This repo defines Git pre-commit hooks intended for use with pre-commit. The currently supported hooks are:
- terraform-fmt: Automatically run
terraform fmt
on all Terraform code (*.tf
files). - terraform-validate: Automatically run
terraform validate
on all Terraform code (*.tf
files). - packer-validate: Automatically run
packer validate
on all Packer code (*.pkr.*
files). - terragrunt-hclfmt: Automatically run
terragrunt hclfmt
on all Terragrunt configurations. - tflint: Automatically run
tflint
on all Terraform code (*.tf
files). - shellcheck: Run
shellcheck
to lint files that contain a bash shebang. - gofmt: Automatically run
gofmt
on all Golang code (*.go
files). - goimports: Automatically run
goimports
on all Golang code (*.go
files). - golint: Automatically run
golint
on all Golang code (*.go
files). [DEPRECATED]: Please usegolangci-lint
below. - golangci-lint: Automatically run
golangci-lint
on all Golang code (*.go
files). - yapf: Automatically run
yapf
on all python code (*.py
files). - helmlint Automatically run
helm lint
on your Helm chart files. See caveats here. - markdown-link-check Automatically run markdown-link-check on markdown doc files.
- sentinel-fmt: Automatically run
sentinel fmt
on all Sentinel code (*.sentinel.*
files).
In each of your repos, add a file called .pre-commit-config.yaml
with the following contents:
repos:
- repo: https://github.com/gruntwork-io/pre-commit
rev: <VERSION> # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
hooks:
- id: terraform-fmt
- id: terraform-validate
- id: tflint
- id: shellcheck
- id: gofmt
- id: golint
Next, have every developer:
- Install pre-commit. E.g.
brew install pre-commit
. - Run
pre-commit install
in the repo.
That’s it! Now every time you commit a code change (.tf
file), the hooks in the hooks:
config will execute.
If you'd like to format all of your code at once (rather than one file at a time), you can run:
pre-commit run terraform-fmt --all-files
If you'd like to enforce all your hooks, you can configure your CI build to fail if the code doesn't pass checks by adding the following to your build scripts:
pip install pre-commit
pre-commit install
pre-commit run --all-files
If all the hooks pass, the last command will exit with an exit code of 0. If any of the hooks make changes (e.g., because files are not formatted), the last command will exit with a code of 1, causing the build to fail.
The helmlint
pre-commit hook runs helm lint
on the charts that have been changed by the commit. It will run once per
changed chart that it detects.
Note that charts are detected by walking up the directory tree of the changed file and looking for a Chart.yaml
file
that exists on the path.
helm lint
requires input values to look for configuration errors in your helm chart. However, this means that the
linter needs a complete values file. Because we want to develop charts that define required values that the operator
should provide, we don't want to specify defaults for all the values the chart expects in the default values.yaml
file.
Therefore, to support this, this pre-commit hook looks for a special linter_values.yaml
file defined in the chart
path. This will be combined with the values.yaml
file before running helm lint
. In your charts, you should define
the required values in linter_values.yaml
.
For example, suppose you had a helm chart that defined two input values: containerImage
and containerTag
. Suppose
that your chart required containerImage
to be defined, but not containerTag
. To enforce this, you created the
following values.yaml
file for your chart:
# values.yaml
# containerImage is required and defines which image to use
# containerTag specifies the image tag to use. Defaults to latest.
containerTag: latest
If you run helm lint
on this chart, it will fail because somewhere in your chart you will reference
.Values.containerImage
which will be undefined with this values.yaml
file. To handle this, you can define a
linter_values.yaml
file that defines containerImage
:
# linter_values.yaml
containerImage: nginx
Now when the pre-commit hook runs, it will call helm lint
with both linter_values.yaml
and values.yaml
:
helm lint -f values.yaml -f linter_values.yaml .
To enable optional shellcheck features you can use the --enable
flag.
Other shellcheck flags can not be passed through.
repos:
- repo: https://github.com/gruntwork-io/pre-commit
rev: <VERSION>
hooks:
- id: shellcheck
args: ["--enable require-variable-braces,deprecate-which"]
With the introduction of --chdir
into tflint, the --config
argument is now bound to whatever subdirectory you are
running the check against. For mono-repos this isn't ideal as you may have a central configuration file you'd like to
use. If this matches your use-case, you can specify the placeholder __GIT_ROOT__
value in the --config
argument
that will evaluate to the root of the repository you are in.
repos:
- repo: https://github.com/gruntwork-io/pre-commit
rev: <VERSION>
hooks:
- id: tflint
args:
- "--config=__GIT_ROOT__/.tflint.hcl"
You can change the value of the placeholder by populating the PRECOMMIT_TFLINT_REPO_ROOT_KEYWORD
environment variable.
export PRECOMMIT_TFLINT_REPO_ROOT_KEYWORD=__foo__
cat <<EOF > .pre-commit-config.yaml
---
repos:
- repo: https://github.com/gruntwork-io/pre-commit
rev: v0.1.22
hooks:
- id: terragrunt-hclfmt
- id: tflint
args:
- "--config=__foo__/.tflint.hcl"
EOF
pre-commit run
This code is released under the Apache 2.0 License. Please see LICENSE and NOTICE for more details.
Copyright © 2019 Gruntwork, Inc.