fix: Check all directories with changes and pass all args in terrascan hook #305
Conversation
- Pass to the terrascan command all supplied arguments.
- Allow inspecting each directory with TF config files for the current commit and fetch the final terrascan exit code.
- Apply linter recommendations.
docs review: Please add a link to the terrascan section ([Hook notes](#terrascan)) in the Available Hooks table.
…pre-commit-terraform into fix/terrascan_hook
@MaxymVlasov Code looks good to me.
Co-authored-by: George L. Yermulnik <yz@yz.kiev.ua>
Also, I tested performance, and the hook in this branch works 3 times slower than in v1.62.1 and 6 times slower than in v1.62.2.

Took 20s:

```yaml
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.62.1
    hooks:
      - id: terrascan
```

Tag v1.62.2 (with `require_serial: true`) took 9s.

Took 1m 3s:

```yaml
repos:
  - repo: https://github.com/carlosbustillordguez/pre-commit-terraform
    rev: 5f9e0cce9974741a7dc1723c7625082a4c1cc904
    hooks:
      - id: terrascan
```

Try to add debug outputs to the script and find what goes wrong.

Still facing problems with performance. I will try to investigate why.

UPD: It is because v1.62.2 checks only 1 directory, while this branch checks all.
I tested the hooks following the CONTRIBUTING.md guide, against the following repos:

```yaml
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.62.2
    hooks:
      - id: terrascan
```

```yaml
repos:
  - repo: https://github.com/carlosbustillordguez/pre-commit-terraform
    rev: 0d1c7164a4cde2d8c8e3d71846a2a6a2bb4472dd
    hooks:
      - id: terrascan
```

The test results are (20 runs against each repo):

The total time is practically the same for both repositories. Please note that the current implementation for pre-commit-terraform/terrascan.sh (Line 9 in 04ecd10)

Because the argument is not passed as an array, in my PR I pass all arguments and files to the pre-commit-terraform/terrascan.sh (Line 7 in 0d1c716)

This can make the difference in bigger Terraform repositories because the root module and internal modules will be inspected. Can you share which tests you are using?
I noted that if we inspect only the first directory, it works fine with a module without internal modules. For a module with internal modules, if the changed files are in different internal modules only the first one in the

For my tests I am using a Terraform module with the following structure:

```
├── LICENSE
├── README.md
├── aks-cluster.tf
├── main.tf
├── modules
│   ├── agic-internal
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   └── variables.tf
│   ├── cert-manager
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── templates
│   │   │   ├── clusterissuer-le-production.yaml.tpl
│   │   │   ├── clusterissuer-le-staging.yaml.tpl
│   │   └── variables.tf
│   ├── kv-certificates
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   └── variables.tf
│   └── managed-identities-apps
│       ├── main.tf
│       ├── outputs.tf
│       ├── templates
│       │   ├── azure-identity-binding.yaml.tpl
│       │   └── azure-identity.yaml.tpl
│       └── variables.tf
├── outputs.tf
├── scripts
│   ├── README.md
│   ├── add-ssl-cert-appgw.sh
│   └── custom-role.md
├── terraform.tfvars
└── variables.tf
```
pre-commit automatically parallelizes checks across the existing cores, and I suppose you have >=4 CPU cores, while terrascan checks only 4 dirs in your repo. Try to run it on a bigger repo, like this one.
And you will get a result like this (5 runs):
I just changed the code to scan only one directory: pre-commit-terraform/terrascan.sh (Lines 15 to 22 in 677912b)

It will be good to catch if the

Please, let me know if the new change has improved the performance for your repo.
This reverts commit 677912b.
I checked a little bit how `terrascan` works, and what I found: `terrascan` recursively checks all files in the provided dir. So the performance degradation exists only in the `pre-commit run --all` situation, because it will provide all existing files to the hook:
pre-commit-terraform/terrascan.sh (Lines 15 to 19 in e6ffbcd)

```bash
# consume modified files passed from pre-commit so that
# terrascan runs against only those relevant directories
for file_with_path in "${files[@]}"; do
  file_with_path="${file_with_path// /__REPLACED__SPACE__}"
  paths[index]=$(dirname "$file_with_path")
```
Then, unique paths are found and `terrascan` is run for each folder:

pre-commit-terraform/terrascan.sh (Lines 29 to 30 in e6ffbcd)

```bash
# for each path run terrascan
for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
```
It works literally how it should work: it checks only diffs. At the same time, we need to know when the `--all` (`-a`) argument is passed to `pre-commit` and just run `terrascan -d GIT_REPO_ROOT`.

Because it is not very related to this PR, I propose to merge that PR as is, and open an issue for improving performance during the `pre-commit -a` run.

Because for now only the first directory of the FILES array is analyzed with `terrascan`. And that is not a performance issue in day-to-day usage cases, it's a bug that should be fixed.

@carlosbustillordguez if you'd like to fix that too, you're welcome to fix #309, right after this PR merge.
@antonbabenko ready to merge
@MaxymVlasov Could you please write a bit more descriptive title for the PRs? What exactly does this PR fix in the hook? It will be used in CHANGELOG and release notes.

[terrascan] Check all directories with changes, not only first. Pass all arguments to hook, not only first

@antonbabenko done
> [terrascan] Check all directories with changes, not only first. Pass all arguments to hook, not only first

Keep in mind the length. :)
## [1.62.3](v1.62.2...v1.62.3) (2021-12-22)

### Bug Fixes

* Check all directories with changes and pass all args in terrascan hook ([#305](#305)) ([66401d9](66401d9))

This PR is included in version 1.62.3 🎉
@carlosbustillordguez thank you for your help during debugging.
Description of your changes

This PR introduces the following changes:

- `terrascan` hook to run only with Terraform config files.
- Pass to the `terrascan` command all supplied arguments.
- Fetch the final `terrascan` exit code.
- Apply linter recommendations.

How has this code been tested

The current implementation of `terrascan.sh` only adds to the `terrascan` command the first argument of the `ARGS` array. Try to use the following configuration to reproduce the problem (the `--policy-type azure` is never passed as an argument to `terrascan`):

`terrascan` is executed over all committed files, which produces errors on subdirectories without Terraform config files:

Also, only the first directory of the `FILES` array is analyzed with `terrascan`.
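The fix this PR describes, written out as an added example (not the project's own terrascan.sh): group the changed files by directory, skip directories with no Terraform config, forward every hook argument to each run, and return the highest terrascan exit code. It assumes the CLI form `terrascan scan -d DIR ARGS...` with `terrascan` on PATH, and keeps paths with spaces intact by reading the directory list line by line instead of the hook's `__REPLACED__SPACE__` substitution.

```shell
#!/usr/bin/env bash
# Added example, not the project's terrascan.sh: the per-directory loop this PR
# argues for, written stand-alone so it can be exercised without pre-commit.
# Assumed CLI form: `terrascan scan -d DIR [ARGS...]`; terrascan must be on PATH
# (a shell function of the same name can stand in for it when testing).

# tf_dirs FILE...
# Prints, one per line and de-duplicated, each directory that holds one of the
# given files AND contains Terraform config (*.tf). Directories without .tf files
# are skipped because terrascan errors on them (see the PR description).
# Output is newline separated so paths with spaces survive unmodified.
tf_dirs() {
  local f d tf
  for f in "$@"; do
    d=$(dirname -- "$f")
    for tf in "$d"/*.tf; do
      if [ -e "$tf" ]; then
        printf '%s\n' "$d"
        break
      fi
    done
  done | sort -u
}

# run_terrascan_hook ARG... -- FILE...
# Everything before "--" is forwarded to every terrascan invocation (all of ARGS,
# not just ARGS[0]); everything after it is the list of changed files pre-commit
# hands to the hook. Returns the highest exit code seen across directories, so a
# violation in any one directory fails the whole hook.
run_terrascan_hook() {
  local -a args=() files=()
  local seen_sep=0 arg
  for arg in "$@"; do
    if [ "$seen_sep" -eq 0 ] && [ "$arg" = "--" ]; then
      seen_sep=1
    elif [ "$seen_sep" -eq 0 ]; then
      args+=("$arg")
    else
      files+=("$arg")
    fi
  done

  local rc=0 dir_rc dir
  # Read the directory list line by line (not word-split) so "with space/" is
  # one directory; process substitution keeps the loop in this shell so rc
  # survives after the loop.
  while IFS= read -r dir; do
    if terrascan scan -d "$dir" "${args[@]}"; then
      dir_rc=0
    else
      dir_rc=$?
    fi
    if [ "$dir_rc" -gt "$rc" ]; then
      rc=$dir_rc
    fi
  done < <(tf_dirs "${files[@]}")
  return "$rc"
}
```

From a pre-commit hook the call is `run_terrascan_hook "${ARGS[@]}" -- "${FILES[@]}"`; the hook's exit status is then the aggregated one.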