antonbabenko · MaxymVlasov · May 23, 2024 · May 4, 2024 · May 4, 2024 · May 9, 2024
@@ -29,6 +29,7 @@ If you are using `pre-commit-terraform` already or want to support its developme
 * [Table of content](#table-of-content)
 * [How to install](#how-to-install)
   * [1. Install dependencies](#1-install-dependencies)
+    * [1.1 Custom Terraform binaries and OpenTofu support](#11-custom-terraform-binaries-and-opentofu-support)
   * [2. Install the pre-commit hook globally](#2-install-the-pre-commit-hook-globally)
   * [3. Add configs and hooks](#3-add-configs-and-hooks)
   * [4. Run](#4-run)
@@ -67,7 +68,7 @@ If you are using `pre-commit-terraform` already or want to support its developme
 ### 1. Install dependencies
 
 * [`pre-commit`](https://pre-commit.com/#install),
-  <sub><sup>[`terraform`](https://www.terraform.io/downloads.html),
+  <sub><sup>[`terraform`](https://www.terraform.io/downloads.html) or [`opentofu`](https://opentofu.org/docs/intro/install/),
   <sub><sup>[`git`](https://git-scm.com/downloads),
   <sub><sup>[BASH `3.2.57` or newer](https://www.gnu.org/software/bash/#download),
   <sub><sup>Internet connection (on first run),
@@ -77,17 +78,31 @@ If you are using `pre-commit-terraform` already or want to support its developme
   <sub><sup>Some basic physical laws,
   <sub><sup>Hope that it all will work.
   </sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub><br><br>
-* [`checkov`](https://github.com/bridgecrewio/checkov) required for `terraform_checkov` hook.
-* [`terraform-docs`](https://github.com/terraform-docs/terraform-docs) required for `terraform_docs` hook.
-* [`terragrunt`](https://terragrunt.gruntwork.io/docs/getting-started/install/) required for `terragrunt_validate` hook.
-* [`terrascan`](https://github.com/tenable/terrascan) required for `terrascan` hook.
-* [`TFLint`](https://github.com/terraform-linters/tflint) required for `terraform_tflint` hook.
-* [`TFSec`](https://github.com/liamg/tfsec) required for `terraform_tfsec` hook.
-* [`Trivy`](https://github.com/aquasecurity/trivy) required for `terraform_trivy` hook.
-* [`infracost`](https://github.com/infracost/infracost) required for `infracost_breakdown` hook.
-* [`jq`](https://github.com/stedolan/jq) required for `terraform_validate` with `--retry-once-with-cleanup` flag, and for `infracost_breakdown` hook.
-* [`tfupdate`](https://github.com/minamijoyo/tfupdate) required for `tfupdate` hook.
-* [`hcledit`](https://github.com/minamijoyo/hcledit) required for `terraform_wrapper_module_for_each` hook.
+* [`checkov`](https://github.com/bridgecrewio/checkov) required for `terraform_checkov` hook
+* [`terraform-docs`](https://github.com/terraform-docs/terraform-docs) required for `terraform_docs` hook
+* [`terragrunt`](https://terragrunt.gruntwork.io/docs/getting-started/install/) required for `terragrunt_validate` hook
+* [`terrascan`](https://github.com/tenable/terrascan) required for `terrascan` hook
+* [`TFLint`](https://github.com/terraform-linters/tflint) required for `terraform_tflint` hook
+* [`TFSec`](https://github.com/liamg/tfsec) required for `terraform_tfsec` hook
+* [`Trivy`](https://github.com/aquasecurity/trivy) required for `terraform_trivy` hook
+* [`infracost`](https://github.com/infracost/infracost) required for `infracost_breakdown` hook
+* [`jq`](https://github.com/stedolan/jq) required for `terraform_validate` with `--retry-once-with-cleanup` flag, and for `infracost_breakdown` hook
+* [`tfupdate`](https://github.com/minamijoyo/tfupdate) required for `tfupdate` hook
+* [`hcledit`](https://github.com/minamijoyo/hcledit) required for `terraform_wrapper_module_for_each` hook
+
+
+#### 1.1 Custom Terraform binaries and OpenTofu support
+
+It is possible to set custom path to `terraform` binary.  
+This makes it possible to use [OpenTofu](https://opentofu.org) binary `tofu` instead of `terraform`.
+
+How binary discovery works and how you can redefine it:
+
+1. Check if set per hook configuration `--hook-config=--tf-path=<path_to_binary_or_binary_name>`
+2. Check if `PCT_TFPATH=<path_to_binary_or_binary_name>`  environment variable exist
+3. Check if `TERRAGRUNT_TFPATH=<path_to_binary_or_binary_name>` environment variable set
+4. Check if `terraform` binary can be found in the user's $PATH
+5. Check if `tofu` binary can be found in the user's $PATH
 
