feat: add pre-commit check in ci

- add a ci workflow to verify pre-commit passes - fix pre-commit errors/warnings: - missing required_version - missing required_providers - fixed terraform_deprecated_interpolation - removed terraform_unused_declarations
2026-02-28 18:05:42 +11:00 · 2026-02-28 18:05:42 +11:00 · 66119e5207
commit 66119e5207
parent 9e6de4dc32
32 changed files with 216 additions and 51 deletions
--- a/.woodpecker/pre-commit.yaml
+++ b/.woodpecker/pre-commit.yaml
@ -0,0 +1,9 @@
 when:
  - event: pull_request
 steps:
  - name: pre-commit
    image: git.unkin.net/unkin/almalinux9-base:latest
    commands:
      - dnf install uv opentofu terragrunt tflint -y
      - uvx pre-commit run --all-files
--- a/modules/vault_cluster/.tflint.hcl
+++ b/modules/vault_cluster/.tflint.hcl
@ -0,0 +1,11 @@
 rule "terraform_required_providers" {
  enabled = false
 }
 rule "terraform_required_version" {
  enabled = false
 }
 rule "terraform_unused_declarations" {
  enabled = false
 }
--- a/modules/vault_cluster/main.tf
+++ b/modules/vault_cluster/main.tf
@ -3,8 +3,6 @@ module "auth_approle_backend" {
  for_each = var.auth_approle_backend
  country            = var.country
  region             = var.region
  path               = each.key
  listing_visibility = each.value.listing_visibility
  default_lease_ttl  = each.value.default_lease_ttl
@ -186,7 +184,6 @@ module "pki_secret_backend" {
  crl_distribution_points       = each.value.crl_distribution_points
  ocsp_servers                  = each.value.ocsp_servers
  enable_templating             = each.value.enable_templating
  default_issuer_ref            = each.value.default_issuer_ref
  default_follows_latest_issuer = each.value.default_follows_latest_issuer
  crl_expiry                    = each.value.crl_expiry
  crl_disable                   = each.value.crl_disable
@ -266,12 +263,11 @@ module "consul_secret_backend_role" {
  for_each = var.consul_secret_backend_role
-  name         = each.value.name
+  name    = each.value.name
-  backend      = each.value.backend
+  backend = each.value.backend
-  consul_roles = each.value.consul_roles
+  ttl     = each.value.ttl
-  ttl          = each.value.ttl
+  max_ttl = each.value.max_ttl
-  max_ttl      = each.value.max_ttl
+  local   = each.value.local
  local        = each.value.local
  depends_on = [module.consul_secret_backend, module.consul_acl_management]
 }
@ -324,7 +320,6 @@ module "pki_mount_only" {
  path                          = each.key
  description                   = each.value.description
  max_lease_ttl_seconds         = each.value.max_lease_ttl_seconds
  issuer_ref                    = each.value.issuer_ref
  issuing_certificates          = each.value.issuing_certificates
  crl_distribution_points       = each.value.crl_distribution_points
  ocsp_servers                  = each.value.ocsp_servers
--- a/modules/vault_cluster/modules/auth_approle_backend/main.tf
+++ b/modules/vault_cluster/modules/auth_approle_backend/main.tf
@ -8,4 +8,4 @@ resource "vault_auth_backend" "approle" {
    max_lease_ttl      = var.max_lease_ttl
    listing_visibility = var.listing_visibility
  }
-}
+}
--- a/modules/vault_cluster/modules/auth_approle_backend/terraform.tf
+++ b/modules/vault_cluster/modules/auth_approle_backend/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/auth_approle_backend/variables.tf
+++ b/modules/vault_cluster/modules/auth_approle_backend/variables.tf
@ -1,13 +1,3 @@
 variable "country" {
  description = "Country identifier"
  type        = string
 }
 variable "region" {
  description = "Region identifier"
  type        = string
 }
 variable "path" {
  description = "Mount path of the AppRole auth backend"
  type        = string
@ -34,4 +24,4 @@ variable "max_lease_ttl" {
  description = "Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string"
  type        = string
  default     = null
-}
+}
--- a/modules/vault_cluster/modules/auth_approle_role/main.tf
+++ b/modules/vault_cluster/modules/auth_approle_role/main.tf
@ -16,7 +16,7 @@ data "vault_kv_secret_v2" "role_config" {
 locals {
  salt                  = data.vault_kv_secret_v2.salt_config.data["salt"]
  role_id_input         = "${local.salt}-${var.approle_name}-${var.mount_path}"
-  deterministic_role_id = uuidv5("dns", "${local.role_id_input}")
+  deterministic_role_id = uuidv5("dns", local.role_id_input)
  # Use deterministic role-id by default, or read from KV if specified
  role_id = var.use_deterministic_role_id ? local.deterministic_role_id : data.vault_kv_secret_v2.role_config[0].data["role_id"]
--- a/modules/vault_cluster/modules/auth_approle_role/terraform.tf
+++ b/modules/vault_cluster/modules/auth_approle_role/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/auth_kubernetes_backend/terraform.tf
+++ b/modules/vault_cluster/modules/auth_kubernetes_backend/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/auth_kubernetes_role/terraform.tf
+++ b/modules/vault_cluster/modules/auth_kubernetes_role/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/auth_ldap_backend/terraform.tf
+++ b/modules/vault_cluster/modules/auth_ldap_backend/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/auth_ldap_group/terraform.tf
+++ b/modules/vault_cluster/modules/auth_ldap_group/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/consul_acl_management/.tflint.hcl
+++ b/modules/vault_cluster/modules/consul_acl_management/.tflint.hcl
@ -4,4 +4,4 @@ rule "terraform_required_providers" {
 rule "terraform_required_version" {
  enabled = false
-}
+}
--- a/modules/vault_cluster/modules/consul_acl_management/terraform.tf
