#369 REFACTOR Optimize Dockerfiles and organize scripts

terrateamio · Dec 20, 2024 · 9a83675 · 9a83675
1 parent d911c87
commit 9a83675
Show file tree

Hide file tree

Showing 16 changed files with 163 additions and 79 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,3 @@
 FROM ghcr.io/terrateamio/action-base:latest
-
-COPY entrypoint.sh /entrypoint.sh
 COPY terrat_runner /terrat_runner
-
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
diff --git a/Dockerfile.base b/Dockerfile.base
@@ -1,60 +1,14 @@
-FROM debian:bullseye-20220622-slim
-RUN apt-get update \
-	&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-	apt-utils \
-	bash \
-	ca-certificates \
-	curl \
-	git \
-	git-lfs \
-	gnupg \
-	groff \
-	jq \
-	less \
-	libcap2 \
-	openssh-client \
-	openssl \
-	python3 \
-	python3-pip \
-	python3-pycryptodome \
-	python3-requests \
-	python3-yaml \
-	unzip \
-	&& rm -rf /var/lib/apt/lists/*
-
-ENV TENV_LATEST_VERSION=v3.2.10
-RUN curl -O -L "https://github.com/tofuutils/tenv/releases/download/${TENV_LATEST_VERSION}/tenv_${TENV_LATEST_VERSION}_amd64.deb" && \
-    dpkg -i "tenv_${TENV_LATEST_VERSION}_amd64.deb"
-
-ENV INFRACOST_VERSION v0.10.29
-RUN curl -fsSL -o /tmp/infracost-linux-amd64.tar.gz "https://github.com/terrateamio/packages/raw/main/infracost/infracost-${INFRACOST_VERSION}-linux-amd64.tar.gz" \
-    && tar -C /tmp -xzf /tmp/infracost-linux-amd64.tar.gz \
-    && mv /tmp/infracost-linux-amd64 /usr/local/bin/infracost \
-    && rm -f /tmp/infracost-linux-amd64.tar.gz
-
-ENV CONFTEST_VERSION 0.46.0
-RUN mkdir /tmp/conftest \
-    && curl -fsSL -o /tmp/conftest/conftest.tar.gz "https://github.com/terrateamio/packages/raw/main/conftest/conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz" \
-    && tar -C /tmp/conftest -xzf /tmp/conftest/conftest.tar.gz \
-    && mv /tmp/conftest/conftest /usr/local/bin/conftest \
-    && rm -rf /tmp/conftest
-
-ENV AWSCLI_VERSION 2.13.26
-RUN mkdir /tmp/awscli \
-    && curl -fsSL -o /tmp/awscli/awscli.zip "https://github.com/terrateamio/packages/raw/main/aws/awscli-exe-linux-x86_64-${AWSCLI_VERSION}.zip" \
-    && unzip -q /tmp/awscli/awscli.zip -d /tmp/awscli/ \
-    && /tmp/awscli/aws/install > /dev/null \
-    && rm -rf /tmp/awscli
-
-ENV CHECKOV_VERSION=2.5.10
-RUN pip3 install checkov==${CHECKOV_VERSION}
-
-ENV RESOURCELY_VERSION=1.0.14
-
+FROM debian:bookworm-20241202-slim
+ARG TENV_VERSION=3.2.10
+ENV TENV_VERSION=${TENV_VERSION}
+RUN apt update && \
+    DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends \
+    curl python3-minimal python3-pip git openssh-client jq unzip && \
+    pip3 install --no-cache-dir --break-system-packages pycryptodome requests pyyaml && \
+    curl -fsSL -o tenv.deb "https://github.com/tofuutils/tenv/releases/download/v${TENV_VERSION}/tenv_v${TENV_VERSION}_amd64.deb" && \
+    dpkg -i tenv.deb && \
+    rm -f tenv.deb && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /usr/share/doc/* /usr/share/man/*
 COPY ./bin/ /usr/local/bin
 COPY proxy/bin /usr/local/proxy/bin
-COPY conftest-wrapper /usr/local/bin/conftest-wrapper
-COPY checkov-wrapper /usr/local/bin/checkov-wrapper
-COPY cdktf-setup.sh /cdktf-setup.sh
-COPY gcloud-cli-setup.sh /gcloud-cli-setup.sh
-COPY azure-cli-setup.sh /azure-cli-setup.sh
diff --git a/azure-cli-setup.sh → bin/azure-cli-setup b/azure-cli-setup.sh → bin/azure-cli-setup
diff --git a/cdktf-setup.sh → bin/cdktf-setup b/cdktf-setup.sh → bin/cdktf-setup
diff --git a/checkov-wrapper → bin/checkov-wrapper b/checkov-wrapper → bin/checkov-wrapper
diff --git a/conftest-wrapper → bin/conftest-wrapper b/conftest-wrapper → bin/conftest-wrapper
diff --git a/entrypoint.sh → bin/entrypoint b/entrypoint.sh → bin/entrypoint
diff --git a/gcloud-cli-setup.sh → bin/gcloud-cli-setup b/gcloud-cli-setup.sh → bin/gcloud-cli-setup
diff --git a/proxy/bin/aws b/proxy/bin/aws
@@ -0,0 +1,19 @@
+#! /usr/bin/env bash
+
+set -e
+set -u
+
+if [ -f /usr/local/bin/aws ]; then
+    exec /usr/local/bin/aws "$@"
+else
+    flock /tmp/awscli-install sh -c '
+        mkdir -p /tmp/awscli
+        cd /tmp/awscli
+        curl -fsSL -o awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
+        unzip -q awscliv2.zip
+        ./aws/install > /dev/null
+        cd -
+        rm -rf /tmp/awscli
+    ' 1>&2
+    exec /usr/local/bin/aws "$@"
+fi
diff --git a/proxy/bin/checkov b/proxy/bin/checkov
@@ -0,0 +1,32 @@
+#! /usr/bin/env bash
+
+set -e
+set -u
+
+if [ -f /usr/local/bin/checkov ]; then
+    exec /usr/local/bin/checkov "$@"
+else