 <details><summary><b>Docker</b></summary><br>
 

@@ -283,6 +283,8 @@ function common::per_dir_hook {
   # despite there's only one positional ARG left
   local -a -r files=("$@")
 
+  local -r tf_path=$(common::get_tf_binary_path)
+
   # check is (optional) function defined
   if [ "$(type -t run_hook_on_whole_repo)" == function ] &&
     # check is hook run via `pre-commit run --all`
@@ -383,7 +385,7 @@ function common::per_dir_hook {
         pushd "$dir_path" > /dev/null
       fi
 
-      per_dir_hook_unique_part "$dir_path" "$change_dir_in_unique_part" "$parallelism_disabled" "${args[@]}"
+      per_dir_hook_unique_part "$dir_path" "$change_dir_in_unique_part" "$parallelism_disabled" "$tf_path" "${args[@]}"
     } &
     pids+=("$!")
 
@@ -445,13 +447,66 @@ function common::colorify {
   echo -e "${COLOR}${TEXT}${RESET}" >&2
 }
 
+#######################################################################
+# Get Terraform/OpenTofu binary path
+# Allows user to set the path to custom Terraform or OpenTofu binary
+# Globals (init and populate):
+#   HOOK_CONFIG (array) arguments that configure hook behavior
+#   PCT_TFPATH (string) user defined env var with path to Terraform/OpenTofu binary
+#   TERRAGRUNT_TFPATH (string) user defined env var with path to Terraform/OpenTofu binary
+# Outputs:
+#   If failed - exit 1 with error message about missing Terraform/OpenTofu binary
+#######################################################################
+function common::get_tf_binary_path {
+  local hook_config_tf_path
+
+  for config in "${HOOK_CONFIG[@]}"; do
+    if [[ $config == --tf-path=* ]]; then
+      hook_config_tf_path=${config#*=}
+      hook_config_tf_path=${hook_config_tf_path%;}
+      break
+    fi
+  done
+
+  # direct hook config, has the highest precedence
+  if [[ $hook_config_tf_path ]]; then
+    echo "${hook_config_tf_path}"
+    return
+
+  # environment variable
+  elif [[ $PCT_TFPATH ]]; then
+    echo "${PCT_TFPATH}"
+    return
+
+  # Maybe there is a similar setting for Terragrunt already
+  elif [[ $TERRAGRUNT_TFPATH ]]; then
+    echo "${TERRAGRUNT_TFPATH}"
+    return
 terragrunt validate "${args[@]}" 
 terragrunt validate "${args[@]}" 
+
+  # check if Terraform binary is available
+  elif command -v terraform &> /dev/null; then
+    command -v terraform
+    return
+
+  # finally, check if Tofu binary is available
+  elif command -v tofu &> /dev/null; then
+    command -v tofu
+    return
+
+  else
+    common::colorify "red" "Neither Terraform nor OpenTofu binary could be found. Please either set the \"--tf-path\" hook configuration argument, or set the \"PCT_TFPATH\" environment variable, or set the \"TERRAGRUNT_TFPATH\" environment variable, or install Terraform or OpenTofu globally."
+    exit 1
+  fi
+}
+
 #######################################################################
 # Run terraform init command
 # Arguments:
 #   command_name (string) command that will tun after successful init
 #   dir_path (string) PATH to dir relative to git repo root.
 #     Can be used in error logging
 #   parallelism_disabled (bool) if true - skip lock mechanism
+#  tf_path (string) PATH to Terraform/OpenTofu binary
 # Globals (init and populate):
 #   TF_INIT_ARGS (array) arguments for `terraform init` command
 #   TF_PLUGIN_CACHE_DIR (string) user defined env var with name of the directory
@@ -464,6 +519,7 @@ function common::terraform_init {
   local -r command_name=$1
   local -r dir_path=$2
   local -r parallelism_disabled=$3
+  local -r tf_path=$4
 
   local exit_code=0
   local init_output
@@ -480,13 +536,13 @@ function common::terraform_init {
     # Plugin cache dir can't be written concurrently or read during write
     # https://github.com/hashicorp/terraform/issues/31964
     if [[ -z $TF_PLUGIN_CACHE_DIR || $parallelism_disabled == true ]]; then
-      init_output=$(terraform init -backend=false "${TF_INIT_ARGS[@]}" 2>&1)
+      init_output=$($tf_path init -backend=false "${TF_INIT_ARGS[@]}" 2>&1)
       exit_code=$?
     else
       # Locking just doesn't work, and the below works quicker instead. Details:
       # https://github.com/hashicorp/terraform/issues/31964#issuecomment-1939869453
       for i in {1..10}; do
-        init_output=$(terraform init -backend=false "${TF_INIT_ARGS[@]}" 2>&1)
+        init_output=$($tf_path init -backend=false "${TF_INIT_ARGS[@]}" 2>&1)
         exit_code=$?
 
