feat: TFLint: Add --hook-config=--delegate-chdir to use tflint -chdir (antonbabenko#512)

Co-authored-by: Maksym Vlasov <[email protected]>

Author: lexton

README.md

@@ -604,6 +604,14 @@ To replicate functionality in `terraform_docs` hook:
         - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
     ```
 
+3. By default pre-commit-terraform performs directory switching into the terraform modules for you. If you want to delgate the directory changing to the binary - this will allow tflint to determine the full paths for error/warning messages, rather than just module relative paths. *Note: this requires `tflint>=0.44.0`.* For example:
+
+    ```yaml
+    - id: terraform_tflint
+          args:
+            - --hook-config=--delegate-chdir
+    ```
+
 
 ### terraform_tfsec
 

hooks/_common.sh

@@ -217,6 +217,25 @@ function common::per_dir_hook {
     ((index += 1))
   done
 
+  # Lookup hook-config for modifiers that impact common behavior
+  local change_dir_in_unique_part=false
+  IFS=";" read -r -a configs <<< "${HOOK_CONFIG[*]}"
+  for c in "${configs[@]}"; do
+    IFS="=" read -r -a config <<< "$c"
+    key=${config[0]}
+    value=${config[1]}
+
+    case $key in
+      --delegate-chdir)
+        # this flag will skip pushing and popping directories
+        # delegating the responsibility to the hooked plugin/binary
+        if [[ ! $value || $value == true ]]; then
+          change_dir_in_unique_part="delegate_chdir"
+        fi
+        ;;
+    esac
+  done
+
   # preserve errexit status
   shopt -qo errexit && ERREXIT_IS_SET=true
   # allow hook to continue if exit_code is greater than 0
@@ -226,16 +245,22 @@ function common::per_dir_hook {
   # run hook for each path
   for dir_path in $(echo "${dir_paths[*]}" | tr ' ' '\n' | sort -u); do
     dir_path="${dir_path//__REPLACED__SPACE__/ }"
-    pushd "$dir_path" > /dev/null || continue
 
-    per_dir_hook_unique_part "$dir_path" "${args[@]}"
+    if [[ $change_dir_in_unique_part == false ]]; then
+      pushd "$dir_path" > /dev/null || continue
+    fi
+
+    per_dir_hook_unique_part "$dir_path" "$change_dir_in_unique_part" "${args[@]}"
 
     local exit_code=$?
     if [ $exit_code -ne 0 ]; then
       final_exit_code=$exit_code
     fi
 
-    popd > /dev/null
+    if [[ $change_dir_in_unique_part == false ]]; then
+      popd > /dev/null
+    fi
+
   done
 
   # restore errexit if it was set before the "for" loop

hooks/terraform_checkov.sh

@@ -31,14 +31,19 @@ function main {
 # Arguments:
 #   dir_path (string) PATH to dir relative to git repo root.
 #     Can be used in error logging
+#   change_dir_in_unique_part (string/false) Modifier which creates
+#     possibilities to use non-common chdir strategies.
+#     Availability depends on hook.
 #   args (array) arguments that configure wrapped tool behavior
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
 function per_dir_hook_unique_part {
   # shellcheck disable=SC2034 # Unused var.
   local -r dir_path="$1"
-  shift
+  # shellcheck disable=SC2034 # Unused var.
+  local -r change_dir_in_unique_part="$2"
+  shift 2
   local -a -r args=("$@")
 
   checkov -d . "${args[@]}"

hooks/terraform_fmt.sh

@@ -28,14 +28,19 @@ function main {
 # Arguments:
 #   dir_path (string) PATH to dir relative to git repo root.
 #     Can be used in error logging
+#   change_dir_in_unique_part (string/false) Modifier which creates
+#     possibilities to use non-common chdir strategies.
+#     Availability depends on hook.
 #   args (array) arguments that configure wrapped tool behavior
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
 function per_dir_hook_unique_part {
   # shellcheck disable=SC2034 # Unused var.
   local -r dir_path="$1"
-  shift
+  # shellcheck disable=SC2034 # Unused var.
+  local -r change_dir_in_unique_part="$2"
+  shift 2
   local -a -r args=("$@")
 
   # pass the arguments to hook

hooks/terraform_providers_lock.sh

@@ -25,6 +25,9 @@ function main {
 # Arguments:
 #   dir_path (string) PATH to dir relative to git repo root.
 #     Can be used in error logging
+#   change_dir_in_unique_part (string/false) Modifier which creates
+#     possibilities to use non-common chdir strategies.
+#     Availability depends on hook.
 #   args (array) arguments that configure wrapped tool behavior
 # Outputs:
 #   If failed - print out hook checks status

hooks/terraform_tflint.sh

@@ -28,7 +28,7 @@ function main {
   } || {
     local exit_code=$?
     common::colorify "red" "Command 'tflint --init' failed:"
-    echo "${TFLINT_INIT}"
+    echo -e "${TFLINT_INIT}"
     return ${exit_code}
   }
 
