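---
# Hook definitions consumed by pre-commit (see https://pre-commit.com/#new-hooks).
# `files` / `exclude` are regexes matched against repository-relative paths;
# `require_serial: true` makes pre-commit hand the whole file list to a single
# hook invocation instead of sharding it across worker processes.
- id: infracost_breakdown
  name: Infracost breakdown
  description: Check terraform infrastructure cost
  entry: hooks/infracost_breakdown.sh
  language: script
  require_serial: true
  files: \.(tf|tofu|tfvars|hcl)$
  exclude: \.terraform/.*$

- id: terraform_fmt
  name: Terraform fmt
  description: >-
    Rewrites all Terraform configuration files to a canonical format.
  entry: hooks/terraform_fmt.sh
  language: script
  # Supported extensions by Terraform specified in
  # https://github.com/hashicorp/terraform/blob/0c63fb2b097edcd5cb1a91322765a414206fbea2/internal/command/fmt.go#L30-L35
  files: \.(tf|tofu|tfvars|tftest\.hcl|tfmock\.hcl)$
  exclude: \.terraform/.*$

- id: terraform_docs
  name: Terraform docs
  description: >-
    Inserts input and output documentation into README.md
    (using terraform-docs).
  require_serial: true
  entry: hooks/terraform_docs.sh
  language: script
  files: \.(tf|tofu|terraform\.lock\.hcl)$
  exclude: \.terraform/.*$

- id: terraform_docs_without_aggregate_type_defaults
  name: Terraform docs (without aggregate type defaults)
  description: >-
    Inserts input and output documentation into README.md
    (using terraform-docs). Identical to terraform_docs.
  require_serial: true
  entry: hooks/terraform_docs.sh
  language: script
  files: \.(tf|tofu)$
  exclude: \.terraform/.*$

- id: terraform_docs_replace
  name: Terraform docs (overwrite README.md)
  description: Overwrite content of README.md with terraform-docs.
  require_serial: true
  entry: python -Im pre_commit_terraform replace-docs
  language: python
  files: \.(tf|tofu)$
  exclude: \.terraform/.*$

- id: terraform_validate
  name: Terraform validate
  description: Validates all Terraform configuration files.
  require_serial: true
  entry: hooks/terraform_validate.sh
  language: script
  files: \.(tf|tofu|tfvars|terraform\.lock\.hcl)$
  exclude: \.terraform/.*$

- id: terraform_providers_lock
  name: Lock terraform provider versions
  description: Updates provider signatures in dependency lock files.
  require_serial: true
  entry: hooks/terraform_providers_lock.sh
  language: script
  files: (\.terraform\.lock\.hcl)$
  exclude: \.terraform/.*$

- id: terraform_tflint
  name: Terraform validate with tflint
  description: Validates all Terraform configuration files with TFLint.
  require_serial: true
  entry: hooks/terraform_tflint.sh
  language: script
  files: \.(tf|tofu|tfvars)$
  exclude: \.terraform/.*$

- id: terragrunt_fmt
  name: Terragrunt fmt
  description: >-
    Rewrites all Terragrunt configuration files to a canonical format.
  entry: hooks/terragrunt_fmt.sh
  language: script
  files: (\.hcl)$
  exclude: \.terraform/.*$

- id: terragrunt_validate
  name: Terragrunt validate
  description: Validates all Terragrunt configuration files.
  entry: hooks/terragrunt_validate.sh
  language: script
  files: (\.hcl)$
  exclude: \.terraform/.*$

- id: terragrunt_validate_inputs
  name: Terragrunt validate inputs
  description: Validates Terragrunt unused and undefined inputs.
  entry: hooks/terragrunt_validate_inputs.sh
  language: script
  files: (\.hcl)$
  exclude: \.terraform/.*$

- id: terragrunt_providers_lock
  name: Terragrunt providers lock
  description: >-
    Updates provider signatures in dependency lock files using terragrunt.
  entry: hooks/terragrunt_providers_lock.sh
  language: script
  files: (terragrunt|\.terraform\.lock)\.hcl$
  exclude: \.(terraform/.*|terragrunt-cache)$

- id: terraform_tfsec
  name: Terraform validate with tfsec (deprecated, use "terraform_trivy")
  description: >-
    Static analysis of Terraform templates to spot potential security issues.
  require_serial: true
  entry: hooks/terraform_tfsec.sh
  files: \.(tf|tofu|tfvars)$
  # Consistent with the sibling hooks: modules/providers cached under
  # .terraform/ are downloaded third-party code, not part of this repository,
  # so they are not handed to the scanner.
  exclude: \.terraform/.*$
  language: script

- id: terraform_trivy
  name: Terraform validate with trivy
  description: >-
    Static analysis of Terraform templates to spot potential security issues.
  require_serial: true
  entry: hooks/terraform_trivy.sh
  files: \.(tf|tofu|tfvars)$
  # Same rationale as terraform_tfsec: keep the .terraform/ cache out of the
  # file list passed to the scanner.
  exclude: \.terraform/.*$
  language: script

- id: checkov
  name: checkov (deprecated, use "terraform_checkov")
  description: Runs checkov on Terraform templates.
  # `pass_filenames: false` plus `-d .` scans the whole tree on every run;
  # `files` only decides whether the hook fires at all.
  entry: checkov -d .
  language: python
  pass_filenames: false
  always_run: false
  files: \.(tf|tofu)$
  exclude: \.terraform/.*$
  require_serial: true

- id: terraform_checkov
  name: Checkov
  description: Runs checkov on Terraform templates.
  entry: hooks/terraform_checkov.sh
  language: script
  always_run: false
  files: \.(tf|tofu)$
  exclude: \.terraform/.*$
  require_serial: true

- id: terraform_wrapper_module_for_each
  name: Terraform wrapper with for_each in module
  description: Generate Terraform wrappers with for_each in module.
  entry: hooks/terraform_wrapper_module_for_each.sh
  language: script
  pass_filenames: false
  always_run: false
  require_serial: true
  files: \.(tf|tofu)$
  exclude: \.terraform/.*$

- id: terrascan
  name: terrascan
  description: Runs terrascan on Terraform templates.
  language: script
  entry: hooks/terrascan.sh
  files: \.(tf|tofu)$
  exclude: \.terraform/.*$
  require_serial: true

- id: tfupdate
  name: tfupdate
  description: Runs tfupdate on Terraform templates.
  language: script
  entry: hooks/tfupdate.sh
  args:
    - --args=terraform
  files: \.(tf|tofu)$
  require_serial: true

# Docker-based versions of hooks (non-breaking additions)
#
# NOTE(review): every hook below runs a third-party container image with the
# repository mounted into it, and all of them reference the mutable `:latest`
# tag, so the toolchain that actually executes can change between two runs
# without any change in this file. For a reproducible, auditable setup pin the
# image by digest, e.g. `ghcr.io/<owner>/<image>@sha256:<digest>` (placeholder;
# take the digest from the registry), and bump it deliberately.
- id: terraform_fmt_docker
  name: Terraform fmt (Docker)
  description: >-
    Rewrites all Terraform configuration files to a canonical format using Docker.
    NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml
    if running on pre-commit.ci or other environments without Docker.
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
  language: docker_image
  args: [terraform, fmt]
  files: \.(tf|tofu|tfvars|tftest\.hcl|tfmock\.hcl)$
  exclude: \.terraform/.*$

- id: terraform_validate_docker
  name: Terraform validate (Docker)
  description: >-
    Validates all Terraform configuration files using Docker.
    Automatically runs 'terraform init' and retries validation if provider/module
    errors are detected.
    NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml
    if running on pre-commit.ci or other environments without Docker.
  require_serial: true
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
  language: docker_image
  # As the description says, this hook runs `terraform init`, i.e. it fetches
  # providers and modules from the network inside the container; expect it to
  # need registry access and to take noticeably longer than the other hooks.
  args:
    - /usr/bin/hooks/terraform_validate.sh
    - --hook-config=--retry-once-with-cleanup=true
    - --hook-config=--parallelism-ci-cpu-cores=2
    - --
    - .
  pass_filenames: false
  files: \.(tf|tofu|tfvars|terraform\.lock\.hcl)$
  exclude: \.terraform/.*$

- id: terraform_tflint_docker
  name: Terraform validate with tflint (Docker)
  description: >-
    Validates all Terraform configuration files with TFLint using Docker.
    NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml
    if running on pre-commit.ci or other environments without Docker.
  require_serial: true
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
  language: docker_image
  args: [tflint, --chdir=.]
  pass_filenames: false
  files: \.(tf|tofu|tfvars)$
  exclude: \.terraform/.*$

- id: terraform_docs_docker
  name: Terraform docs (Docker)
  description: >-
    Inserts input and output documentation into README.md using Docker.
    NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml
    if running on pre-commit.ci or other environments without Docker.
  require_serial: true
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
  language: docker_image
  args: [terraform-docs, markdown, table, ., --output-file, README.md]
  pass_filenames: false
  files: \.(tf|tofu|terraform\.lock\.hcl)$
  exclude: \.terraform/.*$

- id: terraform_checkov_docker
  name: Checkov (Docker)
  description: >-
    Runs checkov on Terraform templates using Docker.
    NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml
    if running on pre-commit.ci or other environments without Docker.
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
  language: docker_image
  args: [checkov, -d, .]
  pass_filenames: false
  always_run: false
  files: \.(tf|tofu)$
  exclude: \.terraform/.*$
  require_serial: true

- id: terraform_trivy_docker
  name: Terraform validate with trivy (Docker)
  description: >-
    Static analysis of Terraform templates to spot potential security issues
    using Docker.
    NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml
    if running on pre-commit.ci or other environments without Docker.
  require_serial: true
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
  language: docker_image
  args: [trivy, config, .]
  pass_filenames: false
  files: \.(tf|tofu|tfvars)$
  exclude: \.terraform/.*$

- id: infracost_breakdown_docker
  name: Infracost breakdown (Docker)
  description: >-
    Check terraform infrastructure cost using Docker.
    NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml
    if running on pre-commit.ci or other environments without Docker.
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
  language: docker_image
  args: [infracost, breakdown, --path, .]
  pass_filenames: false
  require_serial: true
  files: \.(tf|tofu|tfvars|hcl)$
  exclude: \.terraform/.*$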