feat: add Terraform and Jsonnet curated pre-commit hooks

Related to https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/issues/20 Adds standard pre-commit hooks for Terraform and Jsonnet projects.

feat: add Terraform and Jsonnet curated pre-commit hooks
a944b204 · Andrew Newdigate · d8332b1b · a944b204 · a944b204 · a944b204
Unverified Commit a944b204 authored 7 months ago by Andrew Newdigate
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -3,6 +3,10 @@
 # for GitLab Infrastructure projects
 #########################################################
  
+#########################################################
+# Go Hooks
+#########################################################
+
 - id: golangci-lint
  name: "golangci-lint | common-ci-tasks"
  description: Fast linters runner for Go. Note that only modified files are linted, so linters like 'unused' that need to scan all files won't work as expected.
@@ -53,6 +57,10 @@
  pass_filenames: false
  stages: [commit]
  
+#########################################################
+# Shell Hooks
+#########################################################
+
 - id: shellcheck
  name: "shellcheck | common-ci-tasks"
  description: Static analysis tool for shell scripts
@@ -72,6 +80,10 @@
  exclude_types: [csh, tcsh, zsh]
  stages: [commit]
  
+#########################################################
+# Misc Hooks
+#########################################################
+
 - id: update-asdf-version-variables
  name: "update-asdf-version-variables | common-ci-tasks"
  description: "Update GitLab CI .gitlab-ci-asdf-versions.yml include to match .tool-versions"
@@ -79,3 +91,89 @@
  entry: scripts/pre-commit/update-asdf-version-variables.sh
  files: '^(\.gitlab-ci-asdf-versions\.yml|scripts/update-asdf-version-variables.sh|\.tool-versions)$'
  stages: [commit]
+
+- id: gitlint
+  name: "gitlint | common-ci-tasks"
+  description: Checks your git commit messages for style.
+  language: python
+  additional_dependencies:
+    - gitlint-core[trusted-deps]==0.19.1
+  entry: gitlint
+  args: [--staged, --msg-filename]
+  stages: [commit-msg]
+
+- id: gitleaks
+  name: "gitleaks | common-ci-tasks"
+  description: Detect hardcoded secrets using Gitleaks
+  additional_dependencies:
+    - github.com/zricethezav/gitleaks/v8@v8.18.4
+  entry: gitleaks protect --verbose --redact --staged
+  language: golang
+  pass_filenames: false
+
+- id: editorconfig
+  name: 'editorconfig | common-ci-tasks'
+  description: 'Validate text files against .editorconfig'
+  entry: editorconfig-checker
+  additional_dependencies:
+    - github.com/editorconfig-checker/editorconfig-checker/cmd/editorconfig-checker@latest
+  language: golang
+  types: [text]
+  require_serial: true
+
+- id: yamllint
+  name: "yamllint | common-ci-tasks"
+  description: "Validate YAML files using yamllint"
+  additional_dependencies:
+    - yamllint
+  entry: yamllint
+  args:
+    - "-c=.yamllint.yaml"
+  language: python
+  types: [yaml]
+
+#########################################################
+# Terraform Hooks
+#########################################################
+
+- id: terraform-fmt
+  name: "terraform fmt | common-ci-tasks"
+  description: "Apply terraform fmt across all changed terraform files"
+  language: system
+  entry: mise exec terraform -- terraform fmt
+  args: [-write, -check]
+  types: [terraform]
+  stages: [commit]
+
+- id: terraform-tflint
+  name: "tflint | common-ci-tasks"
+  description: "Run tflint on changed modules"
+  language: script
+  entry: scripts/pre-commit/terraform-tflint.sh
+  types: [terraform]
+  stages: [commit]
+
+- id: terra-transformer-validate-roots
+  name: "terra-transformer-validate-roots | common-ci-tasks"
+  description: "Run terra-transformer validate on root modules"
+  language: script
+  entry: scripts/pre-commit/terra-transformer-validate-roots.sh
+  args:
+    - "--ignore-missing-files"
+    - "--delete-dot-terraform-if-required"
+  types: [terraform]
+  stages: [commit]
+  pass_filenames: false
+
