Terraform Pre-Commit Hooks

On this page

Introduction
1. Prerequisite: pre-commit
2. Install third-party tools
3. Configuration
4. Test
5. Install
5. Run in CI

Introduction

There are many tools that can make sure your Terraform repo remains well-formated and tested. Using Git pre-commit hooks, one can easily incorporate these tools into everyday Terraform workflow.

1. Prerequisite: pre-commit

Install pre-commit
- Pip: pip install pre-commit
- Homebrew: brew install pre-commit
- Apt: apt install pre-commit
- Conda: conda install -c conda-forge pre-commit

2. Install third-party tools

tflint: A Pluggable Terraform Linter
tfsec: A static analysis security scanner
checkov: A static code analysis tool for infrastructure-as-code

3. Configuration

In the root of your Terraform repo, add a file called .pre-commit-config.yaml

 .pre-commit-config.yaml
default_stages: [commit]
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.64.1
    hooks:
      - id: terraform_fmt
      - id: terraform_validate
      - id: terraform_tflint
      - id: terraform_tfsec
      - id: checkov
      - id: terraform_docs_replace
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.1.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-added-large-files

4. Test

Manually run hooks:

pre-commit run -a

5. Install

To install the pre-commit hook, simply run:

pre-commit install

That’s it! You’re good to go locally.

5. Run in CI

Local pre-commits are super useful but they’re even better in CI. With Terrateam you get all of these tests out of the box. No configuration required.

Native Terraform checks and trusted third-party tools run directly from the Terrateam GitHub Action to make sure your code is formatted properly, validated, and secure.