feat(checks): add Terraform validations

gekoke · Feb 28, 2025 · f6ca9fd · f6ca9fd
1 parent 24e7381
commit f6ca9fd
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 11 deletions.
diff --git a/checks.nix b/checks.nix
@@ -3,7 +3,7 @@
   imports = [ inputs.nix-pre-commit-hooks.flakeModule ];
 
   perSystem =
-    { pkgs, ... }:
+    { lib, pkgs, ... }:
     {
       pre-commit = {
         check.enable = true;
@@ -23,6 +23,18 @@
               enable = true;
               settings.ignore = [ "tofu/.terraform/**" ];
             };
+            tofu-fmt = {
+              enable = true;
+              name = "tofu-fmt";
+              entry = "${lib.getExe pkgs.opentofu} fmt ./tofu";
+              pass_filenames = false;
+            };
+            tflint = {
+              enable = true;
+              name = "tflint";
+              entry = "${lib.getExe pkgs.tflint} --chdir ./tofu";
+              pass_filenames = false;
+            };
             gitleaks = {
               enable = true;
               name = "gitleaks";

diff --git a/dev-shells.nix b/dev-shells.nix
@@ -9,6 +9,7 @@ _: {
           nativeBuildInputs = [
             pkgs.deadnix
             pkgs.opentofu
+            pkgs.tflint
           ];
 
           shellHook = ''

diff --git a/tofu/inputs.tf b/tofu/inputs.tf
@@ -1,23 +1,23 @@
 variable "aws_access_key" {
-  type = string
-  sensitive = true
+  type        = string
+  sensitive   = true
   description = "The AWS root access key ID"
 }
 
 variable "aws_secret_key" {
-  type = string
-  sensitive = true
+  type        = string
+  sensitive   = true
   description = "The AWS root access key value"
 }
 
 variable "cloudflare_api_token" {
-  type = string
-  sensitive = true
+  type        = string
+  sensitive   = true
   description = "The Cloudflare API token with permissions: DNS:Edit"
 }
 
 variable "hcloud_token" {
-  type = string
-  sensitive = true
+  type        = string
+  sensitive   = true
   description = "The Hetzner Cloud API token for a particular project"
 }
diff --git a/tofu/providers.tf b/tofu/providers.tf
@@ -1,5 +1,11 @@
 terraform {
+  required_version = "~> 1.9.0"
+
   required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
     cloudflare = {
       source  = "cloudflare/cloudflare"
       version = "~> 5"
@@ -11,11 +17,11 @@ terraform {
 
     # Dependencies for `nixos-anywhere`
     null = {
-      source = "hashicorp/null"
+      source  = "hashicorp/null"
       version = "3.2.3"
     }
     external = {
-      source = "hashicorp/external"
+      source  = "hashicorp/external"
       version = "2.3.4"
     }
   }