# atlantis-community
r
Yes
tflint, tfsec, tf-summarize
s
can you give more context about the flow
r
Custom container: install tools. Custom workflow: init, tflint, tfsec, then the plan and apply steps.
s
So will this scan only the files updated in the PR, or the entire code base?
r
It depends on the flags
Here is a container I use and customize. It may not be up to date, though: https://github.com/nitrocode/atlantis-terraform-module
c
I have tflint etc in a pre-commit hook and then just run that as a separate validate step in a github action
šŸ‘ 2
r
That's probably the best way to do it! :)
(referring to the separate gh action)
s
@Chastity Blackwell Are you triggering the GitHub Action from the pre-commit hook?
c
No, the hook is triggered via a push to a PR
Actually, I think I stole it from a previous employer's public repo 🙂
s
Could you please paste it here for reference 🙂
c
This is what I have here:
```yaml
name: validate

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

# Pre-commit checking code was cribbed from trussworks/shared-actions
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - name: Set up homebrew
        uses: Homebrew/actions/setup-homebrew@master
      - name: Install prereqs for checks
        run: |
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
          brew install terraform-docs
          brew install gh
          pip install pre-commit
      - name: Cache
        uses: actions/cache@v3
        with:
          path: ~/.cache/pre-commit
          # Expressions need the ${{ }} form; a bare {{ }} is taken as a literal string
          key: pre-commit-dot-cache-${{ hashFiles('.pre-commit-config.yaml') }}
      - name: Pre-commit checks
        run: |
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
          pre-commit run --all-files --show-diff-on-failure
```
šŸ‘ 1
I think that one is only running terraform-docs and terraform fmt
the .pre-commit-config.yaml looks like this:
```yaml
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v3.4.0
    hooks:
      - id: trailing-whitespace

  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.47.0
    hooks:
      - id: terraform_fmt
      - id: terraform_docs
      # - id: terraform_validate

  - repo: https://github.com/igorshubovych/markdownlint-cli
    rev: v0.32.2
    hooks:
      - id: markdownlint
```
šŸ‘ 1
I can't remember why I'm not running validate, I need to probably take another look at that
But you should be able to do something pretty similar to add tflint or whatever else you want to add
w
We run these kinds of things in a CI pipeline (and also in pre-commit though that only works if people enable it)
c
Yeah. Using pre-commit makes it easy to just throw it in a pipeline too, though.
w
For us, the pipeline is a lot more complex, but yeah.
current pre-commit config
šŸ‘ 1
note: Aqua is pushing folks from tfsec to trivy 😞 so far, I’m not liking working with trivy as much
c
tfsec always drove me nuts because it scanned modules I pulled in from the registry
šŸ‘ 2
w
@Chastity Blackwell I had that problem too. trivy does that even worse. tfsec fixed at least most of the problems with that that I had in the past.
c
blerg
w
with tfsec, it at least seems to be smart enough to follow the chain of what’s actually included (most of the time). trivy uses the same scanning engine; I guess hopefully they fix all the remaining bugs, because they haven’t updated tfsec at all in a while
in CI, also have something that will auto run tf fmt and commit the results if there are unformatted files, and a daily integration test that tests core modules (using test kitchen)
and also added some simple checks for non-snake-case resource names
c
Care to share? 🙂
w
Absolutely. It’s dead simple, but is working pretty well so far. This is a Circle config, but the basic commands should work anywhere.
I do something basically like this for the validate / init / tflint bits (in a project with a bunch of directories which are basically all terraform states) (first bit is specific to Circle’s parallel test splitting, but you could use a similar approach without it)
@Chastity Blackwell if you had issues w/ validate on the pre-commit hook before, maybe try with
- --hook-config=--retry-once-with-cleanup=true
if you didn’t already have it.
c
I'll give that a shot.
w
It deals with the issue where if the .terraform directory is stale, validation fails. Or something like that.
c
ah...that might fix my issue then. Thanks!
w
to the OP’s original question: I’ve normally used the CI provider to run the checks, and then relied on the VCS provider’s required checks combined with things like Atlantis’s “mergeable” requirement to enforce them. I don’t know of many cases where people are using atlantis to run / enforce those checks directly. it might be possible with some kind of custom workflow, but I think the other way is most typical, if it’s usable for you
ā˜ļø 1