From d1abce12531d06eb650eea0b13de95976c38c73b Mon Sep 17 00:00:00 2001 From: Andrii Veklychev Date: Wed, 21 Feb 2024 00:10:56 +0100 Subject: [PATCH 01/12] feat: add terragrunt_providers_lock hook --- .pre-commit-hooks.yaml | 8 ++++ hooks/terragrunt_providers_lock.sh | 70 ++++++++++++++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 hooks/terragrunt_providers_lock.sh diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index 40c2cb072..347c4604c 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml @@ -85,6 +85,14 @@ files: (\.hcl)$ exclude: \.terraform/.*$ +- id: terragrunt_providers_lock + name: Lock terraform provider versions with Terragrunt + description: Updates provider signatures in dependency lock files with terragrunt. + entry: hooks/terragrunt_providers_lock.sh + language: script + files: (\.terraform\.lock\.hcl)$ + exclude: \.terraform/.*$ + - id: terraform_tfsec name: Terraform validate with tfsec (deprecated, use "terraform_trivy") description: Static analysis of Terraform templates to spot potential security issues. diff --git a/hooks/terragrunt_providers_lock.sh b/hooks/terragrunt_providers_lock.sh new file mode 100644 index 000000000..f05a571c4 --- /dev/null +++ b/hooks/terragrunt_providers_lock.sh 
@@ -0,0 +1,70 @@ +#!/usr/bin/env bash +set -eo pipefail + +# globals variables +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" + +function main { + common::initialize "$SCRIPT_DIR" + common::parse_cmdline "$@" + common::export_provided_env_vars "${ENV_VARS[@]}" + common::parse_and_export_env_vars + # JFYI: terragrunt providers lock color already suppressed via PRE_COMMIT_COLOR=never + + # shellcheck disable=SC2153 # False positive + common::per_dir_hook "$HOOK_ID" "${#ARGS[@]}" "${ARGS[@]}" "${FILES[@]}" +} + +####################################################################### +# Unique part of `common::per_dir_hook`. The function is executed in loop +# on each provided dir path. Run wrapped tool with specified arguments +# Arguments: +# dir_path (string) PATH to dir relative to git repo root. +# Can be used in error logging +# change_dir_in_unique_part (string/false) Modifier which creates +# possibilities to use non-common chdir strategies. +# Availability depends on hook. +# parallelism_disabled (bool) if true - skip lock mechanism +# args (array) arguments that configure wrapped tool behavior +# Outputs: +# If failed - print out hook checks status +####################################################################### +function per_dir_hook_unique_part { + # shellcheck disable=SC2034 # Unused var. + local -r dir_path="$1" + # shellcheck disable=SC2034 # Unused var. + local -r change_dir_in_unique_part="$2" + # shellcheck disable=SC2034 # Unused var. + local -r parallelism_disabled="$3" + shift 3 + local -a -r args=("$@") + + # pass the arguments to hook + terragrunt providers lock "${args[@]}" + + # return exit code to common::per_dir_hook + local exit_code=$? 
+ return $exit_code +} + +####################################################################### +# Unique part of `common::per_dir_hook`. The function is executed one time +# in the root git repo +# Arguments: +# args (array) arguments that configure wrapped tool behavior +####################################################################### +function run_hook_on_whole_repo { + local -a -r args=("$@") + + # pass the arguments to hook + terragrunt run-all providers lock "${args[@]}" + + # return exit code to common::per_dir_hook + local exit_code=$? + return $exit_code +} + +[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@" From 78fb7a8945132866f79b5906bbab446b7c03a6b2 Mon Sep 17 00:00:00 2001 From: Andrii Veklychev Date: Wed, 21 Feb 2024 00:40:32 +0100 Subject: [PATCH 02/12] make executable --- .pre-commit-hooks.yaml | 2 +- hooks/terragrunt_providers_lock.sh | 0 2 files changed, 1 insertion(+), 1 deletion(-) mode change 100644 => 100755 hooks/terragrunt_providers_lock.sh diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index 347c4604c..eb59e3e9f 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml @@ -90,7 +90,7 @@ description: Updates provider signatures in dependency lock files with terragrunt. entry: hooks/terragrunt_providers_lock.sh language: script - files: (\.terraform\.lock\.hcl)$ + files: (\.hcl|\.terraform\.lock\.hcl)$ exclude: \.terraform/.*$ - id: terraform_tfsec diff --git a/hooks/terragrunt_providers_lock.sh b/hooks/terragrunt_providers_lock.sh old mode 100644 new mode 100755 From 5b9e33a88fc3485f492ea249ccfa80410d9b5e35 Mon Sep 17 00:00:00 2001 From: Andrii Veklychev Date: Wed, 21 Feb 2024 01:02:31 +0100 Subject: [PATCH 03/12] update readme --- .pre-commit-hooks.yaml | 6 +++--- README.md | 16 ++++++++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index eb59e3e9f..5a3426bbd 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml 
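Review bot: Neither function header in hooks/terragrunt_providers_lock.sh (PATCH 01/12) says that the wrapped command rewrites `.terraform.lock.hcl` in place; both `per_dir_hook_unique_part` and `run_hook_on_whole_repo` end in a `providers lock` call, and the README text later in this series says terragrunt runs an init under the hood. The checksums in that file are what later provider installs are verified against, so a hook that refreshes them at commit time deserves an explicit note. I would add above each call something like `# Rewrites .terraform.lock.hcl in place with freshly fetched provider checksums; review the resulting diff like any other dependency pin change`. The `run-all` variant presumably also touches every module terragrunt discovers under the repo root, not only the changed directories, which is worth stating in its header.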
@@ -86,11 +86,11 @@ exclude: \.terraform/.*$ - id: terragrunt_providers_lock - name: Lock terraform provider versions with Terragrunt - description: Updates provider signatures in dependency lock files with terragrunt. + name: Terragrunt providers lock + description: Updates provider signatures in dependency lock files using terragrunt. entry: hooks/terragrunt_providers_lock.sh language: script - files: (\.hcl|\.terraform\.lock\.hcl)$ + files: (\.hcl)$ exclude: \.terraform/.*$ - id: terraform_tfsec diff --git a/README.md b/README.md index df8c4d0b5..734e178d4 100644 --- a/README.md +++ b/README.md @@ -1058,6 +1058,22 @@ If the generated name is incorrect, set them by providing the `module-repo-short Check [`tfupdate` usage instructions](https://github.com/minamijoyo/tfupdate#usage) for other available options and usage examples. No need to pass `--recursive .` as it is added automatically. +### terragrunt_providers_lock + +Run updating of lock files in terragrunt workdirs. + +> [!WARNING] +> It invokes `terragrunt providers lock` that may be very slow. + + ```yaml + - id: terragrunt_providers_lock + name: Terragrunt providers lock + args: + - --args=-platform=darwin_arm64 + - --args=-platform=darwin_amd64 + - --args=-platform=linux_amd64 + ``` + ## Docker Usage ### File Permissions From 582d87b3681d4240edff71f633757c0757bc2382 Mon Sep 17 00:00:00 2001 From: Andrii Veklychev Date: Wed, 21 Feb 2024 20:29:19 +0100 Subject: [PATCH 04/12] adjust include exclude files --- .pre-commit-hooks.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index 5a3426bbd..aa0eeab5e 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml 
@@ -90,8 +90,8 @@ description: Updates provider signatures in dependency lock files using terragrunt. entry: hooks/terragrunt_providers_lock.sh language: script - files: (\.hcl)$ - exclude: \.terraform/.*$ + files: (terragrunt\.hcl|\.terraform\.lock\.hcl)$ + exclude: (\.terraform/.*|\.terragrunt-cache)$ - id: terraform_tfsec name: Terraform validate with tfsec (deprecated, use "terraform_trivy") From 3c974c439b58d46afb2e3c38661185ec0ee0dc20 Mon Sep 17 00:00:00 2001 From: Andrii Veklychev Date: Wed, 21 Feb 2024 21:51:38 +0100 Subject: [PATCH 05/12] remove trailing spaces --- README.md | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 734e178d4..22edb9b4c 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ All available tags [here](https://github.com/antonbabenko/pre-commit-terraform/p **Build from scratch**: > [!IMPORTANT] -> To build image you need to have [`docker buildx`](https://docs.docker.com/build/install-buildx/) enabled as default builder. +> To build image you need to have [`docker buildx`](https://docs.docker.com/build/install-buildx/) enabled as default builder. > Otherwise - provide `TARGETOS` and `TARGETARCH` as additional `--build-arg`'s to `docker build`. When hooks-related `--build-arg`s are not specified, only the latest version of `pre-commit` and `terraform` will be installed. 
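Review bot: In the `.pre-commit-hooks.yaml` hunk of PATCH 04/12 the new `exclude: (\.terraform/.*|\.terragrunt-cache)$` only matches a path that ends in `.terragrunt-cache`, so files inside that directory are not excluded. pre-commit applies the pattern to file paths, and a path such as `<dir>/.terragrunt-cache/<id>/.terraform.lock.hcl` (constructed example) matches `files` and neither alternative of `exclude`. If the intent is to skip terragrunt's cached working copies, `exclude: \.(terraform|terragrunt-cache)/.*$` does that. The rewritten form in PATCH 07/12, `exclude: \.(terraform/.*|terragrunt-cache)$`, has the same gap.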
@@ -205,7 +205,7 @@ Otherwise, you can follow [this gist](https://gist.github.com/etiennejeanneaurev Ensure your PATH environment variable looks for `bash.exe` in `C:\Program Files\Git\bin` (the one present in `C:\Windows\System32\bash.exe` does not work with `pre-commit.exe`) -For `checkov`, you may need to also set your `PYTHONPATH` environment variable with the path to your Python modules. +For `checkov`, you may need to also set your `PYTHONPATH` environment variable with the path to your Python modules. E.g. `C:\Users\USERNAME\AppData\Local\Programs\Python\Python39\Lib\site-packages` @@ -341,10 +341,10 @@ PRE_COMMIT_COLOR=never pre-commit run ### Many hooks: Parallelism -> All, except deprecated hooks: `checkov`, `terraform_docs_replace` and hooks which can't be paralleled this way: `infracost_breakdown`, `terraform_wrapper_module_for_each`. +> All, except deprecated hooks: `checkov`, `terraform_docs_replace` and hooks which can't be paralleled this way: `infracost_breakdown`, `terraform_wrapper_module_for_each`. > Also, there's a chance that parallelism have no effect on `terragrunt_fmt` and `terragrunt_validate` hooks -By default, parallelism is set to `number of logical CPUs - 1`. +By default, parallelism is set to `number of logical CPUs - 1`. If you'd like to disable parallelism, set it to `1` ```yaml @@ -400,7 +400,7 @@ args: - --hook-config=--parallelism-ci-cpu-cores=N ``` -If you don't see code above in your `pre-commit-config.yaml` or logs - you don't need it. +If you don't see code above in your `pre-commit-config.yaml` or logs - you don't need it. `--parallelism-ci-cpu-cores` used only in edge cases and is ignored in other situations. Check out its usage in [hooks/_common.sh](hooks/_common.sh) ### checkov (deprecated) and terraform_checkov 
@@ -548,7 +548,7 @@ Unlike most other hooks, this hook triggers once if there are any changed files * create a documentation file * extend existing documentation file by appending markers to the end of the file (see item 1 above) * use different filename for the documentation (default is `README.md`) - * use the same insertion markers as `terraform-docs` by default. It will be default in `v2.0`. + * use the same insertion markers as `terraform-docs` by default. It will be default in `v2.0`. To migrate to `terraform-docs` insertion markers, run in repo root: ```bash @@ -573,7 +573,7 @@ Unlike most other hooks, this hook triggers once if there are any changed files - --args=--config=.terraform-docs.yml ``` - > **Warning** + > **Warning** > Avoid use `recursive.enabled: true` in config file, that can cause unexpected behavior. 5. If you need some exotic settings, it can be done too. I.e. this one generates HCL files: @@ -672,7 +672,7 @@ To replicate functionality in `terraform_docs` hook: * `only-check-is-current-lockfile-cross-platform` with [terraform_validate hook](#terraform_validate) - make up-to-date lockfile by adding/removing providers and only then check that lockfile has all required SHAs. - > **Important** + > **Important** > Next `terraform_validate` flag requires additional dependency to be installed: `jq`. Also, it could run another slow and time consuming command - `terraform init` ```yaml @@ -724,7 +724,7 @@ To replicate functionality in `terraform_docs` hook: 3. `terraform_providers_lock` support passing custom arguments to its `terraform init`: - > **Warning** + > **Warning** > DEPRECATION NOTICE: This is available only in `no-mode` mode, which will be removed in v2.0. Please provide this keys to [`terraform_validate`](#terraform_validate) hook, which, to take effect, should be called before `terraform_providers_lock` ```yaml 
@@ -895,10 +895,10 @@ To replicate functionality in `terraform_docs` hook: - --hook-config=--retry-once-with-cleanup=true # Boolean. true or false ``` - > **Important** + > **Important** > The flag requires additional dependency to be installed: `jq`. - > **Note** + > **Note** > Reinit can be very slow and require downloading data from remote Terraform registries, and not all of that downloaded data or meta-data is currently being cached by Terraform. When `--retry-once-with-cleanup=true`, in each failed directory the cached modules and providers from the `.terraform` directory will be deleted, before retrying once more. To avoid unnecessary deletion of this directory, the cleanup and retry will only happen if Terraform produces any of the following error messages: @@ -909,7 +909,7 @@ To replicate functionality in `terraform_docs` hook: * "Module not installed" * "Could not load plugin" - > **Warning** + > **Warning** > When using `--retry-once-with-cleanup=true`, problematic `.terraform/modules/` and `.terraform/providers/` directories will be recursively deleted without prompting for consent. Other files and directories will not be affected, such as the `.terraform/environment` file. **Option 2** 
@@ -928,7 +928,7 @@ To replicate functionality in `terraform_docs` hook: `terraform_validate` hook will try to reinitialize them before running the `terraform validate` command. - > **Caution** + > **Caution** > If you use Terraform workspaces, DO NOT use this option ([details](https://github.com/antonbabenko/pre-commit-terraform/issues/203#issuecomment-918791847)). Consider the first option, or wait for [`force-init`](https://github.com/antonbabenko/pre-commit-terraform/issues/224) option implementation. 1. `terraform_validate` in a repo with Terraform module, written using Terraform 0.15+ and which uses provider `configuration_aliases` ([Provider Aliases Within Modules](https://www.terraform.io/language/modules/develop/providers#provider-aliases-within-modules)), errors out. @@ -980,7 +980,7 @@ To replicate functionality in `terraform_docs` hook: [...] ``` - > **Tip** + > **Tip** > The latter method will leave an "aliased-providers.tf.json" file in your repo. You will either want to automate a way to clean this up or add it to your `.gitignore` or both. ### terraform_wrapper_module_for_each @@ -1004,8 +1004,8 @@ Sample configuration: - --args=--verbose # Verbose output ``` -**If you use hook inside Docker:** -The `terraform_wrapper_module_for_each` hook attempts to determine the module's short name to be inserted into the generated `README.md` files for the `source` URLs. Since the container uses a bind mount at a static location, it can cause this short name to be incorrect. +**If you use hook inside Docker:** +The `terraform_wrapper_module_for_each` hook attempts to determine the module's short name to be inserted into the generated `README.md` files for the `source` URLs. Since the container uses a bind mount at a static location, it can cause this short name to be incorrect. If the generated name is incorrect, set them by providing the `module-repo-shortname` option to the hook: ```yaml 
@@ -1055,7 +1055,7 @@ If the generated name is incorrect, set them by providing the `module-repo-short - --args=--version 2.5.0 # Will be pined to specified version ``` -Check [`tfupdate` usage instructions](https://github.com/minamijoyo/tfupdate#usage) for other available options and usage examples. +Check [`tfupdate` usage instructions](https://github.com/minamijoyo/tfupdate#usage) for other available options and usage examples. No need to pass `--recursive .` as it is added automatically. ### terragrunt_providers_lock @@ -1067,10 +1067,10 @@ Run updating of lock files in terragrunt workdirs. ```yaml - id: terragrunt_providers_lock - name: Terragrunt providers lock + name: Terragrunt providers lock args: - - --args=-platform=darwin_arm64 - - --args=-platform=darwin_amd64 + - --args=-platform=darwin_arm64 + - --args=-platform=darwin_amd64 - --args=-platform=linux_amd64 ``` From 8ccb5eff93c90abbd8f28d78041cc2177b8ab460 Mon Sep 17 00:00:00 2001 From: Andrii Veklychev Date: Wed, 21 Feb 2024 22:05:46 +0100 Subject: [PATCH 06/12] amend table of contents --- README.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 22edb9b4c..07f9a15d7 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,7 @@ If you are using `pre-commit-terraform` already or want to support its developme * [terraform\_wrapper\_module\_for\_each](#terraform_wrapper_module_for_each) * [terrascan](#terrascan) * [tfupdate](#tfupdate) + * [terragrunt_providers_lock](#terragrunt_providers_lock) * [Docker Usage](#docker-usage) * [File Permissions](#file-permissions) * [Download Terraform modules from private GitHub repositories](#download-terraform-modules-from-private-github-repositories) 
@@ -1060,19 +1061,19 @@ No need to pass `--recursive .` as it is added automatically. ### terragrunt_providers_lock -Run updating of lock files in terragrunt workdirs. +Runs lock files update in terragrunt workdirs. > [!WARNING] > It invokes `terragrunt providers lock` that may be very slow. - ```yaml - - id: terragrunt_providers_lock - name: Terragrunt providers lock - args: - - --args=-platform=darwin_arm64 - - --args=-platform=darwin_amd64 - - --args=-platform=linux_amd64 - ``` +```yaml +- id: terragrunt_providers_lock + name: Terragrunt providers lock + args: + - --args=-platform=darwin_arm64 + - --args=-platform=darwin_amd64 + - --args=-platform=linux_amd64 +``` ## Docker Usage From 796df1a16f322c6b2efb693f9e4fb5ed155b0f4a Mon Sep 17 00:00:00 2001 From: Andrii Veklychev Date: Wed, 21 Feb 2024 22:14:18 +0100 Subject: [PATCH 07/12] optimize hook regexp Co-authored-by: George L. Yermulnik --- .pre-commit-hooks.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index aa0eeab5e..0942ddfa7 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml @@ -90,8 +90,8 @@ description: Updates provider signatures in dependency lock files using terragrunt. entry: hooks/terragrunt_providers_lock.sh language: script - files: (terragrunt\.hcl|\.terraform\.lock\.hcl)$ - exclude: (\.terraform/.*|\.terragrunt-cache)$ + files: (terragrunt|\.terraform\.lock)\.hcl$ + exclude: \.(terraform/.*|terragrunt-cache)$ - id: terraform_tfsec name: Terraform validate with tfsec (deprecated, use "terraform_trivy") From 056083a838488f08960ad532f8d5cd5951ca3e30 Mon Sep 17 00:00:00 2001 From: Andrii Veklychev Date: Wed, 21 Feb 2024 22:21:48 +0100 Subject: [PATCH 08/12] Revert "remove trailing spaces" This reverts commit 3c974c439b58d46afb2e3c38661185ec0ee0dc20. --- README.md | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) 
diff --git a/README.md b/README.md index 07f9a15d7..ae4be7608 100644 --- a/README.md +++ b/README.md @@ -101,7 +101,7 @@ All available tags [here](https://github.com/antonbabenko/pre-commit-terraform/p **Build from scratch**: > [!IMPORTANT] -> To build image you need to have [`docker buildx`](https://docs.docker.com/build/install-buildx/) enabled as default builder. +> To build image you need to have [`docker buildx`](https://docs.docker.com/build/install-buildx/) enabled as default builder. > Otherwise - provide `TARGETOS` and `TARGETARCH` as additional `--build-arg`'s to `docker build`. When hooks-related `--build-arg`s are not specified, only the latest version of `pre-commit` and `terraform` will be installed. @@ -206,7 +206,7 @@ Otherwise, you can follow [this gist](https://gist.github.com/etiennejeanneaurev Ensure your PATH environment variable looks for `bash.exe` in `C:\Program Files\Git\bin` (the one present in `C:\Windows\System32\bash.exe` does not work with `pre-commit.exe`) -For `checkov`, you may need to also set your `PYTHONPATH` environment variable with the path to your Python modules. +For `checkov`, you may need to also set your `PYTHONPATH` environment variable with the path to your Python modules. E.g. `C:\Users\USERNAME\AppData\Local\Programs\Python\Python39\Lib\site-packages` 
@@ -342,10 +342,10 @@ PRE_COMMIT_COLOR=never pre-commit run ### Many hooks: Parallelism -> All, except deprecated hooks: `checkov`, `terraform_docs_replace` and hooks which can't be paralleled this way: `infracost_breakdown`, `terraform_wrapper_module_for_each`. +> All, except deprecated hooks: `checkov`, `terraform_docs_replace` and hooks which can't be paralleled this way: `infracost_breakdown`, `terraform_wrapper_module_for_each`. > Also, there's a chance that parallelism have no effect on `terragrunt_fmt` and `terragrunt_validate` hooks -By default, parallelism is set to `number of logical CPUs - 1`. +By default, parallelism is set to `number of logical CPUs - 1`. If you'd like to disable parallelism, set it to `1` ```yaml @@ -401,7 +401,7 @@ args: - --hook-config=--parallelism-ci-cpu-cores=N ``` -If you don't see code above in your `pre-commit-config.yaml` or logs - you don't need it. +If you don't see code above in your `pre-commit-config.yaml` or logs - you don't need it. `--parallelism-ci-cpu-cores` used only in edge cases and is ignored in other situations. Check out its usage in [hooks/_common.sh](hooks/_common.sh) ### checkov (deprecated) and terraform_checkov @@ -549,7 +549,7 @@ Unlike most other hooks, this hook triggers once if there are any changed files * create a documentation file * extend existing documentation file by appending markers to the end of the file (see item 1 above) * use different filename for the documentation (default is `README.md`) - * use the same insertion markers as `terraform-docs` by default. It will be default in `v2.0`. + * use the same insertion markers as `terraform-docs` by default. It will be default in `v2.0`. To migrate to `terraform-docs` insertion markers, run in repo root: ```bash 
@@ -574,7 +574,7 @@ Unlike most other hooks, this hook triggers once if there are any changed files - --args=--config=.terraform-docs.yml ``` - > **Warning** + > **Warning** > Avoid use `recursive.enabled: true` in config file, that can cause unexpected behavior. 5. If you need some exotic settings, it can be done too. I.e. this one generates HCL files: @@ -673,7 +673,7 @@ To replicate functionality in `terraform_docs` hook: * `only-check-is-current-lockfile-cross-platform` with [terraform_validate hook](#terraform_validate) - make up-to-date lockfile by adding/removing providers and only then check that lockfile has all required SHAs. - > **Important** + > **Important** > Next `terraform_validate` flag requires additional dependency to be installed: `jq`. Also, it could run another slow and time consuming command - `terraform init` ```yaml @@ -725,7 +725,7 @@ To replicate functionality in `terraform_docs` hook: 3. `terraform_providers_lock` support passing custom arguments to its `terraform init`: - > **Warning** + > **Warning** > DEPRECATION NOTICE: This is available only in `no-mode` mode, which will be removed in v2.0. Please provide this keys to [`terraform_validate`](#terraform_validate) hook, which, to take effect, should be called before `terraform_providers_lock` ```yaml 
@@ -896,10 +896,10 @@ To replicate functionality in `terraform_docs` hook: - --hook-config=--retry-once-with-cleanup=true # Boolean. true or false ``` - > **Important** + > **Important** > The flag requires additional dependency to be installed: `jq`. - > **Note** + > **Note** > Reinit can be very slow and require downloading data from remote Terraform registries, and not all of that downloaded data or meta-data is currently being cached by Terraform. When `--retry-once-with-cleanup=true`, in each failed directory the cached modules and providers from the `.terraform` directory will be deleted, before retrying once more. To avoid unnecessary deletion of this directory, the cleanup and retry will only happen if Terraform produces any of the following error messages: @@ -910,7 +910,7 @@ To replicate functionality in `terraform_docs` hook: * "Module not installed" * "Could not load plugin" - > **Warning** + > **Warning** > When using `--retry-once-with-cleanup=true`, problematic `.terraform/modules/` and `.terraform/providers/` directories will be recursively deleted without prompting for consent. Other files and directories will not be affected, such as the `.terraform/environment` file. **Option 2** 
@@ -929,7 +929,7 @@ To replicate functionality in `terraform_docs` hook: `terraform_validate` hook will try to reinitialize them before running the `terraform validate` command. - > **Caution** + > **Caution** > If you use Terraform workspaces, DO NOT use this option ([details](https://github.com/antonbabenko/pre-commit-terraform/issues/203#issuecomment-918791847)). Consider the first option, or wait for [`force-init`](https://github.com/antonbabenko/pre-commit-terraform/issues/224) option implementation. 1. `terraform_validate` in a repo with Terraform module, written using Terraform 0.15+ and which uses provider `configuration_aliases` ([Provider Aliases Within Modules](https://www.terraform.io/language/modules/develop/providers#provider-aliases-within-modules)), errors out. @@ -981,7 +981,7 @@ To replicate functionality in `terraform_docs` hook: [...] ``` - > **Tip** + > **Tip** > The latter method will leave an "aliased-providers.tf.json" file in your repo. You will either want to automate a way to clean this up or add it to your `.gitignore` or both. ### terraform_wrapper_module_for_each @@ -1005,8 +1005,8 @@ Sample configuration: - --args=--verbose # Verbose output ``` -**If you use hook inside Docker:** -The `terraform_wrapper_module_for_each` hook attempts to determine the module's short name to be inserted into the generated `README.md` files for the `source` URLs. Since the container uses a bind mount at a static location, it can cause this short name to be incorrect. +**If you use hook inside Docker:** +The `terraform_wrapper_module_for_each` hook attempts to determine the module's short name to be inserted into the generated `README.md` files for the `source` URLs. Since the container uses a bind mount at a static location, it can cause this short name to be incorrect. If the generated name is incorrect, set them by providing the `module-repo-shortname` option to the hook: ```yaml 
@@ -1056,7 +1056,7 @@ If the generated name is incorrect, set them by providing the `module-repo-short - --args=--version 2.5.0 # Will be pined to specified version ``` -Check [`tfupdate` usage instructions](https://github.com/minamijoyo/tfupdate#usage) for other available options and usage examples. +Check [`tfupdate` usage instructions](https://github.com/minamijoyo/tfupdate#usage) for other available options and usage examples. No need to pass `--recursive .` as it is added automatically. ### terragrunt_providers_lock From 75a05e83518f5c1cebeee0f785c74a306c5114ba Mon Sep 17 00:00:00 2001 From: Andrii Veklychev Date: Wed, 21 Feb 2024 22:27:49 +0100 Subject: [PATCH 09/12] amend available hooks section --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ae4be7608..1b80f84e4 100644 --- a/README.md +++ b/README.md 
@@ -282,6 +282,7 @@ There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform | `terraform_validate` | Validates all Terraform configuration files. [Hook notes](#terraform_validate) | `jq`, only for `--retry-once-with-cleanup` flag | | `terragrunt_fmt` | Reformat all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) to a canonical format. | `terragrunt` | | `terragrunt_validate` | Validates all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) | `terragrunt` | +| `terragrunt_providers_lock` | Generates `.terraform.lock.hcl` files using [Terragrunt](https://github.com/gruntwork-io/terragrunt). | `terragrunt` | | `terraform_wrapper_module_for_each` | Generates Terraform wrappers with `for_each` in module. [Hook notes](#terraform_wrapper_module_for_each) | `hcledit` | | `terrascan` | [terrascan](https://github.com/tenable/terrascan) Detect compliance and security violations. [Hook notes](#terrascan) | `terrascan` | | `tfupdate` | [tfupdate](https://github.com/minamijoyo/tfupdate) Update version constraints of Terraform core, providers, and modules. [Hook notes](#tfupdate) | `tfupdate` | From 97a352fd06a9dc0ce3389369930b845456a8a0f3 Mon Sep 17 00:00:00 2001 From: Andrii Veklychev Date: Wed, 21 Feb 2024 22:55:37 +0100 Subject: [PATCH 10/12] amend hook usage section --- README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1b80f84e4..154c2b92b 100644 --- a/README.md +++ b/README.md 
@@ -1062,10 +1062,15 @@ No need to pass `--recursive .` as it is added automatically. ### terragrunt_providers_lock -Runs lock files update in terragrunt workdirs. +Hook produces same results as `terraform_providers_lock`, but for terragrunt root modules. + +It just invokes `terragrunt providers lock` under the hood and terragrunt [does its' own magic](https://terragrunt.gruntwork.io/docs/features/lock-file-handling/) for handling lock files. + +> [!TIP] +> Use this hook only in infrastructure repos managed solely by `terragrunt` and do not mix with `terraform_providers_lock` to avoid conflicts. > [!WARNING] -> It invokes `terragrunt providers lock` that may be very slow. +> Hook _may_ be very slow, because it invokes init under the hood. ```yaml - id: terragrunt_providers_lock From 2fda0002f1466191b63b45d0665730f8f414fbbe Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Thu, 22 Feb 2024 15:22:59 +0200 Subject: [PATCH 11/12] Minor docs changes --- README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 154c2b92b..b22f37fb9 100644 --- a/README.md +++ b/README.md @@ -52,7 +52,7 @@ If you are using `pre-commit-terraform` already or want to support its developme * [terraform\_wrapper\_module\_for\_each](#terraform_wrapper_module_for_each) * [terrascan](#terrascan) * [tfupdate](#tfupdate) - * [terragrunt_providers_lock](#terragrunt_providers_lock) + * [terragrunt\_providers\_lock](#terragrunt_providers_lock) * [Docker Usage](#docker-usage) * [File Permissions](#file-permissions) * [Download Terraform modules from private GitHub repositories](#download-terraform-modules-from-private-github-repositories) 
@@ -1062,15 +1062,16 @@ No need to pass `--recursive .` as it is added automatically. ### terragrunt_providers_lock -Hook produces same results as `terraform_providers_lock`, but for terragrunt root modules. - -It just invokes `terragrunt providers lock` under the hood and terragrunt [does its' own magic](https://terragrunt.gruntwork.io/docs/features/lock-file-handling/) for handling lock files. - > [!TIP] -> Use this hook only in infrastructure repos managed solely by `terragrunt` and do not mix with `terraform_providers_lock` to avoid conflicts. +> Use this hook only in infrastructure repos managed solely by `terragrunt` and do not mix with [`terraform_providers_lock`](#terraform_providers_lock) to avoid conflicts. > [!WARNING] -> Hook _may_ be very slow, because it invokes init under the hood. +> Hook _may_ be very slow, because terragrunt invokes `t init` under the hood. + +Hook produces same results as [`terraform_providers_lock`](#terraform_providers_lock), but for terragrunt root modules. + +It invokes `terragrunt providers lock` under the hood and terragrunt [does its' own magic](https://terragrunt.gruntwork.io/docs/features/lock-file-handling/) for handling lock files. + ```yaml - id: terragrunt_providers_lock From 4828847fe5ea40fe48a300036ee3714640de93c2 Mon Sep 17 00:00:00 2001 From: Maksym Vlasov Date: Thu, 22 Feb 2024 23:44:39 +0200 Subject: [PATCH 12/12] Apply suggestions from code review --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b22f37fb9..2c1c46163 100644 --- a/README.md +++ b/README.md @@ -1075,8 +1075,8 @@ It invokes `terragrunt providers lock` under the hood and terragrunt [does its' ```yaml - id: terragrunt_providers_lock - name: Terragrunt providers lock - args: + name: Terragrunt providers lock + args: - --args=-platform=darwin_arm64 - --args=-platform=darwin_amd64 - --args=-platform=linux_amd64