         if [ $exit_code -eq 0 ]; then

@@ -36,6 +36,7 @@ function main {
 #     Availability depends on hook.
 #   parallelism_disabled (bool) if true - skip lock mechanism
 #   args (array) arguments that configure wrapped tool behavior
+#   tf_path (string) PATH to Terraform/OpenTofu binary
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
@@ -46,7 +47,9 @@ function per_dir_hook_unique_part {
   local -r change_dir_in_unique_part="$2"
   # shellcheck disable=SC2034 # Unused var.
   local -r parallelism_disabled="$3"
-  shift 3
+  # shellcheck disable=SC2034 # Unused var.
+  local -r tf_path="$4"
+  shift 4
   local -a -r args=("$@")
 
   checkov -d . "${args[@]}"

@@ -33,6 +33,7 @@ function main {
 #     Availability depends on hook.
 #   parallelism_disabled (bool) if true - skip lock mechanism
 #   args (array) arguments that configure wrapped tool behavior
+#   tf_path (string) PATH to Terraform/OpenTofu binary
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
@@ -43,11 +44,12 @@ function per_dir_hook_unique_part {
   local -r change_dir_in_unique_part="$2"
   # shellcheck disable=SC2034 # Unused var.
   local -r parallelism_disabled="$3"
-  shift 3
+  local -r tf_path="$4"
+  shift 4
   local -a -r args=("$@")
 
   # pass the arguments to hook
-  terraform fmt "${args[@]}"
+  $tf_path fmt "${args[@]}"
 
   # return exit code to common::per_dir_hook
   local exit_code=$?

@@ -87,15 +87,19 @@ function lockfile_contains_all_needed_sha {
 #     Availability depends on hook.
 #   parallelism_disabled (bool) if true - skip lock mechanism
 #   args (array) arguments that configure wrapped tool behavior
+#   tf_path (string) PATH to Terraform/OpenTofu binary
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
 function per_dir_hook_unique_part {
+  # shellcheck disable=SC2034 # Unused var.
   local -r dir_path="$1"
   # shellcheck disable=SC2034 # Unused var.
   local -r change_dir_in_unique_part="$2"
+  # shellcheck disable=SC2034 # Unused var.
   local -r parallelism_disabled="$3"
-  shift 3
+  local -r tf_path="$4"
+  shift 4
   local -a -r args=("$@")
 
   local platforms_count=0
@@ -138,7 +142,7 @@ function per_dir_hook_unique_part {
     common::colorify "yellow" "DEPRECATION NOTICE: We introduced '--mode' flag for this hook.
 Check migration instructions at https://github.com/antonbabenko/pre-commit-terraform#terraform_providers_lock
 "
-    common::terraform_init 'terraform providers lock' "$dir_path" "$parallelism_disabled" || {
+    common::terraform_init 'terraform providers lock' "$dir_path" "$parallelism_disabled" "$tf_path" || {
       exit_code=$?
       return $exit_code
     }
@@ -153,7 +157,7 @@ Check migration instructions at https://github.com/antonbabenko/pre-commit-terra
   #? Don't require `tf init` for providers, but required `tf init` for modules
   #? Mitigated by `function match_validate_errors` from terraform_validate hook
   # pass the arguments to hook
-  terraform providers lock "${args[@]}"
+  $tf_path providers lock "${args[@]}"
 
   # return exit code to common::per_dir_hook
   exit_code=$?

@@ -46,15 +46,20 @@ function main {
 #     Availability depends on hook.
 #   parallelism_disabled (bool) if true - skip lock mechanism
 #   args (array) arguments that configure wrapped tool behavior
+#   tf_path (string) PATH to Terraform/OpenTofu binary
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
 function per_dir_hook_unique_part {
+  # shellcheck disable=SC2034 # Unused var.
   local -r dir_path="$1"
+  # shellcheck disable=SC2034 # Unused var.
   local -r change_dir_in_unique_part="$2"
   # shellcheck disable=SC2034 # Unused var.
   local -r parallelism_disabled="$3"
-  shift 3
+  # shellcheck disable=SC2034 # Unused var.
+  local -r tf_path="$4"
+  shift 4
   local -a -r args=("$@")
 
   if [ "$change_dir_in_unique_part" == "delegate_chdir" ]; then

@@ -39,6 +39,7 @@ function main {
 #     Availability depends on hook.
 #   parallelism_disabled (bool) if true - skip lock mechanism
 #   args (array) arguments that configure wrapped tool behavior
+#   tf_path (string) PATH to Terraform/OpenTofu binary
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
@@ -49,7 +50,9 @@ function per_dir_hook_unique_part {
   local -r change_dir_in_unique_part="$2"
   # shellcheck disable=SC2034 # Unused var.
   local -r parallelism_disabled="$3"
-  shift 3
+  # shellcheck disable=SC2034 # Unused var.
+  local -r tf_path="$4"
+  shift 4
   local -a -r args=("$@")
 
