diff --git a/.dockerignore b/.dockerignore index e57569568..2c7b3950b 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,5 +1,8 @@ * !.dockerignore !Dockerfile +!hooks/*.sh +!lib_getopt +!src/ !tools/entrypoint.sh !tools/install/*.sh diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml index cba0d4246..b5abb0e41 100644 --- a/.github/workflows/build-image-test.yaml +++ b/.github/workflows/build-image-test.yaml @@ -18,17 +18,23 @@ jobs: strategy: matrix: - arch: - - amd64 - - arm64 include: - os-name: Ubuntu x64 os: ubuntu-latest arch: amd64 - + dockerfile: Dockerfile - os-name: Ubuntu ARM os: ubuntu-24.04-arm arch: arm64 + dockerfile: Dockerfile + - os-name: Ubuntu x64 (tools) + os: ubuntu-latest + arch: amd64 + dockerfile: Dockerfile.tools + - os-name: Ubuntu ARM (tools) + os: ubuntu-24.04-arm + arch: arm64 + dockerfile: Dockerfile.tools name: ${{ matrix.os-name }} runs-on: ${{ matrix.os }} @@ -45,27 +51,29 @@ jobs: files: | .dockerignore .github/workflows/build-image-test.yaml - Dockerfile + ${{ matrix.dockerfile }} tools/entrypoint.sh tools/install/*.sh - name: Set IMAGE environment variable if: steps.changed-files-specific.outputs.any_changed == 'true' - # Lowercase the org/repo name to allow for workflow to run in forks, - # which owners have uppercase letters in username - run: >- - echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}:${{ env.IMAGE_TAG }}" - >> $GITHUB_ENV + run: | + if [[ "${{ matrix.dockerfile }}" == "Dockerfile" ]]; then + echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}:${{ env.IMAGE_TAG }}" >> $GITHUB_ENV + else + echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}:${{ env.IMAGE_TAG }}-tools" >> $GITHUB_ENV + fi - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 if: steps.changed-files-specific.outputs.any_changed == 'true' - - name: Build if Dockerfile changed + - name: Build if "${{ matrix.dockerfile }}" changed if: steps.changed-files-specific.outputs.any_changed == 'true' uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . + file: ${{ matrix.dockerfile }} build-args: | INSTALL_ALL=true push: false @@ -98,8 +106,7 @@ jobs: IMAGE_NAME: ${{ env.IMAGE }} run: >- container-structure-test test - --config ${{ github.workspace - }}/.github/.container-structure-test-config.yaml + --config ${{ github.workspace }}/.github/.container-structure-test-config.yaml --image "${IMAGE_NAME}" - name: Dive - check image for waste files @@ -112,8 +119,9 @@ jobs: # Can't build both platforms and use --load at the same time # https://github.com/docker/buildx/issues/59#issuecomment-1433097926 - - name: Build Multi-arch docker-image - if: >- + # Build Multi-arch docker-image + - name: Build Multi-arch "${{ matrix.dockerfile }}" + if: > steps.changed-files-specific.outputs.any_changed == 'true' && matrix.os == 'ubuntu-latest' uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 @@ -128,3 +136,17 @@ jobs: provenance: false secrets: | "github_token=${{ secrets.GITHUB_TOKEN }}" + + # Only run smoke tests for the tools image + - name: Smoke test tools image + if: > + steps.changed-files-specific.outputs.any_changed == 'true' + && matrix.os == 'ubuntu-latest' + && matrix.dockerfile == 'Dockerfile.tools' + env: + TOOLS_IMAGE: ${{ env.IMAGE }} + run: | + echo "Testing tools image: $TOOLS_IMAGE" + docker run --rm "$TOOLS_IMAGE" terraform --version + docker run --rm "$TOOLS_IMAGE" terraform-docs --version + docker run --rm "$TOOLS_IMAGE" tflint --version diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 53530320c..321b7f50a 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -2,22 +2,35 @@ name: Publish container image on: workflow_dispatch: + push: + paths: + - .github/workflows/build-image.yaml + - Dockerfile* release: types: - created schedule: - cron: 00 00 * * * -permissions: - contents: read +env: + REGISTRY: ghcr.io jobs: docker: + runs-on: ubuntu-latest permissions: - # for docker/build-push-action to publish docker image + contents: read packages: write - - runs-on: ubuntu-latest + attestations: write + id-token: write + strategy: + fail-fast: false + matrix: + include: + - dockerfile: Dockerfile + image_name: ${{ github.repository }} + - dockerfile: Dockerfile.tools + image_name: ${{ github.repository }}-tools steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -26,60 +39,120 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - name: Login to GitHub Container Registry uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: - registry: ghcr.io - username: ${{ github.repository_owner }} + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Set tag for image - env: - REF_TYPE: ${{ github.ref_type }} - REF_NAME: ${{ github.ref_name }} - run: >- - echo IMAGE_TAG=$( - [ $REF_TYPE == 'tag' ] - && echo $REF_NAME - || echo 'latest' - ) >> $GITHUB_ENV - - - name: Set IMAGE_REPO environment variable - # Lowercase the org/repo name to allow for workflow to run in forks, - # which owners have uppercase letters in username - run: >- - echo "IMAGE_REPO=ghcr.io/${GITHUB_REPOSITORY@L}" >> $GITHUB_ENV - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Build and Push release - if: github.event_name != 'schedule' - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f with: - context: . - build-args: | - INSTALL_ALL=true - platforms: linux/amd64,linux/arm64 - push: true + images: ${{ env.REGISTRY }}/${{ matrix.image_name }} tags: | - ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }} - ${{ env.IMAGE_REPO }}:latest - # Fix multi-platform: https://github.com/docker/buildx/issues/1533 - provenance: false - secrets: | - "github_token=${{ secrets.GITHUB_TOKEN }}" + type=ref,event=branch + type=ref,event=pr + type=sha + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} + type=raw,value=${{ github.ref_name }},enable=${{ github.ref_type == 'tag' }} + type=raw,value=nightly,enable=${{ github.event_name == 'schedule' }} - - name: Build and Push nightly - if: github.event_name == 'schedule' + - name: Build and Push release uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . + file: ${{ matrix.dockerfile }} build-args: | INSTALL_ALL=true platforms: linux/amd64,linux/arm64 push: true - tags: | - ${{ env.IMAGE_REPO }}:nightly + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} # Fix multi-platform: https://github.com/docker/buildx/issues/1533 provenance: false - secrets: | - "github_token=${{ secrets.GITHUB_TOKEN }}" + + - name: Test tools image + if: matrix.dockerfile == 'Dockerfile.tools' && github.event_name != 'schedule' + env: + IMAGE_TAGS: ${{ steps.meta.outputs.tags }} + run: | + set -euo pipefail + IMAGE_TAG=$(echo "$IMAGE_TAGS" | head -n1) + echo "Testing tools image: $IMAGE_TAG" + + # Version checks + docker run --rm "$IMAGE_TAG" terraform --version + docker run --rm "$IMAGE_TAG" terraform-docs --version + docker run --rm "$IMAGE_TAG" tflint --version + + # Optional extra versions (quick smoke) + docker run --rm "$IMAGE_TAG" checkov --version || true + docker run --rm "$IMAGE_TAG" trivy --version || true + + # Create a minimal, self-contained Terraform module for functional tests + TMP_DIR="$(mktemp -d)" + trap 'rm -rf "$TMP_DIR"' EXIT + cat > "$TMP_DIR/main.tf" << 'EOF' + terraform { + required_version = ">= 1.3.0" + } + variable "example_var" { + description = "An example variable" + type = string + default = "test" + } + output "example_output" { + description = "An example output" + value = var.example_var + } + EOF + echo "# Test Module" > "$TMP_DIR/README.md" + + echo "Testing terraform fmt..." + + docker run --rm \ + -v "$TMP_DIR:/workspace" \ + -w /workspace \ + "$IMAGE_TAG" \ + terraform fmt -check -diff + + echo "Testing terraform init/validate..." + + docker run --rm \ + -v "$TMP_DIR:/workspace" \ + -w /workspace \ + "$IMAGE_TAG" \ + terraform init -backend=false + + docker run --rm \ + -v "$TMP_DIR:/workspace" \ + -w /workspace \ + "$IMAGE_TAG" \ + terraform validate + + echo "Testing terraform-docs..." + + docker run --rm \ + -v "$TMP_DIR:/workspace" \ + -w /workspace \ + "$IMAGE_TAG" \ + terraform-docs markdown table . --output-file README.md + + echo "Testing tflint..." + + docker run --rm \ + -v "$TMP_DIR:/workspace" \ + -w /workspace \ + "$IMAGE_TAG" \ + tflint --init + + docker run --rm \ + -v "$TMP_DIR:/workspace" \ + -w /workspace \ + "$IMAGE_TAG" \ + tflint + + echo "All functional tests passed!" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c99fd3674..186dd848c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -14,6 +14,7 @@ name: CodeQL on: push: branches: + - main - master merge_group: pull_request: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 63498c9df..d75a081e0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,8 +4,10 @@ on: workflow_dispatch: push: branches: + - main - master paths: + - .github/workflows/release.yml - '**/*.py' - '**/*.sh' - Dockerfile @@ -46,4 +48,4 @@ jobs: # Custom token for triggering Docker image build GH Workflow on release # created by cycjimmy/semantic-release-action. Events created by # workflows with default GITHUB_TOKEN not trigger other GH Workflow. - GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index bb901e8f8..a110c8ba7 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -13,6 +13,7 @@ on: - cron: 20 7 * * 2 push: branches: + - main - master # Declare default permissions as read only. diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index f99971ee5..3aadc0af4 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml @@ -18,6 +18,17 @@ files: \.