{"id":13505814,"url":"https://github.com/antonbabenko/pre-commit-terraform","last_synced_at":"2026-01-04T16:16:08.999Z","repository":{"id":37444880,"uuid":"69382485","full_name":"antonbabenko/pre-commit-terraform","owner":"antonbabenko","description":"pre-commit git hooks to take care of Terraform configurations 🇺🇦","archived":false,"fork":false,"pushed_at":"2025-05-13T11:51:52.000Z","size":1445,"stargazers_count":3411,"open_issues_count":32,"forks_count":565,"subscribers_count":24,"default_branch":"master","last_synced_at":"2025-05-13T12:45:59.367Z","etag":null,"topics":["automation","code-style","git-hooks","hacktoberfest","hooks","pre-commit","terraform","terraform-docs","terragrunt"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/antonbabenko.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["antonbabenko"],"patreon":"antonbabenko","custom":["https://paypal.me/antonbabenko","https://www.buymeacoffee.com/antonbabenko"]}},"created_at":"2016-09-27T17:37:42.000Z","updated_at":"2025-05-13T11:36:39.000Z","dependencies_parsed_at":"2023-09-22T11:39:56.967Z","dependency_job_id":"9afdecc9-0487-4d18-ba19-e0fd72ffdb83","html_url":"https://github.com/antonbabenko/pre-commit-terraform","commit_stats":{"total_commits":513,"total_committers":97,"mean_commits":5.288659793814433,"dds":0.7621832358674464,"last_synced_commit":"89f45610a846f56273a6c4290b3c42534175949e"},"previous_names":[],"ta
gs_count":152,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antonbabenko%2Fpre-commit-terraform","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antonbabenko%2Fpre-commit-terraform/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antonbabenko%2Fpre-commit-terraform/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antonbabenko%2Fpre-commit-terraform/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/antonbabenko","download_url":"https://codeload.github.com/antonbabenko/pre-commit-terraform/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254020633,"owners_count":22000755,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","code-style","git-hooks","hacktoberfest","hooks","pre-commit","terraform","terraform-docs","terragrunt"],"created_at":"2024-08-01T00:01:14.482Z","updated_at":"2026-01-04T16:16:08.985Z","avatar_url":"https://github.com/antonbabenko.png","language":"Shell","readme":"# Collection of git hooks for Terraform to be used with [pre-commit framework](http://pre-commit.com/)\n\n[![Latest Github tag]](https://github.com/antonbabenko/pre-commit-terraform/releases)\n![Maintenance status](https://img.shields.io/maintenance/yes/2026.svg)\n[![GHA Tests CI/CD Badge]](https://github.com/antonbabenko/pre-commit-terraform/actions/workflows/ci-cd.yml)\n[![Codecov pytest 
Badge]](https://app.codecov.io/gh/antonbabenko/pre-commit-terraform?flags[]=pytest)\n[![OpenSSF Scorecard Badge]](https://scorecard.dev/viewer/?uri=github.com/antonbabenko/pre-commit-terraform)\n[![OpenSSF Best Practices Badge]](https://www.bestpractices.dev/projects/9963)\n[![Codetriage - Help Contribute to Open Source Badge]](https://www.codetriage.com/antonbabenko/pre-commit-terraform)\n\n[![StandWithUkraine Banner]](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md)\n\n\u003c!-- markdownlint-disable no-inline-html --\u003e\n\u003cp align=\"center\"\u003e\u003cimg src=\"assets/pre-commit-terraform-banner.png\" alt=\"pre-commit-terraform logo\" width=\"700\"/\u003e\u003c/p\u003e\n\n[`pre-commit-terraform`](https://github.com/antonbabenko/pre-commit-terraform) provides a collection of [Git Hooks](https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks) for Terraform and related tools and is driven by the [pre-commit framework](https://pre-commit.com). It helps ensure that Terraform, OpenTofu, and Terragrunt configurations are kept in good shape by automatically running various checks and formatting code before committing changes to version control system. 
This helps maintain code quality and consistency across the project.\n\nIt can be run:\n\n* Locally and in CI\n* As standalone Git hooks or as a Docker image\n* For the entire repository or just for change-related files (e.g., local git stash, last commit, or all changes in a Pull Request)\n\nWant to contribute?\nCheck [open issues](https://github.com/antonbabenko/pre-commit-terraform/issues?q=label%3A%22good+first+issue%22+is%3Aopen+sort%3Aupdated-desc)\nand [contributing notes](/.github/CONTRIBUTING.md).\n\n[Latest Github tag]: https://img.shields.io/github/tag/antonbabenko/pre-commit-terraform.svg\n[Codetriage - Help Contribute to Open Source Badge]: https://www.codetriage.com/antonbabenko/pre-commit-terraform/badges/users.svg\n[GHA Tests CI/CD Badge]: https://github.com/antonbabenko/pre-commit-terraform/actions/workflows/ci-cd.yml/badge.svg?branch=master\n[Codecov Pytest Badge]: https://codecov.io/gh/antonbabenko/pre-commit-terraform/branch/master/graph/badge.svg?flag=pytest\n[OpenSSF Scorecard Badge]: https://api.scorecard.dev/projects/github.com/antonbabenko/pre-commit-terraform/badge\n[OpenSSF Best Practices Badge]: https://www.bestpractices.dev/projects/9963/badge\n[StandWithUkraine Banner]: https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner-direct.svg\n\n## Sponsors\n\nIf you want to support the development of `pre-commit-terraform` and [many other open-source projects](https://github.com/antonbabenko/terraform-aws-devops), please become a [GitHub Sponsor](https://github.com/sponsors/antonbabenko)!\n\n\n## Table of content\n\n* [Sponsors](#sponsors)\n* [Table of content](#table-of-content)\n* [How to install](#how-to-install)\n  * [1. Install dependencies](#1-install-dependencies)\n    * [1.1 Custom Terraform binaries and OpenTofu support](#11-custom-terraform-binaries-and-opentofu-support)\n  * [2. Install the pre-commit hook globally](#2-install-the-pre-commit-hook-globally)\n  * [3. 
Add configs and hooks](#3-add-configs-and-hooks)\n  * [4. Run](#4-run)\n* [Available Hooks](#available-hooks)\n* [Hooks usage notes and examples](#hooks-usage-notes-and-examples)\n  * [Known limitations](#known-limitations)\n  * [All hooks: Usage of environment variables in `--args`](#all-hooks-usage-of-environment-variables-in---args)\n  * [All hooks: Usage of `__GIT_WORKING_DIR__` placeholder in `--args`](#all-hooks-usage-of-__git_working_dir__-placeholder-in---args)\n  * [All hooks: Set env vars inside hook at runtime](#all-hooks-set-env-vars-inside-hook-at-runtime)\n  * [All hooks: Disable color output](#all-hooks-disable-color-output)\n  * [All hooks: Log levels](#all-hooks-log-levels)\n  * [Many hooks: Parallelism](#many-hooks-parallelism)\n  * [checkov (deprecated) and terraform\\_checkov](#checkov-deprecated-and-terraform_checkov)\n  * [infracost\\_breakdown](#infracost_breakdown)\n  * [terraform\\_docs](#terraform_docs)\n  * [terraform\\_docs\\_replace (deprecated)](#terraform_docs_replace-deprecated)\n  * [terraform\\_fmt](#terraform_fmt)\n  * [terraform\\_providers\\_lock](#terraform_providers_lock)\n  * [terraform\\_tflint](#terraform_tflint)\n  * [terraform\\_tfsec (deprecated)](#terraform_tfsec-deprecated)\n  * [terraform\\_trivy](#terraform_trivy)\n  * [terraform\\_validate](#terraform_validate)\n  * [terraform\\_wrapper\\_module\\_for\\_each](#terraform_wrapper_module_for_each)\n  * [terrascan](#terrascan)\n  * [tfupdate](#tfupdate)\n  * [terragrunt\\_providers\\_lock](#terragrunt_providers_lock)\n  * [terragrunt\\_validate\\_inputs](#terragrunt_validate_inputs)\n* [Docker Usage](#docker-usage)\n  * [About Docker image security](#about-docker-image-security)\n  * [File Permissions](#file-permissions)\n  * [Download Terraform modules from private GitHub repositories](#download-terraform-modules-from-private-github-repositories)\n* [GitHub Actions](#github-actions)\n* [Authors](#authors)\n* [License](#license)\n  * [Additional information for users 
