
pre-commit's Introduction

Maintained by Gruntwork.io

Pre-commit hooks

This repo defines Git pre-commit hooks intended for use with pre-commit. The currently supported hooks are:

  • terraform-fmt: Automatically run terraform fmt on all Terraform code (*.tf files).
  • terraform-validate: Automatically run terraform validate on all Terraform code (*.tf files).
  • packer-validate: Automatically run packer validate on all Packer code (*.pkr.* files).
  • terragrunt-hclfmt: Automatically run terragrunt hclfmt on all Terragrunt configurations.
  • tflint: Automatically run tflint on all Terraform code (*.tf files).
  • shellcheck: Run shellcheck to lint files that contain a bash shebang.
  • gofmt: Automatically run gofmt on all Golang code (*.go files).
  • goimports: Automatically run goimports on all Golang code (*.go files).
  • golint: Automatically run golint on all Golang code (*.go files). [DEPRECATED]: Please use golangci-lint below.
  • golangci-lint: Automatically run golangci-lint on all Golang code (*.go files).
  • yapf: Automatically run yapf on all python code (*.py files).
  • helmlint: Automatically run helm lint on your Helm chart files. See caveats here.
  • markdown-link-check: Automatically run markdown-link-check on markdown doc files.
  • sentinel-fmt: Automatically run sentinel fmt on all Sentinel code (*.sentinel.* files).

General Usage

In each of your repos, add a file called .pre-commit-config.yaml with the following contents:

repos:
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: <VERSION> # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
    hooks:
      - id: terraform-fmt
      - id: terraform-validate
      - id: tflint
      - id: shellcheck
      - id: gofmt
      - id: golint

Next, have every developer: 

  1. Install pre-commit. E.g. brew install pre-commit.
  2. Run pre-commit install in the repo.

That’s it! Now every time you commit a code change (.tf file), the hooks in the hooks: config will execute.

Running Against All Files At Once

Example: Formatting all files

If you'd like to format all of your code at once (rather than one file at a time), you can run:

pre-commit run terraform-fmt --all-files

Example: Enforcing in CI

If you'd like to enforce all your hooks, you can configure your CI build to fail if the code doesn't pass checks by adding the following to your build scripts:

pip install pre-commit
pre-commit install
pre-commit run --all-files

If all the hooks pass, the last command will exit with an exit code of 0. If any of the hooks make changes (e.g., because files are not formatted), the last command will exit with a code of 1, causing the build to fail.

Helm Lint Caveats

Detecting charts

The helmlint pre-commit hook runs helm lint on the charts that have been changed by the commit. It will run once per changed chart that it detects.

Note that charts are detected by walking up the directory tree of the changed file and looking for a Chart.yaml file that exists on the path.

linter_values.yaml

helm lint requires input values to look for configuration errors in your helm chart. However, this means that the linter needs a complete values file. Because we want to develop charts that define required values that the operator should provide, we don't want to specify defaults for all the values the chart expects in the default values.yaml file.

Therefore, to support this, this pre-commit hook looks for a special linter_values.yaml file defined in the chart path. This will be combined with the values.yaml file before running helm lint. In your charts, you should define the required values in linter_values.yaml.

For example, suppose you had a helm chart that defined two input values: containerImage and containerTag. Suppose that your chart required containerImage to be defined, but not containerTag. To enforce this, you created the following values.yaml file for your chart:

# values.yaml

# containerImage is required and defines which image to use

# containerTag specifies the image tag to use. Defaults to latest.
containerTag: latest

If you run helm lint on this chart, it will fail because somewhere in your chart you will reference .Values.containerImage which will be undefined with this values.yaml file. To handle this, you can define a linter_values.yaml file that defines containerImage:

# linter_values.yaml
containerImage: nginx

Now when the pre-commit hook runs, it will call helm lint with both linter_values.yaml and values.yaml:

helm lint -f values.yaml -f linter_values.yaml .
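
The chart detection and values-file rules from the two sections above, as an added example (not the hook's own script). The function names are hypothetical, and running plain helm lint when a chart has no linter_values.yaml is an assumption of this example.

```sh
#!/bin/sh
# Added illustration of the rules described above; not the hook's own script.

# Print the nearest ancestor directory of file $1 that contains Chart.yaml.
# Returns 1 when no ancestor has one (the file is not part of a chart).
find_chart_dir() {
  _dir=$(dirname "$1")
  while :; do
    if [ -f "$_dir/Chart.yaml" ]; then
      printf '%s\n' "$_dir"
      return 0
    fi
    # Reached the top of a relative or absolute path without a match.
    if [ "$_dir" = "." ] || [ "$_dir" = "/" ]; then
      return 1
    fi
    _dir=$(dirname "$_dir")
  done
}

# Print each chart touched by the given changed files exactly once.
# Files outside any chart are skipped; a subchart resolves to itself,
# not to its parent, because the nearest Chart.yaml wins.
changed_charts() {
  for _f in "$@"; do
    find_chart_dir "$_f" || true
  done | sort -u
}

# Print the lint command for chart directory $1 (to be run inside the chart).
# linter_values.yaml comes last so its values fill in the required keys
# that values.yaml deliberately leaves undefined.
lint_command() {
  if [ -f "$1/linter_values.yaml" ]; then
    printf '%s\n' "helm lint -f values.yaml -f linter_values.yaml ."
  else
    # Assumption: without linter_values.yaml the chart is linted as-is.
    printf '%s\n' "helm lint ."
  fi
}

# Dry run: list "<chart dir>: <command>" for every chart the commit touches.
plan_lint() {
  changed_charts "$@" | while IFS= read -r _chart; do
    printf '%s: %s\n' "$_chart" "$(lint_command "$_chart")"
  done
}
```

Calling plan_lint with the staged file names shows which charts would be linted and with which values files, without invoking helm.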

Shellcheck Arguments

To enable optional shellcheck features you can use the --enable flag. Other shellcheck flags cannot be passed through.

repos:
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: <VERSION>
    hooks:
      - id: shellcheck
        args: ["--enable require-variable-braces,deprecate-which"]

tflint Caveats

Using the --config argument

With the introduction of --chdir into tflint, the --config argument is now bound to whatever subdirectory you are running the check against. For mono-repos this isn't ideal as you may have a central configuration file you'd like to use. If this matches your use-case, you can specify the placeholder __GIT_ROOT__ value in the --config argument that will evaluate to the root of the repository you are in.

repos:
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: <VERSION>
    hooks:
    - id: tflint
      args:
        - "--config=__GIT_ROOT__/.tflint.hcl"

Changing the placeholder value

You can change the value of the placeholder by populating the PRECOMMIT_TFLINT_REPO_ROOT_KEYWORD environment variable.

export PRECOMMIT_TFLINT_REPO_ROOT_KEYWORD=__foo__

cat <<EOF > .pre-commit-config.yaml
---
repos:
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: v0.1.22
    hooks:
    - id: terragrunt-hclfmt
    - id: tflint
      args:
        - "--config=__foo__/.tflint.hcl"
EOF

pre-commit run
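
How the placeholder and its override behave, as an added example rather than the hook's own script. expand_git_root and check_config_args are hypothetical names, the repository root is passed in as the first argument, and the pre-flight check for a config file that does not exist is an addition of this example.

```sh
#!/bin/sh
# Added illustration of the placeholder semantics; not the hook's own script.

# expand_git_root ROOT ARG...
# Print each ARG on its own line with every occurrence of the placeholder
# replaced by ROOT. The placeholder is __GIT_ROOT__ unless
# PRECOMMIT_TFLINT_REPO_ROOT_KEYWORD is set to a non-empty value.
# Typical call (ROOT taken from git):
#   expand_git_root "$(git rev-parse --show-toplevel)" "--config=__GIT_ROOT__/.tflint.hcl"
expand_git_root() {
  _kw=${PRECOMMIT_TFLINT_REPO_ROOT_KEYWORD:-__GIT_ROOT__}
  _root=$1
  shift
  for _arg in "$@"; do
    _out=""
    while :; do
      case "$_arg" in
        *"$_kw"*)
          # Text before the first placeholder, then the root, then continue
          # with whatever follows the placeholder.
          _head=${_arg%%"$_kw"*}
          _arg=${_arg#*"$_kw"}
          _out=$_out$_head$_root
          ;;
        *)
          break
          ;;
      esac
    done
    printf '%s\n' "$_out$_arg"
  done
}

# check_config_args ARG...
# Return 1 if any --config=PATH argument names a file that does not exist.
# This catches a placeholder that was left unexpanded because the keyword in
# the config file does not match the keyword in effect.
check_config_args() {
  for _a in "$@"; do
    case "$_a" in
      --config=*)
        _path=${_a#--config=}
        if [ ! -f "$_path" ]; then
          printf 'tflint config not found: %s\n' "$_path" >&2
          return 1
        fi
        ;;
    esac
  done
  return 0
}
```

Because the expanded path is absolute, it points at the same central .tflint.hcl whichever subdirectory tflint changes into.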

License

This code is released under the Apache 2.0 License. Please see LICENSE and NOTICE for more details.

Copyright © 2019 Gruntwork, Inc.

pre-commit's Issues

Add sentinel fmt hook enhancement

Describe the solution you'd like
Add a pre-commit hook for running sentinel fmt, similar to the hook for running terraform fmt

Describe alternatives you've considered
NA

Additional context
NA

Markdown link check pre-commit hook doesn't allow user-defined configuration

Describe the bug
Unable to provide my own configuration to markdown-link-check via pre-commit

To Reproduce

Expected behavior
I added the markdown-link-check hook to my .pre-commit-config.yaml, and ran pre-commit run -a but found that private links I'm trying to check give a 503. For my case, I am trying to check markdown in a private Gitlab repo. I found I can add a cookie header to the config in order to grant the tool access to check these links if I run markdown-link-check -c config.json README.md but if I try to do it by adding -c config.json to the args as below in .pre-commit-config.yaml, then markdown-link-check fails to run properly and throws an error about the configuration:

  - id: markdown-link-check
    args:
    - -c config.json

So I did some checking and I found the script creates its own temp config and provides the -c flag itself to markdown-link-check, which seems to conflict with my -c flag in the args.

Nice to have

  • Terminal output
  • Screenshots

Additional context
Add any other context about the problem here.

terraform validate pre-commit hook fails for modules

Dear Team,

I think your pre-commit-collection is really great. I would like to use also the terraform validate pre-commit hook and this fails for plain vanilla terraform modules (without terragrunt), because e.g. arguments are not set (because it is a module).
Could we suppress tf validate if it is a module, meaning no backend definition is there or no provider is present?

Trying to set chdir so only scans certain folders is not working

Describe the bug
I want to be able to scan folders. I have tried these settings. All of these settings fail to scan JUST the folder I set:

#EXAMPLE 1

#EXAMPLE 2

#EXAMPLE 3

#EXAMPLE 4
#This fails as well

To Reproduce
Terraform version 1.3.9

// paste code snippets here
To Trip the linter I added this in my IaC/environments/1-test folder

variable "not_used" {
  description = "To trip linters"
  type        = string
  default     = null
}

tflint...................................................................Failed
- hook id: tflint
- exit code: 2

1 issue(s) found:

Warning: variable "not_used" is declared but not used (terraform_unused_declarations)

  on IaC/environments/1-test/compute-priv-variables.tf line 183:
 183: variable "not_used" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md

Expected behavior
Since I am setting a chdir argument to scan the IaC/environments/2-staging/ folder (I tried without the trailing slash, fails as well)

I would NOT expect the linter to find the issue in the IaC/environments/1-test folder.

I would expect no errors reported

Nice to have

  • Terminal output
  • Screenshots

Additional context
I want to be able to set different exclusions per environment. I want production to have all rules applied; with lower environments I want the ability to exclude rules. I cannot do that, since chdir is not being honored. I submitted this bug in the tflint repo; they said it was not their issue.

Fix `tflint` deprecation warning - "tflint FILE/DIR" is deprecated

Describe the solution you'd like
I don't want to see these warnings

WARNING: "tflint FILE/DIR" is deprecated and will error in a future version. Use --chdir or --filter instead.

Describe alternatives you've considered
Stop using gruntwork-io/pre-commit. Don't really want to go there.
Downgrade tflint. Don't want to do that either.

Additional context
tflint release notes on deprecation - https://github.com/terraform-linters/tflint/releases/tag/v0.46.0
Tested with gruntwork-io/pre-commit v0.1.19

OpenTofu Support

Describe the solution you'd like

As a founding member of OpenTofu, it would be advantageous for Gruntwork's very useful pre-commit hooks to support it.

Describe alternatives you've considered

No. It seems like a no-brainer.

Additional context

I have implemented this in #107

terraform hooks fail on windows with git bash

We are currently integrating the pre-commit hooks into our projects.
We are mainly setup on Windows systems.
Using git bash, we found that "/bin/bash" could not be found.
If we change the shebang to "#!/usr/bin/env bash" in the shell scripts (fmt, validate, lint), then we can use the scripts normally.
Is it possible to adapt the terraform-based hooks with the more compatible shebang?
You have already made the adjustment for shellcheck.sh.

Many Thanks
Thorsten

.tflint.hcl rules are ignored

Describe the bug
We utilize a monorepo for our terraform configurations and we have integrated into our CI pipeline precommit checks with the tflint precommit plugin. What I've noticed is that ever since the release of chdir my .tflint.hcl file is no longer effective. It looks like because tflint is actually changing the current working directory (https://github.com/terraform-linters/tflint/blob/0e58cd19e334b6c1edfc4ba6d9f4778a28a3342e/cmd/inspect.go#L35C20-L35C20 and https://github.com/terraform-linters/tflint/blob/0e58cd19e334b6c1edfc4ba6d9f4778a28a3342e/cmd/cli.go#L178) and then loading the config file (https://github.com/terraform-linters/tflint/blob/0e58cd19e334b6c1edfc4ba6d9f4778a28a3342e/cmd/inspect.go#L110). The result is tflint failing on rules that I've called out as disabled in my base .tflint.hcl file.

To Reproduce

mkdir -pv tflint-demo/module
pushd tflint-demo >/dev/null
git init

cat <<EOF > .pre-commit-config.yaml
---
repos:
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: v0.1.22
    hooks:
    - id: terragrunt-hclfmt
    - id: tflint
      args:
        - "--config=.tflint.hcl"
EOF

cat <<EOF > .tflint.hcl
rule "terraform_required_providers" {
  enabled = false
}
EOF

pushd module >/dev/null

cat <<EOF > main.tf
resource "null_resource" "foo" {
  triggers = {
    "coffee" = "sandwich"
  }
}
EOF

popd >/dev/null

git add .
pre-commit install
pre-commit run

Expected behavior
I'd expect the .tflint.hcl file to be honored from the repo root directory like it used to, but the functionality of tflint has changed.

Nice to have

  • Terminal output
➜  project-scratch-space mkdir -pv tflint-demo/module
pushd tflint-demo >/dev/null
git init

cat <<EOF > .pre-commit-config.yaml
---
repos:
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: v0.1.22
    hooks:
    - id: terragrunt-hclfmt
    - id: tflint
      args:
        - "--config=.tflint.hcl"
EOF

cat <<EOF > .tflint.hcl
rule "terraform_required_providers" {
  enabled = false
}
EOF

pushd module >/dev/null

cat <<EOF > main.tf
resource "null_resource" "foo" {
  triggers = {
    "coffee" = "sandwich"
  }
}
EOF

popd >/dev/null

git add .
pre-commit install
pre-commit run
tflint-demo
tflint-demo/module
Initialized empty Git repository in /Users/blowe/project-scratch-space/tflint-demo/.git/
pre-commit installed at .git/hooks/pre-commit
Terragrunt hclfmt........................................................Passed
tflint...................................................................Failed
- hook id: tflint
- exit code: 2

1 issue(s) found:

Warning: Missing version constraint for provider "null" in `required_providers` (terraform_required_providers)

  on module/main.tf line 1:
   1: resource "null_resource" "foo" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.4.0/docs/rules/terraform_required_providers.md
  • Screenshots

Additional context
I realize this isn't a gruntwork problem per se, but there are other pre-commit hooks that do handle this.

"terraform-validate", "terraform-fmt" fails with "command not found" in Linux-based systems due to ^M carriage return character

Describe the bug
"pre-commit run terraform-validate --all-files" command fails until I follow Remove the spurious CR characters steps to use sed to remove "The ^M is a carriage return character":

To Reproduce
Steps to reproduce the behavior including the relevant Terraform/Terragrunt/Packer version number and any code snippets and module inputs you used.

  1. Install pre-commit in Mac OS or some linux flavor OS (Ubuntu, etc.) & create a .pre-commit-config.yaml as defined in Pre-commit README.md > General Usage
  2. Run pre-commit run terraform-validate --all-files
  3. See failures, now run sed -i -e 's/\r$//' /Users/arriaga/.cache/pre-commit/repo57cjvft5/hooks/terraform-validate.sh
  4. Re-try pre-commit run terraform-validate --all-files and see how errors go away

Expected behavior
Maybe pre-commit hooks should avoid having the "^M" carriage return character?

Additional context
Tried to follow "Step 3 - Static Analysis" steps of Getting Started with Terraform on Azure: Testing blog article

Allow specifying arbitrary args for shellcheck

Unfortunately args currently only allows --enable.
This is problematic when other shellcheck options are necessary.

Concrete use-case:
When sourcing files in scripts shellcheck requires the --external-sources / -x option to follow these. Otherwise it will fail with a SC1091 error.

Please enable passing all options through to shellcheck.

Support for `--strict` in helmlint hook

Describe the solution you'd like
helm supports the --strict option for failing on warnings when linting. It would be nice if the pre-commit hook also supported this. I've tried messing around with it but it looks like the only way to support this is a change in the helmlint.sh file.

Describe alternatives you've considered
Not sure if there are any alternatives, as the helm command is called directly in the script

Additional context
Add any other context or screenshots about the feature request here.

validate packer

I thought it could be handy to be able to validate packer files. Would you accept a PR for this?

`gofmt` check fails if `go.mod` and `go.sum` are not in the root directory

Describe the bug
The gofmt check fails if Go code is stored in a subdirectory of the repository:

gofmt....................................................................Failed
- hook id: gofmt
- exit code: 1

go: cannot find main module, but found .git/config in /Users/gchappel/code/sample-directory
	to create a module there, run:
	go mod init

To Reproduce

  • Create an empty directory
  • git init .
  • Configure .pre-commit-config.yaml with the Gruntwork pre-commit repo and enable the gofmt hook
  • Create a subdirectory
  • In this subdirectory run go mod init test
  • In the subdirectory write a deliberately-malformed Go file, for example using spaces instead of tabs:
package main

import (
  "fmt" // this line starts with two spaces
)

func main() {
  fmt.Println("test")  // this line starts with two spaces
}
  • git add . to add the Go code and the .pre-commit-config.yaml to the staging area
  • run pre-commit run gofmt
  • see error

Expected behavior
The malformed Go file has its spaces replaced with tabs

Nice to have

  • Terminal output
  • Screenshots

Additional context
Add any other context about the problem here.

terragrunt validate - issues with root terragrunt.hcl

Failures in root terragrunt.hcl terragrunt validate.
Consider the following dir structure

├── dev
│   └── eu-west-1
│       └── project
│           └── terragrunt.hcl
└── terragrunt.hcl
└── common.hcl

Where the child includes the parent via find_in_parent_folders().

If the parent has many read_terraform_config(find_in_parent_folders("common.hcl")) type includes it will fail when terragrunt validate runs against it in singular. As the dir traversal fails to find the file.

Anything that can be done about this?

Add packer fmt hook

Describe the solution you'd like
Add a pre-commit hook for running packer fmt, similar to the hook for running terraform fmt

Describe alternatives you've considered
NA

Additional context
NA

Please add an option to download/install terraform

Describe the solution you'd like
I would like to be able to use terraform-fmt on pre-commit.ci, the hosted CI pre-commit service, but unfortunately I cannot because terraform doesn't come pre-installed, and the hooks here do not install/bundle it.

Terraform fmt............................................................Failed
- hook id: terraform-fmt
- exit code: 127

/pc/clone/RKgVfIZxQCiSAX665qKF9Q/hooks/terraform-fmt.sh: line 15: terraform: command not found

It'd be nice if there was a way to say that you need terraform installed as part of the hook.

Describe alternatives you've considered
Not running terraform hooks on pre-commit.ci.

tflint support for cloud block in terraform

Describe the solution you'd like
Need support for the cloud stanza in the terraform block. See https://www.terraform.io/cli/cloud/settings Currently it errors out saying cloud is an "Unsupported block type" so we have to disable tflint

Describe alternatives you've considered
There are no alternatives, other than disabling tflint

Additional context
This is relatively new syntax from HashiCorp, but it does need to be addressed.

terraform-validate breaks after 0.1.5

Execution of hook in 0.1.5

Terraform validate.......................................................Failed
- hook id: terraform-validate
- exit code: 1

Initializing modules...

Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "null" (hashicorp/null) 2.1.2...
- Downloading plugin for provider "aws" (hashicorp/aws) 2.65.0...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.null: version = "~> 2.1"
* provider.template: version = "~> 2.1"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Error: Error in function call

  on terraform/modules/nsqd/data.tf line 2, in data "template_file" "opt_nsqd_etc_nsqd_config":
   2:   template = file(
   3: 
   4: 
    |----------------
    | path.module is "terraform/modules/nsqd"

Call to function "file" failed: no file exists at
terraform/templates/nsqd/nsqd_config.tpl.

Execution of hook in 0.1.8

Terraform validate.......................................................Failed
- hook id: terraform-validate
- exit code: 1

Terraform initialized in an empty directory!

The directory has no Terraform configuration files. You may begin working
with Terraform immediately by creating Terraform configuration files.

Error: Failed to read module directory

Module directory terraform does not exist or cannot be read.

Directory structure:

tree -L 2                                                                                                                                                    
.
├── README.md
└── terraform
    ├── bin
    ├── config
    ├── main.tf
    ├── Makefile
    ├── modules
    ├── templates
    ├── variables.tf
    └── versions.tf

helmlint always passed

Describe the bug
helmlint doesn't really lint

the folder structure looks like

tree test-hook
test-hook
└── test
    ├── Chart.yaml
    ├── charts
    ├── templates
    │   ├── NOTES.txt
    │   ├── _helpers.tpl
    │   ├── deployment.yaml
    │   ├── hpa.yaml
    │   ├── ingress.yaml
    │   ├── service.yaml
    │   ├── serviceaccount.yaml
    │   └── tests
    │       └── test-connection.yaml
    └── values.yaml

4 directories, 10 files

To Reproduce
Steps to reproduce the behavior including the relevant Terraform/Terragrunt/Packer version number and any code snippets and module inputs you used.

a default helm lint test run looks like

helm lint test 
==> Linting test
[INFO] Chart.yaml: icon is recommended
[ERROR] values.yaml: unable to parse YAML: error converting YAML to JSON: yaml: line 79: did not find expected key
[ERROR] templates/: cannot load values.yaml: error converting YAML to JSON: yaml: line 79: did not find expected key
[ERROR] : unable to load chart
        cannot load values.yaml: error converting YAML to JSON: yaml: line 79: did not find expected key

Error: 1 chart(s) linted, 1 chart(s) failed

But the pre-commit run looks like

pre-commit run --all-files
helmlint.................................................................Passed

here is the pre-commit config

repos:
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: v0.1.17 # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
    hooks:
      - id: helmlint

Expected behavior
The helmlint should give the same result as helm lint

Additional context
Add any other context about the problem here.

Documentation for shellcheck should include that it is configurable with a .shellcheckrc

Describe the solution you'd like
A simple README.md update is needed to clarify that in addition to the --enable flag, the .shellcheckrc can be used to configure additional entries.

Describe alternatives you've considered
Linking directly to the shellcheck documentation

Additional context
Allow for passing cli args directly through to shellcheck

Other shellcheck flags can not be passed through.

Which is true, but is misleading to those looking for an option to set disable entries.

tflint hook filters out too many issues

Describe the bug
The --filter argument to tflint is too restrictive.

This is the relevant code:

for file in "${FILES[@]}"
do
  tflint "${ARGS[@]}" --chdir "$(dirname "$file")" --filter "$(basename "$file")"
done

tflint runs for each file and then shows only the issues in that file. However some issues don't reference specific files, namely those issues where something is missing, like a missing required_version or provider declaration.

To Reproduce
Run the hook with a terraform file like this:

terraform {
  # required_version = "~>1.6.6"
}

which should find this issue

1 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

but this is filtered out, because it does not reference a specific source code file.

Expected behavior
The issue should be found and the hook should fail.

Additional context
Finding issues like this requires that tflint no longer runs for each changed file, but for all files at once.
I think this trade-off should be taken in order to find all issues.

terraform-fmt hook behaviour change

Previously the terraform-fmt hook made changes to the files, whereas now it only shows the difference and errors out. I did some digging and found that it was an intentional change as part of this PR: #46

It would be nice to have the old behaviour as an option. Generally my terraform files are syntactically valid, but incorrectly formatted, the previous behaviour took away the pain point of needing to run terraform fmt after every change. The differences don't need to be analysed, so there's no need for the --diff --check.

Thanks for providing these hooks, they've been super useful!

Running terratest

Hey,

Wondering if there's a reason why this repo doesn't supply a hook for running tests written with terratest (perhaps by default expecting to run go test from an expected test/ subdirectory)?

Sorta like:

- id: terratest
          name: terratest
          description: "Run terratest unit tests"
          entry: sh -c "cd test; go test -count=1 -timeout 30m -tags=unit"
          language: system
          files: '\.tf$'
          pass_filenames: false

Thanks!

Pathspec '0.1.10' did not match any files known to git

Hello,

I'm receiving the following error:

MacBook-Pro$ pre-commit run terraform-fmt --all-files
[INFO] Initializing environment for https://github.com/gruntwork-io/pre-commit.
An unexpected error has occurred: CalledProcessError: command: ('/usr/local/bin/git', 'checkout', '0.1.10')
return code: 1
expected return code: 0
stdout: (none)
stderr:
    error: pathspec '0.1.10' did not match any file(s) known to git.

My yaml:

# This configuration file allows our pre-commit hooks to be used with pre-commit: http://pre-commit.com/
repos:
  -   repo: https://github.com/pre-commit/pre-commit-hooks
      rev: v2.3.0
      hooks:
        -   id: check-yaml
        -   id: end-of-file-fixer
        -   id: trailing-whitespace
  -   repo: https://github.com/psf/black
      rev: 19.3b0
      hooks:
        -   id: black
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: "0.1.10" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
    hooks:
      - id: terraform-fmt
      - id: terraform-validate
      - id: tflint
      - id: shellcheck
      - id: gofmt
      - id: golint

Add `terragrunt-providers-lock` hook

Describe the solution you'd like

It would be nice to have a hook which locks versions in .terraform.lock.hcl file automatically. For example, terragrunt-providers-lock hook which runs terragrunt providers lock command for specified platforms under the hood.

Describe alternatives you've considered

Write a local hook, something like:

  - repo: local
    hooks:
      - id: terragrunt-providers-lock
        name: Terragrunt providers lock
        entry: terragrunt providers lock -platform=darwin_amd64 -platform=darwin_arm64 -platform=linux_amd64
        language: script
        files: '\.hcl$'

Additional context

A similar terraform_providers_lock hook for Terraform is provided by pre-commit-terraform project.

Packer validate not actually validating

The code in #58 runs

$ packer validate -syntax-only
Usage: packer validate [options] TEMPLATE

  Checks the template is valid by parsing the template and also
  checking the configuration with the various builders, provisioners, etc.

  If it is not valid, the errors will be shown and the command will exit
  with a non-zero exit status. If it is valid, it will exit with a zero
  exit status.

Options:

  -syntax-only           Only check syntax. Do not verify config of the template.
  -except=foo,bar,baz    Validate all builds other than these.
  -machine-readable      Produce machine-readable output.
  -only=foo,bar,baz      Validate only these builds.
  -var 'key=value'       Variable for templates, can be used multiple times.
  -var-file=path         JSON or HCL2 file containing user variables.

in the directory of a template. As shown above, you need to actually specify a file or a directory such as

packer validate -syntax-only .

A problem here generally is that TEMPLATE can either be a directory or the path to a specific file. For example, you can put multiple distinct .pkr.hcl files in a directory (not like a Terraform module) OR you can treat all the files in a directory as a template to merge together (like a Terraform module). I will submit a PR that operates under the assumption that every directory is a discrete Packer template like Terraform modules. IMHO this is best practice, although not the only practice.

Additionally, the files filter matches too many files (e.g. *.pkr0). The PR will cover that, too.

Update README for tflint config placeholder substitution

Describe the bug
A clear and concise description of what the bug is.
The README docs state that the tflint hook uses a __GIT_DIR__ placeholder to be substituted with the actual Git repository root. However, the script instead looks for a __GIT_ROOT__ placeholder.

To Reproduce
Steps to reproduce the behavior including the relevant Terraform/Terragrunt/Packer version number and any code snippets and module inputs you used.

// paste code snippets here

Expected behavior
A clear and concise description of what you expected to happen.

Nice to have

  • Terminal output
  • Screenshots

Additional context
Add any other context about the problem here.

add option to customize flags to terraform init for terraform validate

Describe the solution you'd like
The terraform lock file is causing issues with terraform validate being run in an automated job. Terraform init is updating the hashes in the lockfile and thus failing the job because it detects changes were made to files.

For now this can be fixed by not checking in the lock file but this is outside of what hashicorp is recommending.

Ability to use -chdir=DIR with tf validate and tf fmt

Describe the solution you'd like
I need to be able to set the dir via the global terraform argument -chdir=... before running validate:

repos:
- repo: https://github.com/gruntwork-io/pre-commit
  rev: v0.1.23
  hooks:
      - id: terraform-validate
        args: [-chdir=whatever]

However, what the above configuration actually does is attempt to pass -chdir=whatever to the validate subcommand. In other words, it executes this:

terraform validate -chdir=whatever

But that's an error because -chdir is not a valid argument for terraform validate.

What I need is a way to execute this:

terraform -chdir=whatever validate

Describe alternatives you've considered
I haven't found a way to set the working directory via some other means.

Add support to Open Tofu

Either

1) add "tofu-" equivalents for existing hooks "terraform-"
2) or rename "terraform-" to for example "tf-" and autodetect whether tofu is present

For example:
Rename:
terraform-validate
to
tf-validate

and detect tofu or terraform binary similarly like terragrunt does it today.

Helmlint: support for multiple Value files

Describe the solution you'd like
To manage multiple environment tiers we often have base values.yaml file and then environment specific files:

  • values.dev.yaml,
  • values.uat.yaml,
  • values.prod.yaml,
    etc. These are then used as e.g.
helm upgrade myApp . -f values.prod.yaml

The Helm linter has a support for the same arguments:

helm lint . -f values.prod.yaml

It would be great if the helmlint pre-commit hook would support a list of values.yaml files as well.
