add pre-commit + workflow

.github/git-chglog/CHANGELOG.tpl.md

@@ -13,4 +13,4 @@ Reverts
 {{- if .NoteGroups -}} {{ range .NoteGroups -}}
 
 {{ .Title }}
-{{ range .Notes }} {{ .Body }} {{ end }} {{ end -}} {{ end -}} {{ end -}}
+{{ range .Notes }} {{ .Body }} {{ end }} {{ end -}} {{ end -}} {{ end -}}

.github/git-chglog/config.yml

@@ -23,4 +23,4 @@ options:
       - Subject
   notes:
     keywords:
-      - BREAKING CHANGE
+      - BREAKING CHANGE

.github/workflows/ci-pull-request.yaml

@@ -51,4 +51,4 @@ jobs:
         run: |
           go install github.com/onsi/ginkgo/ginkgo@latest
       - name: Test
-        run: make test
+        run: make test

.github/workflows/pre-commit-check.yml

@@ -0,0 +1,32 @@
+name: Pre-commit Check
+
+on:
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Get changed files
+      uses: tj-actions/changed-files@v41
+      id: changed-files
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.x'
+
+    - name: Set up Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: latest
+
+    - name: Install pre-commit
+      run: pip install pre-commit
+
+    - name: Run pre-commit on changed files
+      run: |
+        pre-commit run --files ${{ steps.changed-files.outputs.all_changed_files }} --hook-stage push

.gitignore

@@ -31,4 +31,4 @@ crash.log
 .envrc
 .direnv
 .DS_Store
-.idea/
+.idea/

.pre-commit-config.yaml

@@ -0,0 +1,22 @@
+repos:
+  - repo: local
+    hooks:
+      - id: terraform_clean
+        name: "Terraform Cleanup"
+        pass_filenames: false
+        language: system
+        entry: bash -c "find . \( -iname ".terraform*" ! -iname ".terraform-docs*" ! -path "*/test/*" \) -print0 | xargs -0 rm -r; true"
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.88.4
+    hooks:
+      - id: terraform_fmt
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: no-commit-to-branch
+        args: [--branch, main, --pattern, ".*/.*"]

CONTRIBUTING.md

@@ -31,4 +31,4 @@ It's recommended to use an .envrc file to keep environment variables under contr
 
 ## Release
 
-- push a new tag and the Github Action will draft a release (with notes)
+- push a new tag and the Github Action will draft a release (with notes)

LICENSE.txt

@@ -198,4 +198,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

Makefile

@@ -27,4 +27,4 @@ clean:
 
 .PHONY: test
 test:
-	$(MAKE) -C test test
+	$(MAKE) -C test test

modules/agentless-scanning/locals.tf

@@ -9,10 +9,10 @@ data "aws_organizations_organization" "org" {
 locals {
   # check if both old and new org parameters are provided, we fail early
   both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && (
-  length(var.include_ouids) > 0 ||
-  length(var.exclude_ouids) > 0 ||
-  length(var.include_accounts) > 0 ||
-  length(var.exclude_accounts) > 0
+    length(var.include_ouids) > 0 ||
+    length(var.exclude_ouids) > 0 ||
+    length(var.include_accounts) > 0 ||
+    length(var.exclude_accounts) > 0
   )
 
   # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it
@@ -25,14 +25,14 @@ locals {
 
 check "validate_org_configuration_params" {
   assert {
-    condition     = length(var.org_units) == 0  # if this condition is false we throw warning
+    condition     = length(var.org_units) == 0 # if this condition is false we throw warning
     error_message = <<-EOT
     WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead.
     EOT
   }
 
