feat: add pre-commit check in ci

- add a ci workflow to verify pre-commit passes
- fix pre-commit errors/warnings:
  - missing required_version
  - missing required_providers
  - fixed terraform_deprecated_interpolation
  - removed terraform_unused_declarations

.woodpecker/pre-commit.yaml

@@ -0,0 +1,9 @@
+when:
+  - event: pull_request
+
+steps:
+  - name: pre-commit
+    image: git.unkin.net/unkin/almalinux9-base:latest
+    commands:
+      - dnf install uv opentofu terragrunt tflint -y
+      - uvx pre-commit run --all-files

modules/vault_cluster/main.tf

@@ -3,8 +3,6 @@ module "auth_approle_backend" {
 
   for_each = var.auth_approle_backend
 
-  country            = var.country
-  region             = var.region
   path               = each.key
   listing_visibility = each.value.listing_visibility
   default_lease_ttl  = each.value.default_lease_ttl
@@ -186,7 +184,6 @@ module "pki_secret_backend" {
   crl_distribution_points       = each.value.crl_distribution_points
   ocsp_servers                  = each.value.ocsp_servers
   enable_templating             = each.value.enable_templating
-  default_issuer_ref            = each.value.default_issuer_ref
   default_follows_latest_issuer = each.value.default_follows_latest_issuer
   crl_expiry                    = each.value.crl_expiry
   crl_disable                   = each.value.crl_disable

modules/vault_cluster/modules/auth_approle_backend/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/auth_approle_backend/variables.tf

@@ -1,13 +1,3 @@
-variable "country" {
-  description = "Country identifier"
-  type        = string
-}
-
-variable "region" {
-  description = "Region identifier"
-  type        = string
-}
-
 variable "path" {
   description = "Mount path of the AppRole auth backend"
   type        = string

modules/vault_cluster/modules/auth_approle_role/main.tf

@@ -16,7 +16,7 @@ data "vault_kv_secret_v2" "role_config" {
 locals {
   salt                  = data.vault_kv_secret_v2.salt_config.data["salt"]
   role_id_input         = "${local.salt}-${var.approle_name}-${var.mount_path}"
-  deterministic_role_id = uuidv5("dns", "${local.role_id_input}")
+  deterministic_role_id = uuidv5("dns", local.role_id_input)
 
   # Use deterministic role-id by default, or read from KV if specified
   role_id = var.use_deterministic_role_id ? local.deterministic_role_id : data.vault_kv_secret_v2.role_config[0].data["role_id"]

modules/vault_cluster/modules/auth_approle_role/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/auth_kubernetes_backend/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/auth_kubernetes_role/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/auth_ldap_backend/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/auth_ldap_group/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/consul_acl_management/terraform.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+    consul = {
+      source  = "hashicorp/consul"
+      version = "2.23.0"
+    }
+  }
+}

modules/vault_cluster/modules/consul_secret_backend/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/consul_secret_backend_role/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/kubernetes_secret_backend/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/kubernetes_secret_backend_role/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/kv_secret_backend/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/pki_mount_only/main.tf

@@ -5,11 +5,6 @@ resource "vault_mount" "pki" {
   max_lease_ttl_seconds = var.max_lease_ttl_seconds
 }
 
-data "vault_pki_secret_backend_issuer" "issuer" {
-  backend    = vault_mount.pki.path
-  issuer_ref = var.issuer_ref
-}
-
 resource "vault_pki_secret_backend_config_urls" "config_urls" {
   backend = vault_mount.pki.path
 

modules/vault_cluster/modules/pki_mount_only/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/pki_secret_backend/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/pki_secret_backend_role/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/ssh_secret_backend/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/ssh_secret_backend_role/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/transit_secret_backend/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/transit_secret_backend_key/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/modules/vault_policy/terraform.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "5.6.0"
+    }
+  }
+}

modules/vault_cluster/variables.tf

@@ -166,7 +166,6 @@ variable "pki_secret_backend" {
     crl_distribution_points       = optional(list(string), [])
     ocsp_servers                  = optional(list(string), [])
     enable_templating             = optional(bool, false)
-    default_issuer_ref            = optional(string)
     default_follows_latest_issuer = optional(bool, false)
     crl_expiry                    = optional(string, "72h")
     crl_disable                   = optional(bool, false)