@@ -41,21 +41,30 @@ function main {
 # Arguments:
 #   dir_path (string) PATH to dir relative to git repo root.
 #     Can be used in error logging
+#   change_dir_in_unique_part (string/false) Modifier which creates
+#     possibilities to use non-common chdir strategies.
+#     Availability depends on hook.
 #   args (array) arguments that configure wrapped tool behavior
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
 function per_dir_hook_unique_part {
   local -r dir_path="$1"
-  shift
+  local -r change_dir_in_unique_part="$2"
+  shift 2
   local -a -r args=("$@")
 
-  TFLINT_OUTPUT=$(tflint "${args[@]}" 2>&1)
+  if [ "$change_dir_in_unique_part" == "delegate_chdir" ]; then
+    local dir_args="--chdir=$dir_path"
+  fi
+
+  # shellcheck disable=SC2086 # we need to remove the arg if its unset
+  TFLINT_OUTPUT=$(tflint ${dir_args:-} "${args[@]}" 2>&1)
   local exit_code=$?
 
   if [ $exit_code -ne 0 ]; then
     common::colorify "yellow" "TFLint in $dir_path/:"
-    echo "$TFLINT_OUTPUT"
+    echo -e "$TFLINT_OUTPUT"
   fi
 
   # return exit code to common::per_dir_hook

hooks/terraform_tfsec.sh

@@ -31,14 +31,19 @@ function main {
 # Arguments:
 #   dir_path (string) PATH to dir relative to git repo root.
 #     Can be used in error logging
+#   change_dir_in_unique_part (string/false) Modifier which creates
+#     possibilities to use non-common chdir strategies.
+#     Availability depends on hook.
 #   args (array) arguments that configure wrapped tool behavior
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
 function per_dir_hook_unique_part {
   # shellcheck disable=SC2034 # Unused var.
   local -r dir_path="$1"
-  shift
+  # shellcheck disable=SC2034 # Unused var.
+  local -r change_dir_in_unique_part="$2"
+  shift 2
   local -a -r args=("$@")
 
   # pass the arguments to hook

hooks/terraform_validate.sh

@@ -70,13 +70,18 @@ function match_validate_errors {
 # Arguments:
 #   dir_path (string) PATH to dir relative to git repo root.
 #     Can be used in error logging
+#   change_dir_in_unique_part (string/false) Modifier which creates
+#     possibilities to use non-common chdir strategies.
+#     Availability depends on hook.
 #   args (array) arguments that configure wrapped tool behavior
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
 function per_dir_hook_unique_part {
   local -r dir_path="$1"
-  shift
+  # shellcheck disable=SC2034 # Unused var.
+  local -r change_dir_in_unique_part="$2"
+  shift 2
   local -a -r args=("$@")
 
   local exit_code
@@ -95,7 +100,7 @@ function per_dir_hook_unique_part {
 
     case $key in
       --retry-once-with-cleanup)
-        if [ $retry_once_with_cleanup ]; then 
+        if [ $retry_once_with_cleanup ]; then
           common::colorify "yellow" 'Invalid hook config. Make sure that you specify not more than one "--retry-once-with-cleanup" flag'
           exit 1
         fi

hooks/terragrunt_fmt.sh

@@ -24,14 +24,19 @@ function main {
 # Arguments:
 #   dir_path (string) PATH to dir relative to git repo root.
 #     Can be used in error logging
+#   change_dir_in_unique_part (string/false) Modifier which creates
+#     possibilities to use non-common chdir strategies.
+#     Availability depends on hook.
 #   args (array) arguments that configure wrapped tool behavior
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
 function per_dir_hook_unique_part {
   # shellcheck disable=SC2034 # Unused var.
   local -r dir_path="$1"
-  shift
+  # shellcheck disable=SC2034 # Unused var.
+  local -r change_dir_in_unique_part="$2"
+  shift 2
   local -a -r args=("$@")
 
   # pass the arguments to hook

hooks/terragrunt_validate.sh

@@ -24,14 +24,19 @@ function main {
 # Arguments:
 #   dir_path (string) PATH to dir relative to git repo root.
 #     Can be used in error logging
+#   change_dir_in_unique_part (string/false) Modifier which creates
+#     possibilities to use non-common chdir strategies.
+#     Availability depends on hook.
 #   args (array) arguments that configure wrapped tool behavior
 # Outputs:
 #   If failed - print out hook checks status
 #######################################################################
 function per_dir_hook_unique_part {
   # shellcheck disable=SC2034 # Unused var.
   local -r dir_path="$1"
-  shift
+  # shellcheck disable=SC2034 # Unused var.
+  local -r change_dir_in_unique_part="$2"
+  shift 2
   local -a -r args=("$@")
 
   # pass the arguments to hook