From 6d84efe81e9a17f98ec8d7a0ba6351b6b7d398c0 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 16 Nov 2025 13:29:48 +1100
Subject: [PATCH 1/2] feat: add pre-commit

- ran 'pre-commit install'
- add pre-commit configuration
- test yaml + terraform related checks
- terragrunt-hcl-fmt for policy hcl files
---
.pre-commit-config.yaml | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 .pre-commit-config.yaml

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..623e022
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,12 @@
+repos:
+ - repo: https://github.com/gruntwork-io/pre-commit
+ rev: v0.1.30
+ hooks:
+ - id: terraform-fmt
+ - id: terraform-validate
+ - id: tflint
+ - id: terragrunt-hcl-fmt
+ - repo: https://github.com/adrienverge/yamllint.git
+ rev: v1.37.1
+ hooks:
+ - id: yamllint
--
2.47.3

From 5cbd5815a0229d714fc677933a983df1947c8584 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 16 Nov 2025 13:35:10 +1100
Subject: [PATCH 2/2] chore: format policy files

- ensure all policy files are correctly formatted
---
policies/auth/token/auth_token_self.hcl | 4 ++--
policies/kv/service/glauth/services/svc_vault_read.hcl | 2 +-
policies/kv/service/packer/packer_builder.hcl | 4 ++--
.../kv/service/puppet/certificates/terraform_puppet_cert.hcl | 4 ++--
policies/kv/service/puppetapi/puppetapi_read_tokens.hcl | 2 +-
policies/kv/service/terraform/incus.hcl | 2 +-
policies/kv/service/terraform/nomad.hcl | 2 +-
policies/ssh-host-signer/sshsign-host-policy.hcl | 2 +-
policies/ssh-host-signer/sshsigner.hcl | 2 +-
policies/sshca/sshca_signhost.hcl | 2 +-
10 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/policies/auth/token/auth_token_self.hcl b/policies/auth/token/auth_token_self.hcl
index 55a1157..4e80d4c 100644
--- a/policies/auth/token/auth_token_self.hcl
+++ b/policies/auth/token/auth_token_self.hcl
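Review bot: Both `rev:` values in the new .pre-commit-config.yaml pin to git tags (`v0.1.30` for gruntwork-io/pre-commit, `v1.37.1` for yamllint), and tags are mutable, so the hook code that executes on every developer commit is not actually pinned to known content. pre-commit accepts a full commit SHA in `rev:`, so resolve each tag upstream and write it as `rev: <full-commit-sha>  # v0.1.30` (same for yamllint), keeping the tag in a trailing comment so `pre-commit autoupdate` stays usable. The commit message says `pre-commit install` was run, which only installs the hook in that one clone; unless CI also runs `pre-commit run --all-files` (nothing in this patch shows that) the checks are advisory and bypassable with `--no-verify`. Separately, `terraform-validate` and `tflint` need an initialised Terraform root module to pass, and the only HCL this series touches is Vault policy files under `policies/`, so confirm those two hooks have something to run against rather than failing or silently matching nothing on first use.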
@@ -5,10 +5,10 @@ path "auth/token/lookup-self" {

 # Allow tokens to renew themselves
 path "auth/token/renew-self" {
- capabilities = ["update"]
+ capabilities = ["update"]
 }

 # Allow tokens to revoke themselves
 path "auth/token/revoke-self" {
- capabilities = ["update"]
+ capabilities = ["update"]
 }
diff --git a/policies/kv/service/glauth/services/svc_vault_read.hcl b/policies/kv/service/glauth/services/svc_vault_read.hcl
index 93300b6..e34e98d 100644
--- a/policies/kv/service/glauth/services/svc_vault_read.hcl
+++ b/policies/kv/service/glauth/services/svc_vault_read.hcl
@@ -1,3 +1,3 @@
 path "kv/data/service/glauth/services/svc_vault" {
- capabilities = ["list", "read"]
+ capabilities = ["list", "read"]
 }
diff --git a/policies/kv/service/packer/packer_builder.hcl b/policies/kv/service/packer/packer_builder.hcl
index 3f33ab3..f36d0d3 100644
--- a/policies/kv/service/packer/packer_builder.hcl
+++ b/policies/kv/service/packer/packer_builder.hcl
@@ -1,6 +1,6 @@
 path "kv/data/service/packer/builder/env" {
- capabilities = ["read"]
+ capabilities = ["read"]
 }
 path "kv/data/service/packer/builder/docker-incus-client" {
- capabilities = ["read"]
+ capabilities = ["read"]
 }
diff --git a/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl b/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl
index 6a31417..736758f 100644
--- a/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl
+++ b/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl
@@ -1,6 +1,6 @@
 path "kv/data/service/puppet/certificates/terraform" {
- capabilities = ["read"]
+ capabilities = ["read"]
 }
 path "kv/data/service/puppet/certificates/ca" {
- capabilities = ["read"]
+ capabilities = ["read"]
 }
diff --git a/policies/kv/service/puppetapi/puppetapi_read_tokens.hcl b/policies/kv/service/puppetapi/puppetapi_read_tokens.hcl
index d979cab..465a81e 100644
--- a/policies/kv/service/puppetapi/puppetapi_read_tokens.hcl
+++ b/policies/kv/service/puppetapi/puppetapi_read_tokens.hcl
@@ -1,3 +1,3 @@
 path "kv/data/service/puppetapi/tokens" {
- capabilities = ["read"]
+ capabilities = ["read"]
 }
diff --git a/policies/kv/service/terraform/incus.hcl b/policies/kv/service/terraform/incus.hcl
index 7173116..4708a89 100644
--- a/policies/kv/service/terraform/incus.hcl
+++ b/policies/kv/service/terraform/incus.hcl
@@ -1,3 +1,3 @@
 path "kv/data/service/terraform/incus" {
- capabilities = ["read"]
+ capabilities = ["read"]
 }
diff --git a/policies/kv/service/terraform/nomad.hcl b/policies/kv/service/terraform/nomad.hcl
index e9b4219..c3118ba 100644
--- a/policies/kv/service/terraform/nomad.hcl
+++ b/policies/kv/service/terraform/nomad.hcl
@@ -1,3 +1,3 @@
 path "kv/data/service/terraform/nomad" {
- capabilities = ["read"]
+ capabilities = ["read"]
 }
diff --git a/policies/ssh-host-signer/sshsign-host-policy.hcl b/policies/ssh-host-signer/sshsign-host-policy.hcl
index 5127e62..7709b99 100644
--- a/policies/ssh-host-signer/sshsign-host-policy.hcl
+++ b/policies/ssh-host-signer/sshsign-host-policy.hcl
@@ -1,3 +1,3 @@
 path "ssh-host-signer/sign/hostrole" {
- capabilities = ["create", "update"]
+ capabilities = ["create", "update"]
 }
diff --git a/policies/ssh-host-signer/sshsigner.hcl b/policies/ssh-host-signer/sshsigner.hcl
index 5127e62..7709b99 100644
--- a/policies/ssh-host-signer/sshsigner.hcl
+++ b/policies/ssh-host-signer/sshsigner.hcl
@@ -1,3 +1,3 @@
 path "ssh-host-signer/sign/hostrole" {
- capabilities = ["create", "update"]
+ capabilities = ["create", "update"]
 }
diff --git a/policies/sshca/sshca_signhost.hcl b/policies/sshca/sshca_signhost.hcl
index 58b104b..436eea1 100644
--- a/policies/sshca/sshca_signhost.hcl
+++ b/policies/sshca/sshca_signhost.hcl
@@ -1,3 +1,3 @@
 path "sshca/sign/host" {
- capabilities = ["create", "update"]
+ capabilities = ["create", "update"]
 }
--
2.47.3