Merge branch 'master' into feat/GH-303/add_unit_tests

.dockerignore

@@ -2,3 +2,4 @@
 !.dockerignore
 !Dockerfile
 !tools/entrypoint.sh
+!tools/install/*.sh

.github/.container-structure-test-config.yaml

@@ -10,10 +10,10 @@ commandTests:
     args: ["-V"]
     expectedOutput: ["^pre-commit ([0-9]+\\.){2}[0-9]+\\n$"]
 
-  - name: "terraform"
-    command: "terraform"
-    args: ["-version"]
-    expectedOutput: ["^Terraform v([0-9]+\\.){2}[0-9]+\\non linux_amd64\\n$"]
+  - name: "gcc"
+    command: "gcc"
+    args: ["--version"]
+    expectedOutput: ["^gcc \\(Alpine 12\\."]
 
   - name: "checkov"
     command: "checkov"
@@ -23,12 +23,22 @@ commandTests:
   - name: "infracost"
     command: "infracost"
     args: ["--version"]
-    expectedOutput: ["^Infracost v([0-9]+\\.){2}[0-9]+\\n$"]
+    expectedOutput: ["^Infracost v([0-9]+\\.){2}[0-9]+"]
+
+  - name: "opentofu"
+    command: "tofu"
+    args: ["-version"]
+    expectedOutput: ["^OpenTofu v([0-9]+\\.){2}[0-9]+\\n"]
+
+  - name: "terraform"
+    command: "terraform"
+    args: ["-version"]
+    expectedOutput: ["^Terraform v([0-9]+\\.){2}[0-9]+\\n"]
 
   - name: "terraform-docs"
     command: "terraform-docs"
     args: ["--version"]
-    expectedOutput: ["^terraform-docs version v([0-9]+\\.){2}[0-9]+ [a-z0-9]+ linux/amd64\\n$"]
+    expectedOutput: ["^terraform-docs version v([0-9]+\\.){2}[0-9]+ [a-z0-9]+"]
 
   - name: "terragrunt"
     command: "terragrunt"
@@ -43,13 +53,18 @@ commandTests:
   - name: "tflint"
     command: "tflint"
     args: [ "--version" ]
-    expectedOutput: [ "TFLint version ([0-9]+\\.){2}[0-9]+\\n$" ]
+    expectedOutput: [ "TFLint version ([0-9]+\\.){2}[0-9]+\\n" ]
 
   - name: "tfsec"
     command: "tfsec"
     args: [ "--version" ]
     expectedOutput: [ "([0-9]+\\.){2}[0-9]+\\n$" ]
 
+  - name: "trivy"
+    command: "trivy"
+    args: [ "--version" ]
+    expectedOutput: [ "Version: ([0-9]+\\.){2}[0-9]+\\n" ]
+
   - name: "tfupdate"
     command: "tfupdate"
     args: [ "--version" ]
@@ -73,6 +88,11 @@ commandTests:
     command: "su-exec"
     expectedOutput: ["^Usage: su-exec user-spec command \\[args\\]\\n$"]
 
+  - name: "ssh"
+    command: "ssh"
+    args: [ "-V" ]
+    expectedError: ["^OpenSSH_9\\.[0-9]+"]
+
 fileExistenceTests:
   - name: 'terrascan init'
     path: '/root/.terrascan/pkg/policies/opa/rego/github/github_repository/privateRepoEnabled.rego'

.github/.dive-ci.yaml

@@ -1,13 +1,13 @@
 rules:
   # If the efficiency is measured below X%, mark as failed.
   # Expressed as a ratio between 0-1.
-  lowestEfficiency: 0.99
+  lowestEfficiency: 0.981
 
   # If the amount of wasted space is at least X or larger than X, mark as failed.
   # Expressed in B, KB, MB, and GB.
-  highestWastedBytes: 12MB
+  highestWastedBytes: 32MB
 
   # If the amount of wasted space makes up for X% or more of the image, mark as failed.
   # Note: the base image layer is NOT included in the total image size.
   # Expressed as a ratio between 0-1; fails if the threshold is met or crossed.
-  highestUserWastedPercent: 0.02
+  highestUserWastedPercent: 0.036