+    flock /tmp/checkov-install sh -c '
+        if [ -z "${CHECKOV_VERSION:-}" ]; then
+            echo "Determining the latest version of Checkov..."
+            LATEST_VERSION=$(curl -s https://api.github.com/repos/bridgecrewio/checkov/releases/latest | jq -r .tag_name | sed "s/^v//")
+            
+            if [ -z "$LATEST_VERSION" ] || [ "$LATEST_VERSION" = "null" ]; then
+                echo "Error: Unable to determine the latest version of Checkov." >&2
+                exit 1
+            fi
+            
+            CHECKOV_VERSION=${LATEST_VERSION}
+            echo "Installing Checkov version ${CHECKOV_VERSION}..."
+        else
+            echo "Installing Checkov version ${CHECKOV_VERSION} (specified by environment variable)..."
+        fi
+
+        # Install Checkov with all dependencies
+        if ! pip3 install "checkov[all]==${CHECKOV_VERSION}" --break-system-packages --upgrade; then
+            echo "Error: Failed to install Checkov version ${CHECKOV_VERSION}." >&2
+            exit 1
+        fi
+    '
+    exec /usr/local/bin/checkov "$@"
+fi
diff --git a/proxy/bin/conftest b/proxy/bin/conftest
@@ -0,0 +1,25 @@
+#! /usr/bin/env bash
+
+set -e
+set -u
+
+if [ -f /usr/bin/conftest ]; then
+    exec /usr/bin/conftest "$@"
+else
+    flock /tmp/conftest-install sh -c '
+        if [ -z "${CONFTEST_VERSION:-}" ]; then
+            echo "Determining the latest version of Conftest..."
+            LATEST_VERSION=$(curl -s https://api.github.com/repos/open-policy-agent/conftest/releases/latest | jq -r .tag_name | sed "s/^v//")
+            CONFTEST_VERSION=${LATEST_VERSION}
+            echo "Installing Conftest version ${CONFTEST_VERSION}..."
+        else
+            echo "Installing Conftest version ${CONFTEST_VERSION} (specified by environment variable)..."
+        fi
+        
+        DEB_URL="https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_linux_amd64.deb"
+        curl -fsSL -o /tmp/conftest.deb "$DEB_URL"
+        dpkg -i /tmp/conftest.deb
+        rm -f /tmp/conftest.deb
+    ' 1>&2
+    exec /usr/bin/conftest "$@"
+fi
diff --git a/proxy/bin/gcloud b/proxy/bin/gcloud
@@ -6,7 +6,6 @@ set -u
 if [ -f /usr/bin/gcloud ]; then
     exec /usr/bin/gcloud "$@"
 else
-    flock /tmp/gcloud-cli-setup.sh-install /gcloud-cli-setup.sh
+    flock /tmp/gcloud-cli-setup-install gcloud-cli-setup
     exec /usr/bin/gcloud "$@"
 fi
-
diff --git a/proxy/bin/infracost b/proxy/bin/infracost
@@ -0,0 +1,20 @@
+#! /usr/bin/env bash
+
+set -e
+set -u
+
+export INFRACOST_VERSION="${INFRACOST_VERSION:-v0.10.29}"
+
+if [ -f /usr/local/bin/infracost ]; then
+    exec /usr/local/bin/infracost "$@"
+else
+    flock /tmp/infracost-install sh -c '
+        TAR_URL="https://github.com/infracost/infracost/releases/download/${INFRACOST_VERSION}/infracost-linux-amd64.tar.gz"
+        curl -fsSL -o /tmp/infracost-linux-amd64.tar.gz "$TAR_URL"
+        tar -C /tmp -xzf /tmp/infracost-linux-amd64.tar.gz
+        mv /tmp/infracost-linux-amd64 /usr/local/bin/infracost
+        chmod +x /usr/local/bin/infracost
+        rm -f /tmp/infracost-linux-amd64.tar.gz
+    ' 1>&2
+    exec /usr/local/bin/infracost "$@"
+fi
diff --git a/proxy/bin/oci b/proxy/bin/oci
@@ -6,7 +6,27 @@ set -u
 if [ -f /usr/local/bin/oci ]; then
     exec /usr/local/bin/oci "$@"
 else
-    flock /tmp/oci-cli-install pip install oci-cli 1>&2
+    flock /tmp/oci-cli-install sh -c '
+        if [ -z "${OCI_CLI_VERSION:-}" ]; then
+            echo "Determining the latest version of OCI CLI..."
+            LATEST_VERSION=$(curl -s https://api.github.com/repos/oracle/oci-cli/releases/latest | jq -r .tag_name | sed "s/^v//")
+
+            if [ -z "$LATEST_VERSION" ] || [ "$LATEST_VERSION" = "null" ]; then
+                echo "Error: Unable to determine the latest version of OCI CLI." >&2
+                exit 1
+            fi
+
+            OCI_CLI_VERSION=${LATEST_VERSION}
+            echo "Installing OCI CLI version ${OCI_CLI_VERSION}..."
+        else
+            echo "Installing OCI CLI version ${OCI_CLI_VERSION} (specified by environment variable)..."
+        fi
+
+        # Install OCI CLI
+        if ! pip3 install "oci-cli==${OCI_CLI_VERSION}" --break-system-packages --upgrade; then
+            echo "Error: Failed to install OCI CLI version ${OCI_CLI_VERSION}." >&2
+            exit 1
+        fi
+    '
     exec /usr/local/bin/oci "$@"
 fi
-
diff --git a/proxy/bin/resourcely-cli b/proxy/bin/resourcely-cli
@@ -3,17 +3,35 @@
 set -e
 set -u
 
