
Easier execution via docker image

Open mtsulek opened this issue 1 year ago • 5 comments

Hello,

I am trying to implement pre-commit-terraform tflint, fmt and checkov, but I am facing issues when trying to execute it with everything running in a docker image.

To be a bit more specific, I just built an image with the dependencies and created the .git/hooks/pre-push script manually:

```dockerfile
# Dockerfile
(...)
WORKDIR /pre-commit
CMD ["pre-commit", "run", "--hook-stage", "push"]
```

```bash
# .git/hooks/pre-push
(...)
docker run -t -v "$(pwd)":/pre-commit --name "$NAME" my-image:latest
```

This is how my .pre-commit-config.yaml looks:

```yaml
# .pre-commit-config.yaml
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.70.0
  hooks:
    - id: terraform_tflint
      stages:
        - push
    - id: terraform_checkov
      stages:
        - push
```

Surprisingly, this works very well when trying the same solution for the commit stage, but it sees no diff when it is set to push and always gets "skipped". I saw there is a dedicated docker image, but if I am correct there is no easy way to do the same in .pre-commit-config.yaml via the docker image to get rid of the dependencies.

How could pre-commit-terraform help solve your problem?

It would be great to have the possibility of hooks preconfigured with a docker image, and to just run the following without worrying about dependencies:

```yaml
# .pre-commit-config.yaml
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.70.0
  hooks:
    - id: terraform_tflint_docker
    - id: terraform_checkov_docker
```

mtsulek avatar Jul 21 '22 10:07 mtsulek

> but it sees no diff when it is set to push and always gets "skipped".

That is expected, because there is no git diff at the pre-push stage. And the following is redundant:

```yaml
        stages:
          - push
```

https://pre-commit.com/#hooks-stages

You need to manually detect the changed files (GHA example) if you'd like to run pre-commit only on those files; otherwise, use `pre-commit run -a`.


> It would be great to have the possibility of hooks preconfigured with a docker image, and to just run the following without worrying about dependencies:

That can already be done via

```bash
TAG=latest
docker run -v "$(pwd)":/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run
```

or, if you need specific versions, use `--build-arg`s as specified in "1. Install dependencies -> Docker".

Also, it should not be a problem to create a shell or git alias to run the needed docker run command.

Running all that stuff as many separate containers will slow down hook execution compared to using an OS-native env; different teams prefer to use different versions of each tool (and sometimes of their dependencies), so doing what you ask well (and w/o big maintenance effort) will need some time.

Anyway, glad to review your PR that will implement that.

P.S. That may resolve #397 as not needed, if anyone with a Mac switches to docker.

MaxymVlasov avatar Aug 02 '22 14:08 MaxymVlasov

> ```yaml
> # .pre-commit-config.yaml
> repos:
> - repo: https://github.com/antonbabenko/pre-commit-terraform
>   rev: v1.70.0
>   hooks:
>     - id: terraform_tflint_docker
>     - id: terraform_checkov_docker
> ```

I would also love to have the above functionality and not have to install any dependencies in my CI/CD pipeline.

Below is a list of repos that already offer pre-commit hooks using Docker:

  • https://github.com/igorshubovych/markdownlint-cli/blob/master/.pre-commit-hooks.yaml#L15
  • https://github.com/igorshubovych/markdownlint-cli/blob/master/.pre-commit-hooks.yaml#L22
  • https://github.com/zricethezav/gitleaks/blob/master/.pre-commit-hooks.yaml#L7

karvounis avatar Aug 27 '22 11:08 karvounis

Note: TF_PLUGIN_CACHE_DIR should be exported and set inside most hooks. That may be related to other envs too.

Also, in the case of TF_PLUGIN_CACHE_DIR usage, terraform init will need to run inside the container OR the cache must be mounted at the same path that is used outside. That requires the right symlinks to the cached dir in .terraform, if .terraform was generated outside the image.

Example

on the host machine:

```bash
➜ pwd
/home/vm/code/Oslo/modules/aws-environment/.terraform/providers/registry.terraform.io/hashicorp/random/3.4.3

➜ ls -lah
lrwxrwxrwx 1 vm vm   91 Oct  3 17:59 linux_amd64 -> /home/vm/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/random/3.4.3/linux_amd64
```

in the container:

```bash
bash-5.1# pwd
/lint/modules/aws-environment/.terraform/providers/registry.terraform.io/hashicorp/random/3.4.3
bash-5.1# ls -lah
lrwxrwxrwx    1 root     root          68 Oct  3 14:55 linux_amd64 -> /tf_plugins/registry.terraform.io/hashicorp/random/3.4.3/linux_amd64
```

So, the working command is

```bash
TAG=latest
docker run \
    -e "USERID=$(id -u):$(id -g)" \
    -v "$TF_PLUGIN_CACHE_DIR:$TF_PLUGIN_CACHE_DIR" -e TF_PLUGIN_CACHE_DIR="$TF_PLUGIN_CACHE_DIR" \
    -v "$(pwd)":/lint -w /lint \
    ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a
```

MaxymVlasov avatar Oct 03 '22 15:10 MaxymVlasov
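An added example, not code from this thread or from the pre-commit-terraform project, that wraps the docker run command above in a hook script and first checks the provider symlinks under .terraform: only $TF_PLUGIN_CACHE_DIR and the working tree are bind-mounted at the same paths inside the container, so any symlink pointing elsewhere (e.g. one produced by a host-side `terraform init` with a different cache dir) will dangle inside it. It assumes TF_PLUGIN_CACHE_DIR is exported on the host and that TAG defaults to latest.

```shell
#!/usr/bin/env sh
# Added example, not code from the issue or from pre-commit-terraform.
# Only $TF_PLUGIN_CACHE_DIR and the working tree are bind-mounted at the same
# paths inside the container, so a provider symlink created by a host-side
# `terraform init` that points anywhere else will dangle inside the container.

# check_plugin_links <module_dir> <cache_dir>
# Lists every provider symlink whose target is outside <cache_dir>.
# Returns 0 when all links will resolve inside the container, 1 otherwise.
check_plugin_links() {
  module_dir=$1
  cache_dir=$2
  bad=$(find "$module_dir/.terraform/providers" -type l 2>/dev/null |
    while IFS= read -r link; do
      target=$(readlink "$link")
      case "$target" in
        "$cache_dir"/*) ;;   # inside the mounted cache: resolves in the container
        *) printf '%s -> %s\n' "$link" "$target" ;;
      esac
    done)
  [ -z "$bad" ] && return 0
  printf 'symlinks that will dangle inside the container:\n%s\n' "$bad" >&2
  return 1
}

# run_hooks: the docker run command from the thread, guarded by the check.
# Assumes TF_PLUGIN_CACHE_DIR is exported on the host; TAG defaults to latest.
run_hooks() {
  check_plugin_links "$(pwd)" "${TF_PLUGIN_CACHE_DIR:?must be exported}" || {
    echo "rerun 'terraform init' inside the container or fix the cache path" >&2
    return 1
  }
  docker run \
    -e "USERID=$(id -u):$(id -g)" \
    -v "$TF_PLUGIN_CACHE_DIR:$TF_PLUGIN_CACHE_DIR" \
    -e TF_PLUGIN_CACHE_DIR="$TF_PLUGIN_CACHE_DIR" \
    -v "$(pwd):/lint" -w /lint \
    "ghcr.io/antonbabenko/pre-commit-terraform:${TAG:-latest}" run -a
}
```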

Looks like https://github.com/antonbabenko/pre-commit-terraform/issues/622#issuecomment-1945725749 could be related to this issue:

```dockerfile
WORKDIR $PRE_COMMIT_CACHE

COPY .pre-commit-config.yaml .

RUN \
  git init . && \
  pre-commit install --install-hooks \
  && chmod -R a+rwX "$PRE_COMMIT_HOME"
```

MaxymVlasov avatar Feb 16 '24 22:02 MaxymVlasov

Also, it can be done in a slightly different way: https://github.com/StyraInc/regal/blob/4d7cbe19ff5dacc51e957f8811d30e681ddc7ea9/.pre-commit-hooks.yaml#L15-L20. Could be implemented after: https://github.com/antonbabenko/pre-commit-terraform/pull/644

MaxymVlasov avatar Apr 05 '24 16:04 MaxymVlasov