   assert {
-    condition     = !local.both_org_configuration_params  # if this condition is false we throw error
+    condition     = !local.both_org_configuration_params # if this condition is false we throw error
     error_message = <<-EOT
     ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated,
     ONLY org_units will be considered. Please use only one of the two methods.
@@ -70,19 +70,19 @@ locals {
     # case1 - if old method is used where ONLY org_units is provided, use those
     local.check_old_ouid_param ? (
       "old_ouid_param"
-    ) : (
+      ) : (
       # case2 - if no include/exclude ous provided, include entire org
       var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? (
         "entire_org"
-      ) : (
+        ) : (
         # case3 - if only included ouids provided, include those ous only
         var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? (
           "included_ous_only"
-        ) : (
+          ) : (
           # case4 - if only excluded ouids provided, exclude their accounts from rest of org
           var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? (
             "excluded_ous_only"
-          ) : (
+            ) : (
             # case5 - if both include and exclude ouids are provided, includes override excludes
             var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? (
               "mixed_ous"
@@ -99,7 +99,7 @@ locals {
       org_units_to_deploy = var.org_units
     }
     entire_org = {
-       org_units_to_deploy = local.root_org_unit
+      org_units_to_deploy = local.root_org_unit
     }
     included_ous_only = {
       org_units_to_deploy = var.include_ouids
@@ -117,7 +117,7 @@ locals {
     }
   }
 
-  # final targets to deploy organizational resources in
+  # final targets to detargets to deploy organizational resources in
   deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default)
 
   // check if root is part of the excluded_ouids
@@ -140,15 +140,15 @@ locals {
     # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop
     local.check_old_ouid_param ? (
       "NONE"
-    ) : (
+      ) : (
       # case2 - if only included accounts provided, include those accts as well
       var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? (
         "UNION"
-      ) : (
+        ) : (
         # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts
-        var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? (
+        var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? (
           "DIFFERENCE"
-        ) : (
+          ) : (
           # case4 - if both include and exclude accounts are provided, includes override excludes
           var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? (
             "MIXED"
@@ -158,30 +158,30 @@ locals {
     )
   )
 
-  ou_accounts_to_exclude = flatten([ for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude: [ ou_accounts.accounts[*].id ] ])
-  accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts)
+  ou_accounts_to_exclude = flatten([for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude : [ou_accounts.accounts[*].id]])
+  accounts_to_exclude    = setunion(local.ou_accounts_to_exclude, var.exclude_accounts)
 
   # switch cases for various user provided accounts configuration to be onboarded
   deployment_account_options = {
     NONE = {
-      accounts_to_deploy = []
+      accounts_to_deploy  = []
       account_filter_type = "NONE"
     }
     UNION = {
-      accounts_to_deploy = var.include_accounts
+      accounts_to_deploy  = var.include_accounts
       account_filter_type = "UNION"
     }
     DIFFERENCE = {
-      accounts_to_deploy = local.accounts_to_exclude
+      accounts_to_deploy  = local.accounts_to_exclude
       account_filter_type = "DIFFERENCE"
     }
     MIXED = {
-      accounts_to_deploy = var.include_accounts
+      accounts_to_deploy  = var.include_accounts
       account_filter_type = "UNION"
     }
     default = {
       # default when neither of include/exclude accounts are provided
-      accounts_to_deploy = []
+      accounts_to_deploy  = []
       account_filter_type = "NONE"
     }
   }
@@ -198,6 +198,6 @@ locals {
   # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested.
   # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter.
   # i.e till we can't deploy UNION, we deploy it all
-  deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy
+  deployment_targets_org_units       = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy
   deployment_targets_accounts_filter = local.deployment_targets_accounts.account_filter_type == "UNION" ? "NONE" : local.deployment_targets_accounts.account_filter_type
-}
+}