(tf|tofu|tfvars|tftest\.hcl|tfmock\.hcl)$ exclude: \.terraform/.*$ +- id: terraform_fmt_docker + name: Terraform fmt + description: >- + Rewrites all Terraform configuration files to a canonical format using Docker. + # TODO: There will be ghcr.io/antonbabenko/pre-commit-terraform:latest. + # TODO: pre-commit-terraform:latest is build locally from this branch + entry: --entrypoint terraform_fmt.sh pre-commit-terraform:latest + language: docker_image + files: \.(tf|tofu|tfvars|tftest\.hcl|tfmock\.hcl)$ + exclude: \.terraform/.*$ + - id: terraform_docs name: Terraform docs description: >- @@ -178,3 +189,97 @@ - --args=terraform files: \.(tf|tofu)$ require_serial: true + +# Docker-based versions of hooks (non-breaking additions) +- id: terraform_validate_docker + name: Terraform validate (Docker) + description: >- + Validates all Terraform configuration files using Docker. + Automatically runs 'terraform init' and retries validation if provider/module + errors are detected. + NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml + if running on pre-commit.ci or other environments without Docker. + require_serial: true + entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest + language: docker_image + args: + - /usr/bin/hooks/terraform_validate.sh + - --hook-config=--retry-once-with-cleanup=true + - --hook-config=--parallelism-ci-cpu-cores=2 + - -- + - . + pass_filenames: false + files: \.(tf|tofu|tfvars|terraform\.lock\.hcl)$ + exclude: \.terraform/.*$ + +- id: terraform_tflint_docker + name: Terraform validate with tflint (Docker) + description: >- + Validates all Terraform configuration files with TFLint using Docker. + NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml + if running on pre-commit.ci or other environments without Docker. + require_serial: true + entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest + language: docker_image + args: [tflint, --chdir=.] + pass_filenames: false + files: \.(tf|tofu|tfvars)$ + exclude: \.terraform/.*$ + +- id: terraform_docs_docker + name: Terraform docs (Docker) + description: >- + Inserts input and output documentation into README.md using Docker. + NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml + if running on pre-commit.ci or other environments without Docker. + require_serial: true + entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest + language: docker_image + args: [terraform-docs, markdown, table, ., --output-file, README.md] + pass_filenames: false + files: \.(tf|tofu|terraform\.lock\.hcl)$ + exclude: \.terraform/.*$ + +- id: terraform_checkov_docker + name: Checkov (Docker) + description: >- + Runs checkov on Terraform templates using Docker. + NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml + if running on pre-commit.ci or other environments without Docker. + entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest + language: docker_image + args: [checkov, -d, .] + pass_filenames: false + always_run: false + files: \.(tf|tofu)$ + exclude: \.terraform/.*$ + require_serial: true + +- id: terraform_trivy_docker + name: Terraform validate with trivy (Docker) + description: >- + Static analysis of Terraform templates to spot potential security issues + using Docker. + NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml + if running on pre-commit.ci or other environments without Docker. + require_serial: true + entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest + language: docker_image + args: [trivy, config, .] + pass_filenames: false + files: \.(tf|tofu|tfvars)$ + exclude: \.terraform/.*$ + +- id: infracost_breakdown_docker + name: Infracost breakdown (Docker) + description: >- + Check terraform infrastructure cost using Docker. + NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml + if running on pre-commit.ci or other environments without Docker. + entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest + language: docker_image + args: [infracost, breakdown, --path, .] + pass_filenames: false + require_serial: true + files: \.(tf|tofu|tfvars|hcl)$ + exclude: \.terraform/.