feat: add pre-commit check in ci

- add a ci workflow to verify pre-commit passes - fix pre-commit errors/warnings: - missing required_version
2026-02-28 18:36:40 +11:00
5 changed files with 22 additions and 3 deletions
--- a/modules/vault_cluster/main.tf
+++ b/modules/vault_cluster/main.tf
@ -3,6 +3,8 @@ module "auth_approle_backend" {

  for_each = var.auth_approle_backend

+  country            = var.country
+  region             = var.region
  path               = each.key
  listing_visibility = each.value.listing_visibility
  default_lease_ttl  = each.value.default_lease_ttl
@ -184,6 +186,7 @@ module "pki_secret_backend" {
  crl_distribution_points       = each.value.crl_distribution_points
  ocsp_servers                  = each.value.ocsp_servers
  enable_templating             = each.value.enable_templating
+  default_issuer_ref            = each.value.default_issuer_ref
  default_follows_latest_issuer = each.value.default_follows_latest_issuer
  crl_expiry                    = each.value.crl_expiry
  crl_disable                   = each.value.crl_disable
--- a/modules/vault_cluster/modules/auth_approle_backend/variables.tf
+++ b/modules/vault_cluster/modules/auth_approle_backend/variables.tf
@ -1,3 +1,13 @@
+variable "country" {
+  description = "Country identifier"
+  type        = string
+}
+
+variable "region" {
+  description = "Region identifier"
+  type        = string
+}
+
 variable "path" {
  description = "Mount path of the AppRole auth backend"
  type        = string
@ -24,4 +34,4 @@ variable "max_lease_ttl" {
  description = "Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string"
  type        = string
  default     = null
-}
+}
--- a/modules/vault_cluster/modules/auth_approle_role/main.tf
+++ b/modules/vault_cluster/modules/auth_approle_role/main.tf
@ -16,7 +16,7 @@ data "vault_kv_secret_v2" "role_config" {
 locals {
  salt                  = data.vault_kv_secret_v2.salt_config.data["salt"]
  role_id_input         = "${local.salt}-${var.approle_name}-${var.mount_path}"
-  deterministic_role_id = uuidv5("dns", local.role_id_input)
+  deterministic_role_id = uuidv5("dns", "${local.role_id_input}")

  # Use deterministic role-id by default, or read from KV if specified
  role_id = var.use_deterministic_role_id ? local.deterministic_role_id : data.vault_kv_secret_v2.role_config[0].data["role_id"]
--- a/modules/vault_cluster/modules/pki_mount_only/main.tf
+++ b/modules/vault_cluster/modules/pki_mount_only/main.tf
@ -5,6 +5,11 @@ resource "vault_mount" "pki" {
  max_lease_ttl_seconds = var.max_lease_ttl_seconds
 }

+data "vault_pki_secret_backend_issuer" "issuer" {
+  backend    = vault_mount.pki.path
+  issuer_ref = var.issuer_ref
+}
+
 resource "vault_pki_secret_backend_config_urls" "config_urls" {
  backend = vault_mount.pki.path

@ -30,4 +35,4 @@ resource "vault_pki_secret_backend_crl_config" "crl" {
  auto_rebuild           = var.auto_rebuild
  enable_delta           = var.enable_delta
  delta_rebuild_interval = var.delta_rebuild_interval
-}
+}
--- a/modules/vault_cluster/variables.tf
+++ b/modules/vault_cluster/variables.tf
@ -166,6 +166,7 @@ variable "pki_secret_backend" {
    crl_distribution_points       = optional(list(string), [])
    ocsp_servers                  = optional(list(string), [])
    enable_templating             = optional(bool, false)
+    default_issuer_ref            = optional(string)
    default_follows_latest_issuer = optional(bool, false)
    crl_expiry                    = optional(string, "72h")
    crl_disable                   = optional(bool, false)