modules/agentless-scanning/main.tf

@@ -124,8 +124,8 @@ EOF
 }
 
 resource "aws_iam_role_policy_attachments_exclusive" "scanning_stackset_execution_role_managed_policy" {
-  count       = !var.auto_create_stackset_roles ? 0 : 1
-  role_name   = aws_iam_role.scanning_stackset_execution_role[0].id
+  count     = !var.auto_create_stackset_roles ? 0 : 1
+  role_name = aws_iam_role.scanning_stackset_execution_role[0].id
   policy_arns = [
     "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser",
     "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess",
@@ -182,7 +182,7 @@ Resources:
           Statement:
           - Sid: "Read"
             Effect: "Allow"
-            Action: 
+            Action:
             - "ec2:Describe*"
             Resource: "*"
             Condition:
@@ -273,7 +273,7 @@ Resources:
         - Sid: "SysdigAllowKms"
           Effect: "Allow"
           Principal:
-            AWS: 
+            AWS:
             - "arn:aws:iam::${data.sysdig_secure_agentless_scanning_assets.assets.aws.account_id}:root"
             - !GetAtt ScanningRole.Arn
           Action:
@@ -288,7 +288,7 @@ Resources:
         - Sid: "AllowCustomerManagement"
           Effect: "Allow"
           Principal:
-            AWS: 
+            AWS:
             - "arn:aws:iam::${local.account_id}:root"
             - "${local.caller_arn}"
             - "arn:aws:iam::${local.account_id}:role/${local.execution_role_name}"
@@ -310,8 +310,8 @@ TEMPLATE
 
 # stackset instance to deploy resources for agentless scanning, in all regions of given account
 resource "aws_cloudformation_stack_set_instance" "primary_acc_stackset_instance" {
-  for_each = local.region_set
-  stack_set_instance_region   = each.key
+  for_each                  = local.region_set
+  stack_set_instance_region = each.key
 
   stack_set_name = aws_cloudformation_stack_set.primary_acc_stackset.name
   operation_preferences {
@@ -365,4 +365,4 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_crypto_key" {
       }
     }
   })
-}
+}

modules/agentless-scanning/organizational.tf

@@ -59,7 +59,7 @@ Resources:
           Statement:
           - Sid: "Read"
             Effect: "Allow"
-            Action: 
+            Action:
             - "ec2:Describe*"
             Resource: "*"
             Condition:
@@ -150,7 +150,7 @@ Resources:
         - Sid: "SysdigAllowKms"
           Effect: "Allow"
           Principal:
-            AWS: 
+            AWS:
             - "arn:aws:iam::${data.sysdig_secure_agentless_scanning_assets.assets.aws.account_id}:root"
             - !GetAtt ScanningRole.Arn
           Action:
@@ -165,7 +165,7 @@ Resources:
         - Sid: "AllowCustomerManagement"
           Effect: "Allow"
           Principal:
-            AWS: 
+            AWS:
             - !Sub "arn:aws:iam::$${AWS::AccountId}:root"
             - "${local.caller_arn}"
             - !Sub "arn:aws:iam::$${AWS::AccountId}:role/aws-service-role/member.org.stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgMember"
@@ -188,8 +188,8 @@ resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" {
     "${pair[0]}-${pair[1]}" => pair
   } : {}
 
-  stack_set_instance_region         = each.value[0]
-  stack_set_name = aws_cloudformation_stack_set.ou_resources_stackset[0].name
+  stack_set_instance_region = each.value[0]
+  stack_set_name            = aws_cloudformation_stack_set.ou_resources_stackset[0].name
   deployment_targets {
     organizational_unit_ids = [each.value[1]]
     accounts                = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy)

modules/agentless-scanning/outputs.tf

@@ -8,4 +8,4 @@ output "crypto_key_component_id" {
   value       = "${sysdig_secure_cloud_auth_account_component.aws_crypto_key.type}/${sysdig_secure_cloud_auth_account_component.aws_crypto_key.instance}"
   description = "Component identifier of KMS crypto key created in Sysdig Backend for Agentless Scanning"
   depends_on  = [sysdig_secure_cloud_auth_account_component.aws_crypto_key]
-}
+}

modules/agentless-scanning/variables.tf

@@ -109,4 +109,4 @@ variable "exclude_accounts" {
   description = "(Optional) accounts to exclude for organization"
   type        = set(string)
   default     = []
-}
+}