Enterprise-grade multi-tenant AWS cloud foundation. Modules: - GitHub OIDC for keyless CI/CD authentication - IAM account settings and security baseline - AWS Config Rules for compliance - ABAC (Attribute-Based Access Control) - SCPs (Service Control Policies) Features: - Multi-account architecture - Cost optimization patterns - Security best practices - Comprehensive documentation Tech: Terraform, AWS Organizations, IAM Identity Center
---
# Pre-commit hooks for Terraform
#
# Install: pip install pre-commit && pre-commit install
#
# Tools:
#   - terraform fmt/validate
#   - tflint (with AWS plugin)
#   - tfsec (security scanner)
#   - checkov (policy-as-code)
#   - terraform-docs (auto-generate docs)
#   - trivy (vulnerability scanner)
#
# Enforcement note: tfsec (--soft-fail) and trivy (--exit-code=0) only report
# findings and never fail the commit; checkov, detect-secrets and
# detect-private-key do block. Remove the soft-fail flags once the existing
# findings are triaged if these scanners are meant to gate commits.

repos:
  # Terraform formatting, validation, linting, docs and scanning
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.86.0
    hooks:
      - id: terraform_fmt
      - id: terraform_validate
        args:
          # Re-run once after wiping .terraform/ if validate fails the first time
          - --hook-config=--retry-once-with-cleanup=true
      - id: terraform_tflint
        args:
          # __GIT_WORKING_DIR__ is substituted with the repository root by
          # pre-commit-terraform, so the shared .tflint.hcl is found from any module
          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
      - id: terraform_docs
        args:
          - --args=--config=.terraform-docs.yml
      - id: terraform_tfsec
        args:
          # --soft-fail: findings are printed but do not fail the hook
          - --args=--soft-fail
          - --args=--exclude-downloaded-modules
      - id: terraform_checkov
        args:
          - --args=--config-file=__GIT_WORKING_DIR__/.checkov.yml
          - --args=--framework=terraform
          # Do not fetch remote modules during the scan (offline, no network trust)
          - --args=--download-external-modules=false

  # Trivy security scanner
  - repo: https://github.com/aquasecurity/trivy
    rev: v0.48.0
    hooks:
      - id: trivy
        files: '\.tf$'
        args:
          - --config=.trivy.yaml
          - --exit-code=0  # Warn only: never fails the commit
  # General file checks
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
        args:
          # --unsafe switches check-yaml to a syntax-only parse, which lets files
          # with custom tags pass. Presumably needed for such files in this repo;
          # confirm, and drop the flag if plain YAML is all that is committed.
          - --unsafe
      - id: check-json
      - id: check-merge-conflict
      - id: detect-private-key
      - id: no-commit-to-branch
        args:
          - --branch
          - main
        # NOTE(review): recent pre-commit releases name this stage `pre-commit`
        # and treat `commit` as a legacy alias - confirm against the pinned
        # pre-commit version before renaming.
        stages:
          - commit

  # Security scanning for secrets
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args:
          # Secrets not already recorded in the baseline fail the hook
          - --baseline
          - .secrets.baseline
        exclude: '\.terraform/.*|\.terraform\.lock\.hcl'

  # Markdown linting
  - repo: https://github.com/igorshubovych/markdownlint-cli
    rev: v0.39.0
    hooks:
      - id: markdownlint
        args:
          - --fix
          - --disable
          - MD013
          - MD033
          - MD041

  # YAML linting
  - repo: https://github.com/adrienverge/yamllint
    rev: v1.33.0
    hooks:
      - id: yamllint
        args:
          - -c
          - .yamllint.yml
        exclude: '\.terraform/.*'

  # Shell script linting
  - repo: https://github.com/shellcheck-py/shellcheck-py
    rev: v0.9.0.6
    hooks:
      - id: shellcheck
        args:
          - --severity=warning