From f6ca9fd405ddde71fd99c950787ecbdf965cac51 Mon Sep 17 00:00:00 2001
From: Gregor Grigorjan
Date: Fri, 28 Feb 2025 10:01:27 +0200
Subject: [PATCH] feat(checks): add Terraform validations
---
 checks.nix | 14 +++++++++++++-
 dev-shells.nix | 1 +
 tofu/inputs.tf | 16 ++++++++--------
 tofu/providers.tf | 10 ++++++++--
 4 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/checks.nix b/checks.nix
index bbfb0bb..5f19791 100644
--- a/checks.nix
+++ b/checks.nix
@@ -3,7 +3,7 @@
 imports = [ inputs.nix-pre-commit-hooks.flakeModule ];
 perSystem =
- { pkgs, ... }:
+ { lib, pkgs, ... }:
 {
 pre-commit = {
 check.enable = true;
@@ -23,6 +23,18 @@
 enable = true;
 settings.ignore = [ "tofu/.terraform/**" ];
 };
+ tofu-fmt = {
+ enable = true;
+ name = "tofu-fmt";
+ entry = "${lib.getExe pkgs.opentofu} fmt ./tofu";
+ pass_filenames = false;
+ };
+ tflint = {
+ enable = true;
+ name = "tflint";
+ entry = "${lib.getExe pkgs.tflint} --chdir ./tofu";
+ pass_filenames = false;
+ };
 gitleaks = {
 enable = true;
 name = "gitleaks";
diff --git a/dev-shells.nix b/dev-shells.nix
index 6f288ed..ac65d42 100644
--- a/dev-shells.nix
+++ b/dev-shells.nix
@@ -9,6 +9,7 @@ _: {
 nativeBuildInputs = [
 pkgs.deadnix
 pkgs.opentofu
+ pkgs.tflint
 ];
 shellHook = ''
diff --git a/tofu/inputs.tf b/tofu/inputs.tf
index 0f4d328..2c341b3 100644
--- a/tofu/inputs.tf
+++ b/tofu/inputs.tf
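Review bot: The two new hooks in the second checks.nix hunk run on every commit regardless of which files changed, because `pass_filenames = false` is set without any `files` filter; adding `files = "\\.tf$";` to both `tofu-fmt` and `tflint` scopes them to Terraform changes. The `tofu-fmt` entry also rewrites files in place rather than reporting, so a formatting problem surfaces as "files were modified" rather than as an explicit diagnostic; `entry = "${lib.getExe pkgs.opentofu} fmt -check -diff ./tofu";` fails loudly and leaves the working tree untouched. Since `check.enable = true` also runs these hooks inside the flake check, where the Nix build sandbox has no network, it is worth confirming that tflint still covers what is intended there if its configuration depends on provider rulesets normally fetched by `tflint --init`; that configuration is not visible in this patch.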
@@ -1,23 +1,23 @@
 variable "aws_access_key" {
- type = string
- sensitive = true
+ type = string
+ sensitive = true
 description = "The AWS root access key ID"
 }
 variable "aws_secret_key" {
- type = string
- sensitive = true
+ type = string
+ sensitive = true
 description = "The AWS root access key value"
 }
 variable "cloudflare_api_token" {
- type = string
- sensitive = true
+ type = string
+ sensitive = true
 description = "The Cloudflare API token with permissions: DNS:Edit"
 }
 variable "hcloud_token" {
- type = string
- sensitive = true
+ type = string
+ sensitive = true
 description = "The Hetzner Cloud API token for a particular project"
 }
diff --git a/tofu/providers.tf b/tofu/providers.tf
index bfd4fa1..95a8a52 100644
--- a/tofu/providers.tf
+++ b/tofu/providers.tf
@@ -1,5 +1,11 @@
 terraform {
+ required_version = "~> 1.9.0"
+
 required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
 cloudflare = {
 source = "cloudflare/cloudflare"
 version = "~> 5"
@@ -11,11 +17,11 @@ terraform {
 # Dependencies for `nixos-anywhere`
 null = {
- source = "hashicorp/null"
+ source = "hashicorp/null"
 version = "3.2.3"
 }
 external = {
- source = "hashicorp/external"
+ source = "hashicorp/external"
 version = "2.3.4"
 }
 }
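Review bot: The new `aws` block in the first providers.tf hunk uses a floating constraint `version = "~> 5.0"`, while `null` and `external` in the following hunk are pinned to exact versions, so the aws provider is the one dependency whose resolved version can move between runs unless a committed `.terraform.lock.hcl` holds it; this patch does not show that lockfile, so it is worth confirming it is tracked in the repository. The added `required_version = "~> 1.9.0"` constrains the core binary to the 1.9 series but does not say which tool it targets, and since this project runs OpenTofu (see the `pkgs.opentofu` entries in checks.nix and dev-shells.nix) a one-line comment such as `# Core version constraint; this project is applied with OpenTofu, not Terraform` above it would spare the next reader the guess.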