Merge pull request #20 from craftech-io/feature/pre-commit-terraform-fmt-validate

mateotoledano · web-flow · commit 44eb0fc4c223 · 2025-09-16T15:45:15.000-03:00
feat: Add Terraform pre-commit hooks (fmt --check &amp; validate), skip examples, improve output, update README
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
@@ -6,12 +6,22 @@
   entry: hooks/terraform-fmt.sh
   language: script
   files: \.tf$
-  exclude: \.+.terraform\/.*$
+  exclude: '(^|.*/)(\.terraform|examples)/'
+  require_serial: true
+
+- id: terraform-validate
+  name: Terraform validate
+  description: Runs 'terraform validate'
+  entry: hooks/terraform-validate.sh
+  language: script
+  files: \.tf$
+  exclude: '(^|.*/)(\.terraform|examples)/'
   require_serial: true
 
 - id: pipeline-generator
   name: pipeline-generator
   description: Generate ci config automatically.
   entry: hooks/pipeline-generator.sh
   language: script
-  pass_filenames: false
+  pass_filenames: false
+
diff --git a/README.md b/README.md
@@ -1,41 +1,55 @@
 # Pre-commit hooks
 
-This repo defines Git pre-commit hooks intended for use with [pre-commit](http://pre-commit.com/). The currently
+This repo defines Git pre-commit hooks intended for use with [pre-commit](https://pre-commit.com/). The currently
 supported hooks are:
 
-* **terraform-fmt**: Automatically run `terraform fmt` on all Terraform code (`*.tf` files).
+* **terraform-fmt**: Checks that all Terraform files (`*.tf`) are properly formatted (`terraform fmt --check -diff`).
+* **terraform-validate**: Runs `terraform init -backend=false` and then `terraform validate`.  
+  > Notes: directories requiring a private registry and lacking credentials are marked as **skipped** (do not fail the commit). Both hooks ignore `.terraform/` and `examples/`.
 
 ## General Usage
 
 In each of your repos, add a file called `.pre-commit-config.yaml` with the following contents:
 
 ```yaml
 repos:
-  - repo: https://github.com/craftech-io/pre-commit
-    rev: <VERSION> # Get the latest from: https://github.com/craftech-io/pre-commit/releases
+  - repo: git@github.com:craftech-io/pre-commit.git   # or https://github.com/craftech-io/pre-commit.git
+    rev: <VERSION>
     hooks:
       - id: terraform-fmt
+      - id: terraform-validate
+        verbose: true
 ```
 
-Next, have every developer: 
+Next, have every developer:
 
-1. Install [pre-commit](http://pre-commit.com/). E.g. `brew install pre-commit`.
-1. Run `pre-commit install` in the repo.
+1. Install [pre-commit](https://pre-commit.com/#install).  
+   - macOS: `brew install pre-commit`  
+   - Linux: `pipx install pre-commit` (or `pip install --user pre-commit`)
+2. Run `pre-commit install` in the repo.
 
-That’s it! Now every time you commit a code change (`.tf` file), the hooks in the `hooks:` config will execute.
+That's it! Now every time you commit a code change (`.tf` file), the hooks in the `hooks:` config will execute.  
+If any hook fails, the commit is aborted; if all pass, the commit succeeds.
 
 ## Running Against All Files At Once
 
+### Example: Formatting and validating all files
 
-### Example: Formatting all files
-
-If you'd like to format all of your code at once (rather than one file at a time), you can run:
+If you'd like to run the hooks across the whole repo (useful the first time), you can run:
 
 ```bash
+# Check formatting for all Terraform files
 pre-commit run terraform-fmt --all-files
+
+# Validate all Terraform directories
+pre-commit run terraform-validate --all-files
+
+# Or run every configured hook across the repo
+pre-commit run --all-files
 ```
 
-## License
+> Tip: for detailed output on demand, use `-v`, e.g. `pre-commit run -v terraform-validate --all-files`.
 