   # pass the arguments to hook

@@ -31,6 +31,7 @@ function main {
 #     Availability depends on hook.
 #   parallelism_disabled (bool) if true - skip lock mechanism
 #   args (array) arguments that configure wrapped tool behavior
+#   tf_path (string) PATH to Terraform/OpenTofu binary
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
@@ -41,7 +42,9 @@ function per_dir_hook_unique_part {
   local -r change_dir_in_unique_part="$2"
   # shellcheck disable=SC2034 # Unused var.
   local -r parallelism_disabled="$3"
-  shift 3
+  # shellcheck disable=SC2034 # Unused var.
+  local -r tf_path="$4"
+  shift 4
   local -a -r args=("$@")
 
   # pass the arguments to hook

@@ -77,15 +77,19 @@ function match_validate_errors {
 #     Availability depends on hook.
 #   parallelism_disabled (bool) if true - skip lock mechanism
 #   args (array) arguments that configure wrapped tool behavior
+#   tf_path (string) PATH to Terraform/OpenTofu binary
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
 function per_dir_hook_unique_part {
+  # shellcheck disable=SC2034 # Unused var.
   local -r dir_path="$1"
   # shellcheck disable=SC2034 # Unused var.
   local -r change_dir_in_unique_part="$2"
+  # shellcheck disable=SC2034 # Unused var.
   local -r parallelism_disabled="$3"
-  shift 3
+  local -r tf_path="$4"
+  shift 4
   local -a -r args=("$@")
 
   local exit_code
@@ -116,25 +120,25 @@ function per_dir_hook_unique_part {
   # First try `terraform validate` with the hope that all deps are
   # pre-installed. That is needed for cases when `.terraform/modules`
   # or `.terraform/providers` missed AND that is expected.
-  terraform validate "${args[@]}" &> /dev/null && {
+  $tf_path validate "${args[@]}" &> /dev/null && {
     exit_code=$?
     return $exit_code
   }
 
   # In case `terraform validate` failed to execute
   # - check is simple `terraform init` will help
-  common::terraform_init 'terraform validate' "$dir_path" "$parallelism_disabled" || {
+  common::terraform_init "$tf_path validate" "$dir_path" "$parallelism_disabled" "$tf_path" || {
     exit_code=$?
     return $exit_code
   }
 
   if [ "$retry_once_with_cleanup" != "true" ]; then
     # terraform validate only
-    validate_output=$(terraform validate "${args[@]}" 2>&1)
+    validate_output=$($tf_path validate "${args[@]}" 2>&1)
     exit_code=$?
   else
     # terraform validate, plus capture possible errors
-    validate_output=$(terraform validate -json "${args[@]}" 2>&1)
+    validate_output=$($tf_path validate -json "${args[@]}" 2>&1)
     exit_code=$?
 
     # Match specific validation errors
@@ -152,12 +156,12 @@ function per_dir_hook_unique_part {
 
       common::colorify "yellow" "Re-validating: $dir_path"
 
-      common::terraform_init 'terraform validate' "$dir_path" "$parallelism_disabled" || {
+      common::terraform_init "$tf_path validate" "$dir_path" "$parallelism_disabled" "$tf_path" || {
         exit_code=$?
         return $exit_code
       }
 
-      validate_output=$(terraform validate "${args[@]}" 2>&1)
+      validate_output=$($tf_path validate "${args[@]}" 2>&1)
       exit_code=$?
     fi
   fi

@@ -29,6 +29,7 @@ function main {
 #     Availability depends on hook.
 #   parallelism_disabled (bool) if true - skip lock mechanism
 #   args (array) arguments that configure wrapped tool behavior
+#   tf_path (string) PATH to Terraform/OpenTofu binary
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
@@ -39,7 +40,9 @@ function per_dir_hook_unique_part {
   local -r change_dir_in_unique_part="$2"
   # shellcheck disable=SC2034 # Unused var.
   local -r parallelism_disabled="$3"
-  shift 3
+  # shellcheck disable=SC2034 # Unused var.
+  local -r tf_path="$4"
+  shift 4
   local -a -r args=("$@")
 
   # pass the arguments to hook