There are many tools that can make sure your Terraform repo remains well-formatted and tested. Using Git pre-commit hooks, you can easily incorporate these tools into your everyday Terraform workflow.
1. Prerequisite: pre-commit
- Install pre-commit
- Pip: $ pip install pre-commit
- Homebrew: $ brew install pre-commit
- Apt: $ apt install pre-commit
- Conda: $ conda install -c conda-forge pre-commit
2. Install third-party tools
- tflint: A Pluggable Terraform Linter
- tfsec: A static analysis security scanner
- checkov: A static code analysis tool for infrastructure-as-code
3. Configuration
In the root of your Terraform repo, add a file called .pre-commit-config.yaml
# .pre-commit-config.yaml
default_stages: [commit]
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.64.1
    hooks:
      - id: terraform_fmt
      - id: terraform_validate
      - id: terraform_tflint
      - id: terraform_tfsec
      - id: checkov
      - id: terraform_docs_replace
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.1.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-added-large-files
4. Test
Manually run hooks:
$ pre-commit run -a
5. Install
To install the pre-commit hook, simply run:
$ pre-commit install
That's it! You're good to go locally.
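One check worth adding to the configuration step above, as an added example that is not part of the original post: every third-party hook repo runs code on your machine at each commit, so its rev should be a tag or commit, never a branch name or absent. The shell function below enforces that; the example-org URL and the hook ids in the constructed sample configs are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): reject a .pre-commit-config.yaml
# in which a hook repo has no rev, or a rev that is a branch rather than a tag
# or commit. Hook repos run arbitrary code on every commit, so a floating rev
# lets that code change with no change to your own repo.
# check_pinned_revs FILE -> prints offenders, returns 1 if any were found
check_pinned_revs() {
  awk '
    function report_missing() {
      if (repo != "" && !seen_rev) { print "missing rev: " repo; bad++ }
    }
    # "- repo: URL" starts an entry; "repo: local" legitimately has no rev
    /^[ \t]*-[ \t]*repo:/ { report_missing(); repo = $NF; seen_rev = (repo == "local"); next }
    /^[ \t]*rev:/ {
      rev = (NF >= 2) ? $2 : ""; gsub(/["'\'']/, "", rev); seen_rev = 1
      if (rev == "" || rev ~ /^(main|master|HEAD|develop|latest)$/) {
        print "floating rev \"" rev "\": " repo; bad++
      }
    }
    END { report_missing(); exit (bad > 0) }
  ' "$1"
}

# Constructed sample configs, written to temp files so the check reads real input.
PINNED_CFG=$(mktemp); UNPINNED_CFG=$(mktemp)
cat > "$PINNED_CFG" <<'EOF'
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.64.1
    hooks:
      - id: terraform_fmt
  - repo: local
    hooks:
      - id: fmt-check
EOF
cat > "$UNPINNED_CFG" <<'EOF'
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: master
    hooks:
      - id: terraform_fmt
  # hypothetical third-party hook repo with no rev at all
  - repo: https://github.com/example-org/unpinned-hooks
    hooks:
      - id: something
EOF
check_pinned_revs "$PINNED_CFG"   && echo "pinned config: OK"
check_pinned_revs "$UNPINNED_CFG" || echo "unpinned config: REJECTED"
```

Run it against your own repo with check_pinned_revs .pre-commit-config.yaml, or as a step before pre-commit run -a in CI so an unpinned hook fails the build.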
6. Run in CI
Local pre-commits are super useful but they're even better in CI. With Terrateam you get all of these tests out of the box. No configuration required.
Native Terraform checks and trusted third-party tools run directly from the Terrateam GitHub Action to make sure your code is formatted properly, validated, and secure.
Sign up free here