurations (`*.hcl`) in a good shape: -| Hook name | Description | -| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------- | -| `terraform_fmt` | Rewrites all Terraform configuration files to a canonical format. | -| `terraform_validate` | Validates all Terraform configuration files. | -| `terraform_docs` | Inserts input and output documentation into `README.md`. Recommended. | -| `terraform_docs_without_aggregate_type_defaults` | Inserts input and output documentation into `README.md` without aggregate type defaults. | -| `terraform_docs_replace` | Runs `terraform-docs` and pipes the output directly to README.md (requires terraform-docs v0.10.0 or later) | -| `terraform_tflint` | Validates all Terraform configuration files with [TFLint](https://github.com/terraform-linters/tflint). | -| `terragrunt_fmt` | Rewrites all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) to a canonical format. | -| `terragrunt_validate` | Validates all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) | -| `terraform_tfsec` | [TFSec](https://github.com/liamg/tfsec) static analysis of terraform templates to spot potential security issues. | -| `checkov` | [checkov](https://github.com/bridgecrewio/checkov) static analysis of terraform templates to spot potential security issues. | -| `terrascan` | [terrascan](https://github.com/accurics/terrascan) Detect compliance and security violations. 
| +| Hook name | Description | +| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | +| `terraform_fmt` | Rewrites all Terraform configuration files to a canonical format. [Hook notes](#terraform_docs) | +| `terraform_validate` | Validates all Terraform configuration files. [Hook notes](#terraform_validate) | +| `terraform_docs` | Inserts input and output documentation into `README.md`. Recommended. | +| `terraform_docs_without_aggregate_type_defaults` | Inserts input and output documentation into `README.md` without aggregate type defaults. | +| `terraform_docs_replace` | Runs `terraform-docs` and pipes the output directly to README.md | +| `terraform_tflint` | Validates all Terraform configuration files with [TFLint](https://github.com/terraform-linters/tflint). [Hook notes](#terraform_tflint). | +| `terragrunt_fmt` | Rewrites all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) to a canonical format. | +| `terragrunt_validate` | Validates all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) | +| `terraform_tfsec` | [TFSec](https://github.com/liamg/tfsec) static analysis of terraform templates to spot potential security issues. [Hook notes](#terraform_tfsec) | +| `checkov` | [checkov](https://github.com/bridgecrewio/checkov) static analysis of terraform templates to spot potential security issues. | +| `terrascan` | [terrascan](https://github.com/accurics/terrascan) Detect compliance and security violations. | Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blob/master/.pre-commit-hooks.yaml) to know arguments used for each hook. -## Notes about terraform_docs hooks +## Hooks notes + +### terraform_docs 1. 
`terraform_docs` and `terraform_docs_without_aggregate_type_defaults` will insert/update documentation generated by [terraform-docs](https://github.com/terraform-docs/terraform-docs) framed by markers: -```txt - - -``` -if they are present in `README.md`. + ```txt + + + + ``` + + if they are present in `README.md`. -1. `terraform_docs_replace` replaces the entire README.md rather than doing string replacement between markers. Put your additional documentation at the top of your `main.tf` for it to be pulled in. The optional `--dest` argument lets you change the name of the file that gets created/modified. This hook requires terraform-docs v0.10.0 or later. +2. `terraform_docs_replace` replaces the entire README.md rather than doing string replacement between markers. Put your additional documentation at the top of your `main.tf` for it to be pulled in. The optional `--dest` argument lets you change the name of the file that gets created/modified. + + Example: - 1. Example: ```yaml hooks: - id: terraform_docs_replace args: ['--sort-by-required', '--dest=TEST.md'] ``` -1. It is possible to pass additional arguments to shell scripts when using `terraform_docs` and `terraform_docs_without_aggregate_type_defaults`. Send pull-request with the new hook if there is something missing. +3. It is possible to pass additional arguments to shell scripts when using `terraform_docs` and `terraform_docs_without_aggregate_type_defaults`. Send pull-request with the new hook if there is something missing. -## Notes about terraform_tflint hooks +### terraform_tflint 1. `terraform_tflint` supports custom arguments so you can enable module inspection, deep check mode etc. - 1. Example: + Example: + ```yaml hooks: - id: terraform_tflint @@ -132,6 +176,7 @@ if they are present in `README.md`. ``` In order to pass multiple args, try the following: + ```yaml - id: terraform_tflint args: 
@@ -139,24 +184,25 @@ if they are present in `README.md`. - '--args=--enable-rule=terraform_documented_variables' ``` -1. When you have multiple directories and want to run `tflint` in all of them and share single config file it is impractical to hard-code the path to `.tflint.hcl` file. The solution is to use `__GIT_WORKING_DIR__` placeholder which will be replaced by `terraform_tflint` hooks with Git working directory (repo root) at run time. For example: +3. When you have multiple directories and want to run `tflint` in all of them and share single config file it is impractical to hard-code the path to `.tflint.hcl` file. The solution is to use `__GIT_WORKING_DIR__` placeholder which will be replaced by `terraform_tflint` hooks with Git working directory (repo root) at run time. For example: - ```yaml - hooks: - - id: terraform_tflint - args: - - '--args=--config=__GIT_WORKING_DIR__/.tflint.hcl' - ``` + ```yaml + hooks: + - id: terraform_tflint + args: + - '--args=--config=__GIT_WORKING_DIR__/.tflint.hcl' + ``` -## Notes about terraform_tfsec hooks +### terraform_tfsec 1. `terraform_tfsec` will consume modified files that pre-commit passes to it, so you can perform whitelisting of directories or files to run against via [files](https://pre-commit.com/#config-files) pre-commit flag - 1. Example: + Example: + ```yaml hooks: - id: terraform_tfsec @@ -167,9 +213,11 @@ if they are present in `README.md`. only such that the underlying `tfsec` tool can run against changed files in this directory, ignoring any other folders at the root level -1. To ignore specific warnings, follow the convention from the +2. To ignore specific warnings, follow the convention from the [documentation](https://github.com/liamg/tfsec#ignoring-warnings). - 1. Example: + + Example: + ```hcl resource "aws_security_group_rule" "my-rule" { type = "ingress" 
@@ -177,11 +225,12 @@ if they are present in `README.md`. } ``` -## Notes about terraform_validate hooks +### terraform_validate 1. `terraform_validate` supports custom arguments so you can pass supported no-color or json flags. - 1. Example: + Example: + ```yaml hooks: - id: terraform_validate @@ -189,15 +238,18 @@ if they are present in `README.md`. ``` In order to pass multiple args, try the following: + ```yaml - id: terraform_validate args: - '--args=-json' - '--args=-no-color' ``` -1. `terraform_validate` also supports custom environment variables passed to the pre-commit runtime - 1. Example: +2. `terraform_validate` also supports custom environment variables passed to the pre-commit runtime + + Example: + ```yaml hooks: - id: terraform_validate @@ -205,6 +257,7 @@ if they are present in `README.md`. ``` In order to pass multiple args, try the following: + ```yaml - id: terraform_validate args: @@ -213,7 +266,7 @@ if they are present in `README.md`. - '--envs=AWS_SECRET_ACCESS_KEY="asecretkey"' ``` -1. It may happen that Terraform working directory (`.terraform`) already exists but not in the best condition (eg, not initialized modules, wrong version of Terraform, etc). To solve this problem you can find and delete all `.terraform` directories in your repository using this command: +3. It may happen that Terraform working directory (`.terraform`) already exists but not in the best condition (eg, not initialized modules, wrong version of Terraform, etc). To solve this problem you can find and delete all `.terraform` directories in your repository using this command: ```shell find . -type d -name ".terraform" -print0 | xargs -0 rm -r 
@@ -221,14 +274,29 @@ if they are present in `README.md`. `terraform_validate` hook will try to reinitialize them before running `terraform validate` command. -## Notes for developers +## Notes for contributors 1. Python hooks are supported now too. All you have to do is: 1. add a line to the `console_scripts` array in `entry_points` in `setup.py` - 1. Put your python script in the `pre_commit_hooks` folder + 2. Put your python script in the `pre_commit_hooks` folder Enjoy the clean, valid, and documented code! +### Run and debug hooks locally + +```bash +pre-commit try-repo {-a} /path/to/local/pre-commit-terraform/repo {hook_name} +``` + +I.e. + +```bash +pre-commit try-repo /mnt/c/Users/tf/pre-commit-terraform terraform_fmt # Run only `terraform_fmt` check +pre-commit try-repo -a ~/pre-commit-terraform # run all existing checks from repo +``` + +Running `pre-commit` with `try-repo` ignores all arguments specified in `.pre-commit-config.yaml`. + ## Authors This repository is managed by [Anton Babenko](https://github.com/antonbabenko) with help from [these awesome contributors](https://github.com/antonbabenko/pre-commit-terraform/graphs/contributors). From ce02f94e46635b23087e29e746f0461c6993fee2 Mon Sep 17 00:00:00 2001 From: Maksym Vlasov Date: Thu, 9 Sep 2021 22:29:33 +0300 Subject: [PATCH 15/27] fix: Dockerized pre-commit-terraform (#219) Co-authored-by: Anton Babenko --- Dockerfile | 182 +++++++++++++++++++++++++++++++++++++++++++++-------- README.md | 126 +++++++++++++++++++++++++------------ 2 files changed, 243 insertions(+), 65 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5d3f8906b..239994448 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,36 +1,166 @@ -FROM ubuntu:18.04 - -ARG PRE_COMMIT_VERSION="2.11.1" -ARG TERRAFORM_VERSION="0.15.0" -ARG TFSEC_VERSION="v0.39.21" -ARG TERRAFORM_DOCS_VERSION="v0.12.0" -ARG TFLINT_VERSION="v0.27.0" -ARG CHECKOV_VERSION="1.0.838" +FROM ubuntu:20.04 as builder # Install general dependencies RUN apt update && \ - apt install -y curl git gawk unzip software-properties-common + DEBIAN_FRONTEND=noninteractive apt install -y \ + # Needed for pre-commit in next build stage + git \ + libpcre2-8-0 \ + # Builder deps + unzip \ + software-properties-common \ + curl \ + python3 \ + python3-pip && \ + # Upgrade pip for be able get latest Checkov + python3 -m pip install --upgrade pip && \ + # Cleanup + rm -rf /var/lib/apt/lists/* -# Install tools -RUN add-apt-repository ppa:deadsnakes/ppa && \ - apt install -y python3.7 python3-pip && \ - pip3 install pre-commit==${PRE_COMMIT_VERSION} && \ - curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases | grep -o -E "https://.+?${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && mv terraform-docs /usr/bin/ && \ - curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases | grep -o -E "https://.+?/${TFLINT_VERSION}/tflint_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && mv tflint /usr/bin/ && \ - curl -L "$(curl -s https://api.github.com/repos/tfsec/tfsec/releases | grep -o -E "https://.+?/${TFSEC_VERSION}/tfsec-linux-amd64")" > tfsec && chmod +x tfsec && mv tfsec /usr/bin/ && \ - python3.7 -m pip install -U checkov==${CHECKOV_VERSION} +ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest} +ARG TERRAFORM_VERSION=${TERRAFORM_VERSION:-latest} + +# Install pre-commit +RUN [ ${PRE_COMMIT_VERSION} = "latest" ] && pip3 install --no-cache-dir pre-commit \ + || pip3 install --no-cache-dir pre-commit==${PRE_COMMIT_VERSION} # Install terraform because pre-commit needs it RUN curl -fsSL 
https://apt.releases.hashicorp.com/gpg | apt-key add - && \ apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" && \ - apt-get update && apt-get install terraform=${TERRAFORM_VERSION} - -# Checking all binaries are in the PATH -RUN terraform --help -RUN pre-commit --help -RUN terraform-docs --help -RUN tflint --help -RUN tfsec --help -RUN checkov --help + apt update && \ + ( \ + [ "$TERRAFORM_VERSION" = "latest" ] && apt install -y terraform \ + || apt install -y terraform=${TERRAFORM_VERSION} \ + ) && \ + # Cleanup + rm -rf /var/lib/apt/lists/* + +# +# Install tools +# +WORKDIR /bin_dir + +ARG CHECKOV_VERSION=${CHECKOV_VERSION:-false} +ARG TERRAFORM_DOCS_VERSION=${TERRAFORM_DOCS_VERSION:-false} +ARG TERRAGRUNT_VERSION=${TERRAGRUNT_VERSION:-false} +ARG TERRASCAN_VERSION=${TERRASCAN_VERSION:-false} +ARG TFLINT_VERSION=${TFLINT_VERSION:-false} +ARG TFSEC_VERSION=${TFSEC_VERSION:-false} + + +# Tricky thing to install all tools by set only one arg. +# In RUN command below used `. /.env` <- this is sourcing vars that +# specified in step below +ARG INSTALL_ALL=${INSTALL_ALL:-false} +RUN if [ "$INSTALL_ALL" != "false" ]; then \ + echo "export CHECKOV_VERSION=latest" >> /.env && \ + echo "export TERRAFORM_DOCS_VERSION=latest" >> /.env && \ + echo "export TERRAGRUNT_VERSION=latest" >> /.env && \ + echo "export TERRASCAN_VERSION=latest" >> /.env && \ + echo "export TFLINT_VERSION=latest" >> /.env && \ + echo "export TFSEC_VERSION=latest" >> /.env \ + ; fi + + +# Checkov +RUN . /.env && \ + if [ "$CHECKOV_VERSION" != "false" ]; then \ + ( \ + [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \ + || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION} \ + ) \ + ; fi + +# Terraform docs +RUN . 
/.env && \ + if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then \ + ( \ + TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \ + [ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz \ + || curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz")" > terraform-docs.tgz \ + ) && tar -xzf terraform-docs.tgz terraform-docs && chmod +x terraform-docs \ + ; fi + +# Terragrunt +RUN . /.env \ + && if [ "$TERRAGRUNT_VERSION" != "false" ]; then \ + ( \ + TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \ + [ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E "https://.+?/terragrunt_linux_amd64" | head -n 1)" > terragrunt \ + || curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" | head -n 1)" > terragrunt \ + ) && chmod +x terragrunt \ + ; fi + + +# Terrascan +RUN . /.env && \ + if [ "$TERRASCAN_VERSION" != "false" ]; then \ + ( \ + TERRASCAN_RELEASES="https://api.github.com/repos/accurics/terrascan/releases" && \ + [ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz \ + || curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_Linux_x86_64.tar.gz")" > terrascan.tar.gz \ + ) && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && \ + ./terrascan init \ + ; fi + +# TFLint +RUN . 
/.env && \ + if [ "$TFLINT_VERSION" != "false" ]; then \ + ( \ + TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \ + [ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip \ + || curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_linux_amd64.zip")" > tflint.zip \ + ) && unzip tflint.zip && rm tflint.zip \ + ; fi + +# TFSec +RUN . /.env && \ + if [ "$TFSEC_VERSION" != "false" ]; then \ + ( \ + TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \ + [ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E "https://.+?/tfsec-linux-amd64" | head -n 1)" > tfsec \ + || curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E "https://.+?v${TFSEC_VERSION}/tfsec-linux-amd64" | head -n 1)" > tfsec \ + ) && chmod +x tfsec \ + ; fi + +# Checking binaries versions +RUN . /.env && \ + echo "\n\n" && \ + pre-commit --version && \ + terraform --version | head -n 1 && \ + (if [ "$CHECKOV_VERSION" != "false" ]; then echo -n "checkov " && checkov --version; else echo "checkov SKIPPED" ; fi) && \ + (if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then ./terraform-docs --version; else echo "terraform-docs SKIPPED"; fi) && \ + (if [ "$TERRAGRUNT_VERSION" != "false" ]; then ./terragrunt --version; else echo "terragrunt SKIPPED" ; fi) && \ + (if [ "$TERRASCAN_VERSION" != "false" ]; then echo -n "terrascan " && ./terrascan version; else echo "terrascan SKIPPED" ; fi) && \ + (if [ "$TFLINT_VERSION" != "false" ]; then ./tflint --version; else echo "tflint SKIPPED" ; fi) && \ + (if [ "$TFSEC_VERSION" != "false" ]; then echo -n "tfsec " && ./tfsec --version; else echo "tfsec SKIPPED" ; fi) && \ + echo "\n\n" + +# based on debian:buster-slim +# https://github.com/docker-library/python/blob/master/3.9/buster/slim/Dockerfile +FROM python:3.9-slim-buster + +# Python 3.8 (ubuntu 20.04) -> 
Python3.9 hacks +COPY --from=builder /usr/local/lib/python3.8/dist-packages/ /usr/local/lib/python3.9/site-packages/ +COPY --from=builder /usr/lib/python3/dist-packages /usr/local/lib/python3.9/site-packages +RUN mkdir /usr/lib/python3 && \ + ln -s /usr/local/lib/python3.9/site-packages /usr/lib/python3/site-packages && \ + ln -s /usr/local/bin/python3 /usr/bin/python3 +# Copy binaries needed for pre-commit +COPY --from=builder /usr/lib/git-core/ /usr/lib/git-core/ +COPY --from=builder /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 /usr/lib/x86_64-linux-gnu/ +# Copy tools +COPY --from=builder \ + /bin_dir/ \ + /usr/bin/terraform \ + /usr/local/bin/checkov* \ + /usr/local/bin/pre-commit \ + /usr/bin/git \ + /usr/bin/git-shell \ + /usr/bin/ +# Copy terrascan policies +COPY --from=builder /root/ /root/ + +ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always} ENTRYPOINT [ "pre-commit" ] diff --git a/README.md b/README.md index 8852df7d1..19901f3d9 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,6 @@ * [How to install](#how-to-install) * [1. Install dependencies](#1-install-dependencies) - * [MacOS](#macos) - * [Ubuntu 18.04](#ubuntu-1804) - * [Ubuntu 20.04](#ubuntu-2004) * [2. Install the pre-commit hook globally](#2-install-the-pre-commit-hook-globally) * [3. Add configs and hooks](#3-add-configs-and-hooks) * [4. Run](#4-run) 
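Review bot: Every tool step begins with `. /.env`, but `/.env` is only ever written inside the `if [ "$INSTALL_ALL" != "false" ]` branch, so a build that selects tools individually (as the README example with per-tool `--build-arg`s and no `INSTALL_ALL` does) fails at the first `RUN . /.env`, because sourcing a missing file makes that step exit non-zero. Add `RUN touch /.env` ahead of the `INSTALL_ALL` step (or an `else touch /.env \` branch before `; fi`) so the file always exists. Separately, terraform-docs, terragrunt, terrascan, tflint and tfsec are downloaded from the GitHub releases API and installed after only a `chmod +x`, with no checksum or signature verification, so the image trusts whatever the API returns at build time; where upstream publishes a checksum file it is worth fetching it alongside the asset and running `sha256sum -c` before the final `--version` check, which currently only proves the file executes.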
@@ -25,23 +22,69 @@ ### 1. Install dependencies -* [`pre-commit`](https://pre-commit.com/#install) -* [`terraform-docs`](https://github.com/terraform-docs/terraform-docs) required for `terraform_docs` hooks. `GNU awk` is required if using `terraform-docs` older than 0.8.0 with Terraform 0.12. -* [`TFLint`](https://github.com/terraform-linters/tflint) required for `terraform_tflint` hook. -* [`TFSec`](https://github.com/liamg/tfsec) required for `terraform_tfsec` hook. -* [`coreutils`](https://formulae.brew.sh/formula/coreutils) required for `terraform_validate` hook on macOS (due to use of `realpath`). + + +* [`pre-commit`](https://pre-commit.com/#install), + [`terraform`](https://www.terraform.io/downloads.html), + [`git`](https://git-scm.com/downloads), + POSIX compatible shell, + Internet connection (on first run), + x86_64 compatible operation system, + Some hardware where this OS will run, + Electricity for hardware and internet connection, + Some basic physical laws, + Hope that it all will works. +

* [`checkov`](https://github.com/bridgecrewio/checkov) required for `checkov` hook. +* [`terraform-docs`](https://github.com/terraform-docs/terraform-docs) required for `terraform_docs` hooks. * [`terrascan`](https://github.com/accurics/terrascan) required for `terrascan` hook. +* [`TFLint`](https://github.com/terraform-linters/tflint) required for `terraform_tflint` hook. +* [`TFSec`](https://github.com/liamg/tfsec) required for `terraform_tfsec` hook. + +
Docker
+ +If no `--build-arg` is specified, then the latest versions of `pre-commit` and `terraform` will be installed. + +```bash +git clone git@github.com:antonbabenko/pre-commit-terraform.git +cd pre-commit-terraform +# Install all tools with latest versions: +docker build -t pre-commit --build-arg INSTALL_ALL=true . +``` + +You can specify needed tool versions by providing `--build-arg`'s. +If you'd like you can use the `latest` versions: + +```bash +docker build -t pre-commit \ + --build-arg PRE_COMMIT_VERSION=latest \ + --build-arg TERRAFORM_VERSION=latest \ + --build-arg CHECKOV_VERSION=2.0.405 \ + --build-arg TERRAFORM_DOCS_VERSION=0.15.0 \ + --build-arg TERRAGRUNT_VERSION=latest \ + --build-arg TERRASCAN_VERSION=1.10.0 \ + --build-arg TFLINT_VERSION=0.31.0 \ + --build-arg TFSEC_VERSION=latest \ + . +``` -or build and use the Docker image locally as mentioned below in the `Run` section. +To disable pre-commit color output set `-e PRE_COMMIT_COLOR=never`. -#### MacOS +
+ + +
MacOS
+ +[`coreutils`](https://formulae.brew.sh/formula/coreutils) required for `terraform_validate` hook on macOS (due to use of `realpath`). ```bash brew install pre-commit gawk terraform-docs tflint tfsec coreutils checkov terrascan +terrascan init ``` -#### Ubuntu 18.04 +
+ +
Ubuntu 18.04
```bash sudo apt update @@ -49,33 +92,40 @@ sudo apt install -y gawk unzip software-properties-common sudo add-apt-repository ppa:deadsnakes/ppa sudo apt install -y python3.7 python3-pip python3 -m pip install --upgrade pip -pip3 install pre-commit +pip3 install --no-cache-dir pre-commit +python3.7 -m pip install -U checkov curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64" | head -n 1)" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ -python3.7 -m pip install -U checkov +terrascan init ``` -##### Ubuntu 20.04 +
+ + +
Ubuntu 20.04
```bash sudo apt update -sudo apt install -y gawk unzip software-properties-common -sudo apt install -y python3 python3-pip +sudo apt install -y gawk unzip software-properties-common python3 python3-pip python3 -m pip install --upgrade pip -pip3 install pre-commit +pip3 install --no-cache-dir pre-commit +pip3 install --no-cache-dir checkov curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar -xzf terraform-docs.tgz terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ +terrascan init curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64" | head -n 1)" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/ -curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ -pip3 install -U checkov ``` +
+ + ### 2. Install the pre-commit hook globally -Note: not needed if you use the Docker image +> Note: not needed if you use the Docker image ```bash DIR=~/.git-template @@ -101,19 +151,17 @@ EOF ### 4. Run -After pre-commit hook has been installed you can run it manually on all files in the repository +After pre-commit hook has been installed you can run it manually on all files in the repository. + +Local installation: ```bash pre-commit run -a ``` -or you can also build and use the provided Docker container, which wraps all dependencies by +Docker: ```bash -# first building it -docker build -t pre-commit . -# and then running it in the folder -# with the terraform code you want to check by executing docker run -v $(pwd):/lint -w /lint pre-commit run -a ``` 
@@ -121,19 +169,19 @@ docker run -v $(pwd):/lint -w /lint pre-commit run -a There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform configurations (both `*.tf` and `*.tfvars`) and Terragrunt configurations (`*.hcl`) in a good shape: -| Hook name | Description | -| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | -| `terraform_fmt` | Rewrites all Terraform configuration files to a canonical format. [Hook notes](#terraform_docs) | -| `terraform_validate` | Validates all Terraform configuration files. [Hook notes](#terraform_validate) | -| `terraform_docs` | Inserts input and output documentation into `README.md`. Recommended. | -| `terraform_docs_without_aggregate_type_defaults` | Inserts input and output documentation into `README.md` without aggregate type defaults. | -| `terraform_docs_replace` | Runs `terraform-docs` and pipes the output directly to README.md | -| `terraform_tflint` | Validates all Terraform configuration files with [TFLint](https://github.com/terraform-linters/tflint). [Hook notes](#terraform_tflint). | -| `terragrunt_fmt` | Rewrites all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) to a canonical format. | -| `terragrunt_validate` | Validates all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) | -| `terraform_tfsec` | [TFSec](https://github.com/liamg/tfsec) static analysis of terraform templates to spot potential security issues. [Hook notes](#terraform_tfsec) | -| `checkov` | [checkov](https://github.com/bridgecrewio/checkov) static analysis of terraform templates to spot potential security issues. | -| `terrascan` | [terrascan](https://github.com/accurics/terrascan) Detect compliance and security violations. 
| +| Hook name | Description | +| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `terraform_fmt` | Rewrites all Terraform configuration files to a canonical format. [Hook notes](#terraform_docs) | +| `terraform_validate` | Validates all Terraform configuration files. [Hook notes](#terraform_validate) | +| `terraform_docs` | Inserts input and output documentation into `README.md`. Recommended. | +| `terraform_docs_without_aggregate_type_defaults` | Inserts input and output documentation into `README.md` without aggregate type defaults. | +| `terraform_docs_replace` | Runs `terraform-docs` and pipes the output directly to README.md | +| `terraform_tflint` | Validates all Terraform configuration files with [TFLint](https://github.com/terraform-linters/tflint). [Available TFLint rules](https://github.com/terraform-linters/tflint/tree/master/docs/rules#rules). [Hook notes](#terraform_tflint). | +| `terragrunt_fmt` | Rewrites all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) to a canonical format. | +| `terragrunt_validate` | Validates all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) | +| `terraform_tfsec` | [TFSec](https://github.com/liamg/tfsec) static analysis of terraform templates to spot potential security issues. [Hook notes](#terraform_tfsec) | +| `checkov` | [checkov](https://github.com/bridgecrewio/checkov) static analysis of terraform templates to spot potential security issues. | +| `terrascan` | [terrascan](https://github.com/accurics/terrascan) Detect compliance and security violations. 
| Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blob/master/.pre-commit-hooks.yaml) to know arguments used for each hook. From c920368fb2485e0dde8cd9956adb2cf9fa230da0 Mon Sep 17 00:00:00 2001 From: Maksym Vlasov Date: Fri, 10 Sep 2021 22:33:03 +0300 Subject: [PATCH 16/27] feat: Add mixed line ending check to prevent possible errors (#221) --- .pre-commit-config.yaml | 2 ++ Dockerfile | 16 ++++++++-------- README.md | 24 +++++++++++------------- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 354e538dc..020f65f4c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -19,6 +19,8 @@ repos: # Cross platform - id: check-case-conflict + - id: mixed-line-ending + args: [--fix=lf] # Security - id: detect-aws-credentials diff --git a/Dockerfile b/Dockerfile index 239994448..5fa7552ac 100644 --- a/Dockerfile +++ b/Dockerfile @@ -76,9 +76,9 @@ RUN . /.env && \ if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then \ ( \ TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \ - [ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz \ + [ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz \ || curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz")" > terraform-docs.tgz \ - ) && tar -xzf terraform-docs.tgz terraform-docs && chmod +x terraform-docs \ + ) && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs \ ; fi # Terragrunt 
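Review bot: The rewritten `+ [ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 …)" > terraform-docs.tgz` line still installs whatever the unauthenticated release lookup returns, with no checksum or signature verification and no `--fail` on either curl, so an HTTP error body on the asset download is written into the tarball and only surfaces, if at all, when `tar` rejects it. Adding `-f` to both invocations (`curl -fsSL ${TERRAFORM_DOCS_RELEASES}/latest` for the API call, `curl -fL … > terraform-docs.tgz` for the asset) makes a failed or rate-limited request abort the build, and verifying the archive against the checksum file that terraform-docs appears to publish alongside each release (confirm the asset name) would close the integrity gap for a binary that later runs on every commit. Note also that `-m 1` was added only to the `latest` branch here, while the terragrunt and tfsec hunks in this same patch apply it to the pinned-version `||` branch too, so the fallback `grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz"` can still hand several URLs to curl if a release carries a second asset with that suffix. The enclosing `RUN` instruction starts outside the hunk.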
@@ -86,8 +86,8 @@ RUN . /.env \ && if [ "$TERRAGRUNT_VERSION" != "false" ]; then \ ( \ TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \ - [ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E "https://.+?/terragrunt_linux_amd64" | head -n 1)" > terragrunt \ - || curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" | head -n 1)" > terragrunt \ + [ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_linux_amd64")" > terragrunt \ + || curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64")" > terragrunt \ ) && chmod +x terragrunt \ ; fi @@ -97,7 +97,7 @@ RUN . /.env && \ if [ "$TERRASCAN_VERSION" != "false" ]; then \ ( \ TERRASCAN_RELEASES="https://api.github.com/repos/accurics/terrascan/releases" && \ - [ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz \ + [ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz \ || curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_Linux_x86_64.tar.gz")" > terrascan.tar.gz \ ) && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && \ ./terrascan init \ 
@@ -108,7 +108,7 @@ RUN . /.env && \ if [ "$TFLINT_VERSION" != "false" ]; then \ ( \ TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \ - [ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip \ + [ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_linux_amd64.zip")" > tflint.zip \ || curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_linux_amd64.zip")" > tflint.zip \ ) && unzip tflint.zip && rm tflint.zip \ ; fi @@ -118,8 +118,8 @@ RUN . /.env && \ if [ "$TFSEC_VERSION" != "false" ]; then \ ( \ TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \ - [ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E "https://.+?/tfsec-linux-amd64" | head -n 1)" > tfsec \ - || curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E "https://.+?v${TFSEC_VERSION}/tfsec-linux-amd64" | head -n 1)" > tfsec \ + [ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-linux-amd64")" > tfsec \ + || curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-linux-amd64")" > tfsec \ ) && chmod +x tfsec \ ; fi diff --git a/README.md b/README.md index 19901f3d9..aeeb9668c 100644 --- a/README.md +++ b/README.md @@ -78,7 +78,7 @@ To disable pre-commit color output set `-e PRE_COMMIT_COLOR=never`. [`coreutils`](https://formulae.brew.sh/formula/coreutils) required for `terraform_validate` hook on macOS (due to use of `realpath`). ```bash -brew install pre-commit gawk terraform-docs tflint tfsec coreutils checkov terrascan +brew install pre-commit terraform-docs tflint tfsec coreutils checkov terrascan terrascan init ``` 
@@ -88,17 +88,16 @@ terrascan init ```bash sudo apt update -sudo apt install -y gawk unzip software-properties-common +sudo apt install -y unzip software-properties-common sudo add-apt-repository ppa:deadsnakes/ppa sudo apt install -y python3.7 python3-pip python3 -m pip install --upgrade pip pip3 install --no-cache-dir pre-commit python3.7 -m pip install -U checkov -curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar xzf terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ -curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ -curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64" | head -n 1)" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/ -curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ -terrascan init +curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E -m 1 "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar -xzf terraform-docs.tgz && rm terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E -m 1 "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E -m 1 "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/ +curl -L 
"$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E -m 1"https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ && terrascan init ``` 
@@ -108,15 +107,14 @@ terrascan init ```bash sudo apt update -sudo apt install -y gawk unzip software-properties-common python3 python3-pip +sudo apt install -y unzip software-properties-common python3 python3-pip python3 -m pip install --upgrade pip pip3 install --no-cache-dir pre-commit pip3 install --no-cache-dir checkov -curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar -xzf terraform-docs.tgz terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ -curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ -terrascan init -curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ -curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64" | head -n 1)" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E -m 1 "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E -m 1"https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ && terrascan init +curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E -m 1 "https://.+?_linux_amd64.zip")" > tflint.zip && unzip 
tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ +curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E -m 1 "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/ ``` From 53a866e7752885b8854a413fd76e397677050d4c Mon Sep 17 00:00:00 2001 From: Maksym Vlasov Date: Sat, 11 Sep 2021 10:47:56 +0300 Subject: [PATCH 17/27] feat: Add GH checks and templates (#222) --- .github/ISSUE_TEMPLATE/bug_report_docker.md | 81 +++++++++++++ .../bug_report_local_install.md | 106 ++++++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 29 +++++ .github/PULL_REQUEST_TEMPLATE.md | 31 +++++ .github/workflows/pre-commit.yaml | 27 +++++ .github/workflows/stale-actions.yaml | 34 ++++++ Dockerfile | 22 ++-- README.md | 7 ++ 8 files changed, 326 insertions(+), 11 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/bug_report_docker.md create mode 100644 .github/ISSUE_TEMPLATE/bug_report_local_install.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 .github/workflows/pre-commit.yaml create mode 100644 .github/workflows/stale-actions.yaml diff --git a/.github/ISSUE_TEMPLATE/bug_report_docker.md b/.github/ISSUE_TEMPLATE/bug_report_docker.md new file mode 100644 index 000000000..f1cddc738 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report_docker.md @@ -0,0 +1,81 @@ +--- +name: Local installation bug report +about: Create a bug report +labels: +- kind/bug +- area/docker +--- + + + +### Describe the bug + + + + +### How can we reproduce it? + + + + +### Environment information + +* OS: + + + +* `docker info`: + +
command output + +```bash +INSERT_OUTPUT_HERE +``` + +
+ +* Docker image tag/git commit: + +* Tools versions. Don't forget to specify right tag in command - + `TAG=latest && docker run --entrypoint cat pre-commit:$TAG /usr/bin/tools_versions_info` + +```bash +INSERT_OUTPUT_HERE +``` + +* `.pre-commit-config.yaml`: + +
file content + +```bash +INSERT_FILE_CONTENT_HERE +``` + +
diff --git a/.github/ISSUE_TEMPLATE/bug_report_local_install.md b/.github/ISSUE_TEMPLATE/bug_report_local_install.md new file mode 100644 index 000000000..f0798db1f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report_local_install.md @@ -0,0 +1,106 @@ +--- +name: Docker bug report +about: Create a bug report +labels: +- kind/bug +- area/local_installation +--- + + + +### Describe the bug + + + + +### How can we reproduce it? + + + + +### Environment information + +* OS: + + +* `uname -a` and/or `systeminfo | Select-String "^OS"` output: + +```bash +INSERT_OUTPUT_HERE +``` + + + +* Tools availability and versions: + + + +```bash +INSERT_TOOLS_VERSIONS_HERE +``` + + +* `.pre-commit-config.yaml`: + +
file content + +```bash +INSERT_FILE_CONTENT_HERE +``` + +
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 000000000..8d9f73189 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,29 @@ +--- +name: Feature request +about: Suggest an idea for this project +labels: +- kind/feature +--- + + + +### What problem are you facing? + + + + +### How could pre-commit-terraform help solve your problem? + + diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 000000000..a7af18c5b --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,31 @@ + + +Put an `x` into the box if that apply: + +- [ ] This PR introduces breaking change. +- [ ] This PR fixes a bug. +- [ ] This PR adds new functionality. +- [ ] This PR enhances existing functionality. + +### Description of your changes + + + + + +### How has this code been tested + + diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml new file mode 100644 index 000000000..773ff8e09 --- /dev/null +++ b/.github/workflows/pre-commit.yaml @@ -0,0 +1,27 @@ +name: Common issues check + +on: [pull_request] + +jobs: + pre-commit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - run: | + git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* + - name: Get changed files + id: file_changes + run: | + export DIFF=$(git diff --name-only origin/${{ github.base_ref }} ${{ github.sha }}) + echo "Diff between ${{ github.base_ref }} and ${{ github.sha }}" + echo "::set-output name=files::$( echo "$DIFF" | xargs echo )" + - uses: actions/setup-python@v2 + with: + python-version: '3.9' + - name: Execute pre-commit + uses: pre-commit/action@v2.0.0 + env: + SKIP: no-commit-to-branch + with: + token: ${{ secrets.GITHUB_TOKEN }} + extra_args: --color=always --show-diff-on-failure --files ${{ steps.file_changes.outputs.files }} 
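Review bot: The `extra_args: … --files ${{ steps.file_changes.outputs.files }}` line feeds file names taken from the pull request's own diff into an action input, and `github.base_ref` is expanded directly into the `run:` script of the `Get changed files` step; on an `on: [pull_request]` workflow those file names are chosen by the PR author, so if `pre-commit/action@v2.0.0` expands `extra_args` through a shell (its `action.yml` did at the time, as far as I recall — confirm) a fork PR that adds a file whose name contains shell metacharacters runs arbitrary commands on the runner. Even without the injection angle, `xargs echo` flattens the list on whitespace, so any path containing a space is split into non-existent files. Both problems disappear if the manual diff step is dropped and pre-commit computes the changed set itself: `extra_args: --color=always --show-diff-on-failure --from-ref origin/${{ github.base_ref }} --to-ref HEAD`, which leaves only the maintainer-controlled base branch name in a template expansion (or move that into an `env:` variable and quote it). Pinning `actions/checkout@v2`, `actions/setup-python@v2` and `pre-commit/action@v2.0.0` to commit SHAs rather than mutable tags would also match the supply-chain posture expected of a repository that distributes security hooks.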
diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml new file mode 100644 index 000000000..0000f4075 --- /dev/null +++ b/.github/workflows/stale-actions.yaml @@ -0,0 +1,34 @@ +name: "Mark or close stale issues and PRs" +on: + schedule: + - cron: "0 0 * * *" + +jobs: + stale: + runs-on: ubuntu-latest + steps: + - uses: actions/stale@v3 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + # Staling issues and PR's + days-before-stale: 30 + stale-issue-label: lifecycle/stale + stale-pr-label: lifecycle/stale + stale-issue-message: | + This issue has been automatically marked as stale because it has been open 30 days + with no activity. Remove stale label or comment or this issue will be closed in 10 days + stale-pr-message: | + This PR has been automatically marked as stale because it has been open 30 days + with no activity. Remove stale label or comment or this PR will be closed in 10 days + # Not stale if have this labels + exempt-issue-labels: kind/bug,lifecycle/active,lifecycle/frozen + exempt-pr-labels: kind/bug,lifecycle/active,lifecycle/frozen + # If unstale + labels-to-remove-when-unstale: lifecycle/stale + # Close issue operations + # Label will be automatically removed if the issues are no longer closed nor locked. + days-before-close: 10 + close-issue-label: lifecycle/rotten + delete-branch: true + close-issue-message: This issue was automatically closed because of stale in 10 days + close-pr-message: This PR was automatically closed because of stale in 10 days diff --git a/Dockerfile b/Dockerfile index 5fa7552ac..0af14e304 100644 --- a/Dockerfile +++ b/Dockerfile 
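Review bot: The workflow declares no `permissions:` block, so the `secrets.GITHUB_TOKEN` passed as `repo-token` carries the repository's default token scope (historically read/write on every scope) while the stale job only needs to label and close issues and pull requests. A top-level `permissions: { issues: write, pull-requests: write }` scopes the token to what `actions/stale@v3` uses; note that `delete-branch: true` additionally needs `contents: write` (and only works for branches in this repository, not forks), so either grant that scope explicitly or drop the option. `actions/stale@v3` is referenced by a mutable major tag; pinning to a commit SHA would stop a tag move from changing what runs with this token on a nightly schedule.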
@@ -123,18 +123,18 @@ RUN . /.env && \ ) && chmod +x tfsec \ ; fi -# Checking binaries versions +# Checking binaries versions and write it to debug file RUN . /.env && \ - echo "\n\n" && \ - pre-commit --version && \ - terraform --version | head -n 1 && \ - (if [ "$CHECKOV_VERSION" != "false" ]; then echo -n "checkov " && checkov --version; else echo "checkov SKIPPED" ; fi) && \ - (if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then ./terraform-docs --version; else echo "terraform-docs SKIPPED"; fi) && \ - (if [ "$TERRAGRUNT_VERSION" != "false" ]; then ./terragrunt --version; else echo "terragrunt SKIPPED" ; fi) && \ - (if [ "$TERRASCAN_VERSION" != "false" ]; then echo -n "terrascan " && ./terrascan version; else echo "terrascan SKIPPED" ; fi) && \ - (if [ "$TFLINT_VERSION" != "false" ]; then ./tflint --version; else echo "tflint SKIPPED" ; fi) && \ - (if [ "$TFSEC_VERSION" != "false" ]; then echo -n "tfsec " && ./tfsec --version; else echo "tfsec SKIPPED" ; fi) && \ - echo "\n\n" + F=tools_versions_info && \ + pre-commit --version >> $F && \ + terraform --version | head -n 1 >> $F && \ + (if [ "$CHECKOV_VERSION" != "false" ]; then echo "checkov $(checkov --version)" >> $F; else echo "checkov SKIPPED" >> $F ; fi) && \ + (if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then ./terraform-docs --version >> $F; else echo "terraform-docs SKIPPED" >> $F; fi) && \ + (if [ "$TERRAGRUNT_VERSION" != "false" ]; then ./terragrunt --version >> $F; else echo "terragrunt SKIPPED" >> $F ; fi) && \ + (if [ "$TERRASCAN_VERSION" != "false" ]; then echo "terrascan $(./terrascan version)" >> $F; else echo "terrascan SKIPPED" >> $F ; fi) && \ + (if [ "$TFLINT_VERSION" != "false" ]; then ./tflint --version >> $F; else echo "tflint SKIPPED" >> $F ; fi) && \ + (if [ "$TFSEC_VERSION" != "false" ]; then echo "tfsec $(./tfsec --version)" >> $F; else echo "tfsec SKIPPED" >> $F ; fi) && \ + echo "\n\n" && cat $F && echo "\n\n" # based on debian:buster-slim # 
https://github.com/docker-library/python/blob/master/3.9/buster/slim/Dockerfile diff --git a/README.md b/README.md index aeeb9668c..bd848d5fa 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,7 @@
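Review bot: Rewriting the probes as `echo "checkov $(checkov --version)" >> $F` discards the exit status of the substituted command — `echo` returns 0 regardless — so this step no longer fails the image build when `checkov`, `./terrascan` or `./tfsec` is missing or broken, whereas the removed `echo -n "checkov " && checkov --version` form did; the pre-existing `terraform --version | head -n 1 >> $F` has the same blind spot because the pipeline's status is `head`'s. Assigning first preserves the check: `v=$(checkov --version) && echo "checkov $v" >> $F` (an assignment's exit status is that of the command), with the same pattern for the terrascan and tfsec lines and `tfv=$(terraform --version) && echo "$tfv" | head -n 1 >> $F` for terraform. `F=tools_versions_info` is a relative path, so the file lands wherever `WORKDIR` currently points, while the README in this patch expects `/usr/bin/tools_versions_info`; spelling the absolute path here removes that hidden coupling.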

* [`checkov`](https://github.com/bridgecrewio/checkov) required for `checkov` hook. * [`terraform-docs`](https://github.com/terraform-docs/terraform-docs) required for `terraform_docs` hooks. +* [`terragrunt`](https://terragrunt.gruntwork.io/docs/getting-started/install/) required for `terragrunt_validate` hook. * [`terrascan`](https://github.com/accurics/terrascan) required for `terrascan` hook. * [`TFLint`](https://github.com/terraform-linters/tflint) required for `terraform_tflint` hook. * [`TFSec`](https://github.com/liamg/tfsec) required for `terraform_tfsec` hook. @@ -163,6 +164,12 @@ Docker: docker run -v $(pwd):/lint -w /lint pre-commit run -a ``` +> You be able list tools versions when needed +> +> ```bash +> TAG=latest && docker run --entrypoint cat pre-commit:$TAG /usr/bin/tools_versions_info +> ``` + ## Available Hooks There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform configurations (both `*.tf` and `*.tfvars`) and Terragrunt configurations (`*.hcl`) in a good shape: From 7a8c6e109e1a321dfddfd9617bbe1c50bf440e6d Mon Sep 17 00:00:00 2001 From: Maksym Vlasov Date: Tue, 14 Sep 2021 13:37:22 +0200 Subject: [PATCH 18/27] chore: Updated GH stale action config (#223) --- .github/workflows/stale-actions.yaml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml index 0000f4075..f769925dc 100644 --- a/.github/workflows/stale-actions.yaml +++ b/.github/workflows/stale-actions.yaml @@ -12,8 +12,8 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} # Staling issues and PR's days-before-stale: 30 - stale-issue-label: lifecycle/stale - stale-pr-label: lifecycle/stale + stale-issue-label: stale + stale-pr-label: stale stale-issue-message: | This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days 
@@ -21,14 +21,11 @@ jobs: This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days # Not stale if have this labels - exempt-issue-labels: kind/bug,lifecycle/active,lifecycle/frozen - exempt-pr-labels: kind/bug,lifecycle/active,lifecycle/frozen - # If unstale - labels-to-remove-when-unstale: lifecycle/stale + exempt-issue-labels: bug,wip,on-hold + exempt-pr-labels: bug,wip,on-hold # Close issue operations # Label will be automatically removed if the issues are no longer closed nor locked. days-before-close: 10 - close-issue-label: lifecycle/rotten delete-branch: true close-issue-message: This issue was automatically closed because of stale in 10 days close-pr-message: This PR was automatically closed because of stale in 10 days From 4faee7b12b741f9c58de438e082571ebe72883da Mon Sep 17 00:00:00 2001 From: Maksym Vlasov Date: Wed, 15 Sep 2021 13:57:58 +0200 Subject: [PATCH 19/27] fix: label auto-adding after label rename (#226) --- .github/ISSUE_TEMPLATE/bug_report_docker.md | 4 ++-- .github/ISSUE_TEMPLATE/bug_report_local_install.md | 4 ++-- .github/ISSUE_TEMPLATE/feature_request.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report_docker.md b/.github/ISSUE_TEMPLATE/bug_report_docker.md index f1cddc738..a47e30657 100644 --- a/.github/ISSUE_TEMPLATE/bug_report_docker.md +++ b/.github/ISSUE_TEMPLATE/bug_report_docker.md @@ -1,8 +1,8 @@ --- -name: Local installation bug report +name: Docker bug report about: Create a bug report labels: -- kind/bug +- bug - area/docker --- diff --git a/.github/ISSUE_TEMPLATE/bug_report_local_install.md b/.github/ISSUE_TEMPLATE/bug_report_local_install.md index f0798db1f..329a3ae88 100644 --- a/.github/ISSUE_TEMPLATE/bug_report_local_install.md +++ b/.github/ISSUE_TEMPLATE/bug_report_local_install.md 
@@ -1,8 +1,8 @@ --- -name: Docker bug report +name: Local installation bug report about: Create a bug report labels: -- kind/bug +- bug - area/local_installation --- diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index 8d9f73189..d1b4b6424 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -2,7 +2,7 @@ name: Feature request about: Suggest an idea for this project labels: -- kind/feature +- feature ---