*$ diff --git a/Dockerfile b/Dockerfile index ac7c92676..a74531ec5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,7 +23,7 @@ COPY tools/install/ /install/ ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest} RUN touch /.env && \ if [ "$PRE_COMMIT_VERSION" = "false" ]; then \ - echo "Vital software can't be skipped" && exit 1; \ + echo "ERROR: PRE_COMMIT_VERSION cannot be 'false' - pre-commit is required" >&2 && exit 1; \ fi RUN /install/pre-commit.sh @@ -136,10 +136,10 @@ COPY --from=builder /usr/local/lib/python3.12/site-packages/ /usr/local/lib/pyth COPY --from=builder /root/ /root/ # Install hooks extra deps -RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \ +RUN if ! grep -q '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info; then \ apk add --no-cache perl=~5 \ ; fi && \ - if [ "$(grep -o '^infracost SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \ + if ! grep -q '^infracost SKIPPED$' /usr/bin/tools_versions_info; then \ apk add --no-cache jq=~1 \ ; fi && \ # Fix git runtime fatal: @@ -148,6 +148,11 @@ RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = COPY tools/entrypoint.sh /entrypoint.sh +# Copy hook scripts for Docker-based hooks +COPY hooks/ /usr/local/bin/ +COPY lib_getopt /usr/local/ +COPY src/pre_commit_terraform/ /usr/local/lib/python3.12/site-packages/pre_commit_terraform/ + ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always} ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-} diff --git a/README.md b/README.md index 3aad1e698..90d0e0e3a 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,7 @@ If you want to support the development of `pre-commit-terraform` and [many other * [3. Add configs and hooks](#3-add-configs-and-hooks) * [4. Run](#4-run) * [Available Hooks](#available-hooks) + * [Docker-based hooks (no local tool installation required)](#docker-based-hooks-no-local-tool-installation-required) * [Hooks usage notes and examples](#hooks-usage-notes-and-examples) * [Known limitations](#known-limitations) * [All hooks: Usage of environment variables in `--args`](#all-hooks-usage-of-environment-variables-in---args) @@ -93,7 +94,7 @@ TAG=latest docker pull ghcr.io/antonbabenko/pre-commit-terraform:$TAG ``` -All available tags [here](https://github.com/antonbabenko/pre-commit-terraform/pkgs/container/pre-commit-terraform/versions). +All tags are [available on GitHub Container Registry](https://github.com/antonbabenko/pre-commit-terraform/pkgs/container/pre-commit-terraform/versions). Check [About Docker image security](#about-docker-image-security) section to learn more about possible security issues and why you probably want to build and maintain your own image. @@ -340,6 +341,66 @@ There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blob/master/.pre-commit-hooks.yaml) to know arguments used for each hook. +### Docker-based hooks (no local tool installation required) + +For users who prefer not to install tools locally, Docker-based versions are +available for most hooks. These hooks use a Docker image with all tools +pre-installed and provide the same functionality as their script-based +counterparts. + +> [!NOTE] +> These hooks run inside the Docker image defined by the hook itself. By default, it set to +`entry: ghcr.io/antonbabenko/pre-commit-terraform:latest` which is **NOT WHAT WE WANT**. Better to figure out how to pin it # TODO + + +| Docker Hook ID | Equivalent Script Hook | Description | +| --------------------------------- | ---------------------- | --------------------------------------------------------------- | +| `terraform_fmt_docker` | `terraform_fmt` | Reformat Terraform files using Docker | +| `terraform_validate_docker` | `terraform_validate` | Validate Terraform configuration using Docker | +| `terraform_docs_docker` | `terraform_docs` | Generate documentation using Docker | +| `terraform_tflint_docker` | `terraform_tflint` | Lint Terraform files with TFLint using Docker | +| `terraform_checkov_docker` | `terraform_checkov` | Security analysis with Checkov using Docker | +| `terraform_trivy_docker` | `terraform_trivy` | Security analysis with Trivy using Docker | +| `infracost_breakdown_docker` | `infracost_breakdown` | Infrastructure cost analysis using Docker | + + +**Benefits of Docker hooks:** + +* No need to install individual tools on your local machine +* Consistent tool versions across all environments +* Faster CI/CD execution (tools are pre-installed in the image) +* Simplified dependency management + +**Requirements and limitations:** + +* Docker must be installed and accessible. +* pre-commit.ci runners do not support Docker; skip these hooks there for now. + * Note: pre-commit (the framework) supports Docker hooks; pre-commit.ci may add Docker support in the future. +* You can still use Docker-based hooks in CI/CD (e.g., GitHub Actions, GitLab CI) by running `pre-commit run --all-files` (or `pre-commit run -a`) on