refactor: use pre-commit in GitHub

.github/workflows/pr-title.yaml

@@ -22,6 +22,7 @@ jobs:
             docs
             ci
             chore
+            refactor
           requireScope: false
           # Configure additional validation for the subject based on a regex.
           # This example ensures the subject doesn't start with an uppercase character.

.github/workflows/static-checks.yaml

@@ -0,0 +1,58 @@
+name: static checks
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  terraformVersions:
+    name: get min/max Terraform versions
+    runs-on: ubuntu-latest
+    outputs:
+      minVersion: ${{ steps.minMax.outputs.minVersion }}
+      maxVersion: ${{ steps.minMax.outputs.maxVersion }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Get Terraform version
+        uses: clowdhaus/terraform-min-max@04440fe3b2a1e64eb5ad115f8f7c57c4d6a54333 #v1.4.1
+        id: minMax
+        with:
+          directory: .
+
+  pre_commit:
+    name: pre-commit
+    needs: terraformVersions
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        version:
+          - ${{ needs.terraformVersions.outputs.minVersion }}
+          - ${{ needs.terraformVersions.outputs.maxVersion }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: pre-commit ${{ matrix.version }}
+        uses: clowdhaus/terraform-composite-actions/pre-commit@26118b78561fb44052ce9ab6c5ab850df70b9aa0 #v1.13.0
+        with:
+          terraform-version: ${{ matrix.version }}
+          install-trivy: true
+          trivy-version: '0.67.0'
+          args: '--all-files --color always --show-diff-on-failure --verbose'

.gitignore

@@ -1,7 +1,8 @@
 .terraform*
 terraform.tfstate
 terraform.tfstate.backup
+**/*.zip
 
 bin/
 .idea
-lambda.zip
+**/.DS_Store

.pre-commit-config.yaml

@@ -1,16 +1,16 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.100.0
+    rev: v1.101.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
         args: ['--envs=AWS_REGION="eu-west-1"']
       - id: terraform_tflint
+        args:
+          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
       - id: terraform_trivy
         args:
-          - --args=--tf-exclude-downloaded-modules
-          - --args=--skip-dirs "**/.terraform/**/*"
-          - --args=--severity=HIGH,CRITICAL
+          - --args=--config=__GIT_WORKING_DIR__/trivy.yaml
       - id: terraform_docs
         args:
           - '--args=--lockfile=false'

Makefile

@@ -11,7 +11,6 @@ MAJOR              := $(word 1,$(VERSION_PARTS))
 MINOR              := $(word 2,$(VERSION_PARTS))
 PATCH              := $(word 3,$(VERSION_PARTS))
 
-BUMP ?= patch
 ifeq ($(BUMP), major)
 NEXT_VERSION		:= $(shell echo $$(($(MAJOR)+1)).0.0)
 else ifeq ($(BUMP), minor)
@@ -21,51 +20,17 @@ NEXT_VERSION		:= $(shell echo $(MAJOR).$(MINOR).$$(($(PATCH)+1)))
 endif
 NEXT_TAG 			:= v$(NEXT_VERSION)
 
-STACKS = $(shell find . -not -path "*/\.*" -iname "*.tf" | sed -E "s|/[^/]+$$||" | sort --unique)
-ROOT_DIR := $(shell pwd)
-
-all: fmt validate tflint trivy
-
-.PHONY: fmt
-fmt: ## Rewrites Terraform files to canonical format
-	@echo "+ $@"
-	@terraform fmt -check=true -recursive
-
-.PHONY: validate
-validate: ## Validates the Terraform files
-	@echo "+ $@"
-	@for s in $(STACKS); do \
-		echo "validating $$s"; \
-		terraform -chdir=$$s init -backend=false > /dev/null; \
-		terraform -chdir=$$s validate || exit 1 ;\
-    done;
-
-.PHONY: tflint
-tflint: ## Runs tflint on all Terraform files
+.PHONY: check
+check: ## Runs pre-commit hooks against all files
 	@echo "+ $@"
-	@tflint --init
-	@for s in $(STACKS); do \
-		echo "tflint $$s"; \
-		terraform -chdir=$$s init -backend=false > /dev/null; \
-		tflint -chdir=$$s -f compact --config $(ROOT_DIR)/.tflint.hcl || exit 1; \
-	done;
-
-trivy: ## Runs trivy on all Terraform files
-	@echo "+ $@"
-	@trivy config  --exit-code 1 --severity HIGH --tf-exclude-downloaded-modules .
-
-.PHONY: providers
-providers: ## Upgrades all providers and platform independent dependency locks (slow)
-	@echo "+ $@"
-	@for s in $(STACKS) ; do \
-  		echo upgrading: $$s ;\
-		terraform -chdir=$$s init -upgrade=true -backend=false > /dev/null; \
-		terraform -chdir=$$s providers lock -platform=darwin_amd64 -platform=darwin_arm64 -platform=linux_amd64 ;\
-	done
+	@command -v pre-commit >/dev/null 2>&1 || { \
+		echo "pre-commit not installed. Install via 'pip install pre-commit' or 'brew install pre-commit'."; \
+		exit 1; \
+	}
+	@pre-commit run --all-files
 