from Russia and Belarus](#additional-information-for-users-from-russia-and-belarus)\n\n## How to install\n\n### 1. Install dependencies\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003eDocker\u003c/b\u003e\u003c/summary\u003e\u003cbr\u003e\n\n**Pull docker image with all hooks**:\n\n```bash\nTAG=latest\ndocker pull ghcr.io/antonbabenko/pre-commit-terraform:$TAG\n```\n\nAll available tags [here](https://github.com/antonbabenko/pre-commit-terraform/pkgs/container/pre-commit-terraform/versions).\n\nCheck [About Docker image security](#about-docker-image-security) section to learn more about possible security issues and why you probably want to build and maintain your own image.\n\n\n**Build from scratch**:\n\n\u003e **IMPORTANT**  \n\u003e To build image you need to have [`docker buildx`](https://docs.docker.com/build/install-buildx/) enabled as default builder.  \n\u003e Otherwise - provide `TARGETOS` and `TARGETARCH` as additional `--build-arg`'s to `docker build`.\n\nWhen hooks-related `--build-arg`s are not specified, only the latest version of `pre-commit` and `terraform` will be installed.\n\n```bash\ngit clone git@github.com:antonbabenko/pre-commit-terraform.git\ncd pre-commit-terraform\n# Install the latest versions of all the tools\ndocker build -t pre-commit-terraform --build-arg INSTALL_ALL=true .\n```\n\nTo install a specific version of individual tools, define it using `--build-arg` arguments or set it to `latest`:\n\n```bash\ndocker build -t pre-commit-terraform \\\n    --build-arg PRE_COMMIT_VERSION=latest \\\n    --build-arg OPENTOFU_VERSION=latest \\\n    --build-arg TERRAFORM_VERSION=1.5.7 \\\n    --build-arg CHECKOV_VERSION=2.0.405 \\\n    --build-arg HCLEDIT_VERSION=latest \\\n    --build-arg INFRACOST_VERSION=latest \\\n    --build-arg TERRAFORM_DOCS_VERSION=0.15.0 \\\n    --build-arg TERRAGRUNT_VERSION=latest \\\n    --build-arg TERRASCAN_VERSION=1.10.0 \\\n    --build-arg TFLINT_VERSION=0.31.0 \\\n    --build-arg TFSEC_VERSION=latest \\\n   
 --build-arg TFUPDATE_VERSION=latest \\\n    --build-arg TRIVY_VERSION=latest \\\n    .\n```\n\nSet `-e PRE_COMMIT_COLOR=never` to disable the color output in `pre-commit`.\n\n\u003e **NOTE**\n\u003e The build install scripts are calling the GitHub API to resolve the release URL. If you need to authenticate those calls, you can pass a GitHub token (the `GITHUB_TOKEN` environment variable is expected to be set with an [access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)):\n\u003e ```bash\n\u003e docker build -t pre-commit-terraform --build-arg GITHUB_TOKEN .\n\u003e ```\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003eMacOS\u003c/b\u003e\u003c/summary\u003e\u003cbr\u003e\n\n```bash\nbrew install pre-commit terraform-docs tflint tfsec trivy checkov terrascan infracost tfupdate minamijoyo/hcledit/hcledit jq\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003eUbuntu 18.04\u003c/b\u003e\u003c/summary\u003e\u003cbr\u003e\n\n```bash\nsudo apt update\nsudo apt install -y unzip software-properties-common\nsudo add-apt-repository ppa:deadsnakes/ppa\nsudo apt install -y python3.7 python3-pip\npython3 -m pip install --upgrade pip\npip3 install --no-cache-dir pre-commit\npython3.7 -m pip install -U checkov\ncurl -L \"$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E -m 1 \"https://.+?-linux-amd64.tar.gz\")\" \u003e terraform-docs.tgz \u0026\u0026 tar -xzf terraform-docs.tgz \u0026\u0026 rm terraform-docs.tgz \u0026\u0026 chmod +x terraform-docs \u0026\u0026 sudo mv terraform-docs /usr/bin/\ncurl -L \"$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E -m 1 \"https://.+?_linux_amd64.zip\")\" \u003e tflint.zip \u0026\u0026 unzip tflint.zip \u0026\u0026 rm tflint.zip \u0026\u0026 sudo mv tflint /usr/bin/\ncurl -L \"$(curl -s 
https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E -m 1 \"https://.+?tfsec-linux-amd64\")\" \u003e tfsec \u0026\u0026 chmod +x tfsec \u0026\u0026 sudo mv tfsec /usr/bin/\ncurl -L \"$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest | grep -o -E -i -m 1 \"https://.+?/trivy_.+?_Linux-64bit.tar.gz\")\" \u003e trivy.tar.gz \u0026\u0026 tar -xzf trivy.tar.gz trivy \u0026\u0026 rm trivy.tar.gz \u0026\u0026 sudo mv trivy /usr/bin\ncurl -L \"$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E -m 1 \"https://.+?_Linux_x86_64.tar.gz\")\" \u003e terrascan.tar.gz \u0026\u0026 tar -xzf terrascan.tar.gz terrascan \u0026\u0026 rm terrascan.tar.gz \u0026\u0026 sudo mv terrascan /usr/bin/ \u0026\u0026 terrascan init\nsudo apt install -y jq \u0026\u0026 \\\ncurl -L \"$(curl -s https://api.github.com/repos/infracost/infracost/releases/latest | grep -o -E -m 1 \"https://.+?-linux-amd64.tar.gz\")\" \u003e infracost.tgz \u0026\u0026 tar -xzf infracost.tgz \u0026\u0026 rm infracost.tgz \u0026\u0026 sudo mv infracost-linux-amd64 /usr/bin/infracost \u0026\u0026 infracost auth login\ncurl -L \"$(curl -s https://api.github.com/repos/minamijoyo/tfupdate/releases/latest | grep -o -E -m 1 \"https://.+?_linux_amd64.tar.gz\")\" \u003e tfupdate.tar.gz \u0026\u0026 tar -xzf tfupdate.tar.gz tfupdate \u0026\u0026 rm tfupdate.tar.gz \u0026\u0026 sudo mv tfupdate /usr/bin/\ncurl -L \"$(curl -s https://api.github.com/repos/minamijoyo/hcledit/releases/latest | grep -o -E -m 1 \"https://.+?_linux_amd64.tar.gz\")\" \u003e hcledit.tar.gz \u0026\u0026 tar -xzf hcledit.tar.gz hcledit \u0026\u0026 rm hcledit.tar.gz \u0026\u0026 sudo mv hcledit /usr/bin/\n```\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003eUbuntu 20.04+\u003c/b\u003e\u003c/summary\u003e\u003cbr\u003e\n\n```bash\nsudo apt update\nsudo apt install -y unzip software-properties-common python3 python3-pip python-is-python3\npython3 -m 
pip install --upgrade pip\npip3 install --no-cache-dir pre-commit\npip3 install --no-cache-dir checkov\ncurl -L \"$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E -m 1 \"https://.+?-linux-amd64.tar.gz\")\" \u003e terraform-docs.tgz \u0026\u0026 tar -xzf terraform-docs.tgz terraform-docs \u0026\u0026 rm terraform-docs.tgz \u0026\u0026 chmod +x terraform-docs \u0026\u0026 sudo mv terraform-docs /usr/bin/\ncurl -L \"$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E -m 1 \"https://.+?_Linux_x86_64.tar.gz\")\" \u003e terrascan.tar.gz \u0026\u0026 tar -xzf terrascan.tar.gz terrascan \u0026\u0026 rm terrascan.tar.gz \u0026\u0026 sudo mv terrascan /usr/bin/ \u0026\u0026 terrascan init\ncurl -L \"$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E -m 1 \"https://.+?_linux_amd64.zip\")\" \u003e tflint.zip \u0026\u0026 unzip tflint.zip \u0026\u0026 rm tflint.zip \u0026\u0026 sudo mv tflint /usr/bin/\ncurl -L \"$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E -m 1 \"https://.+?tfsec-linux-amd64\")\" \u003e tfsec \u0026\u0026 chmod +x tfsec \u0026\u0026 sudo mv tfsec /usr/bin/\ncurl -L \"$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest | grep -o -E -i -m 1 \"https://.+?/trivy_.+?_Linux-64bit.tar.gz\")\" \u003e trivy.tar.gz \u0026\u0026 tar -xzf trivy.tar.gz trivy \u0026\u0026 rm trivy.tar.gz \u0026\u0026 sudo mv trivy /usr/bin\nsudo apt install -y jq \u0026\u0026 \\\ncurl -L \"$(curl -s https://api.github.com/repos/infracost/infracost/releases/latest | grep -o -E -m 1 \"https://.+?-linux-amd64.tar.gz\")\" \u003e infracost.tgz \u0026\u0026 tar -xzf infracost.tgz \u0026\u0026 rm infracost.tgz \u0026\u0026 sudo mv infracost-linux-amd64 /usr/bin/infracost \u0026\u0026 infracost auth login\ncurl -L \"$(curl -s https://api.github.com/repos/minamijoyo/tfupdate/releases/latest | grep -o -E -m 1 
\"https://.+?_linux_amd64.tar.gz\")\" \u003e tfupdate.tar.gz \u0026\u0026 tar -xzf tfupdate.tar.gz tfupdate \u0026\u0026 rm tfupdate.tar.gz \u0026\u0026 sudo mv tfupdate /usr/bin/\ncurl -L \"$(curl -s https://api.github.com/repos/minamijoyo/hcledit/releases/latest | grep -o -E -m 1 \"https://.+?_linux_amd64.tar.gz\")\" \u003e hcledit.tar.gz \u0026\u0026 tar -xzf hcledit.tar.gz hcledit \u0026\u0026 rm hcledit.tar.gz \u0026\u0026 sudo mv hcledit /usr/bin/\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003eWindows 10/11\u003c/b\u003e\u003c/summary\u003e\n\nWe highly recommend using [WSL/WSL2](https://docs.microsoft.com/en-us/windows/wsl/install) with Ubuntu and following the Ubuntu installation guide. Or use Docker.\n\n\u003e **IMPORTANT**  \n\u003e We won't be able to help with issues that can't be reproduced in Linux/Mac.  \n\u003e So, try to find a working solution and send PR before open an issue.\n\nOtherwise, you can follow [this gist](https://gist.github.com/etiennejeanneaurevolve/1ed387dc73c5d4cb53ab313049587d09):\n\n1. Install [`git`](https://git-scm.com/downloads) and [`gitbash`](https://gitforwindows.org/)\n2. Install [Python 3](https://www.python.org/downloads/)\n3. Install all prerequisites needed (see above)\n\nEnsure your PATH environment variable looks for `bash.exe` in `C:\\Program Files\\Git\\bin` (the one present in `C:\\Windows\\System32\\bash.exe` does not work with `pre-commit.exe`)\n\nFor `checkov`, you may need to also set your `PYTHONPATH` environment variable with the path to your Python modules.  \nE.g. 
