feat: add pre-commit check in ci

- add a ci workflow to verify pre-commit passes
- fix pre-commit errors/warnings:
  - missing required_version

modules/vault_cluster/main.tf

@@ -3,6 +3,8 @@ module "auth_approle_backend" {
 
   for_each = var.auth_approle_backend
 
+  country            = var.country
+  region             = var.region
   path               = each.key
   listing_visibility = each.value.listing_visibility
   default_lease_ttl  = each.value.default_lease_ttl
@@ -184,6 +186,7 @@ module "pki_secret_backend" {
   crl_distribution_points       = each.value.crl_distribution_points
   ocsp_servers                  = each.value.ocsp_servers
   enable_templating             = each.value.enable_templating
+  default_issuer_ref            = each.value.default_issuer_ref
   default_follows_latest_issuer = each.value.default_follows_latest_issuer
   crl_expiry                    = each.value.crl_expiry
   crl_disable                   = each.value.crl_disable

modules/vault_cluster/modules/auth_approle_backend/variables.tf

@@ -1,3 +1,13 @@
+variable "country" {
+  description = "Country identifier"
+  type        = string
+}
+
+variable "region" {
+  description = "Region identifier"
+  type        = string
+}
+
 variable "path" {
   description = "Mount path of the AppRole auth backend"
   type        = string

modules/vault_cluster/modules/auth_approle_role/main.tf

@@ -16,7 +16,7 @@ data "vault_kv_secret_v2" "role_config" {
 locals {
   salt                  = data.vault_kv_secret_v2.salt_config.data["salt"]
   role_id_input         = "${local.salt}-${var.approle_name}-${var.mount_path}"
-  deterministic_role_id = uuidv5("dns", local.role_id_input)
+  deterministic_role_id = uuidv5("dns", "${local.role_id_input}")
 
   # Use deterministic role-id by default, or read from KV if specified
   role_id = var.use_deterministic_role_id ? local.deterministic_role_id : data.vault_kv_secret_v2.role_config[0].data["role_id"]

modules/vault_cluster/modules/pki_mount_only/main.tf

@@ -5,6 +5,11 @@ resource "vault_mount" "pki" {
   max_lease_ttl_seconds = var.max_lease_ttl_seconds
 }
 
+data "vault_pki_secret_backend_issuer" "issuer" {
+  backend    = vault_mount.pki.path
+  issuer_ref = var.issuer_ref
+}
+
 resource "vault_pki_secret_backend_config_urls" "config_urls" {
   backend = vault_mount.pki.path
 

modules/vault_cluster/variables.tf

@@ -166,6 +166,7 @@ variable "pki_secret_backend" {
     crl_distribution_points       = optional(list(string), [])
     ocsp_servers                  = optional(list(string), [])
     enable_templating             = optional(bool, false)
+    default_issuer_ref            = optional(string)
     default_follows_latest_issuer = optional(bool, false)
     crl_expiry                    = optional(string, "72h")
     crl_disable                   = optional(bool, false)