Best Practices for Using Pre-Commit with Terraform Code
Chapter 1: Introduction to Pre-Commit and Terraform
In an earlier article, we discussed the significance of coding standards and the pre-commit framework. Today, we will delve into how to effectively implement pre-commit for Terraform code. This framework helps validate code by utilizing various linters and scanners, ensuring that each new git commit maintains consistent quality and prevents regressions.
To kick things off, we will create a Terraform module that serves as a foundation for our tests. Utilizing modules helps avoid code duplication and ensures that our code is thoroughly tested for reliability. Next, we will explore the appropriate pre-commit plugins to utilize for Terraform.
The video "pre-commit-terraform - Keep your Terraform code nice and clean" provides insights into maintaining clean Terraform code with pre-commit hooks.
Section 1.1: Creating a Terraform Module
With the module established, we will generate a Docker image for pre-commit. Our aim is to create a portable, ready-to-use toolbox that integrates seamlessly with CI/CD processes, specifically using CircleCI. The Terraform module will also have its dedicated CircleCI project, leveraging this image for testing.
Subsection 1.1.1: Benefits of Terraform Modules
Terraform modules are ideal for encapsulating code, making continuous testing not only sensible but essential. As an illustration, we will create a module to configure networking in AWS, focusing on:
- Module version and providers
- Module inputs
- Module outputs
- Core configurations for pre-commit
The Git repository will include the pre-commit configuration, which integrates two pre-commit repositories. gruntwork-io/pre-commit formats, validates, and lints the module code and also checks the markdown. antonbabenko/pre-commit-terraform runs tfsec for security assessments and automatically updates the module documentation.
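The configuration described above, written out as an added example (it is not the module's own file): one `.pre-commit-config.yaml` wiring both repositories. The hook ids are the ones each repository publishes; every `rev` is a placeholder that should be pinned to a specific release tag so the hook versions, and with them the tfsec and tflint binaries they fetch, cannot change under you between commits.

```yaml
# .pre-commit-config.yaml at the root of the Terraform module (added example)
# Replace each <pinned-tag> placeholder with a real release tag of the repo.
repos:
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: <pinned-tag>            # placeholder: pin to an exact tag, never a branch
    hooks:
      - id: terraform-fmt        # canonical formatting (terraform fmt)
      - id: terraform-validate   # syntax and internal consistency (terraform validate)
      - id: tflint               # linting, including provider-aware rules
      - id: markdown-link-check  # flags dead links in the module's markdown

  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: <pinned-tag>            # placeholder: pin to an exact tag
    hooks:
      - id: terraform_tfsec      # static security scan of the module's HCL
      - id: terraform_docs       # regenerates the inputs/outputs tables in README.md
        args:
          - --hook-config=--path-to-file=README.md
          - --hook-config=--add-to-existing-file=true
```

After adding the file, run `pre-commit run --all-files` once so the whole module is checked, not only the files staged in the next commit.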
Section 1.2: Setting Up the Pre-Commit Docker Image
Next, we will construct the Docker image. It should come pre-equipped with all necessary dependencies while remaining lightweight. We will base it on an Alpine image, minimizing the number of layers to speed up pull and build times for a more efficient CI/CD workflow.
The video "Quick Tech - pre-commit-terraform" outlines quick tips for setting up pre-commit with Terraform, making it easier to adhere to best practices.
Chapter 2: Building and Testing the Docker Image
To test and build the Docker image, we will configure it within a CircleCI project. This setup will run hadolint to ensure the image is clean before proceeding to build and push it to DockerHub.
The CircleCI configuration for the module repository will check out the repository and execute the image to perform pre-commit checks. Every change made in Git will trigger a workflow for inspection, with results available in the workflow logs.
#!/bin/bash -eo pipefail
# Mount the checked-out repository at /pre-commit inside the container and run the hooks;
# $PWD is quoted so a workspace path containing spaces does not break the mount.
docker run -v "$PWD:/pre-commit" --rm guivin/pre-commit-terraform
If the image isn't found locally, it will be pulled from the repository:
latest: Pulling from guivin/pre-commit-terraform
The logs will indicate the initialization of the environment for both gruntwork-io/pre-commit and antonbabenko/pre-commit-terraform.
The outcome of various checks, including terraform fmt, terraform validate, and tflint, will be displayed, offering insights into areas that may need adjustments.
Integrating pre-commit into your Terraform workflow in this way keeps your code clean, secure, and compliant with best practices on every commit.