`C:\\Users\\USERNAME\\AppData\\Local\\Programs\\Python\\Python39\\Lib\\site-packages`\n\n\u003c/details\u003e\n\nFull list of dependencies and where they are used:\n\n\u003c!-- (Do not remove html tags here) --\u003e\n* [`pre-commit`](https://pre-commit.com/#install),\n  \u003csub\u003e\u003csup\u003e[`terraform`](https://www.terraform.io/downloads.html) or [`opentofu`](https://opentofu.org/docs/intro/install/),\n  \u003csub\u003e\u003csup\u003e[`git`](https://git-scm.com/downloads),\n  \u003csub\u003e\u003csup\u003e[BASH `3.2.57` or newer](https://www.gnu.org/software/bash/#download),\n  \u003csub\u003e\u003csup\u003eInternet connection (on first run),\n  \u003csub\u003e\u003csup\u003ex86_64 or arm64 compatible operating system,\n  \u003csub\u003e\u003csup\u003eSome hardware where this OS will run,\n  \u003csub\u003e\u003csup\u003eElectricity for hardware and internet connection,\n  \u003csub\u003e\u003csup\u003eSome basic physical laws,\n  \u003csub\u003e\u003csup\u003eHope that it all will work.\n  \u003c/sup\u003e\u003c/sub\u003e\u003c/sup\u003e\u003c/sub\u003e\u003c/sup\u003e\u003c/sub\u003e\u003c/sup\u003e\u003c/sub\u003e\u003c/sup\u003e\u003c/sub\u003e\u003c/sup\u003e\u003c/sub\u003e\u003c/sup\u003e\u003c/sub\u003e\u003c/sup\u003e\u003c/sub\u003e\u003c/sup\u003e\u003c/sub\u003e\u003cbr\u003e\u003cbr\u003e\n* [`checkov`][checkov repo] required for `terraform_checkov` hook\n* [`terraform-docs`][terraform-docs repo] 0.12.0+ required for `terraform_docs` hook\n* [`terragrunt`][terragrunt repo] required for `terragrunt_validate` and `terragrunt_valid_inputs` hooks\n* [`terrascan`][terrascan repo] required for `terrascan` hook\n* [`TFLint`][tflint repo] required for `terraform_tflint` hook\n* [`TFSec`][tfsec repo] required for `terraform_tfsec` hook\n* [`Trivy`][trivy repo] required for `terraform_trivy` hook\n* [`infracost`][infracost repo] required for `infracost_breakdown` hook\n* [`jq`][jq repo] required for `terraform_validate` with 
`--retry-once-with-cleanup` flag, and for `infracost_breakdown` hook\n* [`tfupdate`][tfupdate repo] required for `tfupdate` hook\n* [`hcledit`][hcledit repo] required for `terraform_wrapper_module_for_each` hook\n\n\n#### 1.1 Custom Terraform binaries and OpenTofu support\n\nIt is possible to set custom path to `terraform` binary.  \nThis makes it possible to use [OpenTofu](https://opentofu.org) binary (`tofu`) instead of `terraform`.\n\nHow binary discovery works and how you can redefine it (first matched takes precedence):\n\n1. Check if per hook configuration `--hook-config=--tf-path=\u003cpath_to_binary_or_binary_name\u003e` is set\n2. Check if `PCT_TFPATH=\u003cpath_to_binary_or_binary_name\u003e` environment variable is set\n3. Check if `TERRAGRUNT_TFPATH=\u003cpath_to_binary_or_binary_name\u003e` environment variable is set\n4. Check if `terraform` binary can be found in the user's `$PATH`\n5. Check if `tofu` binary can be found in the user's `$PATH`\n\n\n### 2. Install the pre-commit hook globally\n\n\u003e [!NOTE]\n\u003e Not needed if you use the Docker image\n\n```bash\nDIR=~/.git-template\ngit config --global init.templateDir ${DIR}\npre-commit init-templatedir -t pre-commit ${DIR}\n```\n\n### 3. Add configs and hooks\n\nStep into the repository you want to have the pre-commit hooks installed and run:\n\n```bash\ngit init\ncat \u003c\u003cEOF \u003e .pre-commit-config.yaml\nrepos:\n- repo: https://github.com/antonbabenko/pre-commit-terraform\n  rev: \u003cVERSION\u003e # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases\n  hooks:\n    - id: terraform_fmt\n    - id: terraform_docs\nEOF\n```\n\nIf this repository was initialized locally via `git init` or `git clone` _before_\nyou installed the pre-commit hook globally ([step 2](#2-install-the-pre-commit-hook-globally)),\nyou will need to run:\n\n```bash\npre-commit install\n```\n\n### 4. 
Run\n\nExecute this command to run `pre-commit` on all files in the repository (not only changed files):\n\n```bash\npre-commit run -a\n```\n\nOr, using Docker ([available tags](https://github.com/antonbabenko/pre-commit-terraform/pkgs/container/pre-commit-terraform/versions)):\n\n\u003e [!TIP]\n\u003e This command uses your user id and group id for the docker container to use to access the local files.  If the files are owned by another user, update the `USERID` environment variable.  See [File Permissions section](#file-permissions) for more information.\n\n```bash\nTAG=latest\ndocker run -e \"USERID=$(id -u):$(id -g)\" -v \"$(pwd):/lint\" -w \"/lint\" \"ghcr.io/antonbabenko/pre-commit-terraform:$TAG\" run -a\n```\n\nExecute this command to list the versions of the tools in Docker:\n\n```bash\nTAG=latest\ndocker run --rm --entrypoint cat ghcr.io/antonbabenko/pre-commit-terraform:$TAG /usr/bin/tools_versions_info\n```\n\n## Available Hooks\n\nThere are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform configurations (both `*.tf` and `*.tfvars`) and Terragrunt configurations (`*.hcl`) in a good shape:\n\n| Hook name                                              | Description                                                                                                                                                                                                                      | Dependencies\u003cbr\u003e\u003csup\u003e[Install instructions here](#1-install-dependencies)\u003c/sup\u003e      |\n| ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |\n| `checkov` and `terraform_checkov`                      | [checkov][checkov 
repo] static analysis of terraform templates to spot potential security issues. [Hook notes](#checkov-deprecated-and-terraform_checkov)                                                                        | `checkov`\u003cbr\u003eUbuntu deps: `python3`, `python3-pip`                                   |\n| `infracost_breakdown`                                  | Check how much your infra costs with [infracost][infracost repo]. [Hook notes](#infracost_breakdown)                                                                                                                             | `infracost`, `jq`, [Infracost API key](https://www.infracost.io/docs/#2-get-api-key) |\n| `terraform_docs`                                       | Inserts input and output documentation into `README.md`. [Hook notes](#terraform_docs)                                                                                                                                           | `terraform-docs`                                                                     |\n| `terraform_docs_replace`                               | Runs `terraform-docs` and pipes the output directly to README.md. **DEPRECATED**, see [#248](https://github.com/antonbabenko/pre-commit-terraform/issues/248). [Hook notes](#terraform_docs_replace-deprecated)                  | `python3`, `terraform-docs`                                                          |\n| `terraform_docs_without_`\u003cbr\u003e`aggregate_type_defaults` | Inserts input and output documentation into `README.md` without aggregate type defaults. Hook notes same as for [terraform_docs](#terraform_docs)                                                                                | `terraform-docs`                                                                     |\n| `terraform_fmt`                                        | Reformat all Terraform configuration files to a canonical format. 
[Hook notes](#terraform_fmt)                                                                                                                                   | -                                                                                    |\n| `terraform_providers_lock`                             | Updates provider signatures in [dependency lock files](https://www.terraform.io/docs/cli/commands/providers/lock.html). [Hook notes](#terraform_providers_lock)                                                                  | -                                                                                    |\n| `terraform_tflint`                                     | Validates all Terraform configuration files with [TFLint][tflint repo]. [Available TFLint rules](https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/README.md). [Hook notes](#terraform_tflint). | `tflint`                                                                             |\n| `terraform_tfsec`                                      | [TFSec][tfsec repo] static analysis of terraform templates to spot potential security issues. **DEPRECATED**, use `terraform_trivy`. [Hook notes](#terraform_tfsec-deprecated)                                                   | `tfsec`                                                                              |\n| `terraform_trivy`                                      | [Trivy][trivy repo] static analysis of terraform templates to spot potential security issues. [Hook notes](#terraform_trivy)                                                                                                     | `trivy`                                                                              |\n| `terraform_validate`                                   | Validates all Terraform configuration files. 
[Hook notes](#terraform_validate)                                                                                                                                                   | `jq`, only for `--retry-once-with-cleanup` flag                                      |\n| `terragrunt_fmt`                                       | Reformat all [Terragrunt][terragrunt repo] configuration files (`*.hcl`) to a canonical format.                                                                                                                                  | `terragrunt`                                                                         |\n| `terragrunt_validate`                                  | Validates all [Terragrunt][terragrunt repo] configuration files (`*.hcl`)                                                                                                                                                        | `terragrunt`                                                                         |\n| `terragrunt_validate_inputs`                           | Validates [Terragrunt][terragrunt repo] unused and undefined inputs (`*.hcl`)                                                                                                                                                    |                                                                                      |\n| `terragrunt_providers_lock`                            | Generates `.terraform.lock.hcl` files using [Terragrunt][terragrunt repo].                                                                                                                                                       | `terragrunt`                                                                         |\n| `terraform_wrapper_module_for_each`                    | Generates Terraform wrappers with `for_each` in module. 
