⬆️ Terraform and Azure CLI Version update, use non-root user (#106)

bgauduch · web-flow · commit 42c4e2aab72c · 2020-12-07T14:39:36.000+01:00
* ⬆️ bumped az cli to 2.15.1

* ⬆️ prepare next release with tf 0.14 rc1 and az cli 2.15.1

* 🔧 correct env variables setup in actions

* ⬆️ update default terraform version to 0.14.0 and add non-root user

* ✅ update tests for Terraform version and non-root user

* 🔖 prepare next release

* ✏️ add packages indentation back
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -28,7 +28,8 @@ jobs:
           - "0.11.14"
           - "0.12.29"
           - "0.13.5"
-          - "0.14.0-rc1"
+          - "0.14.0"
+
         azcli_version:
           - "2.13.0"
           - "2.14.2"
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # Setup build arguments with default versions
 ARG AZURE_CLI_VERSION=2.15.1
-ARG TERRAFORM_VERSION=0.13.5
+ARG TERRAFORM_VERSION=0.14.0
 ARG PYTHON_MAJOR_VERSION=3.7
 ARG DEBIAN_VERSION=buster-20201012-slim
 
@@ -52,5 +52,12 @@ COPY --from=terraform-cli /terraform /usr/local/bin/terraform
 COPY --from=azure-cli /usr/local/bin/az* /usr/local/bin/
 COPY --from=azure-cli /usr/local/lib/python${PYTHON_MAJOR_VERSION}/dist-packages /usr/local/lib/python${PYTHON_MAJOR_VERSION}/dist-packages
 COPY --from=azure-cli /usr/lib/python3/dist-packages /usr/lib/python3/dist-packages
+
 WORKDIR /workspace
+RUN groupadd --gid 1001 nonroot \
+  # user needs a home folder to store azure credentials
+  && useradd --gid nonroot --create-home --uid 1001 nonroot \
+  && chown nonroot:nonroot /workspace
+USER nonroot
+
 CMD ["bash"]
diff --git a/README.md b/README.md
@@ -41,6 +41,7 @@ This image gives you the flexibility to be used for development or as a base ima
   * Available versions on the [Debian Packages repository](https://packages.debian.org/search?suite=buster&arch=any&searchon=names&keywords=git)
 * [Python 3](https://www.python.org/)
   * Available versions on the [Debian packages repository](https://packages.debian.org/search?suite=buster&arch=any&searchon=names&keywords=python3)
+* This image use a non root user with a GID and UID of 1001
 
 This image uses a non-root user with a UID and GID of 1001 to conform with docker security best practices.
 
@@ -73,7 +74,7 @@ Optionally, it is possible to choose the tools desired versions using [Docker bu
 ```bash
 # Set tools desired versions
 AZURE_CLI_VERSION=2.15.1
-TERRAFORM_VERSION=0.13.5
+TERRAFORM_VERSION=0.14.0
 
 # launch the build script with parameters
 ./dev-build.sh $AZURE_CLI_VERSION $TERRAFORM_VERSION
diff --git a/tests/container-structure-tests.yml b/tests/container-structure-tests.yml
@@ -21,9 +21,25 @@ commandTests:
   - name: "Check Terraform CLI version"
     command: "terraform"
     args: ["version"]
-    expectedOutput: ["Terraform v0.13.5"]
+    expectedOutput: ["Terraform v0.14.0"]
 
   - name: "Check Azure CLI version"
     command: "az"
     args: ["version"]
     expectedOutput: ['"azure-cli": "2.15.1"']
+
+fileExistenceTests:
+  - name: 'Check nonroot user home'
+    path: '/home/nonroot'
+    shouldExist: true
+    permissions: 'drwxr-xr-x'
+    uid: 1001
+    gid: 1001
+    isExecutableBy: 'group'
+  - name: 'Check nonroot user rights on /workspace folder'
+    path: '/workspace'
+    shouldExist: true
+    permissions: 'drwxr-xr-x'
+    uid: 1001
+    gid: 1001
+    isExecutableBy: 'group'