+#########################################################
+# Jsonnet Hooks
+#########################################################
+
+- id: jsonnet-fmt
+  name: "jsonnet fmt | common-ci-tasks"
+  description: "Apply jsonnetfmt across all changed jsonnet files"
+  language: system
+  entry: mise exec go-jsonnet -- jsonnetfmt
+  args: [-i, --string-style, s, -n, "2"]
+  types: [jsonnet]
+  stages: [commit]
--- a/docs/pre-commit.md
+++ b/docs/pre-commit.md
@@ -60,5 +60,12 @@ repos:
      - id: golangci-lint  # Run golangci-lint for changed Go files
      - id: shellcheck  # Run shellcheck for changed Shell files
      - id: shfmt  # Run shellcheck for changed Shell files
-      - id: update-asdf-version-variables  # Update .gitlab-ci-asdf-versions.yml if .tool-versions has changed.
+      - id: update-asdf-version-variables  # Update .gitlab-ci-asdf-versions.yml if .tool-versions has changed
+      - id: gitlint  # Checks your git commit messages for style
+      - id: gitleaks  #  Detect hardcoded secrets using Gitleaks
+      - id: editorconfig  # Validate text files against .editorconfig
+      - id: yamllint  # Validate YAML files using yamllint
+      - id: terraform-fmt  # Apply terraform fmt across all changed terraform files
+      - id: terraform-tflint  # Run tflint on changed modules
+      - id: jsonnet-fmt  # Apply jsonnetfmt across all changed jsonnet files
 ```
--- a/go.mod
+++ b/go.mod
+module gitlab.com/gitlab-com/gl-infra/common-ci-tasks
+
+go 1.21.0
+
+// Note: this file is only here to allow golang pre-commit hooks to be installed via this repository
--- a/poetry.lock
+++ b/poetry.lock
+# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
+package = []
+
+[metadata]
+lock-version = "2.0"
+python-versions = "*"
+content-hash = "115cf985d932e9bf5f540555bbdd75decbb62cac81e399375fc19f6277f8c1d8"
--- a/pyproject.toml
+++ b/pyproject.toml
+[tool.poetry]
+name = "common-ci-tasks"
+version = "0.1.0"
+description = "This file only exists so that pre-commit python dependencies can be installed."
+authors = ["Andrew Newdigate <andrew@gitlab.com>"]
+readme = "README.md"
+packages = [
+  { include = "pre_commit", from = "src" },
+]
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"
--- a/scripts/pre-commit/terra-transformer-validate-roots.sh
+++ b/scripts/pre-commit/terra-transformer-validate-roots.sh
+#!/usr/bin/env bash
+
+#
+# Run terra-transformer validate on root modules
+#
+
+set -euo pipefail
+IFS=$'\n\t'
+
+(mise plugin list | grep -q terra-transformer) || {
+  mise plugins install --yes terra-transformer https://gitlab.com/gitlab-com/gl-infra/asdf-gl-infra.git
+}
+
+mise install terra-transformer
+
+eval "$(mise activate bash --shims)"
+
+main() {
+  local failed=false
+
+  while read -r lockfile_path; do
+    local terraform_module_path
+    terraform_module_path=$(dirname "$lockfile_path")
+
+    echo "Validating root module ${terraform_module_path}"
+    terra-transformer validate --chdir="${terraform_module_path}" "$@" || {
+      failed=true
+    }
+  done <<<"$(git ls-files | grep '.terraform.lock.hcl$')"
+
+  if [[ $failed == true ]]; then
+    exit 1
+  fi
+
+}
+
+main "$@"
--- a/scripts/pre-commit/terraform-tflint.sh
+++ b/scripts/pre-commit/terraform-tflint.sh
+#!/usr/bin/env bash
+
+#
+# Run tflint
+#
+
+set -euo pipefail
+IFS=$'\n\t'
+
+eval "$(mise activate bash --shims)"
+
+# Note: pre-commit will always run in the root directory of the project
+root_dir=${PWD}
+
+main() {
+  tflint --init --config "${root_dir}/.tflint.hcl"
+
+  local tflint_failed=false
+  while read -r module; do
+    # We use --call-module-type=none since each module is validated independently for performance reasons
+    tflint --config "${root_dir}/.tflint.hcl" --chdir="${module}" --call-module-type=none --fix || {
+      tflint_failed=true
+    }
+  done < <(list_modules "$@")
+
+  if [[ ${tflint_failed} == true ]]; then
+    exit 1
+  fi
+}
+
+list_modules() {
+  for i in "$@"; do
+    dirname "$i"
+  done | sort -u
+}
+
+main "$@"
--- a/src/pre_commit/__init__.py
+++ b/src/pre_commit/__init__.py