[Hook notes](#terraform_wrapper_module_for_each)                                                                                                                         | `hcledit`                                                                            |\n| `terrascan`                                            | [terrascan][terrascan repo] Detect compliance and security violations. [Hook notes](#terrascan)                                                                                                                                  | `terrascan`                                                                          |\n| `tfupdate`                                             | [tfupdate][tfupdate repo] Update version constraints of Terraform core, providers, and modules. [Hook notes](#tfupdate)                                                                                                          | `tfupdate`                                                                           |\n\nCheck the [source file](https://github.com/antonbabenko/pre-commit-terraform/blob/master/.pre-commit-hooks.yaml) to know arguments used for each hook.\n\n## Hooks usage notes and examples\n\n### Known limitations\n\nTerraform operates on a per-dir basis, while `pre-commit` framework only supports files and files that exist. This means if you only remove the TF-related file without any other changes in the same dir, checks will be skipped. 
Example and details [here](https://github.com/pre-commit/pre-commit/issues/3048).\n\n### All hooks: Usage of environment variables in `--args`\n\n\u003e All, except deprecated hooks: `checkov`, `terraform_docs_replace`\n\nYou can use environment variables for the `--args` section.\n\n\u003e [!IMPORTANT]\n\u003e You _must_ use the `${ENV_VAR}` definition, `$ENV_VAR` will not expand.\n\nConfig example:\n\n```yaml\n- id: terraform_tflint\n  args:\n  - --args=--config=${CONFIG_NAME}.${CONFIG_EXT}\n  - --args=--call-module-type=\"all\"\n```\n\nIf for config above set up `export CONFIG_NAME=.tflint; export CONFIG_EXT=hcl` before `pre-commit run`, args will be expanded to `--config=.tflint.hcl --call-module-type=\"all\"`.\n\n### All hooks: Usage of `__GIT_WORKING_DIR__` placeholder in `--args`\n\n\n\u003e All, except deprecated hooks: `checkov`, `terraform_docs_replace`\n\nYou can use `__GIT_WORKING_DIR__` placeholder in `--args`. It will be replaced\nby the Git working directory (repo root) at run time.\n\nFor instance, if you have multiple directories and want to run\n`terraform_tflint` in all of them while sharing a single config file — use the\n`__GIT_WORKING_DIR__` placeholder in the file path. 
For example:\n\n```yaml\n- id: terraform_tflint\n  args:\n    - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl\n```\n\n### All hooks: Set env vars inside hook at runtime\n\n\u003e All, except deprecated hooks: `checkov`, `terraform_docs_replace`\n\nYou can specify environment variables that will be passed to the hook at runtime.\n\n\u003e [!IMPORTANT]\n\u003e Variable values are exported _verbatim_:\n\u003e - No interpolation or expansion is applied\n\u003e - The enclosing double quotes are removed if they are provided\n\nConfig example:\n\n```yaml\n- id: terraform_validate\n  args:\n    - --env-vars=AWS_DEFAULT_REGION=\"us-west-2\"\n    - --env-vars=AWS_PROFILE=\"my-aws-cli-profile\"\n```\n\n### All hooks: Disable color output\n\n\u003e All, except deprecated hooks: `checkov`, `terraform_docs_replace`\n\nTo disable color output for all hooks, set the `PRE_COMMIT_COLOR=never` variable. E.g.:\n\n```bash\nPRE_COMMIT_COLOR=never pre-commit run\n```\n\n### All hooks: Log levels\n\nIn case you need to debug hooks, you can set `PCT_LOG=trace`.\n\nFor example:\n\n```bash\nPCT_LOG=trace pre-commit run -a\n```\n\nLess verbose log levels will be implemented in [#562](https://github.com/antonbabenko/pre-commit-terraform/issues/562).\n\n### Many hooks: Parallelism\n\n\u003e All, except deprecated hooks: `checkov`, `terraform_docs_replace` and hooks which can't be parallelized this way: `infracost_breakdown`, `terraform_wrapper_module_for_each`.  \n\u003e Also, there's a chance that parallelism has no effect on `terragrunt_fmt` and `terragrunt_validate` hooks\n\nBy default, parallelism is set to `number of logical CPUs - 1`.  
\nIf you'd like to disable parallelism, set it to `1`:\n\n```yaml\n- id: terragrunt_validate\n  args:\n    - --hook-config=--parallelism-limit=1\n```\n\nIn the same way you can set it to any positive integer.\n\nIf you'd like to set the parallelism value relative to the number of CPU logical cores, provide a valid Bash arithmetic expression and use `CPU` as a reference to the number of CPU logical cores:\n\n\n```yaml\n- id: terraform_providers_lock\n  args:\n    - --hook-config=--parallelism-limit=CPU*4\n```\n\n\u003e [!TIP]\n\u003e \u003cdetails\u003e\u003csummary\u003eInfo useful for parallelism fine-tuning\u003c/summary\u003e\n\u003e\n\u003e \u003cbr\u003e\n\u003e The tests below were run on a repo with 45 Terraform dirs on a laptop with 16 CPUs, SSD and 1Gbit/s network. The laptop was slightly used in the process.\n\u003e\n\u003e Observed results may vary greatly depending on your repo structure, machine characteristics and their usage.\n\u003e\n\u003e If during fine-tuning you find that your results are very different from those provided below and you think that this data could help someone else - feel free to send a PR.\n\u003e\n\u003e\n\u003e | Hook                                                                           | Most used resource                 | Comparison of optimization results / Notes                      |\n\u003e | ------------------------------------------------------------------------------ | ---------------------------------- | --------------------------------------------------------------- |\n\u003e | terraform_checkov                                                              | CPU heavy                          | -                                                               |\n\u003e | terraform_fmt                                                                  | CPU heavy                          | -                                                               |\n\u003e | terraform_providers_lock (3 
platforms,\u003cbr\u003e`--mode=always-regenerate-lockfile`) | Network \u0026 Disk heavy               | `defaults (CPU-1)` - 3m 39s; `CPU*2` - 3m 19s; `CPU*4` - 2m 56s |\n\u003e | terraform_tflint                                                               | CPU heavy                          | -                                                               |\n\u003e | terraform_tfsec                                                                | CPU heavy                          | -                                                               |\n\u003e | terraform_trivy                                                                | CPU moderate                       | `defaults (CPU-1)` - 32s; `CPU*2` - 30s; `CPU*4` - 31s          |\n\u003e | terraform_validate (t validate only)                                           | CPU heavy                          | -                                                               |\n\u003e | terraform_validate (t init + t validate)                                       | Network \u0026 Disk heavy, CPU moderate | `defaults (CPU-1)` - 1m 30s; `CPU*2` - 1m 25s; `CPU*4` - 1m 41s |\n\u003e | terragrunt_fmt                                                                 | CPU heavy                          | N/A? need more info from TG users                               |\n\u003e | terragrunt_validate                                                            | CPU heavy                          | N/A? need more info from TG users                               |\n\u003e | terrascan                                                                      | CPU moderate-heavy                 | `defaults (CPU-1)` - 8s; `CPU*2` - 6s                           |\n\u003e | tfupdate                                                                       | Disk/Network?                      | too quick in any settings. 
More info needed                     |\n\u003e\n\u003e\n\u003e \u003c/details\u003e\n\n\n\n```yaml\nargs:\n  - --hook-config=--parallelism-ci-cpu-cores=N\n```\n\nIf you don't see the code above in your `pre-commit-config.yaml` or logs - you don't need it.  \n`--parallelism-ci-cpu-cores` is used only in edge cases and is ignored in other situations. Check out its usage in [hooks/_common.sh](hooks/_common.sh)\n\n### checkov (deprecated) and terraform_checkov\n\n\u003e `checkov` hook is deprecated, please use `terraform_checkov`.\n\nNote that `terraform_checkov` runs recursively during `-d .` usage. That means, for example, if you change a `.tf` file in the repo root, all existing `.tf` files in the repo will be checked.\n\nYou can specify custom arguments. E.g.:\n\n```yaml\n- id: terraform_checkov\n  args:\n    - --args=--quiet\n    - --args=--skip-check CKV2_AWS_8\n```\n\nCheck all available arguments [here](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html).\n\nFor the deprecated hook you need to specify each argument separately:\n\n```yaml\n- id: checkov\n  args: [\n    \"-d\", \".\",\n    \"--skip-check\", \"CKV2_AWS_8\",\n  ]\n```\n\n### infracost_breakdown\n\n`infracost_breakdown` executes the `infracost breakdown` command and compares the estimated costs with those specified in the hook-config. `infracost breakdown` parses Terraform HCL code, and calls the Infracost Cloud Pricing API (remote version or [self-hosted version](https://www.infracost.io/docs/cloud_pricing_api/self_hosted)).\n\nUnlike most other hooks, this hook triggers once if there are any changed files in the repository.\n\n1. `infracost_breakdown` supports all `infracost breakdown` arguments (run `infracost breakdown --help` to see them). 
