antonbabenko · MaxymVlasov · Jul 5, 2022 · Jul 5, 2022 · Jul 5, 2022 · Jul 5, 2022
diff --git a/README.md b/README.md
@@ -37,6 +37,7 @@ If you are using `pre-commit-terraform` already or want to support its developme
 * [Available Hooks](#available-hooks)
 * [Hooks usage notes and examples](#hooks-usage-notes-and-examples)
   * [All hooks: Usage of environment variables in `--args`](#all-hooks-usage-of-environment-variables-in---args)
+  * [All hooks: Set env vars inside hook runtime](#all-hooks-set-env-vars-inside-hook-runtime)
   * [checkov (deprecated) and terraform_checkov](#checkov-deprecated-and-terraform_checkov)
   * [infracost_breakdown](#infracost_breakdown)
   * [terraform_docs](#terraform_docs)
@@ -283,6 +284,22 @@ Config example:
 
 If for config above set up `export CONFIG_NAME=.tflint; export CONFIG_EXT=hcl` before `pre-commit run`, args will be expanded to `--config=.tflint.hcl --module`.
 
+### All hooks: Set env vars inside hook runtime
+
+> All, except deprecated hooks: `checkov`, `terraform_docs_replace`
+
+You can specify environment variables that will be passed to the hook runtime.
+
+Config example:
+
+```yaml
+- id: terraform_validate
+  args:
+    - --envs=AWS_DEFAULT_REGION="us-west-2"
+    - --envs=AWS_ACCESS_KEY_ID="anaccesskey"
+    - --envs=AWS_SECRET_ACCESS_KEY="asecretkey"
+```
+
 ### checkov (deprecated) and terraform_checkov
 
 > `checkov` hook is deprecated, please use `terraform_checkov`.
@@ -614,25 +631,15 @@ Example:
          - --args=-no-color
     ```
 
-2. `terraform_validate` also supports custom environment variables passed to the pre-commit runtime:
-
-    ```yaml
-    - id: terraform_validate
-      args:
-        - --envs=AWS_DEFAULT_REGION="us-west-2"
-        - --envs=AWS_ACCESS_KEY_ID="anaccesskey"
-        - --envs=AWS_SECRET_ACCESS_KEY="asecretkey"
-    ```
-
-3. `terraform_validate` also supports passing custom arguments to its `terraform init`:
+2. `terraform_validate` also supports passing custom arguments to its `terraform init`:
 
     ```yaml
     - id: terraform_validate
       args:
         - --tf-init-args=-lockfile=readonly
     ```
 
-4. It may happen that Terraform working directory (`.terraform`) already exists but not in the best condition (eg, not initialized modules, wrong version of Terraform, etc.). To solve this problem, you can find and delete all `.terraform` directories in your repository:
+3. It may happen that Terraform working directory (`.terraform`) already exists but not in the best condition (eg, not initialized modules, wrong version of Terraform, etc.). To solve this problem, you can find and delete all `.terraform` directories in your repository:
 
     ```bash
     echo "
@@ -648,7 +655,7 @@ Example:
 
     **Warning:** If you use Terraform workspaces, DO NOT use this workaround ([details](https://github.com/antonbabenko/pre-commit-terraform/issues/203#issuecomment-918791847)). Wait to [`force-init`](https://github.com/antonbabenko/pre-commit-terraform/issues/224) option implementation.
 
-5. `terraform_validate` in a repo with Terraform module, written using Terraform 0.15+ and which uses provider `configuration_aliases` ([Provider Aliases Within Modules](https://www.terraform.io/language/modules/develop/providers#provider-aliases-within-modules)), errors out.
+4. `terraform_validate` in a repo with Terraform module, written using Terraform 0.15+ and which uses provider `configuration_aliases` ([Provider Aliases Within Modules](https://www.terraform.io/language/modules/develop/providers#provider-aliases-within-modules)), errors out.
 
    When running the hook against Terraform code where you have provider `configuration_aliases` defined in a `required_providers` configuration block, terraform will throw an error like:
    >

diff --git a/hooks/_common.sh b/hooks/_common.sh
@@ -26,6 +26,8 @@ function common::initialize {
 #   ARGS (array) arguments that configure wrapped tool behavior
 #   HOOK_CONFIG (array) arguments that configure hook behavior
 #   TF_INIT_ARGS (array) arguments for `terraform init` command
+#   ENVS (array) environment variables that will be with all
+#     3rd-party tools that will read them.
 #   FILES (array) filenames to check
 # Arguments:
 #   $@ (array) all specified in `hooks.[].args` in
@@ -37,9 +39,11 @@ function common::parse_cmdline {
   ARGS=() HOOK_CONFIG=() FILES=()
   # Used inside `common::terraform_init` function
   TF_INIT_ARGS=()
+  # Used inside `common::export_provided_env_vars` function
+  ENVS=()
 
   local argv
-  argv=$(getopt -o a:,h:,i: --long args:,hook-config:,init-args:,tf-init-args: -- "$@") || return
+  argv=$(getopt -o a:,h:,i:,e: --long args:,hook-config:,init-args:,tf-init-args:,envs: -- "$@") || return
   eval "set -- $argv"
 
   for argv; do
@@ -60,6 +64,11 @@ function common::parse_cmdline {
         TF_INIT_ARGS+=("$1")
         shift
         ;;
+      -e | --envs)
+        shift
+        ENVS+=("$1")
+        shift
+        ;;
       --)
         shift
         # shellcheck disable=SC2034 # Variable is used
@@ -270,3 +279,25 @@ function common::terraform_init {
 