+++ b/modules/vault_cluster/modules/consul_acl_management/terraform.tf
@ -0,0 +1,13 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
    consul = {
      source  = "hashicorp/consul"
      version = "2.23.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/consul_secret_backend/terraform.tf
+++ b/modules/vault_cluster/modules/consul_secret_backend/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/consul_secret_backend_role/terraform.tf
+++ b/modules/vault_cluster/modules/consul_secret_backend_role/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/consul_secret_backend_role/variables.tf
+++ b/modules/vault_cluster/modules/consul_secret_backend_role/variables.tf
@ -9,12 +9,6 @@ variable "name" {
 }
 variable "consul_roles" {
  description = "List of Consul roles to attach to tokens"
  type        = list(string)
  default     = []
 }
 variable "ttl" {
  description = "TTL for generated tokens"
--- a/modules/vault_cluster/modules/kubernetes_secret_backend/terraform.tf
+++ b/modules/vault_cluster/modules/kubernetes_secret_backend/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/kubernetes_secret_backend_role/terraform.tf
+++ b/modules/vault_cluster/modules/kubernetes_secret_backend_role/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/kv_secret_backend/terraform.tf
+++ b/modules/vault_cluster/modules/kv_secret_backend/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/pki_mount_only/main.tf
+++ b/modules/vault_cluster/modules/pki_mount_only/main.tf
@ -5,11 +5,6 @@ resource "vault_mount" "pki" {
  max_lease_ttl_seconds = var.max_lease_ttl_seconds
 }
 data "vault_pki_secret_backend_issuer" "issuer" {
  backend    = vault_mount.pki.path
  issuer_ref = var.issuer_ref
 }
 resource "vault_pki_secret_backend_config_urls" "config_urls" {
  backend = vault_mount.pki.path
@ -35,4 +30,4 @@ resource "vault_pki_secret_backend_crl_config" "crl" {
  auto_rebuild           = var.auto_rebuild
  enable_delta           = var.enable_delta
  delta_rebuild_interval = var.delta_rebuild_interval
-}
+}
--- a/modules/vault_cluster/modules/pki_mount_only/terraform.tf
+++ b/modules/vault_cluster/modules/pki_mount_only/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/pki_mount_only/variables.tf
+++ b/modules/vault_cluster/modules/pki_mount_only/variables.tf
@ -13,11 +13,6 @@ variable "max_lease_ttl_seconds" {
  type        = number
 }
 variable "issuer_ref" {
  description = "Reference to the PKI issuer (default, or issuer ID/name)"
  type        = string
  default     = "default"
 }
 variable "issuing_certificates" {
  description = "List of URLs for issuing certificates"
@ -89,4 +84,4 @@ variable "delta_rebuild_interval" {
  description = "Delta CRL rebuild interval"
  type        = string
  default     = null
-}
+}
--- a/modules/vault_cluster/modules/pki_secret_backend/terraform.tf
+++ b/modules/vault_cluster/modules/pki_secret_backend/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/pki_secret_backend/variables.tf
+++ b/modules/vault_cluster/modules/pki_secret_backend/variables.tf
@ -61,12 +61,6 @@ variable "enable_templating" {
  default     = false
 }
 variable "default_issuer_ref" {
  description = "Reference to the default issuer"
  type        = string
  default     = null
 }
 variable "default_follows_latest_issuer" {
  description = "Whether the default issuer should follow the latest issuer"
  type        = bool
@ -107,4 +101,4 @@ variable "delta_rebuild_interval" {
  description = "Delta CRL rebuild interval"
  type        = string
  default     = null
-}
+}
--- a/modules/vault_cluster/modules/pki_secret_backend_role/terraform.tf
+++ b/modules/vault_cluster/modules/pki_secret_backend_role/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/ssh_secret_backend/terraform.tf
+++ b/modules/vault_cluster/modules/ssh_secret_backend/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/ssh_secret_backend_role/terraform.tf
+++ b/modules/vault_cluster/modules/ssh_secret_backend_role/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/transit_secret_backend/terraform.tf
+++ b/modules/vault_cluster/modules/transit_secret_backend/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/transit_secret_backend_key/terraform.tf
+++ b/modules/vault_cluster/modules/transit_secret_backend_key/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/modules/vault_policy/terraform.tf
+++ b/modules/vault_cluster/modules/vault_policy/terraform.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 1.10"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.6.0"
    }
  }
 }
--- a/modules/vault_cluster/variables.tf
+++ b/modules/vault_cluster/variables.tf
@ -166,7 +166,6 @@ variable "pki_secret_backend" {
    crl_distribution_points       = optional(list(string), [])
    ocsp_servers                  = optional(list(string), [])
    enable_templating             = optional(bool, false)
    default_issuer_ref            = optional(string)
    default_follows_latest_issuer = optional(bool, false)
    crl_expiry                    = optional(string, "72h")
    crl_disable                   = optional(bool, false)
@ -204,7 +203,6 @@ variable "pki_mount_only" {
  type = map(object({
    description                   = optional(string)
    max_lease_ttl_seconds         = optional(number, 315360000)
    issuer_ref                    = optional(string, "default")
    issuing_certificates          = optional(list(string), [])
    crl_distribution_points       = optional(list(string), [])
    ocsp_servers                  = optional(list(string), [])