The following example only shows costs:\n\n    ```yaml\n    - id: infracost_breakdown\n      args:\n        - --args=--path=./env/dev\n      verbose: true # Always show costs\n    ```\n\n    \u003cdetails\u003e\u003csummary\u003eOutput\u003c/summary\u003e\n\n    ```bash\n    Running in \"env/dev\"\n\n    Summary: {\n    \"unsupportedResourceCounts\": {\n        \"aws_sns_topic_subscription\": 1\n      }\n    }\n\n    Total Monthly Cost:        86.83 USD\n    Total Monthly Cost (diff): 86.83 USD\n    ```\n\n    \u003c/details\u003e\n\n2. Note that spaces are not allowed in `--args`, so you need to split it, like this:\n\n    ```yaml\n    - id: infracost_breakdown\n      args:\n        - --args=--path=./env/dev\n        - --args=--terraform-var-file=\"terraform.tfvars\"\n        - --args=--terraform-var-file=\"../terraform.tfvars\"\n    ```\n\n3. (Optionally) Define `cost constraints` the hook should evaluate successfully in order to pass:\n\n    ```yaml\n    - id: infracost_breakdown\n      args:\n        - --args=--path=./env/dev\n        - --hook-config='.totalHourlyCost|tonumber \u003e 0.1'\n        - --hook-config='.totalHourlyCost|tonumber \u003e 1'\n        - --hook-config='.projects[].diff.totalMonthlyCost|tonumber != 10000'\n        - --hook-config='.currency == \"USD\"'\n    ```\n\n    \u003cdetails\u003e\u003csummary\u003eOutput\u003c/summary\u003e\n\n    ```bash\n    Running in \"env/dev\"\n    Passed: .totalHourlyCost|tonumber \u003e 0.1         0.11894520547945205 \u003e  0.1\n    Failed: .totalHourlyCost|tonumber \u003e 1           0.11894520547945205 \u003e  1\n    Passed: .projects[].diff.totalMonthlyCost|tonumber !=10000              86.83 != 10000\n    Passed: .currency == \"USD\"              \"USD\" == \"USD\"\n\n    Summary: {\n    \"unsupportedResourceCounts\": {\n        \"aws_sns_topic_subscription\": 1\n      }\n    }\n\n    Total Monthly Cost:        86.83 USD\n    Total Monthly Cost (diff): 86.83 USD\n    ```\n\n    
\u003c/details\u003e\n\n    * Only one path per one hook (`- id: infracost_breakdown`) is allowed.\n    * Set `verbose: true` to see cost even when the checks are passed.\n    * Hook uses `jq` to process the cost estimation report returned by `infracost breakdown` command\n    * Expressions defined as `--hook-config` argument should be in a jq-compatible format (e.g. `.totalHourlyCost`, `.totalMonthlyCost`)\n    To study json output produced by `infracost`, run the command `infracost breakdown -p PATH_TO_TF_DIR --format json`, and explore it on [jqplay.org](https://jqplay.org/).\n    * Supported comparison operators: `\u003c`, `\u003c=`, `==`, `!=`, `\u003e=`, `\u003e`.\n    * Most useful paths and checks:\n        * `.totalHourlyCost` (same as `.projects[].breakdown.totalHourlyCost`) - show total hourly infra cost\n        * `.totalMonthlyCost` (same as `.projects[].breakdown.totalMonthlyCost`) - show total monthly infra cost\n        * `.projects[].diff.totalHourlyCost` - show the difference in hourly cost for the existing infra and tf plan\n        * `.projects[].diff.totalMonthlyCost` - show the difference in monthly cost for the existing infra and tf plan\n        * `.diffTotalHourlyCost` (for Infracost version 0.9.12 or newer) or `[.projects[].diff.totalMonthlyCost | select (.!=null) | tonumber] | add` (for Infracost older than 0.9.12)\n\n4. **Docker usage**. In `docker build` or `docker run` command:\n    * You need to provide [Infracost API key](https://www.infracost.io/docs/integrations/environment_variables/#infracost_api_key) via `-e INFRACOST_API_KEY=\u003cyour token\u003e`. By default, it is saved in `~/.config/infracost/credentials.yml`\n    * Set `-e INFRACOST_SKIP_UPDATE_CHECK=true` to [skip the Infracost update check](https://www.infracost.io/docs/integrations/environment_variables/#infracost_skip_update_check) if you use this hook as part of your CI/CD pipeline.\n\n### terraform_docs\n\n1. 
`terraform_docs` and `terraform_docs_without_aggregate_type_defaults` will insert/update documentation generated by [terraform-docs][terraform-docs repo] framed by markers:\n\n    ```txt\n    \u003c!-- BEGIN_TF_DOCS --\u003e\n\n    \u003c!-- END_TF_DOCS --\u003e\n    ```\n\n    if they are present in `README.md`.\n\n2. It is possible to pass additional arguments to shell scripts when using `terraform_docs` and `terraform_docs_without_aggregate_type_defaults`.\n\n3. It is possible to automatically:\n    * create a documentation file\n    * extend existing documentation file by appending markers to the end of the file (see item 1 above)\n    * use different filename for the documentation (default is `README.md`)\n    * use the same insertion markers as `terraform-docs`. It's default starting from `v1.93`.  \n      To migrate everything to `terraform-docs` insertion markers, run in repo root:\n\n      ```bash\n      sed --version \u0026\u003e /dev/null \u0026\u0026 SED_CMD=(sed -i) || SED_CMD=(sed -i '')\n      grep -rl --null 'BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK' . | xargs -0 \"${SED_CMD[@]}\" -e 's/BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK/BEGIN_TF_DOCS/'\n      grep -rl --null 'END OF PRE-COMMIT-TERRAFORM DOCS HOOK' . | xargs -0 \"${SED_CMD[@]}\" -e 's/END OF PRE-COMMIT-TERRAFORM DOCS HOOK/END_TF_DOCS/'\n      ```\n\n    ```yaml\n    - id: terraform_docs\n      args:\n        - --hook-config=--path-to-file=README.md        # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.\n        - --hook-config=--add-to-existing-file=true     # Boolean. true or false\n        - --hook-config=--create-file-if-not-exist=true # Boolean. true or false\n        - --hook-config=--use-standard-markers=true     # Boolean. Defaults to true (v1.93+), false (\u003cv1.93). 
Set to true for compatibility with terraform-docs\n          # The following two options \"--custom-marker-begin\" and \"--custom-marker-end\" are ignored if \"--use-standard-markers\" is set to false\n        - --hook-config=--custom-marker-begin=\u003c!-- BEGIN_TF_DOCS --\u003e  # String.\n                                                        # Set to use custom marker which helps you with using other formats like asciidoc.\n                                                        # For Asciidoc this could be \"--hook-config=--custom-marker-begin=// BEGIN_TF_DOCS\"\n        - --hook-config=--custom-marker-end=\u003c!-- END_TF_DOCS --\u003e  # String.\n                                                        # Set to use custom marker which helps you with using other formats like asciidoc.\n                                                        # For Asciidoc this could be \"--hook-config=--custom-marker-end=// END_TF_DOCS\"\n        - --hook-config=--custom-doc-header=\"# \"        # String. Defaults to \"# \"\n                                                        # Set to use a custom doc header, which helps you with using other formats like asciidoc.\n                                                        # For Asciidoc this could be \"--hook-config=--custom-doc-header=\\= \"\n    ```\n\n4. If you want to use a terraform-docs config file, you must supply the path to the file, relative to the git repo root path:\n\n    ```yaml\n    - id: terraform_docs\n      args:\n        - --args=--config=.terraform-docs.yml\n    ```\n\n    \u003e **Warning**  \n    \u003e Avoid using `recursive.enabled: true` in the config file; it can cause unexpected behavior.\n\n5. You can provide [any configuration available in `terraform-docs`](https://terraform-docs.io/user-guide/configuration/) as an argument to `terraform_docs` hook:\n\n    ```yaml\n    - id: terraform_docs\n      args:\n        - --args=--output-mode=replace\n    ```\n\n6. 
If you need some exotic settings, it can be done too. I.e. this one generates HCL files:\n\n    ```yaml\n    - id: terraform_docs\n      args:\n        - tfvars hcl --output-file terraform.tfvars.model .\n    ```\n\n### terraform_docs_replace (deprecated)\n\n**DEPRECATED**. Will be merged in [`terraform_docs`](#terraform_docs).\n\n`terraform_docs_replace` replaces the entire `README.md` rather than doing string replacement between markers. Put your additional documentation at the top of your `main.tf` for it to be pulled in.\n\nTo replicate functionality in `terraform_docs` hook:\n\n1. Create `.terraform-docs.yml` in the repo root with the following content:\n\n    ```yaml\n    formatter: \"markdown\"\n\n    output:\n    file: \"README.md\"\n    mode: replace\n    template: |-\n        {{/** End of file fixer */}}\n    ```\n\n2. Replace `terraform_docs_replace` hook config in `.pre-commit-config.yaml` with:\n\n    ```yaml\n    - id: terraform_docs\n      args:\n        - --args=--config=.terraform-docs.yml\n    ```\n\n### terraform_fmt\n\n`terraform_fmt` supports custom arguments so you can pass [supported flags](https://www.terraform.io/docs/cli/commands/fmt.html#usage). Eg:\n\n```yaml\n - id: terraform_fmt\n   args:\n     - --args=-no-color\n     - --args=-diff\n     - --args=-write=false\n```\n\n### terraform_providers_lock\n\n\u003e [!NOTE]\n\u003e The hook requires Terraform 0.14 or later.\n\n\u003e [!NOTE]\n\u003e The hook can invoke `terraform providers lock` that can be really slow and requires fetching metadata from remote Terraform registries - not all of that metadata is currently being cached by Terraform.\n\n\u003e [!NOTE]\n\u003e \u003cdetails\u003e\u003csummary\u003eRead this if you used this hook before v1.80.0 | Planned breaking changes in v2.0\u003c/summary\u003e\n\u003e \u003cbr\u003e\n\u003e We introduced `--mode` flag for this hook. 
