Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Print out the full path in tflint when run through pre-commit #357

Closed
wants to merge 4 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions hooks/_common.sh
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,7 @@ function common::per_dir_hook {
# run hook for each path
for dir_path in $(echo "${dir_paths[*]}" | tr ' ' '\n' | sort -u); do
dir_path="${dir_path//__REPLACED__SPACE__/ }"
pushd "$dir_path" > /dev/null || continue
[ ! -d "$dir_path" ] && continue
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, not mention that. Lmc

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, with that change it can work, but need to check that all hooks will work properly

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TFLint can't find TF modules by relative source without pushd

Copy link
Collaborator

@MaxymVlasov MaxymVlasov Apr 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

repos:
- repo: https://github.com/thomaslast/pre-commit-terraform
  rev: afde258978090e4d2382fd90bb230347d0b349ac

✅ Work as expected
☑️ - Able to check only passed, not fail scenario
✖️ - work, but not print full path
❌ - failed to start
Not checked

checkov (python, not affected hook)
infracost_breakdown
terraform_docs_replace (deprecated, python, not affected hook)
✖️ terraform_docs_without_aggregate_type_defaults
✖️ terraform_docs
terraform_fmt
terraform_providers_lock
terraform_tflint
terraform_tfsec
☑️ terraform_validate
✖️ terragrunt_fmt
☑️ terragrunt_validate
terrascan


per_dir_hook_unique_part "$args" "$dir_path"

Expand All @@ -147,7 +147,6 @@ function common::per_dir_hook {
final_exit_code=$exit_code
fi

popd > /dev/null
done

# restore errexit if it was set before the "for" loop
Expand Down
5 changes: 2 additions & 3 deletions hooks/terraform_fmt.sh
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ function terraform_fmt_ {
# run hook for each path
for dir_path in $(echo "${dir_paths[*]}" | tr ' ' '\n' | sort -u); do
dir_path="${dir_path//__REPLACED__SPACE__/ }"
pushd "$dir_path" > /dev/null || continue
[ ! -d "$dir_path" ] && continue

per_dir_hook_unique_part "$args" "$dir_path"

Expand All @@ -67,7 +67,6 @@ function terraform_fmt_ {
final_exit_code=$exit_code
fi

popd > /dev/null
done

# TODO: Unique part
Expand Down Expand Up @@ -105,7 +104,7 @@ function per_dir_hook_unique_part {

# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
terraform fmt ${args[@]}
terraform fmt ${args[@]} "$dir_path"

# return exit code to common::per_dir_hook
local exit_code=$?
Expand Down
2 changes: 1 addition & 1 deletion hooks/terraform_providers_lock.sh
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ function per_dir_hook_unique_part {

# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
terraform providers lock ${args[@]}
terraform providers lock ${args[@]} "$dir_path"

# return exit code to common::per_dir_hook
local exit_code=$?
Expand Down
4 changes: 2 additions & 2 deletions hooks/terraform_tflint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -36,11 +36,11 @@ function per_dir_hook_unique_part {

# Print checked PATH **only** if TFLint have any messages
# shellcheck disable=SC2091,SC2068 # Suppress error output
$(tflint ${args[@]} 2>&1) 2> /dev/null || {
$(tflint ${args[@]} "$dir_path" 2>&1) 2> /dev/null || {
common::colorify "yellow" "TFLint in $dir_path/:"

# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
tflint ${args[@]}
tflint ${args[@]} "$dir_path"
}

# return exit code to common::per_dir_hook
Expand Down
2 changes: 1 addition & 1 deletion hooks/terraform_tfsec.sh
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ function per_dir_hook_unique_part {

# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
tfsec ${args[@]}
tfsec ${args[@]} "$dir_path"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not quite sure since I don't use tfsec often, though its help page states that directory argument should come first:

> tfsec -h | head -5
tfsec is a simple tool to detect potential security vulnerabilities in your terraformed infrastructure.

Usage:
  tfsec [directory] [flags]

Could you please verify this hook and put dir arg before the rest of args to align with tfsec usage? Thanks.


# return exit code to common::per_dir_hook
local exit_code=$?
Expand Down
2 changes: 1 addition & 1 deletion hooks/terragrunt_fmt.sh
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ function per_dir_hook_unique_part {

# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
terragrunt hclfmt ${args[@]}
terragrunt hclfmt ${args[@]} "$dir_path"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on https://terragrunt.gruntwork.io/docs/reference/cli-options/#hclfmt this wouldn't work for terragrunt. The hclfmt recursively searches current working dir and isn't compatible with providing target working dir as a command line argument, hence the terragrunt hclfmt hook need an explicit pushd/popd workaround.


# return exit code to common::per_dir_hook
local exit_code=$?
Expand Down
2 changes: 1 addition & 1 deletion hooks/terragrunt_validate.sh
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ function per_dir_hook_unique_part {

# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
terragrunt validate ${args[@]}
terragrunt validate ${args[@]} "$dir_path"

# return exit code to common::per_dir_hook
local exit_code=$?
Expand Down
2 changes: 1 addition & 1 deletion hooks/terrascan.sh
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ function per_dir_hook_unique_part {

# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
terrascan scan -i terraform ${args[@]}
terrascan scan -i terraform ${args[@]} "$dir_path"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To provide target working directory to terrascan the -d, --iac-dir string command line flag must be provided:

> terrascan scan -h | fgrep -- --iac-dir
  -d, --iac-dir string            path to a directory containing one or more IaC files (default ".")

Please fix.


# return exit code to common::per_dir_hook
local exit_code=$?
Expand Down