 .PHONY: bump-version
-BUMP ?= patch
-bump-version: ## Bumps the version of this module. Set BUMP to [ patch | major | minor ].
+bump-version: check-bump ## Bumps the version of this module. Set BUMP to [ major | minor | patch ].
 	@echo bumping version from $(VERSION_TAG) to $(NEXT_TAG)
 	@echo "Updating links in README.md"
 	@sed -i '' s/$(subst v,,$(VERSION))/$(subst v,,$(NEXT_VERSION))/g README.md
@@ -81,6 +46,20 @@ check-git-branch: check-git-clean
 	git fetch --all --tags --prune
 	git checkout main
 
+.PHONY: check-bump
+check-bump:
+	@echo "+ $@"
+	@if [ -z "$(BUMP)" ]; then \
+		echo "Error: BUMP variable must be specified for release."; \
+		echo "Usage: make release BUMP=major|minor|patch"; \
+		exit 1; \
+	fi
+	@if [ "$(BUMP)" != "major" ] && [ "$(BUMP)" != "minor" ] && [ "$(BUMP)" != "patch" ]; then \
+		echo "Error: BUMP must be one of: major, minor, patch"; \
+		echo "Usage: make release BUMP=major|minor|patch"; \
+		exit 1; \
+	fi
+
 release: check-git-branch bump-version ## Releases a new module version
 	@echo "+ $@"
 	git add README.md

README.md

@@ -1,6 +1,6 @@
 # AWS Lambda Terraform module
 
-![](https://github.com/moritzzimmer/terraform-aws-lambda/workflows/static%20analysis/badge.svg) [![Terraform Module Registry](https://img.shields.io/badge/Terraform%20Module%20Registry-8.4.0-blue.svg)](https://registry.terraform.io/modules/moritzzimmer/lambda/aws/8.4.0) ![Terraform Version](https://img.shields.io/badge/Terraform-0.12+-green.svg) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+![](https://github.com/moritzzimmer/terraform-aws-lambda/workflows/static%20checks/badge.svg) [![Terraform Module Registry](https://img.shields.io/badge/Terraform%20Module%20Registry-8.4.0-blue.svg)](https://registry.terraform.io/modules/moritzzimmer/lambda/aws/8.4.0) ![Terraform Version](https://img.shields.io/badge/Terraform-1.5.7+-green.svg) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
 Terraform module to create AWS [Lambda](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) and accompanying resources for an efficient and secure
 development of Lambda functions like:
@@ -17,8 +17,7 @@ development of Lambda functions like:
 - inline declaration of [SNS Topic Subscriptions](https://www.terraform.io/docs/providers/aws/r/sns_topic_subscription.html) including required [Lambda permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) (see [example](examples/with-sns-subscriptions))
 - inline declaration of [CloudWatch Event Rules](https://www.terraform.io/docs/providers/aws/r/cloudwatch_event_rule.html) including required [Lambda permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) (see [example](examples/with-cloudwatch-event-rules))
 - IAM permissions for read access to parameters from [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html)
-- [CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) Log group configuration including retention time and [subscription filters](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html) with required permissions
-to stream logs to other Lambda functions (e.g. forwarding logs to Elasticsearch)
+- [CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) Logs configuration like retention time or [subscription filters](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html) with all required IAM permissions (see [example](examples/cloudwatch-logs))
 - Lambda@Edge support fulfilling [requirements for CloudFront triggers](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html#lambda-requirements-cloudfront-triggers). Functions need
 to be deployed to US East (N. Virginia) region (`us-east-1`)
 - configuration for [Amazon CloudWatch Lambda Insights](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-insights.html) including required
@@ -346,8 +345,8 @@ see [examples](examples/deployment) for details.
 - [complete](examples/complete)
 - [container-image](examples/container-image)
 - [deployment](examples/deployment)
+- [cloudwatch-logs](examples/cloudwatch-logs)
 - [with-cloudwatch-event-rules](examples/with-cloudwatch-event-rules)
-- [with-cloudwatch-logs-subscription](examples/cloudwatch-logs)
 - [with-event-source-mappings](examples/with-event-source-mappings)
 - [with-sns-subscriptions](examples/with-sns-subscriptions)
 - [with-vpc](examples/with-vpc)

trivy.yaml

@@ -0,0 +1,16 @@
+# see https://trivy.dev/latest/docs/references/configuration/config-file/
+
+exit-code: 1
+exit-on-eol: 1
+
+misconfiguration:
+  terraform:
+    exclude-downloaded-modules: true
+
+severity:
+  - HIGH
+  - CRITICAL
+
+scan:
+  skip-dirs:
+    - "**/.terraform/**/*"