If you'd like to continue using this hook as before, please:\n\u003e\n\u003e * Specify `--hook-config=--mode=always-regenerate-lockfile` in `args:`\n\u003e * Before `terraform_providers_lock`, add `terraform_validate` hook with `--hook-config=--retry-once-with-cleanup=true`\n\u003e * Move `--tf-init-args=` to `terraform_validate` hook\n\u003e\n\u003e In the end, you should get config like this:\n\u003e\n\u003e ```yaml\n\u003e - id: terraform_validate\n\u003e   args:\n\u003e     - --hook-config=--retry-once-with-cleanup=true\n\u003e     # - --tf-init-args=-upgrade\n\u003e\n\u003e - id: terraform_providers_lock\n\u003e   args:\n\u003e   - --hook-config=--mode=always-regenerate-lockfile\n\u003e ```\n\u003e\n\u003e Why? When v2.x will be introduced - the default mode will be changed, probably, to `only-check-is-current-lockfile-cross-platform`.\n\u003e\n\u003e You can check available modes for hook below.\n\u003e \u003c/details\u003e\n\n\n1. The hook can work in a few different modes: `only-check-is-current-lockfile-cross-platform` with and without [terraform_validate hook](#terraform_validate) and `always-regenerate-lockfile` - only with terraform_validate hook.\n\n    * `only-check-is-current-lockfile-cross-platform` without terraform_validate - only checks that lockfile has all required SHAs for all providers already added to lockfile.\n\n        ```yaml\n        - id: terraform_providers_lock\n          args:\n          - --hook-config=--mode=only-check-is-current-lockfile-cross-platform\n        ```\n\n    * `only-check-is-current-lockfile-cross-platform` with [terraform_validate hook](#terraform_validate) - make up-to-date lockfile by adding/removing providers and only then check that lockfile has all required SHAs.\n\n        \u003e **Important**\n        \u003e Next `terraform_validate` flag requires additional dependency to be installed: `jq`. 
Also, it could run another slow and time-consuming command - `terraform init`\n\n        ```yaml\n        - id: terraform_validate\n          args:\n            - --hook-config=--retry-once-with-cleanup=true\n\n        - id: terraform_providers_lock\n          args:\n          - --hook-config=--mode=only-check-is-current-lockfile-cross-platform\n        ```\n\n    * `always-regenerate-lockfile` only with [terraform_validate hook](#terraform_validate) - regenerate lockfile from scratch. Can be useful for upgrading providers in lockfile to latest versions\n\n        ```yaml\n        - id: terraform_validate\n          args:\n            - --hook-config=--retry-once-with-cleanup=true\n            - --tf-init-args=-upgrade\n\n        - id: terraform_providers_lock\n          args:\n          - --hook-config=--mode=always-regenerate-lockfile\n        ```\n\n2. `terraform_providers_lock` supports custom arguments:\n\n    ```yaml\n     - id: terraform_providers_lock\n       args:\n          - --args=-platform=windows_amd64\n          - --args=-platform=darwin_amd64\n    ```\n\n3. It may happen that the Terraform working directory (`.terraform`) already exists but is not in the best condition (e.g., not initialized modules, wrong version of Terraform, etc.). To solve this problem, you can find and delete all `.terraform` directories in your repository:\n\n    ```bash\n    # Single quotes keep the inner double quotes and backslashes intact in ~/.bashrc\n    echo '\n    function rm_terraform {\n        find . \\( -iname \".terraform*\" ! -iname \".terraform-docs*\" \\) -print0 | xargs -0 rm -r\n    }\n    ' \u003e\u003e~/.bashrc\n\n    # Reload shell and use `rm_terraform` command in the repo root\n    ```\n\n    `terraform_providers_lock` hook will try to reinitialize directories before running the `terraform providers lock` command.\n\n4. `terraform_providers_lock` supports passing custom arguments to its `terraform init`:\n\n    \u003e **Warning**  \n    \u003e DEPRECATION NOTICE: This is available only in `no-mode` mode, which will be removed in v2.0. 
Please provide these keys to the [`terraform_validate`](#terraform_validate) hook, which, to take effect, should be called before `terraform_providers_lock`\n\n    ```yaml\n    - id: terraform_providers_lock\n      args:\n        - --tf-init-args=-upgrade\n    ```\n\n\n### terraform_tflint\n\n1. `terraform_tflint` supports custom arguments so you can enable module inspection, enable / disable rules, etc.\n\n    Example:\n\n    ```yaml\n    - id: terraform_tflint\n      args:\n        - --args=--module\n        - --args=--enable-rule=terraform_documented_variables\n    ```\n\n2. By default, pre-commit-terraform performs directory switching into the terraform modules for you. If you delegate the directory changing to the binary instead, tflint can determine the full paths for error/warning messages, rather than just module-relative paths. *Note: this requires `tflint\u003e=0.44.0`.* For example:\n\n    ```yaml\n    - id: terraform_tflint\n      args:\n        - --hook-config=--delegate-chdir\n    ```\n\n### terraform_tfsec (deprecated)\n\n**DEPRECATED**. [tfsec was replaced by trivy](https://github.com/aquasecurity/tfsec/discussions/1994), so please use [`terraform_trivy`](#terraform_trivy).\n\n1. `terraform_tfsec` will consume modified files that pre-commit\n    passes to it, so you can perform whitelisting of directories\n    or files to run against via [files](https://pre-commit.com/#config-files)\n    pre-commit flag\n\n    Example:\n\n    ```yaml\n    - id: terraform_tfsec\n      files: ^prd-infra/\n    ```\n\n    The above will tell pre-commit to pass down files from the `prd-infra/` folder\n    only such that the underlying `tfsec` tool can run against changed files in this\n    directory, ignoring any other folders at the root level\n\n2. 
To ignore specific warnings, follow the convention from the\n[documentation](https://github.com/aquasecurity/tfsec#ignoring-warnings).\n\n    Example:\n\n    ```hcl\n    resource \"aws_security_group_rule\" \"my-rule\" {\n        type = \"ingress\"\n        cidr_blocks = [\"0.0.0.0/0\"] #tfsec:ignore:AWS006\n    }\n    ```\n\n3. `terraform_tfsec` supports custom arguments, so you can pass supported `--no-color` or `--format` (output), `-e` (exclude checks) flags:\n\n    ```yaml\n     - id: terraform_tfsec\n       args:\n         - \u003e\n           --args=--format json\n           --no-color\n           -e aws-s3-enable-bucket-logging,aws-s3-specify-public-access-block\n    ```\n\n### terraform_trivy\n\n1. `terraform_trivy` will consume modified files that pre-commit\n    passes to it, so you can perform whitelisting of directories\n    or files to run against via [files](https://pre-commit.com/#config-files)\n    pre-commit flag\n\n    Example:\n\n    ```yaml\n    - id: terraform_trivy\n      files: ^prd-infra/\n    ```\n\n    The above will tell pre-commit to pass down files from the `prd-infra/` folder\n    only such that the underlying `trivy` tool can run against changed files in this\n    directory, ignoring any other folders at the root level\n\n2. To ignore specific warnings, follow the convention from the\n[documentation](https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/).\n\n    Example:\n\n    ```hcl\n    #trivy:ignore:AVD-AWS-0107\n    #trivy:ignore:AVD-AWS-0124\n    resource \"aws_security_group_rule\" \"my-rule\" {\n        type = \"ingress\"\n        cidr_blocks = [\"0.0.0.0/0\"]\n    }\n    ```\n\n3. 
`terraform_trivy` supports custom arguments, so you can pass supported `--format` (output), `--skip-dirs` (exclude directories) and other flags:\n\n    ```yaml\n     - id: terraform_trivy\n       args:\n         - --args=--format=json\n         - --args=--skip-dirs=\"**/.terraform\"\n    ```\n\n### terraform_validate\n\n\u003e [!IMPORTANT]\n\u003e If you use [`TF_PLUGIN_CACHE_DIR`](https://developer.hashicorp.com/terraform/cli/config/config-file#provider-plugin-cache), we recommend enabling `--hook-config=--retry-once-with-cleanup=true` or disabling parallelism (`--hook-config=--parallelism-limit=1`) to avoid [race conditions when `terraform init` writes to it](https://github.com/hashicorp/terraform/issues/31964).\n\n1. `terraform_validate` supports custom arguments so you can pass supported `-no-color` or `-json` flags:\n\n    ```yaml\n     - id: terraform_validate\n       args:\n         - --args=-json\n         - --args=-no-color\n    ```\n\n2. `terraform_validate` also supports passing custom arguments to its `terraform init`:\n\n    ```yaml\n    - id: terraform_validate\n      args:\n        - --tf-init-args=-upgrade\n        - --tf-init-args=-lockfile=readonly\n    ```\n\n3. It may happen that Terraform working directory (`.terraform`) already exists but not in the best condition (eg, not initialized modules, wrong version of Terraform, etc.). To solve this problem, you can delete broken `.terraform` directories in your repository:\n\n    **Option 1**\n\n    ```yaml\n    - id: terraform_validate\n      args:\n        - --hook-config=--retry-once-with-cleanup=true     # Boolean. 
