bazel: add terrafrom to //:check and //:generate

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

bazel/ci/BUILD.bazel

@@ -131,6 +131,40 @@ sh_template(
     template = "tfsec.sh.in",
 )
 
+alias(
+    name = "com_github_hashicorp_terraform",
+    actual = select({
+        "@io_bazel_rules_go//go/platform:darwin_amd64": "@com_github_hashicorp_terraform_darwin_amd64//:terraform_bin",
+        "@io_bazel_rules_go//go/platform:darwin_arm64": "@com_github_hashicorp_terraform_darwin_arm64//:terraform_bin",
+        "@io_bazel_rules_go//go/platform:linux_amd64": "@com_github_hashicorp_terraform_linux_amd64//:terraform_bin",
+        "@io_bazel_rules_go//go/platform:linux_arm64": "@com_github_hashicorp_terraform_linux_arm64//:terraform_bin",
+    }),
+)
+
+sh_template(
+    name = "terraform_gen",
+    data = [
+        ":com_github_hashicorp_terraform",
+    ],
+    substitutions = {
+        "@@MODE@@": "generate",
+        "@@TERRAFORM@@": "$(rootpath :com_github_hashicorp_terraform)",
+    },
+    template = "tf.sh.in",
+)
+
+sh_template(
+    name = "terraform_check",
+    data = [
+        ":com_github_hashicorp_terraform",
+    ],
+    substitutions = {
+        "@@MODE@@": "check",
+        "@@TERRAFORM@@": "$(rootpath :com_github_hashicorp_terraform)",
+    },
+    template = "tf.sh.in",
+)
+
 multirun(
     name = "tidy",
     commands = [
@@ -151,6 +185,7 @@ multirun(
     commands = [
         ":gazelle_check",
         ":buildifier_check",
+        ":terraform_check",
     ] + select({
         "@io_bazel_rules_go//go/platform:darwin_arm64": [
             ":shellcheck_noop_warning",
@@ -164,3 +199,12 @@ multirun(
     jobs = 1,  # execute sequentially
     visibility = ["//visibility:public"],
 )
+
+multirun(
+    name = "generate",
+    commands = [
+        ":terraform_gen",
+    ],
+    jobs = 1,  # execute sequentially
+    visibility = ["//visibility:public"],
+)

bazel/ci/tf.sh.in

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+terraform=$(realpath @@TERRAFORM@@) || exit 1
+mode="@@MODE@@" || exit 1
+
+# shellcheck source=../sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+
+readarray -t <<< "$(
+  find "$(pwd)" -type f -name "*.tf" -exec dirname "{}" \; |
+    sort -ud
+)"
+terraformPaths=("${MAPFILE[@]}")
+terraformModules=()
+pathPrefix="${terraformPaths[0]}"
+for ((i = 1; i < ${#terraformPaths[@]}; i++)); do
+  path="${terraformPaths[i]}"
+  if [[ ${path} == "${pathPrefix}"* ]]; then
+    continue
+  fi
+  terraformModules+=("${pathPrefix}")
+  pathPrefix="${path}"
+done
+
+excludeDirs=(
+  "build"
+)
+
+echo "The following Terraform modules are excluded and won't be tidied:"
+for exclude in "${excludeDirs[@]}"; do
+  for i in "${!terraformModules[@]}"; do
+    if [[ ${terraformModules[i]} == "${BUILD_WORKSPACE_DIRECTORY}/${exclude}"* ]]; then
+      echo "  ${terraformModules[i]}"
+      unset 'terraformModules[i]'
+    fi
+  done
+done
+
+case ${mode} in
+"check")
+  echo "Checking validity and format of the following Terraform modules:"
+  for script in "${terraformModules[@]}"; do
+    echo "  ${script}"
+  done
+  echo "This may take a minute..."
+  for module in "${terraformModules[@]}"; do
+    ${terraform} -chdir="${module}" init > /dev/null
+    ${terraform} -chdir="${module}" fmt -check -recursive > /dev/null
+    ${terraform} -chdir="${module}" validate > /dev/null
+    rm -rf "${module}/.terraform"
+  done
+  ;;
+
+"generate")
+  echo "Formatting and generating lock files for the following Terraform modules:"
+  for script in "${terraformModules[@]}"; do
+    echo "  ${script}"
+  done
+  echo "This may take 5-10 min..."
+  for module in "${terraformModules[@]}"; do
+    ${terraform} -chdir="${module}" init > /dev/null
+    ${terraform} -chdir="${module}" providers lock -platform=linux_arm64 > /dev/null
+    ${terraform} -chdir="${module}" providers lock -platform=linux_amd64 > /dev/null
+    ${terraform} -chdir="${module}" providers lock -platform=darwin_arm64 > /dev/null
+    ${terraform} -chdir="${module}" providers lock -platform=darwin_amd64 > /dev/null
+    ${terraform} -chdir="${module}" providers lock -platform=windows_amd64 > /dev/null
+    ${terraform} -chdir="${module}" fmt -recursive > /dev/null
+    rm -rf "${module}/.terraform"
+  done
+  ;;
+
+*)
+  echo "Error: unknown mode \"${mode}\""
+  exit 1
+  ;;
+esac

