
Commit db8fbcd

bgauduchbgauduch
andauthored
Feat/awscli v2 migration (#77)
* upgrade to AWS CLI v2 * upgrade dev script * use explicit binary path for aws install * improved local dev script, use buildx for container build * update binaries check doc, fmt dependencies upgrade doc --------- Co-authored-by: bgauduch <user.personal@users.noreply.github.com>
1 parent be27a3a commit db8fbcd

15 files changed

+117
-35
lines changed

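--- a/Dockerfile
+++ b/Dockerfile
@@ -10,8 +10,8 @@ FROM debian:${DEBIAN_VERSION} as terraform
 ARG TARGETARCH
 ARG TERRAFORM_VERSION
 RUN apt-get update
-RUN apt-get install --no-install-recommends -y libcurl4=7.74.0-1.3+deb11u3
-RUN apt-get install --no-install-recommends -y curl=7.74.0-1.3+deb11u3
+# RUN apt-get install --no-install-recommends -y libcurl4=7.74.0-1.3+deb11u7
+RUN apt-get install --no-install-recommends -y curl=7.74.0-1.3+deb11u7
 RUN apt-get install --no-install-recommends -y ca-certificates=20210119
 RUN apt-get install --no-install-recommends -y unzip=6.0-26+deb11u1
 RUN apt-get install --no-install-recommends -y gnupg=2.2.27-2+deb11u2
@@ -24,15 +24,25 @@ RUN gpg --verify terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig terraform_${TERRA
 RUN sha256sum --check --strict --ignore-missing terraform_${TERRAFORM_VERSION}_SHA256SUMS
 RUN unzip -j terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip
 
-# Install AWS CLI using PIP
+# Install AWS CLI version 2
 FROM debian:${DEBIAN_VERSION} as aws-cli
 ARG AWS_CLI_VERSION
-ARG PYTHON_MAJOR_VERSION
 RUN apt-get update
-RUN apt-get install -y --no-install-recommends python3=${PYTHON_MAJOR_VERSION}.2-3
-RUN apt-get install -y --no-install-recommends python3-pip=20.3.4-4+deb11u1
-RUN pip3 install --no-cache-dir setuptools==67.1.0
-RUN pip3 install --no-cache-dir awscli==${AWS_CLI_VERSION}
+RUN apt-get install -y --no-install-recommends curl=7.74.0-1.3+deb11u7
+RUN apt-get install -y --no-install-recommends ca-certificates=20210119
+RUN apt-get install -y --no-install-recommends unzip=6.0-26+deb11u1
+RUN apt-get install -y --no-install-recommends groff=1.22.4-6
+RUN apt-get install -y --no-install-recommends gnupg=2.2.27-2+deb11u2
+RUN apt-get install -y --no-install-recommends git=1:2.30.2-1+deb11u2
+RUN apt-get install -y --no-install-recommends jq=1.6-2.1
+WORKDIR /workspace
+RUN curl --show-error --fail --output "awscliv2.zip" --remote-name "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip"
+COPY security/awscliv2.asc ./
+COPY security/awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip.sig ./awscliv2.sig
+RUN gpg --import awscliv2.asc
+RUN gpg --verify awscliv2.sig awscliv2.zip
+RUN unzip -u awscliv2.zip
+RUN ./aws/install --install-dir /usr/local/aws-cli --bin-dir /usr/local/bin
 
 # Build final image
 FROM debian:${DEBIAN_VERSION} as build
@@ -41,7 +51,7 @@ ARG PYTHON_MAJOR_VERSION
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
 ca-certificates=20210119\
-git=1:2.30.2-1 \
+git=1:2.30.2-1+deb11u2 \
 jq=1.6-2.1 \
 python3=${PYTHON_MAJOR_VERSION}.2-3 \
 openssh-client=1:8.4p1-5+deb11u1 \
@@ -50,9 +60,8 @@ RUN apt-get update \
 && update-alternatives --install /usr/bin/python python /usr/bin/python${PYTHON_MAJOR_VERSION} 1
 WORKDIR /workspace
 COPY --from=terraform /workspace/terraform /usr/local/bin/terraform
-COPY --from=aws-cli /usr/local/bin/aws* /usr/local/bin/
-COPY --from=aws-cli /usr/local/lib/python${PYTHON_MAJOR_VERSION}/dist-packages /usr/local/lib/python${PYTHON_MAJOR_VERSION}/dist-packages
-COPY --from=aws-cli /usr/lib/python3/dist-packages /usr/lib/python3/dist-packages
+COPY --from=aws-cli /usr/local/bin/ /usr/local/bin/
+COPY --from=aws-cli /usr/local/aws-cli /usr/local/aws-cli
 
 RUN groupadd --gid 1001 nonroot \
 # user needs a home folder to store aws credentials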
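Review bot: The new aws-cli stage hard-codes `x86_64` in both the download URL and the copied signature name (`awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip`), while the terraform stage picks its archive with `${TARGETARCH}` and dev.sh now passes `--platform` to buildx. On a non-amd64 target the signature check would still pass, and the build would presumably either fail at `./aws/install` or ship an x86_64 AWS CLI next to a native terraform binary. Either declare `ARG TARGETARCH` in this stage and map it to the AWS archive name (with a matching `.sig` per architecture under `security/`), or fail early with `RUN [ "${TARGETARCH}" = "amd64" ] || { echo "unsupported TARGETARCH=${TARGETARCH}" >&2; exit 1; }`. Separately, the curl line passes both `--output "awscliv2.zip"` and `--remote-name` for one URL; dropping `--remote-name` makes the saved file name unambiguous.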

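--- a/dev.sh
+++ b/dev.sh
@@ -23,7 +23,7 @@ echo "Lint Successful!"
 
 # Build image
 echo "Building images with AWS_CLI_VERSION=${AWS_VERSION} and TERRAFORM_VERSION=${TF_VERSION}..."
-docker image build --build-arg AWS_CLI_VERSION="$AWS_VERSION" --build-arg TERRAFORM_VERSION="$TF_VERSION" -t $IMAGE_NAME:$IMAGE_TAG .
+docker buildx build --platform "${PLATEFORM}" --build-arg AWS_CLI_VERSION="${AWS_VERSION}" --build-arg TERRAFORM_VERSION="${TF_VERSION}" --tag ${IMAGE_NAME}:${IMAGE_TAG} .
 echo "Image successfully builded!"
 
 # Test image
@@ -32,7 +32,7 @@ export AWS_VERSION=${AWS_VERSION} && export TF_VERSION=${TF_VERSION}
 envsubst '${AWS_VERSION},${TF_VERSION}' < tests/container-structure-tests.yml.template > tests/container-structure-tests.yml
 echo "Test config successfully generated!"
 echo "Executing container structure test..."
-docker container run --rm --interactive --volume "${PWD}"/tests/container-structure-tests.yml:/tests.yml:ro -v /var/run/docker.sock:/var/run/docker.sock:ro gcr.io/gcp-runtimes/container-structure-test:v1.14.0 test --image $IMAGE_NAME:$IMAGE_TAG --config /tests.yml
+docker container run --rm --interactive --volume "${PWD}"/tests/container-structure-tests.yml:/tests.yml:ro --volume /var/run/docker.sock:/var/run/docker.sock:ro gcr.io/gcp-runtimes/container-structure-test:v1.15.0 test --image ${IMAGE_NAME}:${IMAGE_TAG} --config /tests.yml
 
 # cleanup
 unset AWS_VERSION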
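Review bot: The structure-test container on the new line 35 is handed `/var/run/docker.sock`, and `:ro` on a socket bind mount does not restrict Docker API calls, so the `container-structure-test` image gets full control of the local daemon while being pinned only by the mutable tag `v1.15.0`. Pinning by digest, e.g. `gcr.io/gcp-runtimes/container-structure-test:v1.15.0@sha256:<digest-placeholder>`, keeps a re-tagged image from running with that access. On the build line, `--tag ${IMAGE_NAME}:${IMAGE_TAG}` is left unquoted while the other expansions are quoted; `--tag "${IMAGE_NAME}:${IMAGE_TAG}"` would match. `PLATEFORM` is not defined in the visible hunks, so confirm it is set, with the same spelling, earlier in the script.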

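--- a/docs/dependencies-upgrades.md
+++ b/docs/dependencies-upgrades.md
@@ -1,6 +1,6 @@
 # ⬆️ Dependencies upgrades checklist
 
-Supported versions:
+* Supported versions:
 * check available **AWS CLI** version on the [PyPip release page](https://pypi.org/project/awscli/)
 * check available **Terraform CLI** version (keep all minor versions from 0.11) available on the [project release page](https://github.com/hashicorp/terraform/releases)
 * [Report to the doc](https://github.com/zenika-open-source/terraform-aws-cli/tree/master/docs/terraform-binaries-verifications.md) to add required security files when adding a new supported Terraform version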
Lines changed: 18 additions & 4 deletions
@@ -1,13 +1,27 @@
1-
# Terraform binary verifications
1+
# Binary verifications
22

33
## Terraform signature and PGP verification
44

5-
Terraform binaries are verified against both there SHA256SUMS and signatures after donwload.
5+
Both Terraform SHA256SUM and signature files are verified against [Hashicorp public GPG key](https://www.hashicorp.com/security).
6+
7+
Terraform archives are verified against there SHA256SUMS after donwload.
68

79
Theses files need to be added to the [/security](https://github.com/zenika-open-source/terraform-aws-cli/tree/master/security) folder.
810

911
They can be downloaded from the [official Terraform releases](https://releases.hashicorp.com/terraform).
1012

11-
## Hashicorp signature verification
13+
## AWS CLI signature and PGP verification
1214

13-
Both Terraform SHA256SUM and signature files are verified against [Hashicorp public GPG key](https://www.hashicorp.com/security).
15+
Both AWS CLI archives and signatures files are verified against AWS public GPG key.
16+
17+
Theses files need to be added to the [/security](https://github.com/zenika-open-source/terraform-aws-cli/tree/master/security) folder.
18+
19+
They can be downloaded locally using this command:
20+
21+
```shell
22+
# Export target aws cli version
23+
export AWS_CLI_VERSION=2.12.5
24+
25+
# Download signature file
26+
curl -o security/awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip.sig https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip.sig
27+
```
566 Bytes
Binary file not shown.

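--- a/security/awscliv2.asc
+++ b/security/awscliv2.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF2Cr7UBEADJZHcgusOJl7ENSyumXh85z0TRV0xJorM2B/JL0kHOyigQluUG
+ZMLhENaG0bYatdrKP+3H91lvK050pXwnO/R7fB/FSTouki4ciIx5OuLlnJZIxSzx
+PqGl0mkxImLNbGWoi6Lto0LYxqHN2iQtzlwTVmq9733zd3XfcXrZ3+LblHAgEt5G
+TfNxEKJ8soPLyWmwDH6HWCnjZ/aIQRBTIQ05uVeEoYxSh6wOai7ss/KveoSNBbYz
+gbdzoqI2Y8cgH2nbfgp3DSasaLZEdCSsIsK1u05CinE7k2qZ7KgKAUIcT/cR/grk
+C6VwsnDU0OUCideXcQ8WeHutqvgZH1JgKDbznoIzeQHJD238GEu+eKhRHcz8/jeG
+94zkcgJOz3KbZGYMiTh277Fvj9zzvZsbMBCedV1BTg3TqgvdX4bdkhf5cH+7NtWO
+lrFj6UwAsGukBTAOxC0l/dnSmZhJ7Z1KmEWilro/gOrjtOxqRQutlIqG22TaqoPG
+fYVN+en3Zwbt97kcgZDwqbuykNt64oZWc4XKCa3mprEGC3IbJTBFqglXmZ7l9ywG
+EEUJYOlb2XrSuPWml39beWdKM8kzr1OjnlOm6+lpTRCBfo0wa9F8YZRhHPAkwKkX
+XDeOGpWRj4ohOx0d2GWkyV5xyN14p2tQOCdOODmz80yUTgRpPVQUtOEhXQARAQAB
+tCFBV1MgQ0xJIFRlYW0gPGF3cy1jbGlAYW1hem9uLmNvbT6JAlQEEwEIAD4WIQT7
+Xbd/1cEYuAURraimMQrMRnJHXAUCXYKvtQIbAwUJB4TOAAULCQgHAgYVCgkICwIE
+FgIDAQIeAQIXgAAKCRCmMQrMRnJHXJIXEAChLUIkg80uPUkGjE3jejvQSA1aWuAM
+yzy6fdpdlRUz6M6nmsUhOExjVIvibEJpzK5mhuSZ4lb0vJ2ZUPgCv4zs2nBd7BGJ
+MxKiWgBReGvTdqZ0SzyYH4PYCJSE732x/Fw9hfnh1dMTXNcrQXzwOmmFNNegG0Ox
+au+VnpcR5Kz3smiTrIwZbRudo1ijhCYPQ7t5CMp9kjC6bObvy1hSIg2xNbMAN/Do
+ikebAl36uA6Y/Uczjj3GxZW4ZWeFirMidKbtqvUz2y0UFszobjiBSqZZHCreC34B
+hw9bFNpuWC/0SrXgohdsc6vK50pDGdV5kM2qo9tMQ/izsAwTh/d/GzZv8H4lV9eO
+tEis+EpR497PaxKKh9tJf0N6Q1YLRHof5xePZtOIlS3gfvsH5hXA3HJ9yIxb8T0H
+QYmVr3aIUes20i6meI3fuV36VFupwfrTKaL7VXnsrK2fq5cRvyJLNzXucg0WAjPF
+RrAGLzY7nP1xeg1a0aeP+pdsqjqlPJom8OCWc1+6DWbg0jsC74WoesAqgBItODMB
+rsal1y/q+bPzpsnWjzHV8+1/EtZmSc8ZUGSJOPkfC7hObnfkl18h+1QtKTjZme4d
+H17gsBJr+opwJw/Zio2LMjQBOqlm3K1A4zFTh7wBC7He6KPQea1p2XAMgtvATtNe
+YLZATHZKTJyiqA==
+=vYOk
+-----END PGP PUBLIC KEY BLOCK-----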

security/terraform_1.3.7_SHA256SUMS

Lines changed: 0 additions & 14 deletions
This file was deleted.
-566 Bytes
Binary file not shown.

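--- a/security/terraform_1.3.9_SHA256SUMS
+++ b/security/terraform_1.3.9_SHA256SUMS
@@ -0,0 +1,14 @@
+a73326ea8fb06f6976597e005f8047cbd55ac76ed1e517303d8f6395db6c7805 terraform_1.3.9_darwin_amd64.zip
+d8a59a794a7f99b484a07a0ed2aa6520921d146ac5a7f4b1b806dcf5c4af0525 terraform_1.3.9_darwin_arm64.zip
+d786d97b4cf21b251c152bae76df19443408fd4c2cc1a4b2c5d015a6691fdcb1 terraform_1.3.9_freebsd_386.zip
+6b21e450538227528b65f4f511ad52789e182eeec666ca6e8a08223fc6395497 terraform_1.3.9_freebsd_amd64.zip
+5740901b1c86bb8898d63521710a27d54d65a59896295855bd43797ec248ddb8 terraform_1.3.9_freebsd_arm.zip
+d321b0ef810a3f972b031176e329006644c8915b83ecfcf506099952c5fbaccc terraform_1.3.9_linux_386.zip
+53048fa573effdd8f2a59b726234c6f450491fe0ded6931e9f4c6e3df6eece56 terraform_1.3.9_linux_amd64.zip
+da571087268c5faf884912c4239c6b9c8e1ed8e8401ab1dcb45712df70f42f1b terraform_1.3.9_linux_arm64.zip
+58203da8e5468ab5c22d26d242bf64e305c038d99717199f6783a3686130b60e terraform_1.3.9_linux_arm.zip
+93e587c321e4ea8823741d67be985eccfb842afb1c21d32a44c2a9a2322e7c9b terraform_1.3.9_openbsd_386.zip
+d03e4f761dd0b2ff77d68da8f920a71322a9f9dda4a9c9b2534c2f93578d3fca terraform_1.3.9_openbsd_amd64.zip
+0076a092051fad5bef394fa0b727433957d4897fd5ef0d1bd425020d0dc08f78 terraform_1.3.9_solaris_amd64.zip
+620c9d08b3b3d0f43c8035a353d08867abbde3ed5e0cabd368ba85fcc14b850f terraform_1.3.9_windows_386.zip
+d3de5ad925cb01d194d5c944c87afc48cf4a34512b67bac1f277ce043346da69 terraform_1.3.9_windows_amd64.zip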
566 Bytes
Binary file not shown.
