This repo defines Git pre-commit hooks intended for use with pre-commit. The currently supported hooks are:
- terraform-fmt: Automatically run `terraform fmt` on all Terraform code (
- terraform-validate: Automatically run `terraform validate` on all Terraform code (
- terragrunt-hclfmt: Automatically run `terragrunt hclfmt` on all Terragrunt configurations.
- tflint: Automatically run `tflint` on all Terraform code (
- shellcheck: Run `shellcheck` to lint files that contain a bash shebang.
- gofmt: Automatically run `gofmt` on all Golang code (
- goimports: Automatically run `goimports` on all Golang code (
- golint: Automatically run `golint` on all Golang code (
- yapf: Automatically run `yapf` on all Python code (
- helmlint: Automatically run `helm lint` on your Helm chart files. See the Helm Lint Caveats section below.
- markdown-link-check: Automatically run `markdown-link-check` on markdown doc files.
In each of your repos, add a file called `.pre-commit-config.yaml` with the following contents:

```yaml
repos:
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: <VERSION> # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
    hooks:
      - id: terraform-fmt
      - id: terraform-validate
      - id: tflint
      - id: shellcheck
      - id: gofmt
      - id: golint
```
Next, have every developer:
- Install pre-commit. E.g. `brew install pre-commit`.
- Run `pre-commit install` in the repo.
That’s it! Now every time you commit a code change (`.tf` file), the hooks in the `hooks:` config will execute.
Running Against All Files At Once
Example: Formatting all files
If you'd like to format all of your code at once (rather than one file at a time), you can run:
```bash
pre-commit run terraform-fmt --all-files
```
Example: Enforcing in CI
If you'd like to enforce all your hooks, you can configure your CI build to fail if the code doesn't pass checks by adding the following to your build scripts:
```bash
pip install pre-commit
pre-commit install
pre-commit run --all-files
```
If all the hooks pass, the last command will exit with an exit code of 0. If any of the hooks make changes (e.g., because files are not formatted), the last command will exit with a code of 1, causing the build to fail.
Helm Lint Caveats
The `helmlint` pre-commit hook runs `helm lint` on the charts that have been changed by the commit. It will run once per
changed chart that it detects.
Note that charts are detected by walking up the directory tree of the changed file and looking for a
that exists on the path.
`helm lint` requires input values to look for configuration errors in your helm chart. However, this means that the
linter needs a complete values file. Because we want to develop charts that define required values that the operator
should provide, we don't want to specify defaults for all the values the chart expects in the default `values.yaml`.
Therefore, to support this, this pre-commit hook looks for a special `linter_values.yaml` file defined in the chart
path. This will be combined with the `values.yaml` file before running `helm lint`. In your charts, you should define
the required values in `linter_values.yaml`.
For example, suppose you had a helm chart that defined two input values: `containerImage` and `containerTag`. Suppose
that your chart required `containerImage` to be defined, but not `containerTag`. To enforce this, you created the
`values.yaml` file for your chart:

```yaml
# values.yaml

# containerImage is required and defines which image to use

# containerTag specifies the image tag to use. Defaults to latest.
containerTag: latest
```
If you run `helm lint` on this chart, it will fail because somewhere in your chart you will reference
`.Values.containerImage`, which will be undefined with this `values.yaml` file. To handle this, you can define a
`linter_values.yaml` file that defines `containerImage`:

```yaml
# linter_values.yaml
containerImage: nginx
```
Now when the pre-commit hook runs, it will call `helm lint` with both values files:

```bash
helm lint -f values.yaml -f linter_values.yaml .
```
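The chart detection and values-file handling described in this section, as an added shell sketch that is not the hook's own script. It assumes the marker file is `Chart.yaml` (Helm's chart definition file), falls back to plain `helm lint .` when a chart has no `linter_values.yaml`, and prints the commands instead of running them; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not the repo's hook script.
# Assumption: charts are marked by Chart.yaml, Helm's chart definition file.
CHART_MARKER="${CHART_MARKER:-Chart.yaml}"

# Walk up from a changed file until a directory holding the marker is found.
# Prints that directory; returns 1 when the file is not inside a chart.
find_chart_dir() {
  local dir
  dir="$(cd "$(dirname "$1")" && pwd)" || return 1
  while :; do
    if [ -f "$dir/$CHART_MARKER" ]; then
      printf '%s\n' "$dir"
      return 0
    fi
    if [ "$dir" = "/" ]; then
      return 1
    fi
    dir="$(dirname "$dir")"
  done
}

# Reduce the changed files to the unique charts that contain them, so each
# chart is linted once no matter how many of its files changed.
charts_for_files() {
  local f
  for f in "$@"; do
    find_chart_dir "$f" || true
  done | sort -u
}

# Print the lint command for one chart directory. linter_values.yaml is layered
# over values.yaml only when present (assumption: plain lint otherwise).
lint_command() {
  if [ -f "$1/linter_values.yaml" ]; then
    printf '%s\n' "helm lint -f values.yaml -f linter_values.yaml ."
  else
    printf '%s\n' "helm lint ."
  fi
}

# Usage: pass the changed files as arguments; prints one command per chart.
charts_for_files "$@" | while IFS= read -r chart; do
  printf '(cd %s && %s)\n' "$chart" "$(lint_command "$chart")"
done
```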
To enable optional shellcheck features you can use the `--enable` flag.
Other shellcheck flags cannot be passed through.

```yaml
repos:
  - repo: https://github.com/gruntwork-io/pre-commit
    rev: <VERSION>
    hooks:
      - id: shellcheck
        args: ["--enable require-variable-braces,deprecate-which"]
```
Copyright © 2019 Gruntwork, Inc.