Need the ability to pass an env specific var-file via --args= #578

Closed
major0 opened this issue Oct 16, 2023 · 8 comments

Comments

@major0 commented Oct 16, 2023

What problem are you facing?

Need the equivalent of the following --var-file functionality for terraform_tflint and terraform_tfsec in the --args param.

terraform plan --var-file=$(terraform workspace show).tfvar
major0 added the label feature (New feature or request) on Oct 16, 2023
@yermulnik (Collaborator) commented

@major0 By "the equivalent", do you mean an option for shell command substitution? (Quote from man 1 bash for reference: "the output of a command to replace the command name".)
I'm not sure pre-commit-terraform is what should be providing such functionality as it involves a need to e.g. secure against path manipulation/substitution, against masquerading offending commands (e.g. terraform plan --var-file=$(terraform workspace show; rm -rf --no-preserve-root /).tfvar) and all the stuff related to security.

What I can suggest for you is to use Env vars to achieve your goal.
E.g. tflint supports the same as Terraform does: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/environment_variables.md (TF_VAR_name or TF_WORKSPACE in your use case as I understood it).
It looks like tfsec supports the same: aquasecurity/tfsec#1613

Let me know if that makes sense and we can close this issue as not planned.

@MaxymVlasov (Collaborator) commented

Apart from what's specified above, you can use this:
https://github.com/antonbabenko/pre-commit-terraform#all-hooks-usage-of-environment-variables-in---args

MaxymVlasov closed this as not planned (won't fix, can't repro, duplicate, stale) on Oct 17, 2023
MaxymVlasov added the labels question, hook/terraform_tflint (Bash hook) and hook/terraform_tfsec (Bash hook), and removed the label feature (New feature or request) on Oct 17, 2023
@yermulnik (Collaborator) commented

> Apart from what's specified above, you can use this: antonbabenko/pre-commit-terraform#all-hooks-usage-of-environment-variables-in---args

Yay, thanks for expanding my comment with this off-the-shelf option! I keep forgetting you implemented it already 👍🏻

@major0 (Author) commented Oct 17, 2023

Hmm. I am not entirely certain any of these will work for our use case. This is more closely related to hashicorp/terraform#15966

A large swath of Terraform users leverage a common code base for all environments but pass in per-environment settings based on specific workspaces.

For example:

$ terraform workspace list
  default
* dev
  prod
  qa
  stage

From here, it is not exactly easy to run these particular pre-commit hooks while leveraging environment-specific var-files. For most of us at the CLI, and within CI/CD workflows, the common approach is to use: terraform plan -var-file "$(terraform workspace show).tfvars". Supporting something similar would be nice, even if it was a pre-canned token in the string expansion in the --args, i.e. --var-file=%workspace%.tfvars or even -var-file={terraform.workspace}.tfvars.

@yermulnik (Collaborator) commented

Not sure I'm keen to read through almost a hundred comments in the linked issue, hence do I get it right: you're asking us to implement what is not yet implemented even in the original tools — right? And what effectively is a bit of shell coding around exporting %workspace%.tfvars into env variables based on the output of terraform workspace show, plus e.g. direnv, dotenv or similar automation around auto-loading env vars based on some indicator 🤔

> A large swath of Terraform users …
> For most of us at the CLI, and w/in CI/CD workflows, …

What makes you think we're of another kind? 😉

@yermulnik (Collaborator) commented

What I mean, in essence, is that what you're asking for has to be done at the tools' end, rather than worked around via a 3rd-party automation tool like pre-commit-terraform.

@MaxymVlasov (Collaborator) commented

> I am not entirely certain any of these will work for our use case.

Did you try

- id: terraform_tflint
  args:
  - --args=-var-file="${TF_WORKSPACE}.tfvars"

plus

TF_WORKSPACE="$(terraform workspace show)" pre-commit run
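The env-var approach MaxymVlasov suggests, and the command-substitution risk yermulnik raised earlier, as an added example that is neither pre-commit-terraform's own implementation nor any commenter's code: only ${VAR} references in an --args value are resolved, and only from the environment, so $(...) text is never executed. The function names and the accepted workspace-name charset are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not pre-commit-terraform's own code. It illustrates the
# approach discussed above: expand only ${VAR} references, read from the
# environment (no eval, no command substitution), so text such as
# "$(terraform workspace show)" inside an --args value stays a literal
# string instead of being executed.
expand_env_refs() {
  er_rest=$1 er_out='' er_ob='${' er_cb='}'
  while :; do
    case $er_rest in *"$er_ob"*) ;; *) break ;; esac
    er_before=${er_rest%%"$er_ob"*}         # text before the next ${
    er_out="$er_out$er_before"
    er_rest=${er_rest#*"$er_ob"}            # drop through the ${
    case $er_rest in
      *"$er_cb"*) ;;
      *) er_out="$er_out$er_ob$er_rest"; er_rest=''; break ;;  # unterminated: keep literally
    esac
    er_name=${er_rest%%"$er_cb"*}           # name between ${ and }
    er_rest=${er_rest#*"$er_cb"}
    case $er_name in
      ''|[0-9]*|*[!A-Za-z0-9_]*)            # not a variable name: keep literally
        er_out="$er_out$er_ob$er_name$er_cb" ;;
      *)                                    # unset variable -> empty, like ${VAR} in sh
        er_out="$er_out$(printenv "$er_name" || :)" ;;
    esac
  done
  printf '%s' "$er_out$er_rest"
}

# Workspace names end up in a file path, so accept only a conservative
# charset (an assumption made for this example, not a Terraform rule).
valid_workspace_name() {
  case $1 in
    ''|.|..|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  return 0
}

# The value the tflint hook would see for one workspace, built the same
# way as the config above: --args=-var-file="${TF_WORKSPACE}.tfvars" with
# TF_WORKSPACE="$(terraform workspace show)" pre-commit run
tflint_args_for_workspace() {
  valid_workspace_name "$1" || { echo "refusing workspace name: $1" >&2; return 1; }
  ( export TF_WORKSPACE="$1"; expand_env_refs '-var-file=${TF_WORKSPACE}.tfvars' )
}
```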

@MaxymVlasov (Collaborator) commented

Also, when you use workspaces you MUST test every workspace when the code change is done, because TF code changes will affect every workspace, which can have different account/region limitations and so on.

This basically means that when you run CI, you forcibly provide the env where you run it, which means there somewhere exists, at least, an implicitly specified ENV to switch to the right workspace. So you can utilize the same variable in pre-commit too.

And none of the pre-commit-terraform hooks run terraform plan at all. They run only terraform init, in cases when it is needed.
