update .github/workflows/terraform-aws.yaml

.github/workflows/terraform-aws.yaml

@@ -0,0 +1,31 @@
+name: Build & push ci runner terraform for aws image
+on:
+  pull_request:
+  push:
+    paths:
+      - 'oci/iac-runner/terraform-aws/main.tf'
+      - 'oci/iac-runner/terraform-aws/Dockerfile'
+      - 'oci/iac-runner/terraform-aws/.terraformrc'
+      - '.github/workflows/terraform-aws.yaml'
+    branches:
+      - main
+
+jobs:
+  base-image:
+    runs-on: ubuntu-latest
+    name: Build ci runner terraform for aws image
+    steps:
+      - uses: actions/checkout@master
+
+      - name: 'Artifact: build && push terraform for aws image'
+        uses: aevea/action-kaniko@master
+        with:
+          registry: artifact.onwalk.net
+          username: admin 
+          password: ${{ secrets.HELM_REPO_PASSWORD }}
+          path: 'oci/iac-runner/terraform-aws/'
+          build_file: 'Dockerfile'
+          image: devops/terraform-aws
+          tag: latest
+          cache: true
+          cache_registry: cache

oci/iac-runner/terraform-aws/Dockerfile

@@ -0,0 +1,32 @@
+FROM hashicorp/terraform:latest as builder
+FROM infracost/infracost:latest as finops
+
+# Build IAC Runner
+FROM artifact.onwalk.net/k8s/alpine-glibc-awscli:2.6.1 as prod
+LABEL maintainer="Haitao Pan <xz@onwalk.net>"
+
+ARG AWSCLI_VERSION=2.6.1
+
+RUN apk add --update --no-cache ca-certificates openssl openssh-client git bash wget make curl jq py3-pip unzip zip && \
+    mkdir -pv /root/.terraform.d/plugin-cache && \
+    pip3 install jinja2 hvac python-hcl2      && \
+    wget https://mirrors.onwalk.net/tools/linux-amd64/gauth.tar.gz && tar -xvpf gauth.tar.gz -C /usr/bin/ && chmod 755 /usr/bin/gauth && \
+    wget https://mirrors.onwalk.net/tools/linux-amd64/gitleaks_8.8.5_linux_x64.tar.gz && tar -xvpf gitleaks_8.8.5_linux_x64.tar.gz && cp gitleaks /usr/bin/ && chmod 755 /usr/bin/gitleaks && \
+    apk --no-cache del binutils curl && \
+    rm -rf /var/cache/apk/*
+
+# add pre-cost tools 
+COPY --from=builder /bin/terraform /bin/
+COPY --from=finops /usr/bin/terragrunt /usr/bin/
+COPY --from=finops /usr/bin/infracost /usr/bin/
+RUN mkdir -pv /root/.config/infracost/
+COPY credentials.yml /root/.config/infracost/
+RUN infracost configure get api_key
+
+# init terraform provider local mirror
+COPY main.tf .
+RUN mkdir -pv /data/terraform/
+RUN terraform providers mirror /data/terraform/ && rm -f main.tf .terraform.lock.hcl
+COPY .terraformrc /root/
+
+ENTRYPOINT ["terraform"]

oci/iac-runner/terraform-aws/Makefile

@@ -0,0 +1,4 @@
+Makefileall:
+	cp -av ~/.terraform.d/ .
+	sudo docker build --network host --no-cache -t artifact.onwalk.net/devops/iac-runner:latest .
+	sudo docker push artifact.onwalk.net/devops/iac-runner:latest 

oci/iac-runner/terraform-aws/main.tf

@@ -0,0 +1,18 @@
+provider "aws" {
+  region     = "ap-east-1"
+}
+
+terraform {
+  required_providers {
+    local = {
+      source = "hashicorp/local"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "= 4.14.0"  
+    }
+    tls = {
+      source  = "hashicorp/tls"
+    }
+  }
+}

oci/iac-runner/terraform-aws/repositories

@@ -0,0 +1,2 @@
+https://mirrors.ustc.edu.cn/alpine/v3.15/main
+https://mirrors.ustc.edu.cn/alpine/v3.15/community