Enhancing Terraform Code Quality with Pre-Commit Tools
In a prior post we covered why coding standards matter and introduced the pre-commit framework. This time we apply pre-commit to Terraform code, running a set of linters and scanners over it so that every new git commit meets the same quality bar and regressions are caught before they land.
To start, we will create a Terraform module that serves as a testing ground. Modules are beneficial for avoiding code duplication and should be rigorously tested for reliability. We will explore the pre-commit plugins best suited for Terraform.
After establishing the module, we will create a Docker image for pre-commit. This image will serve as a portable toolbox ready for use in CI/CD pipelines, specifically with CircleCI. The Terraform module will also have its own CircleCI project, allowing it to leverage the image for testing purposes.
Terraform Module Example
Terraform modules are ideal for code organization, making continuous testing a logical step. For illustration, we will develop a module designed to set up networking in AWS.
Module Version and Providers
Module Inputs
Module Outputs
Core Functionality of the Module
Pre-commit Configuration
The git repository carries the pre-commit configuration, which pulls hooks from two pre-commit repositories:

- gruntwork-io/pre-commit: formats, validates and lints the module code (terraform fmt, terraform validate, tflint) and checks the links in the markdown files.
- antonbabenko/pre-commit-terraform: runs tfsec for static security analysis of the Terraform code and regenerates the module documentation with terraform-docs.

tflint reads its rules from its own configuration file, `.tflint.hcl`, kept alongside the pre-commit configuration.
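Each hook repository above is cloned at the commit named by its `rev:` and its code then runs on every commit, locally and in CI, so a `rev` that names a branch lets whoever controls that repository change what executes without any change on our side. The script below, an added example and not code from the original post or from either hook repository, rejects a `.pre-commit-config.yaml` whose revs are not immutable pins. The hook ids are the real ones from the two repositories; the repository URLs are the public ones; the `v0.1.x` tag values in the hardened sample are placeholders, not a recommendation of specific releases, and both sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every `rev:` in a
# .pre-commit-config.yaml is an immutable pin. A version tag (v1.2.3 / 1.2.3)
# or a full 40-hex commit sha is accepted; a branch name such as master, main
# or HEAD is rejected. A sha is the stronger pin, since tags can be moved.
set -u

# check_pinned_revs FILE
# Exit 0 if every rev in FILE is pinned; exit 1 and name each offending rev.
check_pinned_revs() {
    file="$1"
    status=0
    # Extract the value of each `rev:` line, dropping optional quotes and any
    # trailing comment.
    revs=$(sed -n "s/^[[:space:]]*rev:[[:space:]]*['\"]\{0,1\}\([^'\" ]*\).*/\1/p" "$file")
    for rev in $revs; do
        if ! printf '%s\n' "$rev" | grep -Eq '^(v?[0-9]+(\.[0-9]+)*|[0-9a-f]{40})$'; then
            echo "$file: floating or unrecognized rev '$rev'" >&2
            status=1
        fi
    done
    return "$status"
}

# Constructed sample in the weak form: the post's two hook repos tracking a
# branch, so the hook code can change underneath us. Prints the file path.
write_weak_config() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
repos:
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: master
    hooks:
      - id: terraform-fmt
      - id: terraform-validate
      - id: tflint
      - id: markdown-link-check
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: master
    hooks:
      - id: terraform_tfsec
      - id: terraform_docs
EOF
    echo "$f"
}

# Constructed sample in the hardened form: same hooks, revs pinned to release
# tags. The tag values are placeholders; `pre-commit autoupdate` writes the
# current release tag for each repo. Prints the file path.
write_hardened_config() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
repos:
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: v0.1.17   # placeholder tag
    hooks:
      - id: terraform-fmt
      - id: terraform-validate
      - id: tflint
      - id: markdown-link-check
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: "v1.50.0"   # placeholder tag
    hooks:
      - id: terraform_tfsec
      - id: terraform_docs
EOF
    echo "$f"
}

# Usage: pass the path of a real config, or run with no argument to exercise
# the two constructed samples.
if [ -n "${1:-}" ]; then
    check_pinned_revs "$1"
else
    check_pinned_revs "$(write_weak_config)" || echo "weak sample rejected, as expected"
    check_pinned_revs "$(write_hardened_config)" && echo "hardened sample accepted"
fi
```

Run it as an extra hook or as an early CI step so a config that drifts back to a branch ref fails before any hook is installed. Pinning to a full commit sha instead of a tag removes the remaining window in which a tag could be re-pointed, at the cost of less readable diffs when updating.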
Pre-Commit Docker Image for CI/CD
Dockerfile
Next, we create the Docker image. It is built from an Alpine base image so that it stays small and is ready to use as soon as it is pulled. Keeping the number of layers low keeps the image compact and quick to download, which shortens every CI/CD job that uses it.
Testing and Building the Docker Image
Testing and building the image is handled by its own CircleCI project: the Dockerfile is first linted with hadolint, then the image is built and pushed to the Docker Hub repository.
Terraform CI/CD Integration with Pre-Commit
CircleCI Configuration
The module repository has its own CircleCI setup. The workflow checks out the repository and runs the image as a container to execute the pre-commit checks against the checked-out code. In a real pipeline the image reference should be pinned to a tag or, better, a digest rather than the implicit `latest`, so that a rebuilt image cannot silently change what the checks run.
Outcome
Every push to the repository triggers the workflow.

The result of the checks is visible in the workflow log for the step that runs the image:

```sh
#!/bin/bash -eo pipefail
docker run -v $PWD:/pre-commit --rm guivin/pre-commit-terraform
```

The log shows the image being pulled, the hook environments being installed, and the outcome of each check, including Terraform formatting and validation.
Resources
- pre-commit: [pre-commit.com](https://pre-commit.com)
- hadolint: A Dockerfile linter that helps create best practice Docker images. [GitHub](https://github.com/hadolint/hadolint)
- antonbabenko/pre-commit-terraform: Required for terraform_docs hooks. [GitHub](https://github.com/antonbabenko/pre-commit-terraform)
- gruntwork-io/pre-commit: A repository defining Git pre-commit hooks for use with pre-commit. [GitHub](https://github.com/gruntwork-io/pre-commit)