Detect secret

.github/workflows/validate_terraform.yml

@@ -25,6 +25,9 @@ jobs:
       -
         name: Install pre-commit
         run: pip install pre-commit
+      -
+        name: Upgrade hooks
+        run: pre-commit autoupdate
       -
         name: Run pre-commit command
         run: pre-commit run -a
@@ -37,12 +40,3 @@ jobs:
       -
         name: terraform fmt check           # perform format checks
         run: terraform fmt -list=true -write=false -check -recursive
-
-      - uses: 8398a7/action-slack@v2
-        with:
-          status: ${{ job.status }}
-          author_name: Integration Test # default: 8398a7@action-slack
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # optional
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} # required
-        if: always() # Pick up events even if the job fails or is canceled.

.pre-commit-config.yaml

@@ -6,12 +6,26 @@ default_stages: [commit]
 # Terraform Validate : Validates the configuration files in a directory, referring only to the configuration and not accessing any remote services such as remote state, provider APIs, etc
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.45.0
+  rev: v1.52.0
   hooks:
     - id: terraform_fmt
 - repo: git://github.com/pre-commit/pre-commit-hooks
-  rev: v3.4.0
+  rev: v4.0.1
   hooks:
       - id: check-merge-conflict
       - id: trailing-whitespace
       - id: detect-private-key
+- repo: https://github.com/ibm/detect-secrets
+  # If you desire to use a specific version of detect-secrets, you can replace `master` with other git revisions such as branch, tag or commit sha.
+  # You are encouraged to use static refs such as tags, instead of branch name
+  #
+  # Running "pre-commit autoupdate" would automatically updates rev to latest tag
+  rev: 0.13.1+ibm.46.dss
+  hooks:
+    - id: detect-secrets # pragma: whitelist secret
+      # Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options.
+      # You may also run `pre-commit run detect-secrets` to preview the scan result.
+      # when "--baseline" without "--use-all-plugins", pre-commit scan with just plugins in baseline file
+      # when "--baseline" with "--use-all-plugins", pre-commit scan with all available plugins
+      # add "--fail-on-non-audited" to fail pre-commit for unaudited potential secrets
+      args: [--baseline, .secrets.baseline, --use-all-plugins ]

.secrets.baseline

@@ -0,0 +1,85 @@
+{
+  "exclude": {
+    "files": "^.secrets.baseline$",
+    "lines": null
+  },
+  "generated_at": "2021-10-12T12:36:29Z",
+  "plugins_used": [
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "base64_limit": 4.5,
+      "name": "Base64HighEntropyString"
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "BoxDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "ghe_instance": "github.ibm.com",
+      "name": "GheDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "hex_limit": 3,
+      "name": "HexHighEntropyString"
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "keyword_exclude": null,
+      "name": "KeywordDetector"
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "results": {},
+  "version": "0.13.1+ibm.46.dss",
+  "word_list": {
+    "file": null,
+    "hash": null
+  }
+}

README.md

@@ -119,16 +119,45 @@ Be sure you have the compiled plugins on $HOME/.terraform.d/plugins/
 ### Pre-commit Hooks
 
 Run the following command to execute the pre-commit hooks defined in .pre-commit-config.yaml file
-
+```
 pre-commit run -a
+```
 
 We can install pre-coomit tool using
 
+```
 pip install pre-commit
 
       or
 
 pip3 install pre-commit
+```
+
+### Detect Secret Hook
+
+Used to detect secrets within a code base.
+
+To create a secret baseline file run following command
+
+```
+detect-secrets scan --update .secrets.baseline
+```
+
+While running the pre-commit hook, if you encounter an error like
+
+```
+WARNING: You are running an outdated version of detect-secrets.
+Your version: 0.13.1+ibm.27.dss
+Latest version: 0.13.1+ibm.46.dss
+See upgrade guide at https://ibm.biz/detect-secrets-how-to-upgrade
+```
+
+run below command
+
+```
+pre-commit autoupdate
+```
+which upgrades all the pre-commit hooks present in .pre-commit.yaml file.
 
 ## How to input varaible values through a file
 

test/cluster_e2e_test.go

@@ -27,6 +27,7 @@ func TestAccIBMClusterE2E(t *testing.T) {
 			"flavor":             "b3c.16x64",
 			"worker_pool_name":   "workerPoolDemo",
 			"region":             "us-south",
+			"private_vlan_id":    "2988890",
 		},
 	})