.github/CONTRIBUTING.md

@@ -12,6 +12,7 @@ Enjoy the clean, valid, and documented code!
   * [Run via Docker](#run-via-docker)
   * [Check results](#check-results)
   * [Cleanup](#cleanup)
+* [Required tools and plugins to simplify review process](#required-tools-and-plugins-to-simplify-review-process)
 * [Add new hook](#add-new-hook)
   * [Before write code](#before-write-code)
   * [Prepare basic documentation](#prepare-basic-documentation)
@@ -98,6 +99,13 @@ Results will be located at `./test/results` dir.
 sudo rm -rf tests/results
 ```
 
+## Required tools and plugins to simplify review process
+
+1. [editorconfig.org](https://editorconfig.org/) (preinstalled in some IDE)
+2. [pre-commit](https://pre-commit.com/#install)
+3. (Optional) If you use VS Code - feel free to install all recommended extensions
+
+
 ## Add new hook
 
 You can use [this PR](https://github.com/antonbabenko/pre-commit-terraform/pull/252) as an example.
@@ -106,13 +114,18 @@ You can use [this PR](https://github.com/antonbabenko/pre-commit-terraform/pull/
 
 1. Try to figure out future hook usage.
 2. Confirm the concept with [Anton Babenko](https://github.com/antonbabenko).
+3. Install [required tools and plugins](#required-tools-and-plugins-to-simplify-review-process)
+
 
 ### Prepare basic documentation
 
 1. Identify and describe dependencies in [Install dependencies](../README.md#1-install-dependencies) and [Available Hooks](../README.md#available-hooks) sections
 
 ### Add code
 
+> [!TIP]
+> Here is a screencast of [how to add new dependency in `tools/install/`](https://github.com/antonbabenko/pre-commit-terraform/assets/11096782/8fc461e9-f163-4592-9497-4a18fa89c0e8) - used in Dockerfile
+
 1. Based on prev. block, add hook dependencies installation to [Dockerfile](../Dockerfile).  
     Check that works:
     * `docker build -t pre-commit --build-arg INSTALL_ALL=true .`

.github/ISSUE_TEMPLATE/bug_report_docker.md

@@ -74,7 +74,7 @@ INSERT_OUTPUT_HERE
 
 <details><summary>file content</summary>
 
-```bash
+```yaml
 INSERT_FILE_CONTENT_HERE
 ```
 

.github/ISSUE_TEMPLATE/bug_report_local_install.md

@@ -78,17 +78,20 @@ Linux DESKTOP-C7315EF 5.4.72-microsoft-standard-WSL2 #1 SMP Wed Oct 28 23:40:43
 bash << EOF
 bash --version | head -n 1                2>/dev/null || echo "bash SKIPPED"
 pre-commit --version                      2>/dev/null || echo "pre-commit SKIPPED"
+tofu --version | head -n 1                2>/dev/null || echo "opentofu SKIPPED"
 terraform --version | head -n 1           2>/dev/null || echo "terraform SKIPPED"
 python --version                          2>/dev/null || echo "python SKIPPED"
 python3 --version                         2>/dev/null || echo "python3 SKIPPED"
-echo -n "checkov " && checkov --version   2>/dev/null || echo "checkov SKIPPED"
+echo -n "checkov " && checkov --version   2>/dev/null || echo "SKIPPED"
+infracost --version                       2>/dev/null || echo "infracost SKIPPED"
 terraform-docs --version                  2>/dev/null || echo "terraform-docs SKIPPED"
 terragrunt --version                      2>/dev/null || echo "terragrunt SKIPPED"
-echo -n "terrascan " && terrascan version 2>/dev/null || echo "terrascan SKIPPED"
+echo -n "terrascan " && terrascan version 2>/dev/null || echo "SKIPPED"
 tflint --version                          2>/dev/null || echo "tflint SKIPPED"
-echo -n "tfsec " && tfsec --version       2>/dev/null || echo "tfsec SKIPPED"
-echo -n "tfupdate " && tfupdate --version 2>/dev/null || echo "tfupdate SKIPPED"
-echo -n "hcledit " && hcledit version     2>/dev/null || echo "hcledit SKIPPED"
+echo -n "tfsec " && tfsec --version       2>/dev/null || echo "SKIPPED"
+echo -n "trivy " && trivy --version       2>/dev/null || echo "SKIPPED"
+echo -n "tfupdate " && tfupdate --version 2>/dev/null || echo "SKIPPED"
+echo -n "hcledit " && hcledit version     2>/dev/null || echo "SKIPPED"
 EOF
 