   return $exit_code
 }
+
+#######################################################################
+# Export provided K/V as environment variables.
+# Arguments:
+#   env_vars (array) environment variables that will be with all
+#     3rd-party tools that will read them.
+#######################################################################
+function common::export_provided_env_vars {
+  local -a -r env_vars=("$@")
+
+  local var
+  local var_name
+  local var_value
+
+  for var in "${env_vars[@]}"; do
+    var_name="${var%%=*}"
+    var_value="${var#*=}"
+    # shellcheck disable=SC2086
+    export $var_name="$var_value"
+  done
+  exit 1
+}
diff --git a/hooks/infracost_breakdown.sh b/hooks/infracost_breakdown.sh
@@ -10,6 +10,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   infracost_breakdown_ "${HOOK_CONFIG[*]}" "${ARGS[*]}"

diff --git a/hooks/terraform_checkov.sh b/hooks/terraform_checkov.sh
@@ -10,6 +10,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
   # Support for setting PATH to repo root.
   # shellcheck disable=SC2178 # It's the simplest syntax for that case

diff --git a/hooks/terraform_docs.sh b/hooks/terraform_docs.sh
@@ -13,6 +13,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
   # Support for setting relative PATH to .terraform-docs.yml config.
   # shellcheck disable=SC2178 # It's the simplest syntax for that case

diff --git a/hooks/terraform_fmt.sh b/hooks/terraform_fmt.sh
@@ -10,6 +10,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"

diff --git a/hooks/terraform_providers_lock.sh b/hooks/terraform_providers_lock.sh
@@ -11,6 +11,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"

diff --git a/hooks/terraform_tflint.sh b/hooks/terraform_tflint.sh
@@ -11,6 +11,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
   # Support for setting PATH to repo root.
   # shellcheck disable=SC2178 # It's the simplest syntax for that case

diff --git a/hooks/terraform_tfsec.sh b/hooks/terraform_tfsec.sh
@@ -10,6 +10,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
   # Support for setting PATH to repo root.
   # shellcheck disable=SC2178 # It's the simplest syntax for that case

diff --git a/hooks/terraform_validate.sh b/hooks/terraform_validate.sh
@@ -12,73 +12,13 @@ export AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-us-east-1}
 
 function main {
   common::initialize "$SCRIPT_DIR"
-  parse_cmdline_ "$@"
+  common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
-
-  # Export provided env var K/V pairs to environment
-  local var var_name var_value
-  for var in "${ENVS[@]}"; do
-    var_name="${var%%=*}"
-    var_value="${var#*=}"
-    # shellcheck disable=SC2086
-    export $var_name="$var_value"
-  done
-
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
 }
 
-#######################################################################
-# Parse args and filenames passed to script and populate respective
-# global variables with appropriate values
-# Globals (init and populate):
-#   ARGS (array) arguments that configure wrapped tool behavior
-#   HOOK_CONFIG (array) arguments that configure hook behavior
-#   TF_INIT_ARGS (array) arguments to `terraform init` command
-#   ENVS (array) environment variables that will be used with
-#     `terraform` commands
-#   FILES (array) filenames to check
-# Arguments:
-#   $@ (array) all specified in `hooks.[].args` in
-#     `.pre-commit-config.yaml` and filenames.
-#######################################################################
-function parse_cmdline_ {
-  declare argv
-  argv=$(getopt -o e:i:a:h: --long envs:,tf-init-args:,init-args:,args: -- "$@") || return
-  eval "set -- $argv"
-
-  for argv; do
-    case $argv in
-      -a | --args)
-        shift
-        ARGS+=("$1")
-        shift
-        ;;
-      -h | --hook-config)
-        shift
-        HOOK_CONFIG+=("$1;")
-        shift
-        ;;
-      # TODO: Planned breaking change: remove `--init-args` as not self-descriptive
-      -i | --init-args | --tf-init-args)
-        shift
-        TF_INIT_ARGS+=("$1")
-        shift
-        ;;
-      -e | --envs)
-        shift
-        ENVS+=("$1")
-        shift
-        ;;
-      --)
-        shift
-        FILES=("$@")
-        break
-        ;;
-    esac
-  done
-}
-
 #######################################################################
 # Unique part of `common::per_dir_hook`. The function is executed in loop
 # on each provided dir path. Run wrapped tool with specified arguments
@@ -120,7 +60,4 @@ function per_dir_hook_unique_part {
   return $exit_code
 }
 
-# global arrays
-declare -a ENVS
-
 [ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"
diff --git a/hooks/terraform_wrapper_module_for_each.sh b/hooks/terraform_wrapper_module_for_each.sh
@@ -10,6 +10,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
 
   check_dependencies

diff --git a/hooks/terragrunt_fmt.sh b/hooks/terragrunt_fmt.sh
@@ -10,6 +10,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"

diff --git a/hooks/terragrunt_validate.sh b/hooks/terragrunt_validate.sh
@@ -10,6 +10,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"

diff --git a/hooks/terrascan.sh b/hooks/terrascan.sh
@@ -10,6 +10,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"

diff --git a/hooks/tfupdate.sh b/hooks/tfupdate.sh
@@ -10,6 +10,7 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
+  common::export_provided_env_vars "${ENVS[@]}"
   common::parse_and_export_env_vars
   # shellcheck disable=SC2153 # False positive
   common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"