From 664152bec0fb511a82f6fa767411f071811de4cd Mon Sep 17 00:00:00 2001
From: Haitao Pan 
Date: Tue, 28 Feb 2023 10:35:22 +0800
Subject: [PATCH] add oci/iac-runner/terraform-aws/Dockerfile.custom
---
 .github/workflows/terraform-aws-custom.yaml | 31 ++++++++++++++++++
 oci/base/alpine-glibc/Dockerfile | 2 +-
 oci/base/alpine/Dockerfile | 2 ++
 oci/iac-runner/terraform-aws/Dockerfile | 24 ++++++++------
 .../terraform-aws/Dockerfile.custom | 32 +++++++++++++++++++
 oci/iac-runner/terraform-aws/main.tf | 8 ++---
 6 files changed, 85 insertions(+), 14 deletions(-)
 create mode 100644 .github/workflows/terraform-aws-custom.yaml
 create mode 100644 oci/iac-runner/terraform-aws/Dockerfile.custom
diff --git a/.github/workflows/terraform-aws-custom.yaml b/.github/workflows/terraform-aws-custom.yaml
new file mode 100644
index 0000000..039b7b2
--- /dev/null
+++ b/.github/workflows/terraform-aws-custom.yaml
@@ -0,0 +1,31 @@
+name: Build & push ci runner terraform for aws image
+on:
+ pull_request:
+ push:
+ paths:
+ - 'oci/iac-runner/terraform-aws/main.tf'
+ - 'oci/iac-runner/terraform-aws/Dockerfile'
+ - 'oci/iac-runner/terraform-aws/.terraformrc'
+ - '.github/workflows/terraform-aws-custom.yaml'
+ branches:
+ - main
+
+jobs:
+ base-image:
+ runs-on: ubuntu-latest
+ name: Build ci runner terraform for aws image
+ steps:
+ - uses: actions/checkout@master
+
+ - name: 'Artifact: build && push terraform for aws image'
+ uses: aevea/action-kaniko@master
+ with:
+ registry: artifact.onwalk.net
+ username: admin
+ password: ${{ secrets.HELM_REPO_PASSWORD }}
+ path: 'oci/iac-runner/terraform-aws/'
+ build_file: 'Dockerfile.custom'
+ image: devops/terraform-aws
+ tag: latest
+ cache: true
+ cache_registry: cache
diff --git a/oci/base/alpine-glibc/Dockerfile b/oci/base/alpine-glibc/Dockerfile
index e1370a6..1060465 100644
--- a/oci/base/alpine-glibc/Dockerfile
+++ b/oci/base/alpine-glibc/Dockerfile
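Review bot: The `push.paths` filter never lists `oci/iac-runner/terraform-aws/Dockerfile.custom`, yet that is the file the kaniko step builds (`build_file: 'Dockerfile.custom'`), so edits to the runner image itself will not trigger a rebuild while edits to the unused `Dockerfile` will; add `- 'oci/iac-runner/terraform-aws/Dockerfile.custom'` to the list. Both actions are referenced at a floating branch (`actions/checkout@master`, `aevea/action-kaniko@master`), which lets any upstream change to those repositories run with the registry credential in `HELM_REPO_PASSWORD`; pin them to a release tag or, better, a full commit SHA. The `pull_request` trigger also carries no path or branch filter, and the job pushes `tag: latest` as `admin`, so a same-repository PR (which does receive secrets) overwrites the production `latest` tag before anyone reviews it; consider building without pushing on `pull_request`, or pushing a PR-scoped tag instead.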
@@ -1,5 +1,5 @@
 # Build IAC Runner
-FROM alpine:latest
+FROM artifact.onwalk.net/k8s/alpine-ca:latest
 LABEL maintainer="Haitao Pan "
 ARG GLIBC_VERSION=2.34-r0
diff --git a/oci/base/alpine/Dockerfile b/oci/base/alpine/Dockerfile
index 0ca18c3..8503273 100644
--- a/oci/base/alpine/Dockerfile
+++ b/oci/base/alpine/Dockerfile
@@ -1,6 +1,8 @@
 FROM alpine:latest
 MAINTAINER shenlan xz@onwalk.net
+RUN cd /usr/local/share/ca-certificates/ && curl http://certinfo.roche.com/rootcerts/Roche%20Root%20CA%201.cer -o RocheRootCA1.cer && curl http://certinfo.roche.com/rootcerts/RocheEnterpriseCA1.cer -o RocheEnterpriseCA1.cer && curl http://certinfo.roche.com/rootcerts/RocheEnterpriseCA2.cer -o RocheEnterpriseCA2.cer && curl http://certinfo.roche.com/rootcerts/Roche%20Root%20CA%201%20-%20G2.crt -o RocheRootCA1-G2.crt && curl http://certinfo.roche.com/rootcerts/Roche%20Enterprise%20CA%201%20-%20G2.crt -o RocheEnterpriseCA1-G2.crt && curl http://certinfo.roche.com/rootcerts/Roche%20G3%20Root%20CA.crt -o RocheG3RootCA.crt && curl http://certinfo.roche.com/rootcerts/Roche%20G3%20Issuing%20CA%201.crt -o RocheG3IssuingCA1.crt && curl http://certinfo.roche.com/rootcerts/Roche%20G3%20Issuing%20CA%202.crt -o RocheG3IssuingCA2.crt && curl http://certinfo.roche.com/rootcerts/Roche%20G3%20Issuing%20CA%203.crt -o RocheG3IssuingCA3.crt && curl http://certinfo.roche.com/rootcerts/Roche%20G3%20Issuing%20CA%204.crt -o RocheG3IssuingCA4.crt && update-ca-certificates
+
 ADD ca.crt /usr/share/ca-certificates/mozilla/Lets_Encrypt_ca.crt
 RUN apk add --no-cache ca-certificates && echo "mozilla/Lets_Encrypt_ca.crt" >> /etc/ca-certificates.conf && update-ca-certificates
diff --git a/oci/iac-runner/terraform-aws/Dockerfile b/oci/iac-runner/terraform-aws/Dockerfile
index 0c22a8e..fcc321f 100644
--- a/oci/iac-runner/terraform-aws/Dockerfile
+++ b/oci/iac-runner/terraform-aws/Dockerfile
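Review bot: The new base `artifact.onwalk.net/k8s/alpine-ca:latest` is still a floating tag, and because this is the image that carries the organisation's trust store, a silent rebuild of `alpine-ca` changes which CAs every downstream runner trusts without any change in this repository. Pin it to an immutable reference, e.g. `FROM artifact.onwalk.net/k8s/alpine-ca:<version>@sha256:<digest>`, and bump it deliberately. The `ARG GLIBC_VERSION=2.34-r0` line shows this file already pins what it installs, so the base it builds on should be pinned too.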
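Review bot: The added `RUN` fetches ten CA certificates over plain `http://certinfo.roche.com/...` with unauthenticated `curl` and feeds them straight to `update-ca-certificates`, so anyone on the network path during a build can add their own root to every image derived from this base; trust anchors must not be installed from an unverified download. Vendor the reviewed PEM files in the repository and install them with `COPY roche-ca/*.crt /usr/local/share/ca-certificates/` followed by `RUN apk add --no-cache ca-certificates && update-ca-certificates`, or, if they must be fetched, verify each file with `sha256sum -c` against checksums committed alongside. As ordered the line also runs before the existing `RUN apk add --no-cache ca-certificates`, and as far as I know `alpine:latest` ships neither `curl` nor `update-ca-certificates`, so this step is likely to fail outright; Alpine's `update-ca-certificates` also appears to only pick up `*.crt` files, so the five `.cer` downloads may be silently ignored even when the fetch succeeds — confirm before merging.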
@@ -2,31 +2,37 @@ FROM hashicorp/terraform:latest as builder FROM infracost/infracost:latest as finops # Build IAC Runner -FROM artifact.onwalk.net/k8s/alpine-glibc-awscli:2.6.1 as prod +FROM artifact.onwalk.net/k8s/alpine-awscli:2.6.1 as prod LABEL maintainer="Haitao Pan " -ARG AWSCLI_VERSION=2.6.1 +ENV KUBECTL_VERSION=1.19.3 -RUN apk add --update --no-cache ca-certificates openssl openssh-client git bash wget make curl jq py3-pip unzip zip && \ - mkdir -pv /root/.terraform.d/plugin-cache && \ - pip3 install jinja2 hvac python-hcl2 && \ +RUN apk add --update --no-cache ca-certificates openssl openssh-client git bash wget make curl jq unzip zip python3 py3-pip && \ + pip3 install --upgrade pip --user && \ + pip3 install jinja2 hvac python-hcl2 pyyaml && \ wget https://mirrors.onwalk.net/tools/linux-amd64/gauth.tar.gz && tar -xvpf gauth.tar.gz -C /usr/bin/ && chmod 755 /usr/bin/gauth && \ + wget -O /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl & chmod +x /usr/bin/kubectl && \ wget https://mirrors.onwalk.net/tools/linux-amd64/gitleaks_8.8.5_linux_x64.tar.gz && tar -xvpf gitleaks_8.8.5_linux_x64.tar.gz && cp gitleaks /usr/bin/ && chmod 755 /usr/bin/gitleaks && \ - apk --no-cache del binutils curl && \ + apk --no-cache del binutils make && \ rm -rf /var/cache/apk/* + mkdir -pv /root/.terraform.d/plugin-cache && \ + +# add iac tools +COPY --from=builder /bin/terraform /bin/ # add pre-cost tools -COPY --from=builder /bin/terraform /bin/ COPY --from=finops /usr/bin/terragrunt /usr/bin/ COPY --from=finops /usr/bin/infracost /usr/bin/ + +# config pre-cost tools RUN mkdir -pv /root/.config/infracost/ COPY credentials.yml /root/.config/infracost/ RUN infracost configure get api_key -# init terraform provider local mirror +# init terraform provider cache COPY main.tf . 
 RUN mkdir -pv /data/terraform/
 RUN terraform providers mirror /data/terraform/ && rm -f main.tf .terraform.lock.hcl
 COPY .terraformrc /root/
-ENTRYPOINT ["terraform"]
+ENTRYPOINT ["/bin/sh", "-c"]
diff --git a/oci/iac-runner/terraform-aws/Dockerfile.custom b/oci/iac-runner/terraform-aws/Dockerfile.custom
new file mode 100644
index 0000000..dea05fa
--- /dev/null
+++ b/oci/iac-runner/terraform-aws/Dockerfile.custom
@@ -0,0 +1,32 @@
+#FROM infracost/infracost:latest as finops
+FROM artifact.onwalk.net/devops/terraform:latest as builder
+
+# Build IAC Runner
+FROM artifact.onwalk.net/k8s/alpine-awscli-python3:latest as prod
+
+ENV KUBECTL_VERSION=1.19.3
+
+COPY --from=builder /bin/terraform /bin/
+
+# install kubectl in apline
+RUN wget -O /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl && chmod +x /usr/local/bin/kubectl
+
+# make terraform plugin cache
+RUN mkdir -p $HOME/.terraform.d/plugins
+RUN echo $'\
+provider "aws" {} \n\
+provider "tls" {}\n\
+provider "null" {}\n\
+provider "template" {}' >> /tmp/provider-cache.tf
+RUN cd /tmp && terraform init && mv .terraform/providers/* $HOME/.terraform.d/plugins && rm -rf .terraform && rm -rf provider-cache.tf
+# config terraform cli
+# ENV TF_CLI_ARGS_init="-plugin-dir=$HOME/.terraform.d/plugins"
+
+# install python3
+# RUN apk --no-cache add python3 py3-pip
+
+# packages for eks-environment/kubernetes/addon.sh
+RUN pip install --upgrade pip --user && \
+ pip install pyyaml
+
+ENTRYPOINT ["/bin/sh", "-c"]
diff --git a/oci/iac-runner/terraform-aws/main.tf b/oci/iac-runner/terraform-aws/main.tf
index a6c922d..82ce734 100644
--- a/oci/iac-runner/terraform-aws/main.tf
+++ b/oci/iac-runner/terraform-aws/main.tf
@@ -1,6 +1,7 @@
-provider "aws" {
- region = "ap-east-1"
-}
+provider "aws" {}
+provider "tls" {}
+provider "null" {}
+provider "template" {}
 terraform {
 required_providers {
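Review bot: Two of the added lines break the package `RUN` chain: the kubectl line uses a single `&` (`.../bin/linux/amd64/kubectl & chmod +x /usr/bin/kubectl && \`), which backgrounds the download so `chmod` runs on a missing or partial file and a failed fetch never fails the build, and `mkdir -pv /root/.terraform.d/plugin-cache && \` now follows `rm -rf /var/cache/apk/*`, which has no trailing `\`, so Docker parses `mkdir` as a new instruction and rejects the file. While repairing the chain, verify kubectl against the `kubectl.sha256` Kubernetes publishes next to the binary; nothing currently checks that the 1.19.3 binary, or the gauth and gitleaks tarballs pulled from `mirrors.onwalk.net`, is the artifact that was intended. The head of this `RUN` and the rest of the hunk are unchanged; the proposed tail of the instruction is below.

```dockerfile
RUN apk add --update --no-cache ca-certificates openssl openssh-client git bash wget make curl jq unzip zip python3 py3-pip && \
    # … unchanged: pip3 installs, gauth download …
    wget -O /usr/bin/kubectl "https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
    # the published .sha256 holds only the hex digest, so build a line sha256sum -c can check; a single & here backgrounded the fetch
    echo "$(wget -qO- "https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256")  /usr/bin/kubectl" | sha256sum -c - && \
    chmod 755 /usr/bin/kubectl && \
    # … unchanged: gitleaks download …
    apk --no-cache del binutils make && \
    rm -rf /var/cache/apk/* && \
    mkdir -pv /root/.terraform.d/plugin-cache
```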
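Review bot: Nothing in this new file pins what ends up in the runner: both stages use a floating tag (`devops/terraform:latest`, `alpine-awscli-python3:latest`), kubectl is downloaded with no checksum, `terraform init` runs against a provider file with no version constraints, and `pip install pyyaml` is unpinned, so two builds of the same commit can produce different toolchains and a tampered upstream artifact is accepted silently. At minimum pin the two `FROM` lines by tag (ideally with an `@sha256:` digest), give the providers written into `/tmp/provider-cache.tf` version constraints, and check kubectl before the `chmod` with `echo "$(wget -qO- https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -`. The final `ENTRYPOINT ["/bin/sh", "-c"]` also turns the image into a root shell that evaluates whatever command string a caller passes; that may be intended for a CI runner, but it deserves a comment saying so and a `USER` line if root is not actually needed.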
@@ -9,7 +10,6 @@ terraform {
 }
 aws = {
 source = "hashicorp/aws"
- version = "= 4.14.0"
 }
 tls = {
 source = "hashicorp/tls"
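Review bot: Dropping `version = "= 4.14.0"` leaves `hashicorp/aws` unconstrained, and since this file exists to feed `terraform providers mirror` in the runner image, every rebuild now mirrors whatever the newest AWS provider happens to be; a workspace whose `.terraform.lock.hcl` pins a different version will not find it under `/data/terraform`, and a provider release nobody reviewed lands in the image automatically. Keep a constraint, an exact pin or at least `version = "~> 4.14"`, and bump it on purpose. The `tls` entry continues past the end of this hunk, so whether it is constrained cannot be seen here; the same applies to it if not.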