 -->
@@ -102,7 +105,7 @@ INSERT_TOOLS_VERSIONS_HERE
 
 <details><summary>file content</summary>
 
-```bash
+```yaml
 INSERT_FILE_CONTENT_HERE
 ```
 

.github/workflows/build-image-test.yaml

@@ -7,44 +7,83 @@ env:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+        arch: [amd64, arm64]
+
+    runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
 
-      - name: Get changed Dockerfile
+      - name: Get changed Docker related files
         id: changed-files-specific
-        uses: tj-actions/changed-files@v13.1
+        uses: tj-actions/changed-files@d6babd6899969df1a11d14c368283ea4436bca78 # v44.5.2
         with:
           files: |
             Dockerfile
             .dockerignore
             tools/entrypoint.sh
+            .github/workflows/build-image-test.yaml
+            tools/*.sh
+
+      - name: Set up QEMU
+        if: matrix.os != 'ubuntu-latest' || matrix.arch != 'amd64'
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        with:
+          platforms: 'arm64'
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
       - name: Build if Dockerfile changed
         if: steps.changed-files-specific.outputs.any_changed == 'true'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@94f8f8c2eec4bc3f1d78c1755580779804cb87b2 # v6.0.1
         with:
           context: .
           build-args: |
             INSTALL_ALL=true
-          platforms: linux/amd64
+          platforms: linux/${{ matrix.arch }} # Only one allowed here, see https://github.com/docker/buildx/issues/59#issuecomment-1433097926
           push: false
+          load: true
           tags: |
             ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
+          # Fix multi-platform: https://github.com/docker/buildx/issues/1533
+          provenance: false
+          secrets: |
+            "github_token=${{ secrets.GITHUB_TOKEN }}"
 
       - name: Run structure tests
         if: steps.changed-files-specific.outputs.any_changed == 'true'
-        uses: plexsystems/container-structure-test-action@v0.1.0
+        uses: plexsystems/container-structure-test-action@c0a028aa96e8e82ae35be556040340cbb3e280ca # v0.3.0
         with:
           image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
           config: .github/.container-structure-test-config.yaml
 
       - name: Dive - check image for waste files
         if: steps.changed-files-specific.outputs.any_changed == 'true'
-        uses: MaxymVlasov/dive-action@v0.1.0
+        uses: MaxymVlasov/dive-action@379af3fc636888ada5899c997e8b52db6ad45023 # v1.0.1
         with:
           image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
           config-file: ${{ github.workspace }}/.github/.dive-ci.yaml
           github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Can't build both platforms and use --load at the same time
+      # https://github.com/docker/buildx/issues/59#issuecomment-1433097926
+      - name: Build Multi-arch docker-image
+        if: steps.changed-files-specific.outputs.any_changed == 'true' && matrix.os == 'ubuntu-latest' && matrix.arch == 'amd64'
+        uses: docker/build-push-action@94f8f8c2eec4bc3f1d78c1755580779804cb87b2 # v6.0.1
+        with:
+          context: .
+          build-args: |
+            INSTALL_ALL=true
+          platforms: linux/amd64,linux/arm64
+          push: false
+          tags: |
+            ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
+          # Fix multi-platform: https://github.com/docker/buildx/issues/1533
+          provenance: false
+          secrets: |
+            "github_token=${{ secrets.GITHUB_TOKEN }}"

.github/workflows/build-image.yaml

@@ -13,40 +13,53 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set tag for image
         run: |
           echo IMAGE_TAG=$([ ${{ github.ref_type }} == 'tag' ] && echo ${{ github.ref_name }} || echo 'latest') >> $GITHUB_ENV
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+
       - name: Build and Push release
         if: github.event_name != 'schedule'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@94f8f8c2eec4bc3f1d78c1755580779804cb87b2 # v6.0.1
         with:
           context: .
           build-args: |
             INSTALL_ALL=true
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: |
             ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
             ghcr.io/${{ github.repository }}:latest
+          # Fix multi-platform: https://github.com/docker/buildx/issues/1533
+          provenance: false
+          secrets: |
+            "github_token=${{ secrets.GITHUB_TOKEN }}"
+
       - name: Build and Push nightly
         if: github.event_name == 'schedule'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@94f8f8c2eec4bc3f1d78c1755580779804cb87b2 # v6.0.1
         with:
           context: .
           build-args: |
             INSTALL_ALL=true
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: |
             ghcr.io/${{ github.repository }}:nightly
+          # Fix multi-platform: https://github.com/docker/buildx/issues/1533
+          provenance: false
+          secrets: |
+            "github_token=${{ secrets.GITHUB_TOKEN }}"

.github/workflows/pr-title.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       # Please look up the latest version from
       # https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@cfb60706e18bc85e8aec535e3c577abe8f70378e # v5.5.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/pre-commit.yaml

@@ -6,7 +6,7 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - run: |
         git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
 
@@ -31,16 +31,16 @@ jobs:
         curl -L "$(curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest | grep -o -E -m 1 "https://.+?/hadolint-Linux-x86_64")" > hadolint \
         && chmod +x hadolint && sudo mv hadolint /usr/bin/
     # Need to success pre-commit fix push
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         fetch-depth: 0
         ref: ${{ github.event.pull_request.head.sha }}
     # Skip terraform_tflint which interferes to commit pre-commit auto-fixes
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
       with:
         python-version: '3.9'
     - name: Execute pre-commit
-      uses: pre-commit/[email protected].0
+      uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3
       env:
         SKIP: no-commit-to-branch,hadolint
       with:
@@ -49,7 +49,7 @@ jobs:
     # Run only skipped checks
     - name: Execute pre-commit check that have no auto-fixes
       if: always()
-      uses: pre-commit/[email protected].0
+      uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3
       env:
         SKIP: check-added-large-files,check-merge-conflict,check-vcs-permalinks,forbid-new-submodules,no-commit-to-branch,end-of-file-fixer,trailing-whitespace,check-yaml,check-merge-conflict,check-executables-have-shebangs,check-case-conflict,mixed-line-ending,detect-aws-credentials,detect-private-key,shfmt,shellcheck
       with:

.github/workflows/release.yml

@@ -18,13 +18,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Release
-        uses: cycjimmy/semantic-release-action@v2
+        uses: cycjimmy/semantic-release-action@cb425203a562475bca039ba4dbf90c7f9ac790f4 # v4.1.0
         with:
           semantic_version: 18.0.0
           extra_plugins: |