Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add hook for provider version checking #51

Merged
merged 2 commits into from
Dec 10, 2024
Merged

feat: add hook for provider version checking #51

merged 2 commits into from
Dec 10, 2024

Conversation

yohanb
Copy link
Contributor

@yohanb yohanb commented Dec 6, 2024
edited
Loading

This pre-commit hook checks that the provider versions don't contain any constraints and thus are pinned. Version constraints include any of the following characters: <>!~.

You can try the hook locally by cloning this rep, checking out this PR and running this in your terraform repo:
pre-commit try-repo ~/code/standards-terraform provider-pinned-versions --all-files

Example success:
terraform.tf:

terraform {
  required_version = ">= 1.0.0, < 2.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.78.0"
    }
    newrelic = {
      source  = "newrelic/newrelic"
      version = "3.52.1"
    }
  }
}

Example failure:
terraform.tf:

terraform {
  required_version = ">= 1.0.0, < 2.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">=5"
    }
    newrelic = {
      source  = "newrelic/newrelic"
      version = "~> 3.52"
    }
  }
}

@yohanb yohanb requested a review from a team as a code owner December 6, 2024 19:57
@yohanb yohanb force-pushed the feat_add_pinned_provider_version_hook branch 4 times, most recently from f8f213e to 6f2bda0 Compare December 7, 2024 16:35
greenkiwi
greenkiwi requested changes Dec 7, 2024
View reviewed changes
Copy link
Contributor

@greenkiwi greenkiwi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of requiring x.x.x could we just fail if it contains > or ~ ? Or something along those lines.

For example, I could definitely see us testing prerelease builds.

@yohanb yohanb force-pushed the feat_add_pinned_provider_version_hook branch from 6f2bda0 to 75e5003 Compare December 7, 2024 20:40
@yohanb
Copy link
Contributor Author

yohanb commented Dec 7, 2024

Instead of requiring x.x.x could we just fail if it contains > or ~ ? Or something along those lines.

For example, I could definitely see us testing prerelease builds.

yeah I didn't think about the pre-releases.
Looking at the docs I think we should look for <,>,~,!

@yohanb yohanb force-pushed the feat_add_pinned_provider_version_hook branch 3 times, most recently from 79c3dea to e447bd1 Compare December 7, 2024 20:53
@yohanb yohanb requested a review from greenkiwi December 7, 2024 21:01
@yohanb
Copy link
Contributor Author

yohanb commented Dec 7, 2024

Instead of requiring x.x.x could we just fail if it contains > or ~ ? Or something along those lines.

For example, I could definitely see us testing prerelease builds.

made the updates!

@yohanb yohanb force-pushed the feat_add_pinned_provider_version_hook branch from e447bd1 to 425fe53 Compare December 7, 2024 21:03
@yohanb yohanb requested a review from tagoro9 December 7, 2024 21:04
yohanb
yohanb commented Dec 9, 2024
View reviewed changes
hooks/provider-pinned-versions/required_providers.awk
next;
} else {
# If the line contains a version, remove the prefix
gsub(version_prefix_regex, "", $0);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would have used match with capture groups but it wasn't working on macos. I think it's a gawk specific function and depends on the os.

tagoro9
tagoro9 approved these changes Dec 9, 2024
View reviewed changes
hooks/provider-pinned-versions/required_providers.awk
@@ -0,0 +1,54 @@
#! /bin/awk
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AWK is fine, but I wonder if it would be easier if we used python (since it's available already as pre-commit uses python)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought of it as well but I thought we wouldn't have access to it since we're removing the .python-version files.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can leave that in... and/or just assume that python is present.

.pre-commit-hooks.yaml
@@ -13,3 +13,11 @@
language: script
files: \.tf$
exclude: ^outputs\..*\.tf$

- id: provider-pinned-versions
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add to the readme this hook and how to use it?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like we don't have any docs about hooks

greenkiwi
greenkiwi reviewed Dec 9, 2024
View reviewed changes
hooks/provider-pinned-versions/fixtures/pass_when_version_is_first.tf

required_providers {
aws = {
version = "5.78.0"

This comment was marked as resolved.

Sign in to view

This comment was marked as resolved.

Sign in to view

greenkiwi
greenkiwi approved these changes Dec 9, 2024
View reviewed changes
Copy link
Contributor

@greenkiwi greenkiwi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that there is still an unused variable that should be cleaned up.

We can revisit whether or not it would be easier for people to use simple grep or hcl2json or something along those lines later.

@yohanb yohanb force-pushed the feat_add_pinned_provider_version_hook branch from d529054 to 0c930e3 Compare December 10, 2024 15:38
@github-actions GitHub Actions
Copy link

Release notes preview

Below is a preview of the release notes if your PR gets merged.

1.4.0 (2024-12-10)

Features

  • add hook for provider version checking (425fe53)

Bug Fixes

  • locals: adds guideline for not duplicating vars into locals (d899870)

Build System

  • deps: bump actions/cache from 3 to 4 (02b5396)
  • deps: bump actions/configure-pages from 3 to 4 (322b1a8)
  • deps: bump actions/configure-pages from 4 to 5 (2722c12)
  • deps: bump actions/deploy-pages from 1 to 4 (c7425ef)
  • deps: bump actions/upload-pages-artifact from 2 to 3 (ea2faed)
  • deps: bump open-turo/action-pre-commit from 1 to 2 (c0fa4c7)
  • deps: bump open-turo/action-pre-commit from 2 to 3 (10bc579)

Continuous Integration

  • use renovate, update CI and precommit (7a46c8d)

Miscellaneous

  • deps: update all ci non-major dependencies (0f8a096)
  • deps: update all ci non-major dependencies (231add4)
  • deps: update all ci non-major dependencies (3e83a99)
  • deps: update dependency node to v20.18.0 (9639ee9)
  • deps: update dependency node to v22 (0410a63)
  • deps: update node.js to v20 (758c36c)
  • deps: update pre-commit hook alessandrojcm/commitlint-pre-commit-hook to v9.18.0 (b7ef399)
  • deps: update pre-commit hook pre-commit/mirrors-eslint to v9.11.0 (98f0d46)
  • deps: update pre-commit hook pre-commit/mirrors-eslint to v9.13.0 (df3d461)
  • deps: update pre-commit hook pre-commit/pre-commit-hooks to v5 (f7b6463)
  • deps: update pre-commit hook rhysd/actionlint to v1.7.2 (1ae18ee)

Documentation

  • add README for provider-pinned-versions hook (0c930e3)
  • standard: add resource tagging standard (45b5325)

@yohanb
Copy link
Contributor Author

yohanb commented Dec 10, 2024

I think that there is still an unused variable that should be cleaned up.

We can revisit whether or not it would be easier for people to use simple grep or hcl2json or something along those lines later.

simple grep wasn't so simple to implement (at least for me). I tried to stay away from any "non scripting" language but it was kind of a pain to implement TBH. At least I got to learn some AWK :)

@yohanb yohanb merged commit 9cc7868 into main Dec 10, 2024
2 checks passed
@yohanb yohanb deleted the feat_add_pinned_provider_version_hook branch December 10, 2024 15:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tagoro9 tagoro9 tagoro9 approved these changes

@greenkiwi greenkiwi greenkiwi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@yohanb @greenkiwi @tagoro9