add oci/iac-runner/terraform-aws/Dockerfile.custom

2023-02-28 10:35:22 +08:00 · 2023-02-28 10:35:22 +08:00 · 664152bec0
commit 664152bec0
parent 50b7762a54
6 changed files with 85 additions and 14 deletions
--- a/.github/workflows/terraform-aws-custom.yaml
+++ b/.github/workflows/terraform-aws-custom.yaml
@ -0,0 +1,31 @@
+name: Build & push ci runner terraform for aws image
+on:
+  pull_request:
+  push:
+    paths:
+      - 'oci/iac-runner/terraform-aws/main.tf'
+      - 'oci/iac-runner/terraform-aws/Dockerfile'
+      - 'oci/iac-runner/terraform-aws/.terraformrc'
+      - '.github/workflows/terraform-aws-custom.yaml'
+    branches:
+      - main
+
+jobs:
+  base-image:
+    runs-on: ubuntu-latest
+    name: Build ci runner terraform for aws image
+    steps:
+      - uses: actions/checkout@master
+
+      - name: 'Artifact: build && push terraform for aws image'
+        uses: aevea/action-kaniko@master
+        with:
+          registry: artifact.onwalk.net
+          username: admin 
+          password: ${{ secrets.HELM_REPO_PASSWORD }}
+          path: 'oci/iac-runner/terraform-aws/'
+          build_file: 'Dockerfile.custom'
+          image: devops/terraform-aws
+          tag: latest
+          cache: true
+          cache_registry: cache
--- a/oci/base/alpine-glibc/Dockerfile
+++ b/oci/base/alpine-glibc/Dockerfile
@ -1,5 +1,5 @@
 # Build IAC Runner
-FROM alpine:latest 
+FROM artifact.onwalk.net/k8s/alpine-ca:latest 
 LABEL maintainer="Haitao Pan <manbuzhe2009@qq.com>"

 ARG GLIBC_VERSION=2.34-r0
--- a/oci/base/alpine/Dockerfile
+++ b/oci/base/alpine/Dockerfile
@ -1,6 +1,8 @@
 FROM alpine:latest
 MAINTAINER shenlan xz@onwalk.net

+RUN cd /usr/local/share/ca-certificates/ && curl http://certinfo.roche.com/rootcerts/Roche%20Root%20CA%201.cer -o RocheRootCA1.cer && curl http://certinfo.roche.com/rootcerts/RocheEnterpriseCA1.cer -o RocheEnterpriseCA1.cer && curl http://certinfo.roche.com/rootcerts/RocheEnterpriseCA2.cer -o RocheEnterpriseCA2.cer && curl http://certinfo.roche.com/rootcerts/Roche%20Root%20CA%201%20-%20G2.crt -o RocheRootCA1-G2.crt && curl http://certinfo.roche.com/rootcerts/Roche%20Enterprise%20CA%201%20-%20G2.crt -o RocheEnterpriseCA1-G2.crt && curl http://certinfo.roche.com/rootcerts/Roche%20G3%20Root%20CA.crt -o RocheG3RootCA.crt && curl http://certinfo.roche.com/rootcerts/Roche%20G3%20Issuing%20CA%201.crt -o RocheG3IssuingCA1.crt && curl http://certinfo.roche.com/rootcerts/Roche%20G3%20Issuing%20CA%202.crt -o RocheG3IssuingCA2.crt && curl http://certinfo.roche.com/rootcerts/Roche%20G3%20Issuing%20CA%203.crt -o RocheG3IssuingCA3.crt && curl http://certinfo.roche.com/rootcerts/Roche%20G3%20Issuing%20CA%204.crt -o RocheG3IssuingCA4.crt && update-ca-certificates  
+
 ADD ca.crt /usr/share/ca-certificates/mozilla/Lets_Encrypt_ca.crt
 RUN apk add --no-cache ca-certificates && echo "mozilla/Lets_Encrypt_ca.crt" >> /etc/ca-certificates.conf && update-ca-certificates 

--- a/oci/iac-runner/terraform-aws/Dockerfile
+++ b/oci/iac-runner/terraform-aws/Dockerfile
@ -2,31 +2,37 @@ FROM hashicorp/terraform:latest as builder
 FROM infracost/infracost:latest as finops

 # Build IAC Runner
-FROM artifact.onwalk.net/k8s/alpine-glibc-awscli:2.6.1 as prod
+FROM artifact.onwalk.net/k8s/alpine-awscli:2.6.1 as prod
 LABEL maintainer="Haitao Pan <xz@onwalk.net>"

