Operations

Using Pre‑commit Hooks with Terraform for Automated Code Quality Checks

This article explains how to set up and use pre‑commit hooks for Terraform, covering the purpose of pre‑commit checks, a list of popular Terraform‑specific hooks, step‑by‑step installation instructions, and how they improve code quality, security, and CI efficiency.

DevOps Cloud Academy

In the rapidly evolving tech landscape, ensuring code quality and security is essential, yet manually running checks before each commit can be tedious. This article introduces pre‑commit hooks—a powerful tool that automatically runs code quality checks such as linting, security scanning, and formatting before code is committed.

Terraform, an open‑source infrastructure‑as‑code (IaC) tool, benefits greatly from these hooks, which help maintain high‑quality, secure configurations ready for deployment.

The article lists the most popular Terraform‑related pre‑commit hooks, including:

terraform‑docs – validates documentation in Terraform files.

tflint – performs thorough linting to catch errors.

tfsec – scans for potential security vulnerabilities.

checkov – evaluates configurations against security best‑practice rules.

terrascan – checks compliance with security standards.

infracost – estimates cost impact of Terraform runs.

tfupdate – keeps provider versions up to date.

hcledit – improves readability and maintainability.

jq – flexible JSON processor for Terraform files.

Terragrunt – wrapper for DRY configurations and remote state management.

Terraform Validate – native command to validate configuration syntax.

Terraform Fmt – formats Terraform code according to style conventions.

To install and configure pre‑commit hooks globally for Terraform, follow these steps:

DIR=~/.git-template
git config --global init.templateDir ${DIR}
pre-commit init-templatedir -t pre-commit ${DIR}

If using a Docker image, this step can be skipped. Next, add a .pre-commit-config.yaml file to your repository with the desired hooks. An example configuration is shown below:

git init
cat <<EOF > .pre-commit-config.yaml
default_install_hook_types:
  - pre-commit
  - commit-msg

repos:
  # BASIC CONF FOR ALL PRE-COMMITS REPO TYPE
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      - id: trailing-whitespace
        stages: [commit]
      - id: end-of-file-fixer
        exclude: /secrets
        stages: [commit]
      - id: check-added-large-files
        stages: [commit]
      - id: check-yaml
        args:
          - '--allow-multiple-documents'
        exclude: /templates|/secrets
        stages: [commit]
      - id: check-json
        stages: [commit]
      - id: check-toml
        stages: [commit]
      - id: check-shebang-scripts-are-executable
        stages: [commit]

  - repo: https://github.com/compilerla/conventional-pre-commit
    rev: v2.1.1
    hooks:
      - id: conventional-pre-commit
        stages: [commit-msg]

  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.16.1
    hooks:
      - id: gitleaks

  # SPECIFIC CONF FOR TERRAFORM MODULE REPOSITORIES
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.77.1
    hooks:
      - id: terraform_fmt
        args:
          - --args=-diff
          - --args=-write=true
        stages: [commit]
      - id: terraform_docs
        stages: [commit]
      - id: terraform_tflint
        files: \.tf$
        args:
          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
        stages: [commit]
      - id: terraform_tfsec
        files: \.tf$
        args:
          - --args=--config-file=__GIT_WORKING_DIR__/.tfsec.yml
          - --var-file tests/terraform.tfvars
        stages: [commit]
EOF

Replace each rev value (the <VERSION> placeholder) with the latest release available from the listed repository URLs. After configuring, run the hooks manually or install them globally. To execute all hooks at once against every file in the repository, use:

pre-commit run -a
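Because every hook repository listed under repos is code that pre-commit clones and runs on each commit, the rev values deserve a check of their own: a rev that points at a branch such as main runs whatever is pushed there next, while a release tag keeps the hook code fixed until someone deliberately bumps it. The following Python script is an added example (not code from the article or from the pre-commit project) that applies two policies to a .pre-commit-config.yaml before it is trusted: every remote repo must be pinned to a release tag, and the hook ids that carry the security checks in the configuration above (gitleaks, terraform_fmt, terraform_tflint, terraform_tfsec) must be present. It uses a small line-oriented reader for the repo/rev/id lines rather than a YAML library, and the two embedded configurations are constructed for the example, one with a branch-tracking rev and a missing tfsec hook, one corrected.

```python
"""Policy check for a .pre-commit-config.yaml (added example, not from the article).

Reads only the `- repo:`, `rev:` and `- id:` lines of the config with a
line-oriented parser (no YAML library needed for this subset) and enforces:

  1. every remote hook repo is pinned to a release tag such as v4.4.0, never
     to a moving ref (main, master, HEAD), so hook code cannot change
     underneath the team between commits;
  2. the hook ids that carry the security checks are actually configured.
"""
import re

# Hook ids we require; these names come from the article's configuration.
REQUIRED_HOOK_IDS = {"gitleaks", "terraform_fmt", "terraform_tflint", "terraform_tfsec"}

TAG_RE = re.compile(r"^v?\d+(\.\d+)+$")          # release tag, e.g. v8.16.1
REPO_RE = re.compile(r"^\s*-\s*repo:\s*(\S+)\s*$")
REV_RE = re.compile(r"^\s*rev:\s*(\S+)\s*$")
ID_RE = re.compile(r"^\s*-\s*id:\s*(\S+)\s*$")

# Constructed sample: tracks a branch for gitleaks and omits terraform_tfsec.
WEAK_CONFIG = """\
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: main            # branch: whatever lands on main runs on every commit
    hooks:
      - id: gitleaks
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.77.1
    hooks:
      - id: terraform_fmt
      - id: terraform_tflint
"""

# Constructed sample: pinned tags, all required hooks, plus a local hook
# (local repos have no rev, so the pinning rule does not apply to them).
HARDENED_CONFIG = """\
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.16.1
    hooks:
      - id: gitleaks
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.77.1
    hooks:
      - id: terraform_fmt
      - id: terraform_tflint
      - id: terraform_tfsec
  - repo: local
    hooks:
      - id: terraform-validate
        name: terraform validate
        entry: terraform validate
        language: system
        files: \\.tf$
"""


def parse_config(text):
    """Return a list of {"repo", "rev", "hooks"} dicts, one per repo entry."""
    repos = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments (no value in this subset contains '#')
        m = REPO_RE.match(line)
        if m:
            repos.append({"repo": m.group(1), "rev": None, "hooks": []})
            continue
        if not repos:
            continue                           # lines before the first repo (e.g. default_install_hook_types)
        m = REV_RE.match(line)
        if m:
            repos[-1]["rev"] = m.group(1).strip("'\"")
            continue
        m = ID_RE.match(line)
        if m:
            repos[-1]["hooks"].append(m.group(1))
    return repos


def check_config(text):
    """Return a sorted list of policy violations; an empty list means the config passes."""
    problems = []
    seen_ids = set()
    for entry in parse_config(text):
        repo, rev = entry["repo"], entry["rev"]
        if repo not in ("local", "meta"):      # only remote repos are cloned, so only they need a pin
            if rev is None:
                problems.append(f"{repo}: missing rev")
            elif not TAG_RE.match(rev):
                problems.append(f"{repo}: rev {rev!r} is not a release tag")
        seen_ids.update(entry["hooks"])
    for hook_id in sorted(REQUIRED_HOOK_IDS - seen_ids):
        problems.append(f"required hook {hook_id!r} not configured")
    return sorted(problems)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", check_config(cfg) or "OK")
```

Running the script reports the branch-tracking rev and the missing tfsec hook for the weak configuration and OK for the hardened one; the same check run on a real repository's .pre-commit-config.yaml (read from disk instead of the embedded strings) is a cheap gate to put in CI alongside pre-commit itself, so that a hook pin cannot quietly drift back to a branch.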

By integrating pre‑commit hooks, you can seamlessly combine various open‑source and native Terraform tools into a unified automated workflow, shifting code‑quality responsibility to the hooks, reducing downstream CI workload, and enabling faster identification and resolution of issues, resulting in cleaner pull requests and shorter review times.

Written by DevOps Cloud Academy. Exploring industry DevOps practices and technical expertise.