From b3f70d121ed615fedc43a5aab62de54fd0c77855 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sat, 28 Feb 2026 18:05:42 +1100 Subject: [PATCH] feat: add pre-commit check in ci - add a ci workflow to verify pre-commit passes - fix pre-commit errors/warnings: - missing required_version - missing required_providers - fixed terraform_deprecated_interpolation - removed terraform_unused_declarations --- .woodpecker/pre-commit.yaml | 9 +++++++++ modules/vault_cluster/main.tf | 3 --- .../modules/auth_approle_backend/main.tf | 2 +- .../modules/auth_approle_backend/terraform.tf | 9 +++++++++ .../modules/auth_approle_backend/variables.tf | 12 +----------- .../vault_cluster/modules/auth_approle_role/main.tf | 2 +- .../modules/auth_approle_role/terraform.tf | 9 +++++++++ .../modules/auth_kubernetes_backend/terraform.tf | 9 +++++++++ .../modules/auth_kubernetes_role/terraform.tf | 9 +++++++++ .../modules/auth_ldap_backend/terraform.tf | 9 +++++++++ .../modules/auth_ldap_group/terraform.tf | 9 +++++++++ .../modules/consul_acl_management/.tflint.hcl | 2 +- .../modules/consul_acl_management/terraform.tf | 13 +++++++++++++ .../modules/consul_secret_backend/terraform.tf | 9 +++++++++ .../modules/consul_secret_backend_role/terraform.tf | 9 +++++++++ .../modules/kubernetes_secret_backend/terraform.tf | 9 +++++++++ .../kubernetes_secret_backend_role/terraform.tf | 9 +++++++++ .../modules/kv_secret_backend/terraform.tf | 9 +++++++++ .../vault_cluster/modules/pki_mount_only/main.tf | 7 +------ .../modules/pki_mount_only/terraform.tf | 9 +++++++++ .../modules/pki_secret_backend/terraform.tf | 9 +++++++++ .../modules/pki_secret_backend_role/terraform.tf | 9 +++++++++ .../modules/ssh_secret_backend/terraform.tf | 9 +++++++++ .../modules/ssh_secret_backend_role/terraform.tf | 9 +++++++++ .../modules/transit_secret_backend/terraform.tf | 9 +++++++++ .../modules/transit_secret_backend_key/terraform.tf | 9 +++++++++ .../vault_cluster/modules/vault_policy/terraform.tf | 9 +++++++++ modules/vault_cluster/variables.tf | 1 - 28 files changed, 198 insertions(+), 24 
deletions(-) create mode 100644 .woodpecker/pre-commit.yaml create mode 100644 modules/vault_cluster/modules/auth_approle_backend/terraform.tf create mode 100644 modules/vault_cluster/modules/auth_approle_role/terraform.tf create mode 100644 modules/vault_cluster/modules/auth_kubernetes_backend/terraform.tf create mode 100644 modules/vault_cluster/modules/auth_kubernetes_role/terraform.tf create mode 100644 modules/vault_cluster/modules/auth_ldap_backend/terraform.tf create mode 100644 modules/vault_cluster/modules/auth_ldap_group/terraform.tf create mode 100644 modules/vault_cluster/modules/consul_acl_management/terraform.tf create mode 100644 modules/vault_cluster/modules/consul_secret_backend/terraform.tf create mode 100644 modules/vault_cluster/modules/consul_secret_backend_role/terraform.tf create mode 100644 modules/vault_cluster/modules/kubernetes_secret_backend/terraform.tf create mode 100644 modules/vault_cluster/modules/kubernetes_secret_backend_role/terraform.tf create mode 100644 modules/vault_cluster/modules/kv_secret_backend/terraform.tf create mode 100644 modules/vault_cluster/modules/pki_mount_only/terraform.tf create mode 100644 modules/vault_cluster/modules/pki_secret_backend/terraform.tf create mode 100644 modules/vault_cluster/modules/pki_secret_backend_role/terraform.tf create mode 100644 modules/vault_cluster/modules/ssh_secret_backend/terraform.tf create mode 100644 modules/vault_cluster/modules/ssh_secret_backend_role/terraform.tf create mode 100644 modules/vault_cluster/modules/transit_secret_backend/terraform.tf create mode 100644 modules/vault_cluster/modules/transit_secret_backend_key/terraform.tf create mode 100644 modules/vault_cluster/modules/vault_policy/terraform.tf diff --git a/.woodpecker/pre-commit.yaml b/.woodpecker/pre-commit.yaml new file mode 100644 index 0000000..4bde44d --- /dev/null +++ b/.woodpecker/pre-commit.yaml 
@@ -0,0 +1,9 @@ +when: + - event: pull_request + +steps: + - name: pre-commit + image: git.unkin.net/unkin/almalinux9-base:latest + commands: + - dnf install uv opentofu terragrunt tflint -y + - uvx pre-commit run --all-files diff --git a/modules/vault_cluster/main.tf b/modules/vault_cluster/main.tf index 6f00018..3c7e275 100644 --- a/modules/vault_cluster/main.tf +++ b/modules/vault_cluster/main.tf @@ -3,8 +3,6 @@ module "auth_approle_backend" { for_each = var.auth_approle_backend - country = var.country - region = var.region path = each.key listing_visibility = each.value.listing_visibility default_lease_ttl = each.value.default_lease_ttl @@ -186,7 +184,6 @@ module "pki_secret_backend" { crl_distribution_points = each.value.crl_distribution_points ocsp_servers = each.value.ocsp_servers enable_templating = each.value.enable_templating - default_issuer_ref = each.value.default_issuer_ref default_follows_latest_issuer = each.value.default_follows_latest_issuer crl_expiry = each.value.crl_expiry crl_disable = each.value.crl_disable diff --git a/modules/vault_cluster/modules/auth_approle_backend/main.tf b/modules/vault_cluster/modules/auth_approle_backend/main.tf index 09a072d..79fa6f0 100644 --- a/modules/vault_cluster/modules/auth_approle_backend/main.tf +++ b/modules/vault_cluster/modules/auth_approle_backend/main.tf @@ -8,4 +8,4 @@ resource "vault_auth_backend" "approle" { max_lease_ttl = var.max_lease_ttl listing_visibility = var.listing_visibility } -} \ No newline at end of file +} diff --git a/modules/vault_cluster/modules/auth_approle_backend/terraform.tf b/modules/vault_cluster/modules/auth_approle_backend/terraform.tf new file mode 100644 index 0000000..ce22437 --- /dev/null +++ b/modules/vault_cluster/modules/auth_approle_backend/terraform.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.10" + required_providers { + vault = { + source = "hashicorp/vault" + version = "5.6.0" + } + } +} 
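Review bot: The new step resolves everything at run time from mutable references: `image: git.unkin.net/unkin/almalinux9-base:latest`, an unversioned `dnf install uv opentofu terragrunt tflint -y`, and `uvx pre-commit` with no version. The same commit can therefore be checked by different tool versions on different days, and a changed base image or package reaches CI without a reviewable diff. Pin the image to a fixed tag or digest, e.g. `image: git.unkin.net/unkin/almalinux9-base@sha256:<digest>`, and pin pre-commit, e.g. `uvx pre-commit@<version> run --all-files`. Baking the four tools into the image would also remove the per-run install. Because the workflow triggers on `pull_request`, it runs whatever hooks the PR's own pre-commit configuration declares, so confirm that this pipeline has no secrets attached.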
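Review bot: `version = "5.6.0"` is an exact pin inside a reusable child module, and the same block is repeated in every other new `terraform.tf` in this patch (plus `consul` at `2.23.0` in consul_acl_management). Exact pins in child modules must all agree with each other and with the root, so moving to a patched provider release means editing every one of these files in lockstep. A range in the modules, e.g. `version = ">= 5.6.0, < 6.0.0"`, keeps builds reproducible if the root module and a committed dependency lock file fix the exact version once. Whether a lock file is committed is not visible in this patch.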
diff --git a/modules/vault_cluster/modules/auth_approle_backend/variables.tf b/modules/vault_cluster/modules/auth_approle_backend/variables.tf index a575230..f113844 100644 --- a/modules/vault_cluster/modules/auth_approle_backend/variables.tf +++ b/modules/vault_cluster/modules/auth_approle_backend/variables.tf @@ -1,13 +1,3 @@ -variable "country" { - description = "Country identifier" - type = string -} - -variable "region" { - description = "Region identifier" - type = string -} - variable "path" { description = "Mount path of the AppRole auth backend" type = string @@ -34,4 +24,4 @@ variable "max_lease_ttl" { description = "Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string" type = string default = null -} \ No newline at end of file +} diff --git a/modules/vault_cluster/modules/auth_approle_role/main.tf b/modules/vault_cluster/modules/auth_approle_role/main.tf index f4617bd..f3365a4 100644 --- a/modules/vault_cluster/modules/auth_approle_role/main.tf +++ b/modules/vault_cluster/modules/auth_approle_role/main.tf @@ -16,7 +16,7 @@ data "vault_kv_secret_v2" "role_config" { locals { salt = data.vault_kv_secret_v2.salt_config.data["salt"] role_id_input = "${local.salt}-${var.approle_name}-${var.mount_path}" - deterministic_role_id = uuidv5("dns", "${local.role_id_input}") + deterministic_role_id = uuidv5("dns", local.role_id_input) # Use deterministic role-id by default, or read from KV if specified role_id = var.use_deterministic_role_id ? local.deterministic_role_id : data.vault_kv_secret_v2.role_config[0].data["role_id"] diff --git a/modules/vault_cluster/modules/auth_approle_role/terraform.tf b/modules/vault_cluster/modules/auth_approle_role/terraform.tf new file mode 100644 index 0000000..ce22437 --- /dev/null +++ b/modules/vault_cluster/modules/auth_approle_role/terraform.tf 
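Review bot: The `deterministic_role_id` local has no comment stating what its secrecy depends on, and the rewritten `uuidv5("dns", local.role_id_input)` line is the natural place to add one. From the visible context the role-id is a pure function of the KV salt, `var.approle_name` and `var.mount_path`, so anyone who can read the salt can recompute every role-id. The salt is read through a data source, which presumably places it in the state file. Suggested comment: `# role-id is derivable from salt + name + path; treat the salt (and state) as sensitive and rely on secret_id for authentication`. The `locals` block starts before and continues past this hunk.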
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/auth_kubernetes_backend/terraform.tf b/modules/vault_cluster/modules/auth_kubernetes_backend/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/auth_kubernetes_backend/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/auth_kubernetes_role/terraform.tf b/modules/vault_cluster/modules/auth_kubernetes_role/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/auth_kubernetes_role/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/auth_ldap_backend/terraform.tf b/modules/vault_cluster/modules/auth_ldap_backend/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/auth_ldap_backend/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/auth_ldap_group/terraform.tf b/modules/vault_cluster/modules/auth_ldap_group/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/auth_ldap_group/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/consul_acl_management/.tflint.hcl b/modules/vault_cluster/modules/consul_acl_management/.tflint.hcl index 8f9177e..3657e1d 100644 --- a/modules/vault_cluster/modules/consul_acl_management/.tflint.hcl +++ b/modules/vault_cluster/modules/consul_acl_management/.tflint.hcl @@ -4,4 +4,4 @@ rule "terraform_required_providers" { rule "terraform_required_version" { enabled = false -} \ No newline at end of file +} diff --git a/modules/vault_cluster/modules/consul_acl_management/terraform.tf b/modules/vault_cluster/modules/consul_acl_management/terraform.tf new file mode 100644 index 0000000..3aa5b98 --- /dev/null +++ b/modules/vault_cluster/modules/consul_acl_management/terraform.tf @@ -0,0 +1,13 @@ +terraform { + required_version = ">= 1.10" + required_providers { + vault = { + source = "hashicorp/vault" + version = "5.6.0" + } + consul = { + source = "hashicorp/consul" + version = "2.23.0" + } + } +} diff --git a/modules/vault_cluster/modules/consul_secret_backend/terraform.tf b/modules/vault_cluster/modules/consul_secret_backend/terraform.tf new file mode 100644 index 0000000..ce22437 --- /dev/null +++ b/modules/vault_cluster/modules/consul_secret_backend/terraform.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.10" + required_providers { + vault = { + source = "hashicorp/vault" + version = "5.6.0" + } + } +} diff --git a/modules/vault_cluster/modules/consul_secret_backend_role/terraform.tf b/modules/vault_cluster/modules/consul_secret_backend_role/terraform.tf new file mode 100644 index 0000000..ce22437 --- /dev/null +++ b/modules/vault_cluster/modules/consul_secret_backend_role/terraform.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.10" + required_providers { + vault = { + source = "hashicorp/vault" + version = "5.6.0" + } + } +} 
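Review bot: This module now declares `required_version` and `required_providers`, but the `.tflint.hcl` beside it (visible as context in the hunk just above) still carries `rule "terraform_required_version" { enabled = false }` and, apparently, the same override for `terraform_required_providers`. With those overrides in place the new CI check will not notice if the declarations are later removed, or if a provider is added to this module without a constraint. If the overrides existed only because the block was missing, drop them or set `enabled = true` so this module is linted like the others.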
diff --git a/modules/vault_cluster/modules/kubernetes_secret_backend/terraform.tf b/modules/vault_cluster/modules/kubernetes_secret_backend/terraform.tf new file mode 100644 index 0000000..ce22437 --- /dev/null +++ b/modules/vault_cluster/modules/kubernetes_secret_backend/terraform.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.10" + required_providers { + vault = { + source = "hashicorp/vault" + version = "5.6.0" + } + } +} diff --git a/modules/vault_cluster/modules/kubernetes_secret_backend_role/terraform.tf b/modules/vault_cluster/modules/kubernetes_secret_backend_role/terraform.tf new file mode 100644 index 0000000..ce22437 --- /dev/null +++ b/modules/vault_cluster/modules/kubernetes_secret_backend_role/terraform.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.10" + required_providers { + vault = { + source = "hashicorp/vault" + version = "5.6.0" + } + } +} diff --git a/modules/vault_cluster/modules/kv_secret_backend/terraform.tf b/modules/vault_cluster/modules/kv_secret_backend/terraform.tf new file mode 100644 index 0000000..ce22437 --- /dev/null +++ b/modules/vault_cluster/modules/kv_secret_backend/terraform.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.10" + required_providers { + vault = { + source = "hashicorp/vault" + version = "5.6.0" + } + } +} diff --git a/modules/vault_cluster/modules/pki_mount_only/main.tf b/modules/vault_cluster/modules/pki_mount_only/main.tf index 4f3e409..ce383cc 100644 --- a/modules/vault_cluster/modules/pki_mount_only/main.tf +++ b/modules/vault_cluster/modules/pki_mount_only/main.tf @@ -5,11 +5,6 @@ resource "vault_mount" "pki" { max_lease_ttl_seconds = var.max_lease_ttl_seconds } -data "vault_pki_secret_backend_issuer" "issuer" { - backend = vault_mount.pki.path - issuer_ref = var.issuer_ref -} - resource "vault_pki_secret_backend_config_urls" "config_urls" { backend = vault_mount.pki.path 
@@ -35,4 +30,4 @@ resource "vault_pki_secret_backend_crl_config" "crl" { auto_rebuild = var.auto_rebuild enable_delta = var.enable_delta delta_rebuild_interval = var.delta_rebuild_interval -} \ No newline at end of file +} diff --git a/modules/vault_cluster/modules/pki_mount_only/terraform.tf b/modules/vault_cluster/modules/pki_mount_only/terraform.tf new file mode 100644 index 0000000..ce22437 --- /dev/null +++ b/modules/vault_cluster/modules/pki_mount_only/terraform.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.10" + required_providers { + vault = { + source = "hashicorp/vault" + version = "5.6.0" + } + } +} diff --git a/modules/vault_cluster/modules/pki_secret_backend/terraform.tf b/modules/vault_cluster/modules/pki_secret_backend/terraform.tf new file mode 100644 index 0000000..ce22437 --- /dev/null +++ b/modules/vault_cluster/modules/pki_secret_backend/terraform.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.10" + required_providers { + vault = { + source = "hashicorp/vault" + version = "5.6.0" + } + } +} diff --git a/modules/vault_cluster/modules/pki_secret_backend_role/terraform.tf b/modules/vault_cluster/modules/pki_secret_backend_role/terraform.tf new file mode 100644 index 0000000..ce22437 --- /dev/null +++ b/modules/vault_cluster/modules/pki_secret_backend_role/terraform.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.10" + required_providers { + vault = { + source = "hashicorp/vault" + version = "5.6.0" + } + } +} diff --git a/modules/vault_cluster/modules/ssh_secret_backend/terraform.tf b/modules/vault_cluster/modules/ssh_secret_backend/terraform.tf new file mode 100644 index 0000000..ce22437 --- /dev/null +++ b/modules/vault_cluster/modules/ssh_secret_backend/terraform.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.10" + required_providers { + vault = { + source = "hashicorp/vault" + version = "5.6.0" + } + } +} 
diff --git a/modules/vault_cluster/modules/ssh_secret_backend_role/terraform.tf b/modules/vault_cluster/modules/ssh_secret_backend_role/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/ssh_secret_backend_role/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/transit_secret_backend/terraform.tf b/modules/vault_cluster/modules/transit_secret_backend/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/transit_secret_backend/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/transit_secret_backend_key/terraform.tf b/modules/vault_cluster/modules/transit_secret_backend_key/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/transit_secret_backend_key/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/vault_policy/terraform.tf b/modules/vault_cluster/modules/vault_policy/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/vault_policy/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/variables.tf b/modules/vault_cluster/variables.tf
index d9b03fc..eb6be36 100644
--- a/modules/vault_cluster/variables.tf
+++ b/modules/vault_cluster/variables.tf
@@ -166,7 +166,6 @@ variable "pki_secret_backend" { crl_distribution_points = optional(list(string), []) ocsp_servers = optional(list(string), []) enable_templating = optional(bool, false) - default_issuer_ref = optional(string) default_follows_latest_issuer = optional(bool, false) crl_expiry = optional(string, "72h") crl_disable = optional(bool, false)