Easier execution via docker image

[mtsulek]

Hello,

I am trying to implement pre-commit-terraform tflint fmt and checkov but I am facing issues when trying to execute it when running everything on docker image.

To be a bit more specific I just build image with dependencies and created .git/hooks/pre-push script manually:

# Dockerfile
(...)
WORKDIR /pre-commit
CMD ["pre-commit", "run", "--hook-stage", "push"]

# .git/hooks/pre-push
(...)
docker run -t -v "$(pwd)":/pre-commit --name "$NAME" my-image:latest

This is how my .pre-commit-config.yamls looks like:

# .pre-commit-config.yaml
  repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.70.0
    hooks:
      - id: terraform_tflint
        stages: 
          - push
      - id: terraform_checkov
        stages: 
          - push

This surprisingly works very well when trying same solution for commit stage, but it sees no diff when its set push and its getting always "skipped". I saw there is a dedicated docker image but if I am correct there is no easy way for implementation in pre-commit-config.yaml to do the same but via docker image to get rid off dependencies.

How could pre-commit-terraform help solve your problem?

It would be great to have possibility to have hooks preconfigured with docker image and just run following without worrying about dependencies:

#.pre-commit-config.yamls
  repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.70.0
    hooks:
      - id: terraform_tflint_docker
      - id: terraform_checkov_docker

[MaxymVlasov]

but it sees no diff when its set push and its getting always "skipped".

That is expected, because there is no git diff on pre-push stage. And next is redundant:

        stages: 
          - push

https://pre-commit.com/#hooks-stages

You need manually detect differ files (GHA example) if you'd like to run pre-commit only on that files, otherwise, use pre-commit run -a

---

It would be great to have possibility to have hooks preconfigured with docker image and just run following without worrying about dependencies:

That already can be done via

TAG=latest
docker run -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run

or if you need specific versions use --build-arg's as specified in 1. Install dependencies -> Docker

Also, it should not be a problem to create a shell or git alias to run the needed docker run command.

Running all that stuff as many separate containers will slow down hook executions compared to a usage of OS-native env, different teams prefer to use different versions of each tool (and sometimes, their dependencies) so to do what you ask good (and w/o big maintenance effort) will need some time.

Anyway, glad to review your PR that will implement that.

P.S. That may resolve #397 as not needed, if anyone with Mac will switch to docker

[karvounis]

#.pre-commit-config.yamls
repos:

• repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.70.0
  hooks:
  • id: terraform_tflint_docker
  • id: terraform_checkov_docker

I would also love to have the above functionality and not have to install any dependencies on my CI/CD pipeline.

Below, there is a list of repos that already offer pre-commit hooks using Docker:

• https://github.com/igorshubovych/markdownlint-cli/blob/master/.pre-commit-hooks.yaml#L15
• https://github.com/igorshubovych/markdownlint-cli/blob/master/.pre-commit-hooks.yaml#L22
• https://github.com/zricethezav/gitleaks/blob/master/.pre-commit-hooks.yaml#L7

[MaxymVlasov]

Note: TF_PLUGIN_CACHE_DIR should be exported and set inside most hooks. That may be related to other envs too.

Also, in case of TF_PLUGIN_CACHE_DIR usage, terraform init will need to run inside the container OR mount to the same path that is used outside. That need to have the right symlinks to cached dir in .terraform, if .terrafrom was generated outside the image.

Example

on host machine

➜ pwd
/home/vm/code/Oslo/modules/aws-environment/.terraform/providers/registry.terraform.io/hashicorp/random/3.4.3

➜ ls -lah
lrwxrwxrwx 1 vm vm   91 Oct  3 17:59 linux_amd64 -> /home/vm/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/random/3.4.3/linux_amd64

in container:

```bash
bash-5.1# pwd
/lint/modules/aws-environment/.terraform/providers/registry.terraform.io/hashicorp/random/3.4.3
bash-5.1# ls -lah
lrwxrwxrwx    1 root     root          68 Oct  3 14:55 linux_amd64 -> /tf_plugins/registry.terraform.io/hashicorp/random/3.4.3/linux_amd64

So, work command is

TAG=latest
docker run \
    -e "USERID=$(id -u):$(id -g)" \
    -v "$TF_PLUGIN_CACHE_DIR:$TF_PLUGIN_CACHE_DIR" -e TF_PLUGIN_CACHE_DIR="$TF_PLUGIN_CACHE_DIR" \
    -v $(pwd):/lint -w /lint \
    ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a

[MaxymVlasov]

Looks like #622 (comment) could be related to this issue

WORKDIR $PRE_COMMIT_CACHE

COPY .pre-commit-config.yaml .

RUN \
  git init . && \
  pre-commit install --install-hooks \
  && chmod -R a+rwX "$PRE_COMMIT_HOME" 

[MaxymVlasov]

Also, it can be done in slightly different way:
https://github.com/StyraInc/regal/blob/4d7cbe19ff5dacc51e957f8811d30e681ddc7ea9/.pre-commit-hooks.yaml#L15-L20
Could be implemented after: #644