-ARG AWSCLI_VERSION=2.6.1
+ENV KUBECTL_VERSION=1.19.3

-RUN apk add --update --no-cache ca-certificates openssl openssh-client git bash wget make curl jq py3-pip unzip zip && \
-    mkdir -pv /root/.terraform.d/plugin-cache && \
-    pip3 install jinja2 hvac python-hcl2      && \
+RUN apk add --update --no-cache ca-certificates openssl openssh-client git bash wget make curl jq unzip zip python3 py3-pip && \
+    pip3 install --upgrade pip --user && \
+    pip3 install jinja2 hvac python-hcl2 pyyaml && \
    wget https://mirrors.onwalk.net/tools/linux-amd64/gauth.tar.gz && tar -xvpf gauth.tar.gz -C /usr/bin/ && chmod 755 /usr/bin/gauth && \
+    wget -O /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl & chmod +x /usr/bin/kubectl && \
    wget https://mirrors.onwalk.net/tools/linux-amd64/gitleaks_8.8.5_linux_x64.tar.gz && tar -xvpf gitleaks_8.8.5_linux_x64.tar.gz && cp gitleaks /usr/bin/ && chmod 755 /usr/bin/gitleaks && \
-    apk --no-cache del binutils curl && \
+    apk --no-cache del binutils make && \
    rm -rf /var/cache/apk/*
+    mkdir -pv /root/.terraform.d/plugin-cache && \
+
+# add iac tools 
+COPY --from=builder /bin/terraform /bin/

 # add pre-cost tools 
-COPY --from=builder /bin/terraform /bin/
 COPY --from=finops /usr/bin/terragrunt /usr/bin/
 COPY --from=finops /usr/bin/infracost /usr/bin/
+
+# config pre-cost tools 
 RUN mkdir -pv /root/.config/infracost/
 COPY credentials.yml /root/.config/infracost/
 RUN infracost configure get api_key

-# init terraform provider local mirror
+# init terraform provider cache
 COPY main.tf .
 RUN mkdir -pv /data/terraform/
 RUN terraform providers mirror /data/terraform/ && rm -f main.tf .terraform.lock.hcl
 COPY .terraformrc /root/

-ENTRYPOINT ["terraform"]
+ENTRYPOINT ["/bin/sh", "-c"]
--- a/oci/iac-runner/terraform-aws/Dockerfile.custom
+++ b/oci/iac-runner/terraform-aws/Dockerfile.custom
@ -0,0 +1,32 @@
+#FROM infracost/infracost:latest as finops
+FROM artifact.onwalk.net/devops/terraform:latest as builder
+
+# Build IAC Runner
+FROM artifact.onwalk.net/k8s/alpine-awscli-python3:latest as prod
+
+ENV KUBECTL_VERSION=1.19.3
+
+COPY --from=builder /bin/terraform /bin/
+
+# install kubectl in apline
+RUN wget -O /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl &&   chmod +x /usr/local/bin/kubectl
+
+# make terraform plugin cache
+RUN mkdir -p $HOME/.terraform.d/plugins
+RUN echo $'\
+provider "aws" {} \n\
+provider "tls" {}\n\
+provider "null" {}\n\
+provider "template" {}' >> /tmp/provider-cache.tf
+RUN cd /tmp && terraform init && mv .terraform/providers/* $HOME/.terraform.d/plugins && rm -rf .terraform && rm -rf provider-cache.tf
+# config terraform cli
+# ENV TF_CLI_ARGS_init="-plugin-dir=$HOME/.terraform.d/plugins"
+
+# install python3 
+# RUN apk --no-cache add python3 py3-pip
+
+# packages for eks-environment/kubernetes/addon.sh
+RUN pip install --upgrade pip --user && \
+    pip install pyyaml
+
+ENTRYPOINT ["/bin/sh", "-c"]
--- a/oci/iac-runner/terraform-aws/main.tf
+++ b/oci/iac-runner/terraform-aws/main.tf
@ -1,6 +1,7 @@
-provider "aws" {
-  region     = "ap-east-1"
-}
+provider "aws" {}
+provider "tls" {}
+provider "null" {}
+provider "template" {}

 terraform {
  required_providers {
@ -9,7 +10,6 @@ terraform {
    }
    aws = {
      source  = "hashicorp/aws"
-      version = "= 4.14.0"  
    }
    tls = {
      source  = "hashicorp/tls"