true or false\n    ```\n\n    \u003e **Important**  \n    \u003e The flag requires an additional dependency to be installed: `jq`.\n\n    \u003e **Note**  \n    \u003e Reinit can be very slow and require downloading data from remote Terraform registries, and not all of that downloaded data or meta-data is currently being cached by Terraform.\n\n    When `--retry-once-with-cleanup=true`, in each failed directory the cached modules and providers from the `.terraform` directory will be deleted, before retrying once more. To avoid unnecessary deletion of this directory, the cleanup and retry will only happen if Terraform produces any of the following error messages:\n\n    * \"Missing or corrupted provider plugins\"\n    * \"Module source has changed\"\n    * \"Module version requirements have changed\"\n    * \"Module not installed\"\n    * \"Could not load plugin\"\n\n    \u003e **Warning**  \n    \u003e When using `--retry-once-with-cleanup=true`, problematic `.terraform/modules/` and `.terraform/providers/` directories will be recursively deleted without prompting for consent. Other files and directories will not be affected, such as the `.terraform/environment` file.\n\n    **Option 2**\n\n    An alternative solution is to find and delete all `.terraform` directories in your repository:\n\n    ```bash\n    # Single quotes keep the inner double quotes and backslashes intact in ~/.bashrc\n    echo '\n    function rm_terraform {\n        find . \\( -iname \".terraform*\" ! -iname \".terraform-docs*\" \\) -print0 | xargs -0 rm -r\n    }\n    ' \u003e\u003e~/.bashrc\n\n    # Reload shell and use `rm_terraform` command in the repo root\n    ```\n\n   `terraform_validate` hook will try to reinitialize them before running the `terraform validate` command.\n\n    \u003e **Caution**  \n    \u003e If you use Terraform workspaces, DO NOT use this option ([details](https://github.com/antonbabenko/pre-commit-terraform/issues/203#issuecomment-918791847)). 
Consider the first option, or wait for [`force-init`](https://github.com/antonbabenko/pre-commit-terraform/issues/224) option implementation.\n\n4. `terraform_validate` in a repo with Terraform module, written using Terraform 0.15+ and which uses provider `configuration_aliases` ([Provider Aliases Within Modules](https://www.terraform.io/language/modules/develop/providers#provider-aliases-within-modules)), errors out.\n\n   When running the hook against Terraform code where you have provider `configuration_aliases` defined in a `required_providers` configuration block, terraform will throw an error like:\n\n   \u003e Error: Provider configuration not present\n   \u003e To work with `\u003cresource\u003e` its original provider configuration at provider `[\"registry.terraform.io/hashicorp/aws\"].\u003cprovider_alias\u003e` is required, but it has been removed. This occurs when a provider configuration is removed while\n   \u003e objects created by that provider still exist in the state. Re-add the provider configuration to destroy `\u003cresource\u003e`, after which you can remove the provider configuration again.\n\n   This is a [known issue](https://github.com/hashicorp/terraform/issues/28490) with Terraform and how providers are initialized in Terraform 0.15 and later. To work around this you can add an `exclude` parameter to the configuration of `terraform_validate` hook like this:\n\n   ```yaml\n   - id: terraform_validate\n     exclude: '^[^/]+$'\n   ```\n\n   This will exclude the root directory from being processed by this hook. Then add a subdirectory like \"examples\" or \"tests\" and put an example implementation in place that defines the providers with the proper aliases, and this will give you validation of your module through the example. 
If instead you are using this with multiple modules in one repository you'll want to set the path prefix in the regular expression, such as `exclude: modules/offendingmodule/[^/]+$`.\n\n   Alternately, you can use [terraform-config-inspect](https://github.com/hashicorp/terraform-config-inspect) and use a variant of [this script](https://github.com/bendrucker/terraform-configuration-aliases-action/blob/main/providers.sh) to generate a providers file at runtime:\n\n   ```bash\n   terraform-config-inspect --json . | jq -r '\n     [.required_providers[].aliases]\n     | flatten\n     | del(.[] | select(. == null))\n     | reduce .[] as $entry (\n       {};\n       .provider[$entry.name] //= [] | .provider[$entry.name] += [{\"alias\": $entry.alias}]\n     )\n   ' | tee aliased-providers.tf.json\n   ```\n\n   Save it as `.generate-providers.sh` in the root of your repository and add a `pre-commit` hook to run it before all other hooks, like so:\n\n   ```yaml\n   - repos:\n     - repo: local\n       hooks:\n         - id: generate-terraform-providers\n           name: generate-terraform-providers\n           require_serial: true\n           entry: .generate-providers.sh\n           language: script\n           files: \\.tf(vars)?$\n           pass_filenames: false\n\n     - repo: https://github.com/pre-commit/pre-commit-hooks\n   ```\n\n    \u003e **Tip**  \n    \u003e The latter method will leave an \"aliased-providers.tf.json\" file in your repo. You will either want to automate a way to clean this up or add it to your `.gitignore` or both.\n\n### terraform_wrapper_module_for_each\n\n`terraform_wrapper_module_for_each` generates module wrappers for Terraform modules (useful for Terragrunt where `for_each` is not supported). When using this hook without arguments it will create wrappers for the root module and all modules available in \"modules\" directory.\n\nYou may want to customize some of the options:\n\n1. `--module-dir=...` - Specify a single directory to process. 
Values: \".\" (means just root module), \"modules/iam-user\" (a single module), or empty (means include all submodules found in \"modules/*\").\n2. `--module-repo-org=...` - Module repository organization (e.g. \"terraform-aws-modules\").\n3. `--module-repo-shortname=...` - Short name of the repository (e.g. \"s3-bucket\").\n4. `--module-repo-provider=...` - Name of the repository provider (e.g. \"aws\" or \"google\").\n\nSample configuration:\n\n```yaml\n- id: terraform_wrapper_module_for_each\n  args:\n    - --args=--module-dir=.   # Process only root module\n    - --args=--dry-run        # No files will be created/updated\n    - --args=--verbose        # Verbose output\n```\n\n**If you use the hook inside Docker:**  \nThe `terraform_wrapper_module_for_each` hook attempts to determine the module's short name to be inserted into the generated `README.md` files for the `source` URLs. Since the container uses a bind mount at a static location, it can cause this short name to be incorrect.  \nIf the generated name is incorrect, set it by providing the `module-repo-shortname` option to the hook:\n\n```yaml\n- id: terraform_wrapper_module_for_each\n  args:\n    - '--args=--module-repo-shortname=ec2-instance'\n```\n\n### terrascan\n\n1. `terrascan` supports custom arguments so you can pass supported flags like `--non-recursive` and `--policy-type` to disable recursive inspection and set the policy type respectively:\n\n    ```yaml\n    - id: terrascan\n      args:\n        - --args=--non-recursive # avoids scan errors on subdirectories without Terraform config files\n        - --args=--policy-type=azure\n    ```\n\n    See the `terrascan run -h` command line help for available options.\n\n2. Use the `--args=--verbose` parameter to see the rule ID in the scanning output. Useful to skip validations.\n3. Use the `--skip-rules=\"ruleID1,ruleID2\"` parameter to skip one or more rules globally while scanning (e.g.: `--args=--skip-rules=\"ruleID1,ruleID2\"`).\n4. 
Use the syntax `#ts:skip=RuleID optional_comment` inside a resource to skip the rule for that resource.\n\n### tfupdate\n\n1. Out of the box `tfupdate` will pin the terraform version:\n\n    ```yaml\n    - id: tfupdate\n      name: Autoupdate Terraform versions\n    ```\n\n2. If you'd like to pin providers, etc., use custom arguments, i.e. `provider=PROVIDER_NAME`:\n\n    ```yaml\n    - id: tfupdate\n      name: Autoupdate AWS provider versions\n      args:\n        - --args=provider aws # Will be pinned to latest version\n\n    - id: tfupdate\n      name: Autoupdate Helm provider versions\n      args:\n        - --args=provider helm\n        - --args=--version 2.5.0 # Will be pinned to specified version\n    ```\n\nCheck [`tfupdate` usage instructions](https://github.com/minamijoyo/tfupdate#usage) for other available options and usage examples.  \nNo need to pass `--recursive .` as it is added automatically.\n\n### terragrunt_providers_lock\n\n\u003e [!TIP]\n\u003e Use this hook only in infrastructure repos managed solely by `terragrunt` and do not mix with [`terraform_providers_lock`](#terraform_providers_lock) to avoid conflicts.\n\n\u003e [!WARNING]\n\u003e Hook _may_ be very slow, because terragrunt invokes `t init` under the hood.\n\nThe hook produces the same results as [`terraform_providers_lock`](#terraform_providers_lock), but for terragrunt root modules.\n\nIt invokes `terragrunt providers lock` under the hood and terragrunt [does its own magic](https://terragrunt.gruntwork.io/docs/features/lock-file-handling/) for handling lock files.\n\n\n```yaml\n- id: terragrunt_providers_lock\n  name: Terragrunt providers lock\n  args:\n    - --args=-platform=darwin_arm64\n    - --args=-platform=darwin_amd64\n    - --args=-platform=linux_amd64\n```\n\n### terragrunt_validate_inputs\n\nValidates Terragrunt unused and undefined inputs. 
