diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml new file mode 100644 index 0000000..eee8a7e --- /dev/null +++ b/.github/workflows/pre-commit.yml @@ -0,0 +1,138 @@ +name: Pre-commit + +on: + pull_request: + branches: [master] + paths: + - '**.tf' + - '**.tfvars' + - '**.md' + - '.pre-commit-config.yaml' + push: + branches: [master] + paths: + - '**.tf' + - '**.tfvars' + - '**.md' + - '.pre-commit-config.yaml' + +jobs: + pre-commit: + runs-on: ubuntu-latest + timeout-minutes: 15 + permissions: + contents: read + pull-requests: read + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.11' + + - name: Set up Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: '1.3.0' + + - name: Cache terraform tools + uses: actions/cache@v3 + with: + path: | + ~/.local/bin/terraform-docs + ~/.local/bin/tflint + key: terraform-tools-${{ runner.os }}-v1 + restore-keys: | + terraform-tools-${{ runner.os }}- + + - name: Install terraform-docs + run: | + if [ ! -f ~/.local/bin/terraform-docs ]; then + echo "Installing terraform-docs..." + mkdir -p ~/.local/bin + curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz + tar -xzf terraform-docs.tar.gz + chmod +x terraform-docs + mv terraform-docs ~/.local/bin/ + rm terraform-docs.tar.gz + fi + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - name: Install tflint + run: | + if ! command -v tflint &> /dev/null; then + echo "Installing tflint..." + curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash + fi + + - name: Install pre-commit + run: | + python -m pip install --upgrade pip + pip install pre-commit + + - name: Cache pre-commit hooks + uses: actions/cache@v3 + with: + path: ~/.cache/pre-commit + key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }} + restore-keys: | + pre-commit-${{ runner.os }}- + + - name: Install pre-commit hooks + run: pre-commit install-hooks + + - name: Run pre-commit on all files (push to master) + if: github.event_name == 'push' && github.ref == 'refs/heads/master' + run: pre-commit run --all-files + + - name: Run pre-commit on changed files (pull request) + if: github.event_name == 'pull_request' + run: | + # Get the list of changed files + git fetch origin ${{ github.base_ref }} + CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD -- '*.tf' '*.tfvars' '*.md') + + if [ -n "$CHANGED_FILES" ]; then + echo "Running pre-commit on changed files:" + echo "$CHANGED_FILES" + pre-commit run --files $CHANGED_FILES + else + echo "No relevant files changed, skipping pre-commit checks" + fi + + - name: Pre-commit summary + if: always() + run: | + echo "## ๐Ÿ” Pre-commit Results" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + if [ "${{ job.status }}" == "success" ]; then + echo "โœ… All pre-commit checks passed!" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Tools verified:**" >> $GITHUB_STEP_SUMMARY + echo "- ๐Ÿ”ง Terraform formatting" >> $GITHUB_STEP_SUMMARY + echo "- โœ… Terraform validation" >> $GITHUB_STEP_SUMMARY + echo "- ๐Ÿ“š Documentation generation" >> $GITHUB_STEP_SUMMARY + echo "- ๐Ÿ” TFLint analysis" >> $GITHUB_STEP_SUMMARY + echo "- ๐Ÿงน File formatting" >> $GITHUB_STEP_SUMMARY + else + echo "โŒ Pre-commit checks failed" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Please check the logs above for specific failures." >> $GITHUB_STEP_SUMMARY + echo "You can run \`pre-commit run --all-files\` locally to fix issues." >> $GITHUB_STEP_SUMMARY + fi + + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Configured hooks:**" >> $GITHUB_STEP_SUMMARY + echo "- trailing-whitespace" >> $GITHUB_STEP_SUMMARY + echo "- end-of-file-fixer" >> $GITHUB_STEP_SUMMARY + echo "- check-yaml" >> $GITHUB_STEP_SUMMARY + echo "- terraform_fmt" >> $GITHUB_STEP_SUMMARY + echo "- terraform_validate" >> $GITHUB_STEP_SUMMARY + echo "- terraform_docs" >> $GITHUB_STEP_SUMMARY + echo "- terraform_tflint" >> $GITHUB_STEP_SUMMARY \ No newline at end of file diff --git a/CLAUDE.md b/CLAUDE.md index 7633ac2..4535d66 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -196,6 +196,170 @@ export AWS_BACKUP_ENABLE_LONG_RUNNING_TESTS=false - Test audit framework compliance - Validate organization policy enforcement +## Pre-commit Configuration & Automation + +### Automated Code Quality with GitHub Actions + +This module includes a comprehensive pre-commit GitHub Actions workflow (`.github/workflows/pre-commit.yml`) that automatically validates code quality and formatting. The workflow runs on: + +- **Pull requests** targeting the master branch with changes to `.tf`, `.tfvars`, `.md`, or `.pre-commit-config.yaml` files +- **Pushes** to the master branch