bazel/toolchains/BUILD.terraform.bazel

@@ -0,0 +1,8 @@
+genrule(
+    name = "terraform_bin",
+    srcs = ["terraform"],
+    outs = ["terraform_bin_out"],
+    cmd = "cp $< $@",  # Copy the binary to the output directory.
+    executable = True,
+    visibility = ["//visibility:public"],
+)

bazel/toolchains/ci_deps.bzl

@@ -3,7 +3,9 @@
 load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
 def ci_deps():
+    """Install CI dependencies"""
     _shellcheck_deps()
+    _terraform_deps()
 
 def _shellcheck_deps():
     http_archive(
@@ -31,3 +33,37 @@ def _shellcheck_deps():
         strip_prefix = "shellcheck-v0.9.0",
         build_file = "//bazel/toolchains:BUILD.shellcheck.bazel",
     )
+
+def _terraform_deps():
+    http_archive(
+        name = "com_github_hashicorp_terraform_linux_amd64",
+        build_file = "//bazel/toolchains:BUILD.terraform.bazel",
+        urls = [
+            "https://releases.hashicorp.com/terraform/1.4.2/terraform_1.4.2_linux_amd64.zip",
+        ],
+        sha256 = "9f3ca33d04f5335472829d1df7785115b60176d610ae6f1583343b0a2221a931",
+    )
+    http_archive(
+        name = "com_github_hashicorp_terraform_linux_arm64",
+        build_file = "//bazel/toolchains:BUILD.terraform.bazel",
+        urls = [
+            "https://releases.hashicorp.com/terraform/1.4.2/terraform_1.4.2_linux_arm64.zip",
+        ],
+        sha256 = "39c182670c4e63e918e0a16080b1cc47bb16e158d7da96333d682d6a9cb8eb91",
+    )
+    http_archive(
+        name = "com_github_hashicorp_terraform_darwin_amd64",
+        build_file = "//bazel/toolchains:BUILD.terraform.bazel",
+        urls = [
+            "https://releases.hashicorp.com/terraform/1.4.2/terraform_1.4.2_darwin_amd64.zip",
+        ],
+        sha256 = "c218a6c0ef6692b25af16995c8c7bdf6739e9638fef9235c6aced3cd84afaf66",
+    )
+    http_archive(
+        name = "com_github_hashicorp_terraform_darwin_arm64",
+        build_file = "//bazel/toolchains:BUILD.terraform.bazel",
+        urls = [
+            "https://releases.hashicorp.com/terraform/1.4.2/terraform_1.4.2_darwin_arm64.zip",
+        ],
+        sha256 = "af8ff7576c8fc41496fdf97e9199b00d8d81729a6a0e821eaf4dfd08aa763540",
+    )