chore: synced file(s) with honestbank/.github

honestbank · Sep 5, 2024 · fa59550 · fa59550
1 parent de961b7
commit fa59550
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 27 deletions.
diff --git a/.checkov.yaml b/.checkov.yaml
@@ -1,12 +1,14 @@
 compact: true
 directory:
-- .
+  - .
 download-external-modules: true
 evaluate-variables: true
 external-modules-download-path: .external_modules
 framework:
-- all
+  - all
 quiet: true
 skip-path:
   - .external_modules
   - modules
+  - catalog-info.yml
+baseline: .checkov.baseline
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -8,25 +8,63 @@ repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.6.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
     hooks:
-      - id: trailing-whitespace
-      - id: end-of-file-fixer
       - id: check-yaml
+        args: ["--allow-multiple-documents"]
       - id: check-added-large-files
+      - id: detect-aws-credentials
+        args: ["--allow-missing-credentials"]
+  - repo: local
+    hooks:
+      - id: create-checkov-baseline
+        name: Create Checkov Baseline
+        entry: bash -c 'if [ ! -f .checkov.baseline ]; then echo "{}" > .checkov.baseline && touch baseline-created; fi'
+        language: system
+        stages: [commit]
+        pass_filenames: false
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.92.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.94.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
-      - id: terraform_docs
       - id: terraform_validate
-        exclude: (test/|examples/)
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+          - --tf-init-args=-upgrade
       - id: terraform_tfsec
-        exclude: (test/|examples/)
+        exclude: "test/"
+        args:
+          - --args=--exclude-downloaded-modules
       - id: terraform_checkov
-        exclude: (test/|examples/)
+        exclude: "test/"
+        args:
+          - --args=--config-file __GIT_WORKING_DIR__/.checkov.yaml --baseline __GIT_WORKING_DIR__/.checkov.baseline
+  - repo: local
+    hooks:
+      - id: delete-checkov-baseline
+        name: Delete Checkov Baseline
+        entry: bash -c 'if [ -f baseline-created ]; then rm .checkov.baseline && rm baseline-created; fi'
+        language: system
+        stages: [commit]
+        pass_filenames: false
   - repo: https://github.com/gitguardian/ggshield
-    rev: v1.29.0 # Update to latest version by running `pre-commit autoupdate`
+    rev: v1.31.0
     hooks:
       - id: ggshield
         language: python
         stages: [commit]
-        args: [ 'secret', 'scan', 'pre-commit' ]
+        args: ["secret", "scan", "pre-commit"]
+  - repo: local
+    hooks:
+      - id: docs
+        name: docs
+        entry: make
+        args: ["docs"]
+        language: system
+        pass_filenames: false
+  # Run this at the end so that we don't end up in infinite loop
+  # where the end of line fixer runs first and then the docs and fmt
+  # and other hooks that modify files will break it again.
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
diff --git a/Makefile b/Makefile
@@ -1,23 +1,19 @@
-lint:
-	terraform fmt --recursive
-
-validate: lint
-	cd examples/create_mysql_instance_with_public_ip/; terraform init --upgrade; terraform validate
-	cd examples/create_mysql_instance_with_private_ip/; terraform init --upgrade; terraform validate
-	cd examples/mysql_instance_with_read_replica/; terraform init --upgrade; terraform validate
-	cd examples/postgres_instance_with_read_replica/; terraform init --upgrade; terraform validate
+commit: docs validate
 
 docs:
 	terraform-docs --lockfile=false -c .terraform-docs.yml .
-	cd examples/create_mysql_instance_with_public_ip/; terraform-docs --lockfile=false markdown . --output-file README.md --output-mode inject
-	cd examples/create_mysql_instance_with_private_ip/; terraform-docs --lockfile=false markdown . --output-file README.md --output-mode inject
-	cd examples/mysql_instance_with_read_replica/; terraform-docs --lockfile=false markdown . --output-file README.md --output-mode inject
-	cd examples/postgres_instance_with_read_replica/; terraform-docs --lockfile=false markdown . --output-file README.md --output-mode inject
 
-commit: docs validate
+init:
+	git submodule update --init --recursive
+	terraform init -upgrade
 
-apply_and_destroy:
-	 terraform apply -auto-approve && terraform apply -auto-approve -destroy
+lint:
+	terraform fmt --recursive
 
 tests:
-	cd test; go clean -testcache; ./test.sh
+# Super long timeout since this Makefile will be used in various repositories
+	cd test; go clean -testcache; go test -v -timeout 60m
+
+validate: lint
+	terraform init --upgrade
+	terraform validate