with changes to the same file types + +#### Pre-commit Workflow Features + +**Automated Tools & Checks:** +- ๐Ÿ”ง **Terraform formatting** (`terraform fmt`) +- โœ… **Terraform validation** (`terraform validate`) +- ๐Ÿ“š **Documentation generation** (`terraform-docs`) +- ๐Ÿ” **TFLint analysis** for best practices and errors +- ๐Ÿงน **File formatting** (trailing whitespace, end-of-file fixes) +- ๐Ÿ“‹ **YAML validation** for configuration files + +**Performance Optimizations:** +- **Smart caching** of terraform-docs and tflint binaries +- **Pre-commit hook caching** for faster subsequent runs +- **Incremental checking** on pull requests (only changed files) +- **Full validation** on master branch pushes +- **15-minute timeout** to prevent hung jobs + +**Workflow Intelligence:** +- **Changed file detection** - Only runs pre-commit on relevant changed files in PRs +- **Comprehensive summary** - Provides detailed results in GitHub Actions summary +- **Tool installation verification** - Automatically installs and caches required tools +- **Cross-platform compatibility** - Optimized for Ubuntu runners + +#### Local Pre-commit Setup + +**Install pre-commit locally for development:** + +```bash +# Install pre-commit (requires Python) +pip install pre-commit + +# Install pre-commit hooks for this repository +pre-commit install + +# Run pre-commit on all files manually +pre-commit run --all-files + +# Run pre-commit on specific files +pre-commit run --files main.tf variables.tf +``` + +**Required Tools for Local Development:** +```bash +# Terraform (version 1.3.0+ recommended) +terraform --version + +# terraform-docs for README generation +curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz +tar -xzf terraform-docs.tar.gz +sudo mv terraform-docs /usr/local/bin/ + +# TFLint for Terraform linting +curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash +``` + +#### Pre-commit Configuration + +The module uses `.pre-commit-config.yaml` with the following hooks: + +**Basic File Quality:** +- `trailing-whitespace` - Remove trailing whitespace +- `end-of-file-fixer` - Ensure files end with newline +- `check-yaml` - Validate YAML syntax + +**Terraform Quality:** +- `terraform_fmt` - Format Terraform files +- `terraform_validate` - Validate Terraform syntax and logic +- `terraform_docs` - Generate documentation +- `terraform_tflint` - Advanced Terraform linting + +#### CI/CD Integration Benefits + +**Pull Request Automation:** +- **Instant feedback** on code quality issues +- **Prevents merge** of poorly formatted code +- **Reduces review time** by catching common issues +- **Maintains consistency** across contributors + +**Master Branch Protection:** +- **Comprehensive validation** on all files after merge +- **Documentation updates** automatically generated +- **Quality gate** for production code + +**Development Experience:** +- **Fast feedback loop** with incremental checking +- **Clear error messages** with actionable guidance +- **Automated fixes** for many formatting issues +- **Consistent development environment** across team + +### Pre-commit Best Practices + +#### Local Development Workflow +```bash +# Before committing changes +git add . +pre-commit run --files $(git diff --cached --name-only) + +# If pre-commit fixes issues, add them and commit +git add . +git commit -m "feat: add backup vault lock configuration" +``` + +#### Troubleshooting Pre-commit Issues + +**Common Issues & Solutions:** + +**Terraform Formatting Errors:** +```bash +# Fix formatting automatically +terraform fmt -recursive . + +# Check specific file +terraform fmt -check main.tf +``` + +**Documentation Generation Errors:** +```bash +# Regenerate documentation +terraform-docs markdown table . > README.md + +# Check terraform-docs configuration +terraform-docs --version +``` + +**TFLint Errors:** +```bash +# Run TFLint locally to see detailed errors +tflint + +# Initialize TFLint if needed +tflint --init +``` + +**Pre-commit Hook Installation Issues:** +```bash +# Reinstall pre-commit hooks +pre-commit uninstall +pre-commit install + +# Clear pre-commit cache if needed +pre-commit clean +``` + +#### Performance Considerations + +**Large Repositories:** +- Pre-commit runs only on changed files in PRs (faster feedback) +- Tool binaries are cached between runs +- Pre-commit hooks are cached based on configuration hash + +**Network Issues:** +- Tools are installed once and cached +- Fallback installation methods for corporate networks +- Offline capability after initial tool installation + ## Security Considerations ### AWS Backup-Specific Security Practices