runners where Docker is available. This enforces the same checks in CI as locally, even if pre-commit.ci doesn’t support Docker yet. + +**Skipping Docker hooks on pre-commit.ci:** + +If you use pre-commit.ci, add this to your `.pre-commit-config.yaml`: + +```yaml +ci: + skip: [terraform_fmt_docker, terraform_validate_docker, terraform_tflint_docker, terraform_docs_docker, terraform_checkov_docker, terraform_trivy_docker, infracost_breakdown_docker] +``` + +**Example usage:** + +```yaml +repos: +- repo: https://github.com/antonbabenko/pre-commit-terraform + rev: + hooks: + - id: terraform_fmt_docker + - id: terraform_validate_docker + - id: terraform_docs_docker +``` + +See `examples/.pre-commit-config-docker.yaml` for a complete example configuration. + ## Hooks usage notes and examples ### Known limitations @@ -374,8 +435,9 @@ You can specify environment variables that will be passed to the hook at runtime > [!IMPORTANT] > Variable values are exported _verbatim_: -> - No interpolation or expansion are applied -> - The enclosing double quotes are removed if they are provided +> +> * No interpolation or expansion is applied +> * The enclosing double quotes are removed if they are provided Config example: @@ -487,7 +549,7 @@ Note that `terraform_checkov` runs recursively during `-d .` usage. That means, - --args=--skip-check CKV2_AWS_8 ``` - Check all available arguments [here](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html). + Check all available arguments in the [Checkov CLI Command Reference](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html). For deprecated hook you need to specify each argument separately: @@ -1219,7 +1281,7 @@ The [recommended command](#4-run) to run the Docker container is: ```bash TAG=latest -docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a +docker run --rm -e "USERID=$(id -u):$(id -g)" -v "$(pwd):/lint" -w "/lint" "ghcr.io/antonbabenko/pre-commit-terraform:$TAG" run -a ``` which uses your current session's user ID and group ID to set the variable in the run command. Without this setting, you may find files and directories owned by `root` in your local repository. @@ -1293,7 +1355,7 @@ jobs: run: shell: bash steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} diff --git a/examples/.pre-commit-config-docker.yaml b/examples/.pre-commit-config-docker.yaml new file mode 100644 index 000000000..a196551af --- /dev/null +++ b/examples/.pre-commit-config-docker.yaml @@ -0,0 +1,57 @@ +# Example .pre-commit-config.yaml for using Docker-based hooks +# This configuration uses Docker containers instead of requiring local tool installation + +# Skip Docker hooks on pre-commit.ci (which doesn't support Docker) +ci: + skip: + - terraform_fmt_docker + - terraform_validate_docker + - terraform_tflint_docker + - terraform_docs_docker + - terraform_checkov_docker + - terraform_trivy_docker + - infracost_breakdown_docker + +repos: +- repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.96.1 # Use a stable release version + hooks: + # Option 1: Use Docker-based hooks (no local tool installation required) + # These require the pre-commit-terraform-tools Docker image + - id: terraform_fmt_docker + - id: terraform_validate_docker + - id: terraform_docs_docker + - id: terraform_checkov_docker + - id: terraform_trivy_docker + - id: terraform_tflint_docker + - id: infracost_breakdown_docker # Requires INFRACOST_API_KEY + + # Option 2: Use traditional script-based hooks (requires local tools) + # Uncomment these if you have terraform, tflint, etc. installed locally + # - id: terraform_fmt + # - id: terraform_validate + # - id: terraform_docs + # - id: terraform_tflint + # - id: terraform_checkov + +# You can also mix both approaches: +# Use Docker hooks for tools you don't have installed locally, +# and script hooks for tools you do have locally + +# Docker hooks advantages: +# ✅ No need to install tools locally (terraform, tflint, checkov, etc.) +# ✅ Consistent tool versions across team members +# ✅ Isolated environment prevents dependency conflicts +# ✅ Works on any system with Docker installed + +# Docker hooks considerations: +# ⚠️ Requires Docker to be installed and accessible +# ⚠️ Slightly slower due to container startup overhead +# ⚠️ May require proper Docker permissions setup +# ⚠️ Need to ensure Docker image is available (pull or build) + +# Build the tools image locally with: +# docker build -f Dockerfile.tools -t ghcr.io/antonbabenko/pre-commit-terraform-tools:latest . + +# Or use the pre-built image once published: +# docker pull ghcr.io/antonbabenko/pre-commit-terraform-tools:latest