Run pre-commit in CI

dominodatalab · Jan 3, 2023 · 64e79c9 · 64e79c9
1 parent 00508df
commit 64e79c9
Show file tree

Hide file tree

Showing 13 changed files with 106 additions and 22 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,27 +1,47 @@
-version: "2.1"
+version: 2.1
 
 orbs:
   terraform: circleci/terraform@3.2.0
 
 jobs:
-  build:
+  pre-commit:
+    docker:
+      - image: cimg/python:3.11.1
+    parameters:
+      terraform_version:
+        type: string
+
+    steps:
+      - checkout
+
+      - terraform/install:
+          terraform_version: <<parameters.terraform_version>>
+      - run:
+          name: pre-commit
+          command: |
+            curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
+            curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
+            curl -L https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz | tar -C /tmp -xzf - && chmod +x /tmp/terraform-docs && sudo mv /tmp/terraform-docs /usr/local/bin
+            pip3 install checkov pre-commit
+            SKIP=no-commit-to-branch,circleci-validate pre-commit run --all-files
+
+  test:
     docker:
       - image: cimg/aws:2022.11
     parameters:
       workspace:
         type: string
         default: circleci-<< pipeline.number >>
+      terraform_version:
+        type: string
     environment:
       WORKSPACE: << parameters.workspace >>
 
     steps:
       - checkout
 
       - terraform/install:
-          terraform_version: '1.3.6'
-
-      - terraform/fmt:
-          path: .
+          terraform_version: <<parameters.terraform_version>>
 
       - run:
           name: Configure test cluster env
@@ -54,3 +74,18 @@ jobs:
           command: |
             terraform workspace select default
             terraform workspace delete ${WORKSPACE}
+
+parameters:
+  terraform_version:
+    default: "1.3.6"
+    type: string
+
+workflows:
+  build:
+    jobs:
+      - pre-commit:
+          terraform_version: << pipeline.parameters.terraform_version >>
+      - test:
+          terraform_version: << pipeline.parameters.terraform_version >>
+          requires:
+            - pre-commit
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -12,21 +12,20 @@ repos:
     -   id: circleci-validate
         args: [--org-slug, github/cerebrotech]
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.75.0
+    rev: v1.77.0
     hooks:
       - id: terraform_providers_lock
         args:
          - --tf-init-args=-upgrade
-      - id: terraform_fmt
-      - id: terraform_validate
       - id: terraform_docs
         args:
+          - '--args=--lockfile=false'
           - '--hook-config=--path-to-file=README.md'
           - '--hook-config=--add-to-existing-file=true'
           - '--hook-config=--create-file-if-not-exist=true'
           - '--hook-config=--recursive.enabled=true'
           - '--hook-config=--recursive.path=submodules'
-          - '--hook-config=--lockfile=false'
+      - id: terraform_fmt
       - id: terraform_tflint
         args:
           - '--args=--config=__GIT_WORKING_DIR__/.tflint.hcl'
@@ -46,6 +45,11 @@ repos:
           - '--args=--enable-rule=aws_iam_policy_document_gov_friendly_arns'
           - '--args=--enable-rule=aws_iam_policy_gov_friendly_arns'
           - '--args=--enable-rule=aws_iam_role_policy_gov_friendly_arns'
+      - id: terraform_checkov
+        args:
+          - '--args=--compact'
+          - '--args=--quiet'
+          - '--args=--skip-check CKV_CIRCLECIPIPELINES_2,CKV_CIRCLECIPIPELINES_6,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_6,CKV_AWS_109,CKV_AWS_111,CKV_AWS_135,CKV_AWS_144,CKV_AWS_145,CKV_AWS_158,CKV_AWS_18,CKV_AWS_184,CKV_AWS_19,CKV_AWS_21,CKV_AWS_66,CKV_AWS_88'
       # - id: terrascan # Skipping until they update lifecycle block; Data resources do not have lifecycle settings, so a lifecycle block is not allowed.
         # args:
         #   - '--args=--non-recursive'

diff --git a/.tflint.hcl b/.tflint.hcl
@@ -1,6 +1,6 @@
 plugin "aws" {
     enabled = true
     deep_check = true
-    version = "0.21.0"
+    version = "0.21.1"
     source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
diff --git a/README.md b/README.md
@@ -76,8 +76,8 @@ aws s3 rb s3://"${AWS_TERRAFORM_REMOTE_STATE_BUCKET}" --force
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.40.0 |
-| <a name="provider_tls"></a> [tls](#provider\_tls) | 4.0.4 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | >= 3.4.0 |
 
 ## Modules
 

diff --git a/iam-bootstrap/README.md b/iam-bootstrap/README.md
@@ -0,0 +1,45 @@
+# iam-bootstrap
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_caller_identity.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_deploy_id"></a> [deploy\_id](#input\_deploy\_id) | Domino Deployment ID | `string` | n/a | yes |
+| <a name="input_iam_policy_paths"></a> [iam\_policy\_paths](#input\_iam\_policy\_paths) | IAM policies to provision and use for deployment role, can be terraform templates | `list(any)` | `[]` | no |
+| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration for role in seconds | `number` | `43200` | no |
+| <a name="input_region"></a> [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
+| <a name="input_template_config"></a> [template\_config](#input\_template\_config) | Variables to use for any templating in the IAM policies. AWS account ID (as 'account\_id'), deploy\_id, region and partition are automatically included. | `map(any)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | ARN of bootstrap role |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/iam-bootstrap/iam.tf → iam-bootstrap/main.tf b/iam-bootstrap/iam.tf → iam-bootstrap/main.tf
diff --git a/iam-bootstrap/variables.tf b/iam-bootstrap/variables.tf
@@ -20,7 +20,7 @@ variable "iam_policy_paths" {
 }
 
 variable "template_config" {
-  type        = map
+  type        = map(any)
   description = "Variables to use for any templating in the IAM policies. AWS account ID (as 'account_id'), deploy_id, region and partition are automatically included."
   default     = {}
 }

diff --git a/submodules/bastion/README.md b/submodules/bastion/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.32.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
 
 ## Modules
 

diff --git a/submodules/eks/README.md b/submodules/eks/README.md
@@ -13,8 +13,8 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.32.0 |
-| <a name="provider_null"></a> [null](#provider\_null) | 3.1.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | >= 3.1.0 |
 
 ## Modules
 

diff --git a/submodules/k8s/README.md b/submodules/k8s/README.md
@@ -14,8 +14,8 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_local"></a> [local](#provider\_local) | 2.2.3 |
-| <a name="provider_null"></a> [null](#provider\_null) | 3.1.1 |
+| <a name="provider_local"></a> [local](#provider\_local) | >= 2.2.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | >= 3.1.0 |
 
 ## Modules
 

diff --git a/submodules/network/README.md b/submodules/network/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.32.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
 
 ## Modules
 

diff --git a/submodules/storage/README.md b/submodules/storage/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.32.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
 
 ## Modules
 

diff --git a/tests/README.md b/tests/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws.local"></a> [aws.local](#provider\_aws.local) | 4.40.0 |
+| <a name="provider_aws.local"></a> [aws.local](#provider\_aws.local) | >= 4.0 |
 
 ## Modules