-if [[ ! -f /usr/local/bin/resourcely-cli ]]; then
-    flock /tmp/resourcely-install \
-          curl \
-          -s \
-          -L \
-          -o \
-          /tmp/resourcely-cli-v"$RESOURCELY_VERSION"-linux-amd64.tar.gz \
-          https://github.com/Resourcely-Inc/resourcely-container-registry/releases/download/v"$RESOURCELY_VERSION"/resourcely-cli-v"$RESOURCELY_VERSION"-linux-amd64.tar.gz
+export RESOURCELY_VERSION="${RESOURCELY_VERSION:-v1.0.14}"
 
-    flock /tmp/resourcely-install tar -xzf /tmp/resourcely-cli-v"$RESOURCELY_VERSION"-linux-amd64.tar.gz
-    flock /tmp/resourcely-install mv resourcely-cli /usr/local/bin/ || true
-fi
+if [ -f /usr/local/bin/resourcely-cli ]; then
+    exec /usr/local/bin/resourcely-cli "$@"
+else
+    flock /tmp/resourcely-install sh -c '
+        if [ -z "${RESOURCELY_VERSION:-}" ]; then
+            echo "Determining the latest version of Resourcely CLI..."
+            LATEST_VERSION=$(curl -s https://api.github.com/repos/Resourcely-Inc/resourcely-container-registry/releases/latest | jq -r .tag_name | sed "s/^v//")
+            if [ -z "$LATEST_VERSION" ]; then
+                echo "Failed to determine the latest version. Please check the repository." >&2
+                exit 1
+            fi
+            RESOURCELY_VERSION="v${LATEST_VERSION}"
+            echo "Installing Resourcely CLI version ${RESOURCELY_VERSION}..."
+        else
+            echo "Installing Resourcely CLI version ${RESOURCELY_VERSION} (specified by environment variable)..."
+        fi
 
-exec /usr/local/bin/resourcely-cli "$@"
+        TAR_URL="https://github.com/Resourcely-Inc/resourcely-container-registry/releases/download/${RESOURCELY_VERSION}/resourcely-cli-${RESOURCELY_VERSION}-linux-amd64.tar.gz"
+        if curl -fsSL -o /tmp/resourcely-cli.tar.gz "$TAR_URL"; then
+            tar -xzf /tmp/resourcely-cli.tar.gz -C /tmp
+            mv /tmp/resourcely-cli /usr/local/bin/
+            chmod +x /usr/local/bin/resourcely-cli
+            rm -f /tmp/resourcely-cli.tar.gz
+        else
+            echo "Failed to download Resourcely CLI from $TAR_URL. Please verify the version or URL." >&2
+            exit 1
+        fi
+    ' 1>&2
+    exec /usr/local/bin/resourcely-cli "$@"
+fi
diff --git a/terrat_runner/main.py b/terrat_runner/main.py
@@ -55,7 +55,7 @@ def maybe_setup_cdktf(rc, work_manifest, env):
             cdktf_used = cdktf_used or workflow['engine']['name'] == 'cdktf'
 
     if cdktf_used:
-        subprocess.check_call(['/cdktf-setup.sh'])
+        subprocess.check_call(['cdktf-setup'])
         env['PATH'] = env['PATH'] + ':' + os.path.join(env['TERRATEAM_ROOT'], 'node_modules', '.bin')