Enable terraform validate pre-commit hook

[dav3r]

🗣 Description

This PR enables the terraform validate pre-commit hook.

💭 Motivation and context

That pre-commit hook had been disabled in all of our repositories because of issues related to proxy providers and Terraform code that uses remote state. We believe that those issues (see hashicorp/terraform#24887 and hashicorp/terraform#24896) have been corrected in Terraform 0.13.x, which we are in the process of migrating to, so this hook should now work as expected in most, if not all of our repos.

This PR will remain blocked until the following conditions have been met:

• All of our repositories that use Terraform have been successfully updated to use Terraform 0.13.x.
• All of our deployed Terraform states have been updated to Terraform 0.13.x. It is important to note that we cannot update any Terraform states to 0.14.x until they successfully apply with 0.13.x first.
• Update to Terraform 0.13 setup-env-github-action#37 has been approved and merged.

This PR is a part of cisagov/cool-system#94.

Similar PRs are:

• Support Terraform 0.13 skeleton-tf-module#57
• Support Terraform 0.13 skeleton-packer#82
• Support Terraform 0.13 skeleton-ansible-role-with-test-user#24

🧪 Testing

I verified that running terraform validate with Terraform 0.13.7 works without any errors in this repository. I also confirmed that all pre-commit hooks (including the newly-enabled terraform validate hook) run successfully.

After I confirmed that pre-commit with Terraform 0.13.7 ran successfully in GitHub Actions via 6a7fbf0, I reverted that commit (see b51dbb5) in preparation for when this PR becomes unblocked at the end of downstream testing.

Further testing will be done in all downstream repositories.

✅ Checklist

• This PR has an informative and human-readable title.
• Changes are limited to a single goal - eschew scope creep!
• All relevant type-of-change labels have been added.
• I have read the CONTRIBUTING document.
• These code changes follow cisagov code standards.
• All new and existing tests pass.

[jsf9k]

I look forward to the day when terraform validate is again looking out for us.

[mcdonnnj]

This makes sense. I think we should remove

skeleton-generic/.github/workflows/build.yml

Lines 87 to 93 in 6a7fbf0

	- name: Find and initialize Terraform directories
	run: |
	for path in $(find . -not \( -type d -name ".terraform" -prune \) \
	-type f -iname "*.tf" -exec dirname "{}" \; | sort -u); do \
	echo "Initializing '$path'..."; \
	terraform init -input=false -backend=false "$path"; \
	done

from the workflow because this is handled by the terraform_validate hook per these lines.

[dav3r]

This makes sense. I think we should remove

skeleton-generic/.github/workflows/build.yml

Lines 87 to 93 in 6a7fbf0

	- name: Find and initialize Terraform directories
	run: |
	for path in $(find . -not \( -type d -name ".terraform" -prune \) \
	-type f -iname "*.tf" -exec dirname "{}" \; | sort -u); do \
	echo "Initializing '$path'..."; \
	terraform init -input=false -backend=false "$path"; \
	done

from the workflow because this is handled by the terraform_validate hook per these lines.

Good call- I had forgotten about that! See 895a692.

[dav3r]

@mcdonnnj - please review this when you can.

[mcdonnnj]

Since it doesn't seem to barf in this branch, do we want to add

  - package-ecosystem: "terraform"
    directory: "/"
    schedule:
      interval: "weekly"

to .github/dependabot.yml since we are hitting the minimum version of Terraform needed to support Dependabot alerts? This would resolve cisagov/skeleton-tf-module#59 downstream and also cover (with modification of the directory when doing PRs) the same need in cisagov/skeleton-packer and cisagov/skeleton-ansible-role-with-test-user.

[dav3r]

Since it doesn't seem to barf in this branch, do we want to add

  - package-ecosystem: "terraform"
    directory: "/"
    schedule:
      interval: "weekly"

to .github/dependabot.yml since we are hitting the minimum version of Terraform needed to support Dependabot alerts? This would resolve cisagov/skeleton-tf-module#59 downstream and also cover (with modification of the directory when doing PRs) the same need in cisagov/skeleton-packer and cisagov/skeleton-ansible-role-with-test-user.

My gut says to push that dependabot change to an upcoming Kraken and separate it from this TF 0.13 business. What do you think?

[mcdonnnj]

Since it doesn't seem to barf in this branch, do we want to add

  - package-ecosystem: "terraform"
    directory: "/"
    schedule:
      interval: "weekly"

to .github/dependabot.yml since we are hitting the minimum version of Terraform needed to support Dependabot alerts? This would resolve cisagov/skeleton-tf-module#59 downstream and also cover (with modification of the directory when doing PRs) the same need in cisagov/skeleton-packer and cisagov/skeleton-ansible-role-with-test-user.

My gut says to push that dependabot change to an upcoming Kraken and separate it from this TF 0.13 business. What do you think?

I'm ok with that. I only mentioned it because I would also be willing to consider it part of Terraform 0.13 jazz.

[dav3r]

My gut says to push that dependabot change to an upcoming Kraken and separate it from this TF 0.13 business. What do you think?

I'm ok with that. I only mentioned it because I would also be willing to consider it part of Terraform 0.13 jazz.

👍 Please reference this PR when you create a new PR with that dependabot change and we will decide when it makes the most sense to roll that one out.