This is useful for keeping\nconfigs clean when module versions change or if configs are copied.\n\nSee the [Terragrunt docs](https://terragrunt.gruntwork.io/docs/reference/cli-options/#validate-inputs) for more details.\n\nExample:\n\n```yaml\n- id: terragrunt_validate_inputs\n  name: Terragrunt validate inputs\n  args:\n    # Optionally check for unused inputs\n    - --args=--terragrunt-strict-validate\n```\n\n\u003e [!NOTE]\n\u003e This hook requires authentication to a given account if defined by config to work properly. For example, if you use a third-party tool to store AWS credentials like `aws-vault` you must be authenticated first.\n\u003e\n\u003e See docs for the [iam_role](https://terragrunt.gruntwork.io/docs/reference/config-blocks-and-attributes/#iam_role) attribute and [--terragrunt-iam-role](https://terragrunt.gruntwork.io/docs/reference/cli-options/#terragrunt-iam-role) flag for more.\n\n## Docker Usage\n\n### About Docker image security\n\nPre-built Docker images contain the latest versions of tools available at the time of their build and remain unchanged afterward. Tags should be immutable whenever possible, and it is highly recommended to pin them using hash sums for security and reproducibility.\n\nThis means that most Docker images will include known CVEs, and the longer an image exists, the more CVEs it may accumulate. This applies even to the latest `vX.Y.Z` tags.\nTo address this, you can use the `nightly` tag, which rebuilds nightly with the latest versions of all dependencies and latest `pre-commit-terraform` hooks. However, using mutable tags introduces different security concerns.\n\nNote: Currently, we DO NOT test third-party tools or their dependencies for security vulnerabilities, corruption, or injection (including obfuscated content). If you have ideas for introducing image scans or other security improvements, please open an issue or submit a PR. 
Some ideas are already tracked in [#835](https://github.com/antonbabenko/pre-commit-terraform/issues/835).\n\nFrom a security perspective, the best approach is to manage the Docker image yourself and update its dependencies as needed. This allows you to remove unnecessary dependencies, reducing the number of potential CVEs and improving overall security.\n\n### File Permissions\n\nA mismatch between the Docker container's user and the local repository file ownership can cause permission issues in the repository where `pre-commit` is run.  The container runs as the `root` user by default, and uses a `tools/entrypoint.sh` script to assume a user ID and group ID if specified by the environment variable `USERID`.\n\nThe [recommended command](#4-run) to run the Docker container is:\n\n```bash\nTAG=latest\ndocker run -e \"USERID=$(id -u):$(id -g)\" -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a\n```\n\nwhich uses your current session's user ID and group ID to set the variable in the run command.  Without this setting, you may find files and directories owned by `root` in your local repository.\n\nIf the local repository is using a different user or group for permissions, you can modify the `USERID` to the user ID and group ID needed.  
**Do not use the username or groupname in the environment variable, as it has no meaning in the container.**  You can get the current directory's owner user ID and group ID from the 3rd (user) and 4th (group) columns in `ls` output:\n\n```bash\n$ ls -aldn .\ndrwxr-xr-x 9 1000 1000 4096 Sep  1 16:23 .\n```\n\n### Download Terraform modules from private GitHub repositories\n\nIf you use a private Git repository as your Terraform module source, you are required to authenticate to GitHub using a [Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).\n\nWhen running pre-commit on Docker, either locally or on CI, you need to configure the [~/.netrc](https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html) file, which contains login and initialization information used by the auto-login process.\n\nThis can be achieved by first creating the `~/.netrc` file including your `GITHUB_PAT` and `GITHUB_SERVER_HOSTNAME`:\n\n```bash\n# set GH values (replace with your own values)\nGITHUB_PAT=ghp_bl481aBlabl481aBla\nGITHUB_SERVER_HOSTNAME=github.com\n\n# create .netrc file\necho -e \"machine $GITHUB_SERVER_HOSTNAME\\n\\tlogin $GITHUB_PAT\" \u003e\u003e ~/.netrc\n```\n\nThe `~/.netrc` file will look similar to the following:\n\n```\nmachine github.com\n  login ghp_bl481aBlabl481aBla\n```\n\n\u003e [!TIP]\n\u003e The value of `GITHUB_SERVER_HOSTNAME` can also refer to a GitHub Enterprise server (i.e. 
`github.my-enterprise.com`).\n\nFinally, you can execute `docker run` with an additional volume mount so that the `~/.netrc` is accessible within the container:\n\n```bash\n# run pre-commit-terraform with docker\n# adding volume for .netrc file\n# .netrc needs to be in /root/ dir\ndocker run --rm -e \"USERID=$(id -u):$(id -g)\" -v ~/.netrc:/root/.netrc -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:latest run -a\n```\n\n## GitHub Actions\n\nYou can use this hook in your GitHub Actions workflow together with [pre-commit](https://pre-commit.com). To ease\ndependency management, you can use the managed [docker image](#docker-usage) within your workflow. Make sure to set the\nimage tag to the version you want to use.\n\nIn this repository's pre-commit [workflow file](.github/workflows/pre-commit.yaml) we run pre-commit without the container image.\n\nHere's an example using the container image. It includes caching of pre-commit dependencies and utilizes the pre-commit\ncommand to run checks (Note: Fixes will not be automatically pushed back to your branch, even when possible.):\n\n```yaml\nname: pre-commit-terraform\n\non:\n  pull_request:\n\njobs:\n  pre-commit:\n    runs-on: ubuntu-latest\n    container:\n      image: ghcr.io/antonbabenko/pre-commit-terraform:latest # latest used here for simplicity, not recommended\n    defaults:\n      run:\n        shell: bash\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n          ref: ${{ github.event.pull_request.head.sha }}\n\n      - run: |\n          git config --global --add safe.directory $GITHUB_WORKSPACE\n          git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*\n\n      - name: Get changed files\n        id: file_changes\n        run: |\n          export DIFF=$(git diff --name-only origin/${{ github.base_ref }} ${{ github.sha }})\n          echo \"Diff between ${{ github.base_ref }} and ${{ github.sha }}\"\n          echo 
\"files=$( echo \"$DIFF\" | xargs echo )\" \u003e\u003e $GITHUB_OUTPUT\n\n      - name: fix tar dependency in alpine container image\n        run: |\n          apk --no-cache add tar\n          # check python modules installed versions\n          python -m pip freeze --local\n\n      - name: Cache pre-commit since we use pre-commit from container\n        uses: actions/cache@v4\n        with:\n          path: ~/.cache/pre-commit\n          key: pre-commit-3|${{ hashFiles('.pre-commit-config.yaml') }}\n\n      - name: Execute pre-commit\n        run: |\n          pre-commit run --color=always --show-diff-on-failure --files ${{ steps.file_changes.outputs.files }}\n```\n\n## Authors\n\nThis repository is managed by [Anton Babenko](https://github.com/antonbabenko) with help from these awesome contributors:\n\n\u003ca href=\"https://github.com/antonbabenko/pre-commit-terraform/graphs/contributors\"\u003e\n  \u003cimg alt=\"Contributors\" src=\"https://contrib.rocks/image?repo=antonbabenko/pre-commit-terraform\" /\u003e\n\u003c/a\u003e\n\n\n\u003ca href=\"https://star-history.com/#antonbabenko/pre-commit-terraform\u0026Date\"\u003e\n  \u003cpicture\u003e\n    \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"https://api.star-history.com/svg?repos=antonbabenko/pre-commit-terraform\u0026type=Date\u0026theme=dark\" /\u003e\n    \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"https://api.star-history.com/svg?repos=antonbabenko/pre-commit-terraform\u0026type=Date\" /\u003e\n    \u003cimg alt=\"Star History Chart\" src=\"https://api.star-history.com/svg?repos=antonbabenko/pre-commit-terraform\u0026type=Date\" /\u003e\n  \u003c/picture\u003e\n\u003c/a\u003e\n\n## License\n\nMIT licensed. 
See [LICENSE](LICENSE) for full details.\n\n### Additional information for users from Russia and Belarus\n\n* Russia has [illegally annexed Crimea in 2014](https://en.wikipedia.org/wiki/Annexation_of_Crimea_by_the_Russian_Federation) and [brought the war in Donbas](https://en.wikipedia.org/wiki/War_in_Donbas) followed by [full-scale invasion of Ukraine in 2022](https://en.wikipedia.org/wiki/2022_Russian_invasion_of_Ukraine).\n* Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.\n* [Putin khuylo!](https://en.wikipedia.org/wiki/Putin_khuylo!)\n\n\n\u003c!-- Tools links --\u003e\n[checkov repo]: https://github.com/bridgecrewio/checkov\n[terraform-docs repo]: https://github.com/terraform-docs/terraform-docs\n[terragrunt repo]: https://github.com/gruntwork-io/terragrunt\n[terrascan repo]: https://github.com/tenable/terrascan\n[tflint repo]: https://github.com/terraform-linters/tflint\n[tfsec repo]: https://github.com/aquasecurity/tfsec\n[trivy repo]: https://github.com/aquasecurity/trivy\n[infracost repo]: https://github.com/infracost/infracost\n[jq repo]: https://github.com/stedolan/jq\n[tfupdate repo]: https://github.com/minamijoyo/tfupdate\n[hcledit repo]: https://github.com/minamijoyo/hcledit\n","funding_links":["https://github.com/sponsors/antonbabenko","https://patreon.com/antonbabenko","https://paypal.me/antonbabenko","https://www.buymeacoffee.com/antonbabenko","https://github.com/sponsors/antonbabenko)!"],"categories":["Tools","Shell","Infrastructure as Code","DevOps"],"sub_categories":["Miscellaneous","Terraform Tooling","Community 
providers","Terraform"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fantonbabenko%2Fpre-commit-terraform","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fantonbabenko%2Fpre-commit-terraform","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fantonbabenko%2Fpre-commit-terraform/lists"}