diff --git a/Dockerfile b/Dockerfile
index 1b431034..3cd003a8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,3 @@
 FROM ghcr.io/terrateamio/action-base:latest
-
-COPY entrypoint.sh /entrypoint.sh
 COPY terrat_runner /terrat_runner
-
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
diff --git a/Dockerfile.base b/Dockerfile.base
index c7ea04b0..5c340134 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -1,60 +1,14 @@
-FROM debian:bullseye-20220622-slim
-RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
- apt-utils \
- bash \
- ca-certificates \
- curl \
- git \
- git-lfs \
- gnupg \
- groff \
- jq \
- less \
- libcap2 \
- openssh-client \
- openssl \
- python3 \
- python3-pip \
- python3-pycryptodome \
- python3-requests \
- python3-yaml \
- unzip \
- && rm -rf /var/lib/apt/lists/*
-
-ENV TENV_LATEST_VERSION=v3.2.10
-RUN curl -O -L "https://github.com/tofuutils/tenv/releases/download/${TENV_LATEST_VERSION}/tenv_${TENV_LATEST_VERSION}_amd64.deb" && \
- dpkg -i "tenv_${TENV_LATEST_VERSION}_amd64.deb"
-
-ENV INFRACOST_VERSION v0.10.29
-RUN curl -fsSL -o /tmp/infracost-linux-amd64.tar.gz "https://github.com/terrateamio/packages/raw/main/infracost/infracost-${INFRACOST_VERSION}-linux-amd64.tar.gz" \
- && tar -C /tmp -xzf /tmp/infracost-linux-amd64.tar.gz \
- && mv /tmp/infracost-linux-amd64 /usr/local/bin/infracost \
- && rm -f /tmp/infracost-linux-amd64.tar.gz
-
-ENV CONFTEST_VERSION 0.46.0
-RUN mkdir /tmp/conftest \
- && curl -fsSL -o /tmp/conftest/conftest.tar.gz "https://github.com/terrateamio/packages/raw/main/conftest/conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz" \
- && tar -C /tmp/conftest -xzf /tmp/conftest/conftest.tar.gz \
- && mv /tmp/conftest/conftest /usr/local/bin/conftest \
- && rm -rf /tmp/conftest
-
-ENV AWSCLI_VERSION 2.13.26
-RUN mkdir /tmp/awscli \
- && curl -fsSL -o /tmp/awscli/awscli.zip "https://github.com/terrateamio/packages/raw/main/aws/awscli-exe-linux-x86_64-${AWSCLI_VERSION}.zip" \
- && unzip -q /tmp/awscli/awscli.zip -d /tmp/awscli/ \
- && /tmp/awscli/aws/install > /dev/null \
- && rm -rf /tmp/awscli
-
-ENV CHECKOV_VERSION=2.5.10
-RUN pip3 install checkov==${CHECKOV_VERSION}
-
-ENV RESOURCELY_VERSION=1.0.14
-
+FROM debian:bookworm-20241202-slim
+ARG TENV_VERSION=3.2.10
+ENV TENV_VERSION=${TENV_VERSION}
+RUN apt update && \
+ DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends \
+ curl python3-minimal python3-pip git openssh-client jq unzip && \
+ pip3 install --no-cache-dir --break-system-packages pycryptodome requests pyyaml && \
+ curl -fsSL -o tenv.deb "https://github.com/tofuutils/tenv/releases/download/v${TENV_VERSION}/tenv_v${TENV_VERSION}_amd64.deb" && \
+ dpkg -i tenv.deb && \
+ rm -f tenv.deb && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/* /tmp/* /usr/share/doc/* /usr/share/man/*
 COPY ./bin/ /usr/local/bin
 COPY proxy/bin /usr/local/proxy/bin
-COPY conftest-wrapper /usr/local/bin/conftest-wrapper
-COPY checkov-wrapper /usr/local/bin/checkov-wrapper
-COPY cdktf-setup.sh /cdktf-setup.sh
-COPY gcloud-cli-setup.sh /gcloud-cli-setup.sh
-COPY azure-cli-setup.sh /azure-cli-setup.sh
diff --git a/azure-cli-setup.sh b/bin/azure-cli-setup
similarity index 100%
rename from azure-cli-setup.sh
rename to bin/azure-cli-setup
diff --git a/cdktf-setup.sh b/bin/cdktf-setup
similarity index 100%
rename from cdktf-setup.sh
rename to bin/cdktf-setup
diff --git a/checkov-wrapper b/bin/checkov-wrapper
similarity index 100%
rename from checkov-wrapper
rename to bin/checkov-wrapper
diff --git a/conftest-wrapper b/bin/conftest-wrapper
similarity index 100%
rename from conftest-wrapper
rename to bin/conftest-wrapper
diff --git a/entrypoint.sh b/bin/entrypoint
similarity index 100%
rename from entrypoint.sh
rename to bin/entrypoint
diff --git a/gcloud-cli-setup.sh b/bin/gcloud-cli-setup
similarity index 100%
rename from gcloud-cli-setup.sh
rename to bin/gcloud-cli-setup
diff --git a/proxy/bin/aws b/proxy/bin/aws
new file mode 100755
index 00000000..6ffb00d4
--- /dev/null
+++ b/proxy/bin/aws
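Review bot: The new RUN chain pins tenv but leaves the pip packages and the tenv .deb unverified: `pip3 install --no-cache-dir --break-system-packages pycryptodome requests pyyaml` carries no version constraints (the Bullseye build got these as distro-pinned apt packages), so every rebuild resolves whatever PyPI serves that day, and `curl -fsSL -o tenv.deb ... && dpkg -i tenv.deb` installs the download without any integrity check. Pin them, e.g. `pip3 install --no-cache-dir --break-system-packages pycryptodome==<PINNED> requests==<PINNED> pyyaml==<PINNED>`, and compare the package against a known digest before installing, e.g. `echo "<EXPECTED_SHA256>  tenv.deb" | sha256sum -c -` (placeholders; take the values from the release you pin). The chain also mixes `apt update`/`apt install` with `apt-get clean`; use `apt-get` throughout, since `apt` itself warns that it has no stable CLI for scripted use. Lastly, `ca-certificates` is no longer listed and `--no-install-recommends` is set, so the https fetches in this same layer rely on it arriving transitively via python3-pip or curl — worth confirming, or adding it to the package list explicitly.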
@@ -0,0 +1,19 @@
+#! /usr/bin/env bash
+
+set -e
+set -u
+
+if [ -f /usr/local/bin/aws ]; then
+ exec /usr/local/bin/aws "$@"
+else
+ flock /tmp/awscli-install sh -c '
+ mkdir -p /tmp/awscli
+ cd /tmp/awscli
+ curl -fsSL -o awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
+ unzip -q awscliv2.zip
+ ./aws/install > /dev/null
+ cd -
+ rm -rf /tmp/awscli
+ ' 1>&2
+ exec /usr/local/bin/aws "$@"
+fi
diff --git a/proxy/bin/checkov b/proxy/bin/checkov
new file mode 100755
index 00000000..67574ba2
--- /dev/null
+++ b/proxy/bin/checkov
@@ -0,0 +1,32 @@
+#! /usr/bin/env bash
+
+set -e
+set -u
+
+if [ -f /usr/local/bin/checkov ]; then
+ exec /usr/local/bin/checkov "$@"
+else
+ flock /tmp/checkov-install sh -c '
+ if [ -z "${CHECKOV_VERSION:-}" ]; then
+ echo "Determining the latest version of Checkov..."
+ LATEST_VERSION=$(curl -s https://api.github.com/repos/bridgecrewio/checkov/releases/latest | jq -r .tag_name | sed "s/^v//")
+
+ if [ -z "$LATEST_VERSION" ] || [ "$LATEST_VERSION" = "null" ]; then
+ echo "Error: Unable to determine the latest version of Checkov." >&2
+ exit 1
+ fi
+
+ CHECKOV_VERSION=${LATEST_VERSION}
+ echo "Installing Checkov version ${CHECKOV_VERSION}..."
+ else
+ echo "Installing Checkov version ${CHECKOV_VERSION} (specified by environment variable)..."
+ fi
+
+ # Install Checkov with all dependencies
+ if ! pip3 install "checkov[all]==${CHECKOV_VERSION}" --break-system-packages --upgrade; then
+ echo "Error: Failed to install Checkov version ${CHECKOV_VERSION}." >&2
+ exit 1
+ fi
+ '
+ exec /usr/local/bin/checkov "$@"
+fi
diff --git a/proxy/bin/conftest b/proxy/bin/conftest
new file mode 100755
index 00000000..c2d1ac95
--- /dev/null
+++ b/proxy/bin/conftest
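Review bot: The inner `sh -c '...'` script has no `set -e`, so a failed `curl` or `unzip` does not stop it — the remaining commands run, `rm -rf /tmp/awscli` succeeds, `flock` returns 0 and the outer `exec /usr/local/bin/aws` then dies on a missing file with no trace of the real cause; the inner scripts in proxy/bin/conftest and proxy/bin/infracost have the same gap, and proxy/bin/resourcely-cli guards only the curl, not tar/mv. Start each inner script with `set -eu`. The download is also unpinned and unverified where the old Dockerfile.base installed a fixed AWSCLI_VERSION (2.13.26): consider `AWSCLI_VERSION="${AWSCLI_VERSION:-2.13.26}"` with `https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWSCLI_VERSION}.zip`, and verifying the archive against its published signature before `./aws/install`. A second caller that was waiting on the flock will also re-run the whole download and install after the first one finishes (and `./aws/install` may refuse to overwrite an existing installation), so re-test `[ -f /usr/local/bin/aws ]` inside the locked script before fetching anything.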
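Review bot: The `sh -c '...'` install block here is, apart from proxy/bin/oci, the only one not redirected with `1>&2`, so pip's install output is written to the wrapper's stdout ahead of checkov's own output — any caller that captures checkov's stdout (a JSON report, say) will see it; close the block with `' 1>&2` as the other wrappers do. `pip3 install "checkov[all]==${CHECKOV_VERSION}" --break-system-packages --upgrade` also installs into the system interpreter with `--upgrade`, which lets pip replace distributions already present there; Dockerfile.base appears to install the runner's own pycryptodome, requests and pyyaml into that same interpreter, so a first checkov run can silently change the versions the runner imports, and oci has the same shape. A dedicated virtual environment per tool, or at least dropping `--upgrade` and passing a constraints file that pins the runner's packages, keeps the two dependency sets apart. With CHECKOV_VERSION unset the installed version is whatever GitHub's latest release is at run time, where the old base pinned 2.5.10; a pinned default as in the infracost wrapper would make runs reproducible.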
@@ -0,0 +1,25 @@
+#! /usr/bin/env bash
+
+set -e
+set -u
+
+if [ -f /usr/bin/conftest ]; then
+ exec /usr/bin/conftest "$@"
+else
+ flock /tmp/conftest-install sh -c '
+ if [ -z "${CONFTEST_VERSION:-}" ]; then
+ echo "Determining the latest version of Conftest..."
+ LATEST_VERSION=$(curl -s https://api.github.com/repos/open-policy-agent/conftest/releases/latest | jq -r .tag_name | sed "s/^v//")
+ CONFTEST_VERSION=${LATEST_VERSION}
+ echo "Installing Conftest version ${CONFTEST_VERSION}..."
+ else
+ echo "Installing Conftest version ${CONFTEST_VERSION} (specified by environment variable)..."
+ fi
+
+ DEB_URL="https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_linux_amd64.deb"
+ curl -fsSL -o /tmp/conftest.deb "$DEB_URL"
+ dpkg -i /tmp/conftest.deb
+ rm -f /tmp/conftest.deb
+ ' 1>&2
+ exec /usr/bin/conftest "$@"
+fi
diff --git a/proxy/bin/gcloud b/proxy/bin/gcloud
index e4555a46..2b45f8fe 100755
--- a/proxy/bin/gcloud
+++ b/proxy/bin/gcloud
@@ -6,7 +6,6 @@ set -u
 if [ -f /usr/bin/gcloud ]; then
 exec /usr/bin/gcloud "$@"
 else
- flock /tmp/gcloud-cli-setup.sh-install /gcloud-cli-setup.sh
+ flock /tmp/gcloud-cli-setup-install gcloud-cli-setup
 exec /usr/bin/gcloud "$@"
 fi
-
diff --git a/proxy/bin/infracost b/proxy/bin/infracost
new file mode 100755
index 00000000..7fafb628
--- /dev/null
+++ b/proxy/bin/infracost
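Review bot: Unlike proxy/bin/checkov, the latest-version lookup here has no guard: when the api.github.com call fails or is rate-limited, `jq -r .tag_name` yields `null`, DEB_URL becomes `.../download/vnull/conftest_null_linux_amd64.deb`, the `curl -f` fails, and because the inner script has no `set -e` the script goes on to `dpkg -i` a file that does not exist and exits 0 from the trailing `rm -f`, leaving the outer `exec /usr/bin/conftest` to fail with a misleading error. Add the same empty/`null` check checkov uses and start the inner script with `set -eu`. The .deb is also installed without any integrity verification; pinning an expected sha256 per version (or checking a checksum published with the release, if one is available) before `dpkg -i` would close that.
```sh
set -eu
# … unchanged: if [ -z "${CONFTEST_VERSION:-}" ]; then / echo / LATEST_VERSION=$(...) …
if [ -z "$LATEST_VERSION" ] || [ "$LATEST_VERSION" = "null" ]; then
  echo "Error: Unable to determine the latest version of Conftest." >&2
  exit 1
fi
CONFTEST_VERSION=${LATEST_VERSION}
# … unchanged: version messages, DEB_URL, curl, dpkg -i, rm -f …
```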
@@ -0,0 +1,20 @@
+#! /usr/bin/env bash
+
+set -e
+set -u
+
+export INFRACOST_VERSION="${INFRACOST_VERSION:-v0.10.29}"
+
+if [ -f /usr/local/bin/infracost ]; then
+ exec /usr/local/bin/infracost "$@"
+else
+ flock /tmp/infracost-install sh -c '
+ TAR_URL="https://github.com/infracost/infracost/releases/download/${INFRACOST_VERSION}/infracost-linux-amd64.tar.gz"
+ curl -fsSL -o /tmp/infracost-linux-amd64.tar.gz "$TAR_URL"
+ tar -C /tmp -xzf /tmp/infracost-linux-amd64.tar.gz
+ mv /tmp/infracost-linux-amd64 /usr/local/bin/infracost
+ chmod +x /usr/local/bin/infracost
+ rm -f /tmp/infracost-linux-amd64.tar.gz
+ ' 1>&2
+ exec /usr/local/bin/infracost "$@"
+fi
diff --git a/proxy/bin/oci b/proxy/bin/oci
index 008c8898..38028b83 100755
--- a/proxy/bin/oci
+++ b/proxy/bin/oci
@@ -6,7 +6,27 @@ set -u
 if [ -f /usr/local/bin/oci ]; then
 exec /usr/local/bin/oci "$@"
 else
- flock /tmp/oci-cli-install pip install oci-cli 1>&2
+ flock /tmp/oci-cli-install sh -c '
+ if [ -z "${OCI_CLI_VERSION:-}" ]; then
+ echo "Determining the latest version of OCI CLI..."
+ LATEST_VERSION=$(curl -s https://api.github.com/repos/oracle/oci-cli/releases/latest | jq -r .tag_name | sed "s/^v//")
+
+ if [ -z "$LATEST_VERSION" ] || [ "$LATEST_VERSION" = "null" ]; then
+ echo "Error: Unable to determine the latest version of OCI CLI." >&2
+ exit 1
+ fi
+
+ OCI_CLI_VERSION=${LATEST_VERSION}
+ echo "Installing OCI CLI version ${OCI_CLI_VERSION}..."
+ else
+ echo "Installing OCI CLI version ${OCI_CLI_VERSION} (specified by environment variable)..."
+ fi
+
+ # Install OCI CLI
+ if ! pip3 install "oci-cli==${OCI_CLI_VERSION}" --break-system-packages --upgrade; then
+ echo "Error: Failed to install OCI CLI version ${OCI_CLI_VERSION}." >&2
+ exit 1
+ fi
+ '
 exec /usr/local/bin/oci "$@"
 fi
-
diff --git a/proxy/bin/resourcely-cli b/proxy/bin/resourcely-cli
index 20a2d96b..d3b959a7 100755
--- a/proxy/bin/resourcely-cli
+++ b/proxy/bin/resourcely-cli
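Review bot: The tarball is fetched from GitHub and moved straight to /usr/local/bin/infracost with no integrity check, so the binary every later run executes is whatever that URL served at first use, and a truncated download would still be installed. Since the version is already pinned by default (v0.10.29), pin the expected digest next to it and verify before the `mv`, e.g. `echo "<EXPECTED_SHA256>  /tmp/infracost-linux-amd64.tar.gz" | sha256sum -c -` (placeholder; take the value from the release you pin), and fail the script if it does not match. Because `export INFRACOST_VERSION=` supplies a default, `${INFRACOST_VERSION}` in TAR_URL is always set here, which is the reproducible choice; the other wrappers fall back to a latest-release lookup when unset, so it is worth a one-line comment above the export saying the pin is deliberate.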
@@ -3,17 +3,35 @@ set -e
 set -u
-if [[ ! -f /usr/local/bin/resourcely-cli ]]; then
- flock /tmp/resourcely-install \
- curl \
- -s \
- -L \
- -o \
- /tmp/resourcely-cli-v"$RESOURCELY_VERSION"-linux-amd64.tar.gz \
- https://github.com/Resourcely-Inc/resourcely-container-registry/releases/download/v"$RESOURCELY_VERSION"/resourcely-cli-v"$RESOURCELY_VERSION"-linux-amd64.tar.gz
+export RESOURCELY_VERSION="${RESOURCELY_VERSION:-v1.0.14}"
- flock /tmp/resourcely-install tar -xzf /tmp/resourcely-cli-v"$RESOURCELY_VERSION"-linux-amd64.tar.gz
- flock /tmp/resourcely-install mv resourcely-cli /usr/local/bin/ || true
-fi
+if [ -f /usr/local/bin/resourcely-cli ]; then
+ exec /usr/local/bin/resourcely-cli "$@"
+else
+ flock /tmp/resourcely-install sh -c '
+ if [ -z "${RESOURCELY_VERSION:-}" ]; then
+ echo "Determining the latest version of Resourcely CLI..."
+ LATEST_VERSION=$(curl -s https://api.github.com/repos/Resourcely-Inc/resourcely-container-registry/releases/latest | jq -r .tag_name | sed "s/^v//")
+ if [ -z "$LATEST_VERSION" ]; then
+ echo "Failed to determine the latest version. Please check the repository." >&2
+ exit 1
+ fi
+ RESOURCELY_VERSION="v${LATEST_VERSION}"
+ echo "Installing Resourcely CLI version ${RESOURCELY_VERSION}..."
+ else
+ echo "Installing Resourcely CLI version ${RESOURCELY_VERSION} (specified by environment variable)..."
+ fi
-exec /usr/local/bin/resourcely-cli "$@"
+ TAR_URL="https://github.com/Resourcely-Inc/resourcely-container-registry/releases/download/${RESOURCELY_VERSION}/resourcely-cli-${RESOURCELY_VERSION}-linux-amd64.tar.gz"
+ if curl -fsSL -o /tmp/resourcely-cli.tar.gz "$TAR_URL"; then
+ tar -xzf /tmp/resourcely-cli.tar.gz -C /tmp
+ mv /tmp/resourcely-cli /usr/local/bin/
+ chmod +x /usr/local/bin/resourcely-cli
+ rm -f /tmp/resourcely-cli.tar.gz
+ else
+ echo "Failed to download Resourcely CLI from $TAR_URL. Please verify the version or URL." >&2
+ exit 1
+ fi
+ ' 1>&2
+ exec /usr/local/bin/resourcely-cli "$@"
+fi
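Review bot: `export RESOURCELY_VERSION="${RESOURCELY_VERSION:-v1.0.14}"` near the top guarantees the variable is non-empty by the time the inner script runs, so the `if [ -z "${RESOURCELY_VERSION:-}" ]` branch that queries api.github.com for the latest release can never execute — the lookup, its error message and the `v` prefixing are dead code. Either drop the export default so the lookup is reachable when the variable is unset, or delete the lookup branch and keep the pinned default, which is the more reproducible choice and matches proxy/bin/infracost; in the second case the remaining logic is just `TAR_URL=...`, the guarded `curl`, and the extract/move lines. The shebang and `set -e` sit above the hunk, outside this view. If the pin stays, the same digest check suggested for infracost applies to this tarball too, e.g. `echo "<EXPECTED_SHA256>  /tmp/resourcely-cli.tar.gz" | sha256sum -c -` before the `tar -xzf`.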
diff --git a/terrat_runner/main.py b/terrat_runner/main.py
index 7935b785..7baa4f5d 100644
--- a/terrat_runner/main.py
+++ b/terrat_runner/main.py
@@ -55,7 +55,7 @@ def maybe_setup_cdktf(rc, work_manifest, env):
 cdktf_used = cdktf_used or workflow['engine']['name'] == 'cdktf'
 if cdktf_used:
- subprocess.check_call(['/cdktf-setup.sh'])
+ subprocess.check_call(['cdktf-setup'])
 env['PATH'] = env['PATH'] + ':' + os.path.join(env['TERRATEAM_ROOT'], 'node_modules', '.bin')