-This code is released under the Apache 2.0 License. Please see [LICENSE](LICENSE) for more details.
+## License
 
+This code is released under the Apache 2.0 License. Please see [LICENSE](LICENSE) for more details.
diff --git a/hooks/terraform-fmt.sh b/hooks/terraform-fmt.sh
@@ -1,9 +1,37 @@
-#!/bin/bash
+#!/usr/bin/env bash
+set -uo pipefail
+IFS=$'\n\t'
 
-set -e
+RED='\033[31m'; GRN='\033[32m'; YLW='\033[33m'; BLD='\033[1m'; RST='\033[0m'
+if [[ "${PRE_COMMIT_COLOR:-}" == "never" ]]; then RED=''; GRN=''; YLW=''; BLD=''; RST=''; fi
 
-for file in "$@"; do
-  pushd "$(dirname "$file")" >/dev/null
-  terraform fmt -write=true "$(basename "$file")"
+exit_code=0
+
+for f in "$@"; do
+  dir="$(dirname "$f")"
+  base="$(basename "$f")"
+
+  echo -e "${BLD}→ ${f}${RST}"
+
+  pushd "$dir" >/dev/null
+  out="$(terraform fmt -check -diff -no-color "$base" 2>&1)"
+  status=$?
   popd >/dev/null
-done
+
+  if [[ $status -eq 0 ]]; then
+    echo -e "  ${GRN}✓ Formato correcto${RST}"
+  else
+    if grep -q "^Error:" <<<"$out"; then
+      echo -e "  ${RED}✗ Error de sintaxis (terraform fmt)${RST}"
+      echo "$out" | sed 's/^/    /'
+    else
+      echo -e "  ${RED}✗ No está formateado${RST} (aplicá 'terraform fmt')"
+      echo "$out" | sed 's/^/    /'
+    fi
+    exit_code=1
+  fi
+
+  echo
+done
+
+exit "$exit_code"
diff --git a/hooks/terraform-validate.sh b/hooks/terraform-validate.sh
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+set -uo pipefail
+IFS=$'\n\t'
+
+RED='\033[31m'; GRN='\033[32m'; YLW='\033[33m'; BLD='\033[1m'; RST='\033[0m'
+if [[ "${PRE_COMMIT_COLOR:-}" == "never" ]]; then RED=''; GRN=''; YLW=''; BLD=''; RST=''; fi
+
+VALIDATE_ARGS=()
+[[ "${PRE_COMMIT_COLOR:-}" == "never" ]] && VALIDATE_ARGS+=("-no-color")
+
+if [[ "$#" -gt 0 ]]; then
+  mapfile -t DIRS < <(for f in "$@"; do dirname "$f"; done | sort -u)
+else
+  mapfile -t DIRS < <(git ls-files '*.tf' | xargs -n1 dirname | sort -u)
+fi
+
+exit_code=0
+
+for d in "${DIRS[@]}"; do
+  mapfile -t TFFILES < <(find "$d" -maxdepth 1 -type f -name '*.tf' | sort)
+  [[ "${#TFFILES[@]}" -gt 0 ]] || continue
+
+  echo -e "${BLD}>> Validando Terraform en: ${d}${RST}"
+  pushd "${d}" >/dev/null
+
+  set +e
+  out_init="$(terraform init -backend=false -input=false 2>&1)"
+  st_init=$?
+  set -e
+
+  if [[ $st_init -ne 0 ]]; then
+    if grep -Eq "Error accessing remote module registry|401 Unauthorized|403 Forbidden|Failed to retrieve available versions" <<<"$out_init"; then
+      echo -e "  ${YLW}! skipped${RST} (requires private registry auth)"
+      echo "$out_init" | sed 's/^/    /'
+      for f in "${TFFILES[@]}"; do
+        echo -e "→ ${f}"
+        echo -e "  ${YLW}! skipped${RST}"
+      done
+      popd >/dev/null
+      echo
+      continue
+    fi
+
+    echo -e "  ${RED}✗ init failed${RST}"
+    echo "$out_init" | sed 's/^/    /'
+    exit_code=1
+    popd >/dev/null
+    echo
+    continue
+  fi
+
+  # ---------- VALIDATE ----------
+  set +e
+  out_val="$(terraform validate "${VALIDATE_ARGS[@]}" 2>&1)"
+  st_val=$?
+  set -e
+
+  if [[ $st_val -eq 0 ]]; then
+    for f in "${TFFILES[@]}"; do
+      echo -e "→ ${f}"
+      echo -e "  ${GRN}✓ Válido${RST}"
+      echo
+    done
+  else
+    echo -e "  ${RED}✗ validate failed${RST}"
+    echo "$out_val" | sed 's/^/    /'
+    exit_code=1
+    echo
+  fi
+
+  popd >/dev/null
+done
+
+exit "$exit_code"
