From 7d9e805da23859ecde6f63bbe42ad235af50bcb4 Mon Sep 17 00:00:00 2001
From: Stefan Hattrell <29941279+digorgonzola@users.noreply.github.com>
Date: Thu, 1 May 2025 11:54:18 +1000
Subject: [PATCH 1/8] chore: add .pre-commit-config.yaml
---
 .pre-commit-config.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .pre-commit-config.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..e0edc0d
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,27 @@
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v5.0.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ - id: check-added-large-files
+ # Security
+ - id: detect-private-key
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.25.1
+ hooks:
+ - id: gitleaks
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.99.0
+ hooks:
+ - id: terraform_fmt
+ - id: terragrunt_fmt
+ - id: terraform_trivy
+ args:
+ - --hook-config=--parallelism-ci-cpu-cores=1
+ - --args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore
+ - id: terraform_docs
+ args:
+ - --args=--config=.tfdocs-config.yml
+ - --hook-config=--create-file-if-not-exist=true
From 24682dbb10872ad48bd612846f33759edf7cc668 Mon Sep 17 00:00:00 2001
From: Stefan Hattrell <29941279+digorgonzola@users.noreply.github.com>
Date: Thu, 1 May 2025 12:04:38 +1000
Subject: [PATCH 2/8] chore: run trivy pre-commit check manually
---
 .pre-commit-config.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e0edc0d..3022195 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -18,6 +18,8 @@ repos:
 - id: terraform_fmt
 - id: terragrunt_fmt
 - id: terraform_trivy
+ stages:
+ - manual
 args:
 - --hook-config=--parallelism-ci-cpu-cores=1
 - --args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore
From 6ece524e1cefa2df17a44396003fee5cdf75e2cd Mon Sep 17 00:00:00 2001
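Review bot: Every hook repository in this file is pinned by tag (`rev: v5.0.0`, `rev: v8.25.1`, `rev: v1.99.0`), and tags are mutable, so the gitleaks and trivy code that runs on each commit is not actually fixed; `rev:` accepts a full commit SHA, so a supply-chain-safe pin looks like `rev: <full-commit-sha-for-v8.25.1>  # v8.25.1` with the tag kept as a comment for readability. The `terragrunt_fmt` hook also needs a `terragrunt` binary that neither `.tool-versions` nor the CI workflow later in this series installs, so it will presumably fail wherever that binary is absent; drop it unless the repository actually holds terragrunt configuration. The indentation in this hunk appears flattened by the page rendering and is not reviewed here.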
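Review bot: Moving `terraform_trivy` to `stages: [manual]` takes the misconfiguration scan out of the default commit path, and the CI workflow added in patch 8 invokes `pre-commit/action@v3.0.1` with no `extra_args`, so `--hook-stage manual` is never passed and trivy no longer runs anywhere in the enforced pipeline; patch 6 does the same to `terraform_docs`, though that one is documentation only. If the scan is too slow for local commits, keep it manual locally but run the manual stage in CI, e.g. a second step with `extra_args: --all-files --hook-stage manual`, or leave the hook in the default stage. A comment above `stages:` such as `# manual: run with pre-commit run --hook-stage manual; CI must do this explicitly` would stop the next reader from assuming the scan is still enforced.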
From: Stefan Hattrell <29941279+digorgonzola@users.noreply.github.com>
Date: Thu, 1 May 2025 12:05:20 +1000
Subject: [PATCH 3/8] chore: add .trivyignore
---
 .trivyignore | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .trivyignore
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..92a842f
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,27 @@
+# Ignore warnings about cloudwatch log groups using customer-managed keys for encryption
+AVD-AWS-0017
+
+# DynamoDB
+AVD-AWS-0024
+AVD-AWS-0025
+
+# Ignore warnings about X-Ray tracing for Lambda functions
+AVD-AWS-0066
+
+# Ignore since S3 buckets block public access by default
+AVD-AWS-0086
+
+# Ignore since S3 buckets are encrypted by default
+AVD-AWS-0087
+AVD-AWS-0088
+AVD-AWS-0089
+AVD-AWS-0091
+AVD-AWS-0093
+AVD-AWS-0094
+AVD-AWS-0132
+
+# Ignore warnings about missing security group descriptions
+AVD-AWS-0124
+
+# Ignore warnings about encrypting SNS topics with KMS
+AVD-AWS-0136
From 502371889d5b1bf62ddc62208b7cf9ec6c568998 Mon Sep 17 00:00:00 2001
From: Stefan Hattrell <29941279+digorgonzola@users.noreply.github.com>
Date: Thu, 1 May 2025 12:05:29 +1000
Subject: [PATCH 4/8] chore: add .tool-versions
---
 .tool-versions | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .tool-versions
diff --git a/.tool-versions b/.tool-versions
new file mode 100644
index 0000000..6ea41e8
--- /dev/null
+++ b/.tool-versions
@@ -0,0 +1,3 @@
+opentofu 1.8.7
+python 3.13.1
+trivy 0.58.2
From a8b77b886f9a1bc45e171aea3d0f53e693401ef4 Mon Sep 17 00:00:00 2001
From: Stefan Hattrell <29941279+digorgonzola@users.noreply.github.com>
Date: Thu, 1 May 2025 12:05:37 +1000
Subject: [PATCH 5/8] chore: add .tfdocs-config.yml
---
 .tfdocs-config.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .tfdocs-config.yml
diff --git a/.tfdocs-config.yml b/.tfdocs-config.yml
new file mode 100644
index 0000000..c7ec506
--- /dev/null
+++ b/.tfdocs-config.yml
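Review bot: The `# DynamoDB` group (`AVD-AWS-0024`, `AVD-AWS-0025`) is the only suppression without a stated reason, and the S3 block (`AVD-AWS-0086` through `AVD-AWS-0132`) is justified by account or service defaults rather than by anything in this repository, so a later change to those defaults would go unnoticed by the scan. A repo-wide `.trivyignore` silences a check for every resource; where a finding is only acceptable on one resource, an inline `#trivy:ignore:AVD-AWS-XXXX` comment on that resource keeps the rest covered. At minimum, give the DynamoDB group a rationale in the same style as the others, e.g. `# DynamoDB: <reason these checks do not apply to this deployment>`, and note a review date on the defaults-based entries.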
@@ -0,0 +1,19 @@
+formatter: markdown
+
+content: |-
+ {{ .Header }}
+ {{ .Footer }}
+ {{ .Inputs }}
+ {{ .Modules }}
+ {{ .Outputs }}
+ {{ .Providers }}
+ {{ .Requirements }}
+ {{ .Resources }}
+
+output:
+ file: README.md
+ mode: inject
+ template: |-
+
+ {{ .Content }}
+
From 08c0659eb556e1deabf63dc38df61f4442ce958b Mon Sep 17 00:00:00 2001
From: Stefan Hattrell <29941279+digorgonzola@users.noreply.github.com>
Date: Thu, 1 May 2025 12:15:33 +1000
Subject: [PATCH 6/8] chore: make tfdocs hook manual
---
 .pre-commit-config.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 3022195..52c90e2 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -24,6 +24,8 @@ repos:
 - --hook-config=--parallelism-ci-cpu-cores=1
 - --args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore
 - id: terraform_docs
+ stages:
+ - manual
 args:
 - --args=--config=.tfdocs-config.yml
 - --hook-config=--create-file-if-not-exist=true
From 93d501d599d774776a244a30ebc3feab51f7fae6 Mon Sep 17 00:00:00 2001
From: Stefan Hattrell <29941279+digorgonzola@users.noreply.github.com>
Date: Thu, 1 May 2025 12:15:44 +1000
Subject: [PATCH 7/8] chore: update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8714cb8..bb7924a 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ The running instances can be accessed via SSM for debugging purposes.
 ```hcl
 module "squid_proxy" {
 source = "git@github.com:digorgonzola/squid_proxy.git?ref=v1.0.0"
-
+
 private_subnet_ids = ["subnet-10a214dfcd63a97a4", "subnet-c727b18850685046b"]
 public_subnet_ids = ["subnet-37f911e98a8616eee", "subnet-233bfad11fdd81dfd"]
 vpc_id = "vpc-1eb7bfbe312f068e1"
From b39e16ecdc74c227fcd4ce770b3953463fba46af Mon Sep 17 00:00:00 2001
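Review bot: As rendered here, `template:` under `output:` holds only `{{ .Content }}` between two empty lines, but `mode: inject` needs the begin/end marker comments (`<!-- BEGIN_TF_DOCS -->` / `<!-- END_TF_DOCS -->`) around `{{ .Content }}` to locate the region it rewrites in README.md. If the page rendering stripped those HTML comments this is fine; if the file really contains empty lines there, injection will presumably fail, and `--hook-config=--create-file-if-not-exist=true` in the hook only covers a missing README, not a README without markers. Worth confirming against the committed file, and a comment above `template:` such as `# inject mode: the BEGIN/END marker comments around {{ .Content }} are required` would protect them from a future cleanup.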
From: Stefan Hattrell <29941279+digorgonzola@users.noreply.github.com>
Date: Thu, 1 May 2025 12:16:00 +1000
Subject: [PATCH 8/8] ci: add pre-commit.yml workflow
---
 .github/workflows/pre-commit.yml | 38 ++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/pre-commit.yml
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
new file mode 100644
index 0000000..07a5767
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,38 @@
+name: Pre-Commit Checks
+
+on:
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ pre-commit:
+ name: Run pre-commit checks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: endorama/asdf-parse-tool-versions@v1
+
+ - name: Setup Python
+ uses: actions/setup-python@v5.6.0
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+
+ - name: Setup Trivy
+ uses: aquasecurity/setup-trivy@v0.2.3
+ with:
+ version: v${{ env.TRIVY_VERSION }}
+
+ - name: Setup OpenTofu
+ uses: opentofu/setup-opentofu@v1
+ with:
+ tofu_version: ${{ env.OPENTOFU_VERSION }}
+ tofu_wrapper: false
+
+ - name: Run Pre-Commit Checks
+ uses: pre-commit/action@v3.0.1
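Review bot: The workflow declares no `permissions:` block, so the job runs with whatever default `GITHUB_TOKEN` grant the repository is configured for, which can be read-write; none of these steps needs more than a checkout, so add `permissions:` / `  contents: read` at the top level next to `concurrency:`. The `env.PYTHON_VERSION`, `env.TRIVY_VERSION` and `env.OPENTOFU_VERSION` values are presumably exported by `endorama/asdf-parse-tool-versions@v1` from `.tool-versions`, but nothing in the file says so; a comment on that step such as `# exports <TOOL>_VERSION env vars from .tool-versions for the setup steps below` would make the coupling explicit. Every action here is pinned by tag rather than commit SHA, the same mutable-pin concern as the pre-commit hook revs, and since only `tofu` is installed (`tofu_wrapper: false`), confirm pre-commit-terraform picks it up rather than looking for `terraform`; if it does not, it can be pointed at it with `--hook-config=--tf-path=tofu` in the hook config.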