fix: Print out the full path in tflint when run through pre-commit #357
Conversation
thomaslast
changed the title
thomaslast
changed the title
hooks/_common.sh
Outdated
| @@ -138,7 +138,7 @@ function common::per_dir_hook { | |||
| # run hook for each path | |||
| for dir_path in $(echo "${dir_paths[*]}" | tr ' ' '\n' | sort -u); do | |||
| dir_path="${dir_path//__REPLACED__SPACE__/ }" | |||
| pushd "$dir_path" > /dev/null || continue | |||
| [ -f "$dir_path" ] || continue | |||
There was a problem hiding this comment.
- the
[ -f "$dir_path" ] || continueshould be[ ! -d "$dir_path" ] && continue - The
pushd/popdcommands add/remove directories to/from stack, which allows command in betweenpushd/popdexecute inside the directory. By removingpushd/popdyou introduce breakage of essential logic of thecommon::per_dir_hookfunction.
There was a problem hiding this comment.
- Fair enough I can change
- I have tried manually with tflint and this would work with a full path passed as an argument. Which hooks would be a problem? Could we make this configurable instead?
There was a problem hiding this comment.
I took tflint hook as this seems to be what you're trying to amend and you can see that per_dir_hook_unique_part function doesn't take into account the dir path and doesn't change working directory to the dest dir: https://github.com/antonbabenko/pre-commit-terraform/blob/master/hooks/terraform_tflint.sh#L33-L49
The same function in other hooks seem to behave the same, which means your change would break all those functions.
Please feel free to take a look and try and re-work these per_dir_hook_unique_part functions in all hooks, which have it, to respect the dir_path (the 2nd) parameter passed to them instead of changing directory in parent function.
There was a problem hiding this comment.
I've added in the dir_path so that it should run against the file for each hook
There was a problem hiding this comment.
I added some more comments re the new portion of changes — please take a look.
Also could you please test-run all hooks you're requesting changes too and provide the output, so that we are sure there's no breakage of existing functionality which may impact other consumers of pre-commit-terraform. Thank you.
@MaxymVlasov Could you please take a look into this PR when you've got a chance so that we all agree upon this kind of changes? Thanks.
| @@ -36,7 +36,7 @@ function per_dir_hook_unique_part { | |||
|
|
|||
| # pass the arguments to hook | |||
| # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]") | |||
| tfsec ${args[@]} | |||
| tfsec ${args[@]} "$dir_path" | |||
There was a problem hiding this comment.
I'm not quite sure since I don't use tfsec often, though its help page states that directory argument should come first:
> tfsec -h | head -5
tfsec is a simple tool to detect potential security vulnerabilities in your terraformed infrastructure.
Usage:
tfsec [directory] [flags]
Could you please verify this hook and put dir arg before the rest of args to align with tfsec usage? Thanks.
| @@ -33,7 +33,7 @@ function per_dir_hook_unique_part { | |||
|
|
|||
| # pass the arguments to hook | |||
| # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]") | |||
| terragrunt hclfmt ${args[@]} | |||
| terragrunt hclfmt ${args[@]} "$dir_path" | |||
There was a problem hiding this comment.
Based on https://terragrunt.gruntwork.io/docs/reference/cli-options/#hclfmt this wouldn't work for terragrunt. The hclfmt recursively searches current working dir and isn't compatible with providing target working dir as a command line argument, hence the terragrunt hclfmt hook need an explicit pushd/popd workaround.
| @@ -33,7 +33,7 @@ function per_dir_hook_unique_part { | |||
|
|
|||
| # pass the arguments to hook | |||
| # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]") | |||
| terrascan scan -i terraform ${args[@]} | |||
| terrascan scan -i terraform ${args[@]} "$dir_path" | |||
There was a problem hiding this comment.
To provide target working directory to terrascan the -d, --iac-dir string command line flag must be provided:
> terrascan scan -h | fgrep -- --iac-dir
-d, --iac-dir string path to a directory containing one or more IaC files (default ".")
Please fix.
There was a problem hiding this comment.
Good try, but that will not work, because you are already in $dir_path. Usage of "$(pwd)" will not help too:
Oslo/environment/qa ➜ terraform fmt "$(pwd)"
main.tfYou need to show an error msg like "that was changed in next dir" but not show it if exit code == 0
| @@ -138,7 +138,7 @@ function common::per_dir_hook { | |||
| # run hook for each path | |||
| for dir_path in $(echo "${dir_paths[*]}" | tr ' ' '\n' | sort -u); do | |||
| dir_path="${dir_path//__REPLACED__SPACE__/ }" | |||
| pushd "$dir_path" > /dev/null || continue | |||
| [ ! -d "$dir_path" ] && continue | |||
There was a problem hiding this comment.
Hmm, not mention that. Lmc
There was a problem hiding this comment.
Yeah, with that change it can work, but need to check that all hooks will work properly
There was a problem hiding this comment.
TFLint can't find TF modules by relative source without pushd
There was a problem hiding this comment.
repos:
- repo: https://github.com/thomaslast/pre-commit-terraform
rev: afde258978090e4d2382fd90bb230347d0b349ac✅ Work as expected
☑️ - Able to check only passed, not fail scenario
✖️ - work, but not print full path
❌ - failed to start
Not checked
✅ checkov (python, not affected hook)
✅ infracost_breakdown
✅ terraform_docs_replace (deprecated, python, not affected hook)
✖️ terraform_docs_without_aggregate_type_defaults
✖️ terraform_docs
✅ terraform_fmt
❌ terraform_providers_lock
❌ terraform_tflint
✅ terraform_tfsec
☑️ terraform_validate
✖️ terragrunt_fmt
☑️ terragrunt_validate
❌ terrascan
|
Hmm, it does not print changed files at all, interesting ➜ pre-commit run
Terraform docs...........................................................Failed
- hook id: terraform_docs
- files were modified by this hookrepos:
- repo: https://github.com/thomaslast/pre-commit-terraform
rev: afde258978090e4d2382fd90bb230347d0b349ac
hooks:
- id: terraform_docs |
|
Sorry I've gone AWOL on this, thanks @MaxymVlasov and @yermulnik for your help. This seems to be a breaking change for something that could be quite simple. Is it worth making another version of |
it's called We need a solution that will be DRY, easy to maintain, and fix #54 at the same time.
Here is no place for a "quick fix", because who will do as it should be after you got what you ask? |
|
This PR has been automatically marked as stale because it has been open 30 days |
github-actions
bot
added
the
stale
|
This PR was automatically closed because of stale in 10 days |
Put an
xinto the box if that apply:Description of your changes
This PR aims to fix the issue here: #54
The issue for tflint is resolved by running the pre-commit at the repo level and the full path is then displayed on an error.
How can we test changes
✅ Work as expected
☑️ - Able to check only passed, not fail scenario
✖️ - work, but not print full path
❌ - failed to start
Not checked
✅
checkov(python, not affected hook)✅
infracost_breakdown✅
terraform_docs_replace(deprecated, python, not affected hook)✖️
terraform_docs_without_aggregate_type_defaults✖️
terraform_docs✅
terraform_fmt❌
terraform_providers_lock❌
terraform_tflint✅
terraform_tfsec☑️
terraform_validate✖️
terragrunt_fmt☑️
terragrunt_validate❌
terrascan