diff --git a/.github/workflows/static_analysis_pr.yml b/.github/workflows/static_analysis_pr.yml
index 43ed462..35ccdeb 100644
--- a/.github/workflows/static_analysis_pr.yml
+++ b/.github/workflows/static_analysis_pr.yml
@@ -7,10 +7,92 @@ on: jobs: static_analysis: - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest steps: - - name: Static Analysis - uses: pagopa/eng-github-actions-iac-template/azure/terraform-static-analysis@59c12b7a846423d62c27c9905686a7a1fd71c003 # v1.7.0 - with: - precommit_version: 'v1.86.0@sha256:a1ffb8fff155934c1937580eeab8b3f68726485cd54025d2f911b0c21a9becba' + - name: ⚡ Checkout code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - uses: hashicorp/setup-terraform@v3 + with: + terraform_version: "1.6.6" + + - name: 🏁 Init terraform folders + id: init_terraform_folders + shell: bash + run: | + + echo -e "\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-" + echo "+ 🔨 CREATE CACHE FOLDER +" + echo -e "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n" + + export TF_PLUGIN_CACHE_DIR="/tmp/.terraform.d/plugin-cache" + mkdir -p ${TF_PLUGIN_CACHE_DIR} + ls -la ${TF_PLUGIN_CACHE_DIR} + + echo "📢 Show space" + df -h + du -h ${TF_PLUGIN_CACHE_DIR} + + echo -e "\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-" + echo "+ 🏁 INIT TERRAFORM FOLDERS 🏁 +" + echo -e "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n" + + FOLDERS=$(grep -rl --include='*.tf' --exclude-dir='.terraform' '^' . | xargs -I{} dirname {} | sort -u) + echo "FOLDERS=${FOLDERS}" + + pids=() + + TAG=$(cat .terraform-version) + docker pull hashicorp/terraform:$TAG + + for f in $FOLDERS; do + pushd "$(pwd)/${f}" + sed -i -e 's/ backend "azurerm" {}//g' 99_main.tf # use local backend + terraform init & + pids+=($!) + popd + + done + + # Wait for each specific process to terminate. + # Instead of this loop, a single call to 'wait' would wait for all the jobs + # to terminate, but it would not give us their exit status. + # + for pid in "${pids[@]}"; do + # + # Waiting on a specific PID makes the wait command return with the exit + # status of that process. Because of the 'set -e' setting, any exit status + # other than zero causes the current shell to terminate with that exit + # status as well. 
+ # + wait "$pid" + done + + echo "📢 Show space 3" + df -h + ls -la /tmp/.terraform.d/plugin-cache + du -h -d 5 ${TF_PLUGIN_CACHE_DIR} + + - name: Show precommit version + shell: bash + run: | + echo -e "\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+" + echo "+ 1️⃣ SHOW PRECOMMIT VERSION 1️⃣ +" + echo -e "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n" + + TAG=v1.89.1 + docker run --rm --entrypoint cat ghcr.io/antonbabenko/pre-commit-terraform:$TAG /usr/bin/tools_versions_info + + - name: 🚨 Run precommit + id: run_precommit + shell: bash + run: | + echo -e "\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+" + echo "+- 🚨 PRECOMMIT TERRAFORM 🚨 -+" + echo -e "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n" + + export TF_PLUGIN_CACHE_DIR="/tmp/.terraform.d/plugin-cache" + + TAG=v1.89.1 + docker run -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5f8fd64..a6ef404 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,19 +1,20 @@ repos: ## terraform - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.86.0 + rev: v1.89.1 hooks: - - id: terraform_fmt - - id: terraform_docs - args: - - --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc. - - --hook-config=--add-to-existing-file=true # Boolean. true or false - - --hook-config=--create-file-if-not-exist=true # Boolean. true or false - - --args=--hide providers + # - id: terraform_fmt + # - id: terraform_docs + # args: + # - --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc. + # - --hook-config=--add-to-existing-file=true # Boolean. true or false + # - --hook-config=--create-file-if-not-exist=true # Boolean. true or false + # - --args=--hide providers # - id: terraform_tfsec - id: terraform_validate args: - --init-args=-lockfile=readonly + - --init-args=-plugin-dir=/tmp - --args=-json - --args=-no-color - --args=-compact-warnings 
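Review bot: The new steps drop the digest pinning the removed composite action had (`precommit_version: 'v1.86.0@sha256:…'`): `hashicorp/setup-terraform@v3` is a mutable tag next to the SHA-pinned `actions/checkout`, and both `docker run` invocations pull `ghcr.io/antonbabenko/pre-commit-terraform:$TAG` by tag only, so the linter that gates every PR can change without a commit to this repo. Pin the action to a commit, `uses: hashicorp/setup-terraform@<commit-sha> # v3.x.y`, and pin the image by digest, `TAG="v1.89.1@sha256:<image-digest>"`, defining it once as a job-level `env:` value instead of repeating it in the "Show precommit version" and "Run precommit" steps. `docker pull hashicorp/terraform:$TAG` in the init step appears unused, since terraform comes from setup-terraform and `terraform init` runs on the host, so it can go. The `export TF_PLUGIN_CACHE_DIR=...` in the run step is not carried into the container (`docker run -v $(pwd):/lint` mounts only the workspace and passes no `-e`), so the cache warmed in the init step is presumably not what the hooks use; confirm the intended path before relying on it.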
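Review bot: `--init-args=-plugin-dir=/tmp` on `terraform_validate` points at the container's `/tmp`, which is neither the `TF_PLUGIN_CACHE_DIR` the workflow populates (`/tmp/.terraform.d/plugin-cache` on the runner) nor a path the `docker run -v $(pwd):/lint` invocation mounts; since `-plugin-dir` also stops terraform from downloading providers, validate will presumably not find any provider there (verify against a run). Either mount the warmed cache into the container and point `-plugin-dir` at that path, or drop the option and rely on `-lockfile=readonly` with the cache env passed through. Commenting out `terraform_fmt` and `terraform_docs` rather than removing them leaves dead config; if the disable is temporary, a `# TODO: re-enable terraform_fmt/terraform_docs once <reason>` next to the block would record why.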
@@ -24,23 +25,23 @@ repos: # - --args=-platform=darwin_arm64 # - --args=-platform=linux_amd64 ## general - - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.0.1 - hooks: - # Common errors - - id: end-of-file-fixer - exclude_types: [sql] - - id: trailing-whitespace - args: [--markdown-linebreak-ext=md] - exclude_types: [sql] - - id: check-yaml - - id: check-executables-have-shebangs - # Cross platform - - id: check-case-conflict - - id: mixed-line-ending - args: [--fix=lf] - exclude_types: [sql] - # Security - - id: detect-aws-credentials - args: ['--allow-missing-credentials'] - - id: detect-private-key + # - repo: https://github.com/pre-commit/pre-commit-hooks + # rev: v4.0.1 + # hooks: + # # Common errors + # - id: end-of-file-fixer + # exclude_types: [sql] + # - id: trailing-whitespace + # args: [--markdown-linebreak-ext=md] + # exclude_types: [sql] + # - id: check-yaml + # - id: check-executables-have-shebangs + # # Cross platform + # - id: check-case-conflict + # - id: mixed-line-ending + # args: [--fix=lf] + # exclude_types: [sql] + # # Security + # - id: detect-aws-credentials + # args: ['--allow-missing-credentials'] + # - id: detect-private-key
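Review bot: Commenting out the `pre-commit/pre-commit-hooks` repo turns off `detect-private-key` and `detect-aws-credentials` on pull requests with nothing in this diff replacing them, and the file-hygiene checks (`end-of-file-fixer`, `check-yaml`, `mixed-line-ending`) go with them. If only terraform hooks are meant to run in this stage, a comment stating that and where secret detection now happens, e.g. `# pre-commit-hooks disabled: <reason>; secret detection runs in <workflow>`, makes the gap deliberate rather than accidental. Otherwise removing the block is cleaner than keeping it as commented-out text.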