Upgrade to TF 0.13 + more pre-commit hooks & improvements (#4)

* Update pre-commit hooks, remove build-harness, rework docs, remove deps sources and switch to serverless for packaging

Author: aleks-fofanov

.github/workflows/pre-commit.yml

@@ -0,0 +1,155 @@
+name: Pre-Commit
+
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+
+env:
+  node-version: '14'
+  python-version: '3.8'
+  function-source-code-dir: ./source-code
+  packaged-function-dir: ./packaged
+
+jobs:
+  packageLambda:
+    name: Package lambda function
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Install Node.js & npm
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{env.node-version}}
+          check-latest: true
+      - name: Install Python 3
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{env.python-version}}
+      - name: Install Serverless Framework
+        run: npm install -g serverless
+      - name: Install Node.js dependencies
+        working-directory: ${{env.function-source-code-dir}}
+        run: npm install
+      - name: Create artifacts directory
+        run: mkdir -p ${{env.packaged-function-dir}}
+      - name: Package lambda function
+        working-directory: ${{env.function-source-code-dir}}
+        run: sls package --package ${{env.packaged-function-dir}}
+      - name: Upload packaged lambda function to artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: lambda
+          path: ${{env.packaged-function-dir}}/*.zip
+
+  # Min Terraform version(s)
+  getDirectories:
+    name: Get root directories
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Install Python
+        uses: actions/setup-python@v2
+      - name: Build matrix
+        id: matrix
+        run: |
+          DIRS=$(python -c "import json; import glob; print(json.dumps([x.replace('/versions.tf', '') for x in glob.glob('./**/versions.tf', recursive=True)]))")
+          echo "::set-output name=directories::$DIRS"
+    outputs:
+      directories: ${{ steps.matrix.outputs.directories }}
+
+  preCommitMinVersions:
+    name: Min TF validate
+    needs:
+      - getDirectories
+      - packageLambda
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        directory: ${{ fromJson(needs.getDirectories.outputs.directories) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Download artifcats (packaged lambda)
+        uses: actions/download-artifact@v2
+        with:
+          name: lambda
+      - name: Create artifacts directory
+        run: mkdir -p ${{env.packaged-function-dir}} && cp ./*.zip ${{env.packaged-function-dir}}
+      - name: Install Python
+        uses: actions/setup-python@v2
+      - name: Terraform min/max versions
+        id: minMax
+        uses: clowdhaus/[email protected]
+        with:
+          directory: ${{ matrix.directory }}
+      - name: Install Terraform v${{ steps.minMax.outputs.minVersion }}
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: ${{ steps.minMax.outputs.minVersion }}
+      - name: Install pre-commit dependencies
+        run: pip install pre-commit
+      - name: Execute pre-commit
+        # Run only validate pre-commit check on min version supported
+        if: ${{ matrix.directory !=  '.' }}
+        run:
+          pre-commit run terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*
+      - name: Execute pre-commit
+        # Run only validate pre-commit check on min version supported
+        if: ${{ matrix.directory ==  '.' }}
+        run:
+          pre-commit run terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)
+
+  # Max Terraform version
+  getBaseVersion:
+    name: Module max TF version
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Terraform min/max versions
+        id: minMax
+        uses: clowdhaus/[email protected]
+    outputs:
+      minVersion: ${{ steps.minMax.outputs.minVersion }}
+      maxVersion: ${{ steps.minMax.outputs.maxVersion }}
+
+  preCommitMaxVersion:
+    name: Max TF pre-commit
+    runs-on: ubuntu-latest
+    needs:
+      - getBaseVersion
+      - packageLambda
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+          - ${{ needs.getBaseVersion.outputs.maxVersion }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Download artifcats (packaged lambda)
+        uses: actions/download-artifact@v2
+        with:
+          name: lambda
+      - name: Create artifacts directory
+        run: mkdir -p ${{env.packaged-function-dir}} && cp ./*.zip ${{env.packaged-function-dir}}
+      - name: Install Python
+        uses: actions/setup-python@v2
+      - name: Install Terraform v${{ matrix.version }}
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: ${{ matrix.version }}
+      - name: Install pre-commit dependencies
+        run: |
+          pip install pre-commit
+          curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-v0.12\..+?-linux-amd64" | head -n1)" > terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
+          curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
+          curl -L "$(curl -s https://api.github.com/repos/tfsec/tfsec/releases/latest | grep -o -E "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/
+      - name: Execute pre-commit
+        # Run all pre-commit checks on max version supported
+        if: ${{ matrix.version ==  needs.getBaseVersion.outputs.maxVersion }}
+        run: pre-commit run --color=always --show-diff-on-failure --all-files

.gitignore

@@ -30,9 +30,13 @@ override.tf.json
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 
+# IDE
 .idea/
-**/generated/
-!**/generated/.gitkeep
 
-.build-harness
-build-harness
+# Serverless directories
+.serverless
+**/packaged/*
+!**/packaged/*.zip
+
+# NodeJS
+node_modules/

.pre-commit-config.yaml

@@ -1,20 +1,21 @@
 repos:
   - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.30.0
+    rev: v1.48.0
     hooks:
       - id: terraform_fmt
-      - id: terraform_docs_replace
-        args: ['--with-aggregate-type-defaults', '--dest=docs/terraform.md']
-  - repo: local
-    hooks:
-        - id: build-readme
-          name: Build README.md
-          language: system
-          entry: make readme/sync
-          types: [file]
-          files: ^README\.yaml$
+      - id: terraform_validate
+      - id: terraform_docs
+      - id: terraform_tflint
+        args:
+          - '--args=--config=__GIT_WORKING_DIR__/.tflint.hcl'
+          - '--args=--format=compact'
+        require_serial: true
+      - id: terraform_tfsec
+        args:
+          - '--args=--exclude-downloaded-modules --concise-output'
+        require_serial: true
+        exclude: ^examples/
   - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v2.5.0
+    rev: v3.4.0
     hooks:
       - id: check-merge-conflict
-

.tflint.hcl

@@ -0,0 +1,61 @@
+config {
+  module = false
+  force = false
+  disabled_by_default = true
+}
+
+plugin "aws" {
+  enabled = false
+}
+
+rule "terraform_deprecated_interpolation" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_module_pinned_source" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = true
+}
+
+rule "terraform_workspace_remote" {
+  enabled = true
+}