From 4e6a0118ef2d394012ab687e43ed145f2d0f4c7b Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Mon, 11 Mar 2024 23:19:16 +0200 Subject: [PATCH 01/18] fix(docker): Prevent all possible "silent errors" during `docker build` --- .dockerignore | 1 + .pre-commit-config.yaml | 1 + Dockerfile | 163 ++++---------------------------- tools/install/checkov.sh | 30 ++++++ tools/install/hcledit.sh | 18 ++++ tools/install/infracost.sh | 18 ++++ tools/install/pre-commit.sh | 8 ++ tools/install/terraform-docs.sh | 18 ++++ tools/install/terraform.sh | 11 +++ tools/install/terragrunt.sh | 16 ++++ tools/install/terrascan.sh | 29 ++++++ tools/install/tflint.sh | 17 ++++ tools/install/tfsec.sh | 16 ++++ tools/install/tfupdate.sh | 18 ++++ tools/install/trivy.sh | 24 +++++ 15 files changed, 244 insertions(+), 144 deletions(-) create mode 100755 tools/install/checkov.sh create mode 100755 tools/install/hcledit.sh create mode 100755 tools/install/infracost.sh create mode 100755 tools/install/pre-commit.sh create mode 100755 tools/install/terraform-docs.sh create mode 100755 tools/install/terraform.sh create mode 100755 tools/install/terragrunt.sh create mode 100755 tools/install/terrascan.sh create mode 100755 tools/install/tflint.sh create mode 100755 tools/install/tfsec.sh create mode 100755 tools/install/tfupdate.sh create mode 100755 tools/install/trivy.sh diff --git a/.dockerignore b/.dockerignore index a78e675d2..e57569568 100644 --- a/.dockerignore +++ b/.dockerignore @@ -2,3 +2,4 @@ !.dockerignore !Dockerfile !tools/entrypoint.sh +!tools/install/*.sh diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 17fc5a6fc..9108f3ef6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -49,6 +49,7 @@ repos: '--ignore', 'SC2015', # Useless check '--ignore', 'SC3037', # Not related to alpine '--ignore', 'DL3013', # Pin versions in pip + '--ignore', 'DL3059', # Docker `RUN`s shouldn't be consolidated here ] # JSON5 Linter 
diff --git a/Dockerfile b/Dockerfile index 242a45405..6fee087cb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,10 +3,13 @@ FROM python:${TAG} as builder ARG TARGETOS ARG TARGETARCH +COPY tools/install/ /install/ + WORKDIR /bin_dir RUN apk add --no-cache \ # Builder deps + bash=~5 \ curl=~8 && \ # Upgrade packages for be able get latest Checkov python3 -m pip install --no-cache-dir --upgrade \ @@ -16,32 +19,24 @@ RUN apk add --no-cache \ ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest} ARG TERRAFORM_VERSION=${TERRAFORM_VERSION:-latest} -# Install pre-commit -RUN if [ ${PRE_COMMIT_VERSION} = "latest" ]; \ - then pip3 install --no-cache-dir pre-commit; \ - else pip3 install --no-cache-dir pre-commit==${PRE_COMMIT_VERSION}; \ - fi +RUN /install/pre-commit.sh # Install terraform because pre-commit needs it -RUN if [ "${TERRAFORM_VERSION}" = "latest" ]; then \ - TERRAFORM_VERSION="$(curl -s https://api.github.com/repos/hashicorp/terraform/releases/latest | grep tag_name | grep -o -E -m 1 "[0-9.]+")" \ - ; fi && \ - curl -L "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip" > terraform.zip && \ - unzip terraform.zip terraform && rm terraform.zip +RUN /install/terraform.sh # # Install tools # ARG CHECKOV_VERSION=${CHECKOV_VERSION:-false} +ARG HCLEDIT_VERSION=${HCLEDIT_VERSION:-false} ARG INFRACOST_VERSION=${INFRACOST_VERSION:-false} ARG TERRAFORM_DOCS_VERSION=${TERRAFORM_DOCS_VERSION:-false} ARG TERRAGRUNT_VERSION=${TERRAGRUNT_VERSION:-false} ARG TERRASCAN_VERSION=${TERRASCAN_VERSION:-false} ARG TFLINT_VERSION=${TFLINT_VERSION:-false} ARG TFSEC_VERSION=${TFSEC_VERSION:-false} -ARG TRIVY_VERSION=${TRIVY_VERSION:-false} ARG TFUPDATE_VERSION=${TFUPDATE_VERSION:-false} -ARG HCLEDIT_VERSION=${HCLEDIT_VERSION:-false} +ARG TRIVY_VERSION=${TRIVY_VERSION:-false} # Tricky thing to install all tools by set only one arg. 
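Review bot: `COPY tools/install/ /install/` lands above the `RUN apk add … python3 -m pip install --upgrade …` layer, so every edit to any installer script now invalidates the cached base-dependency layer as well; placing the COPY after that RUN, directly before the first `RUN /install/pre-commit.sh`, keeps the apk/pip layer cached across script changes with no other effect. The new `bash=~5` line deserves a why-comment such as `# bash: interpreter for /install/*.sh` next to it, since the generic `# Builder deps` label does not explain why bash appears in a python image. Nothing removes `/install/` later, which is fine as long as this stays the `builder` stage and the final stage only copies artifacts out of it — presumably the case, but the final stage is outside this hunk.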
@@ -63,137 +58,17 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \ touch /.env \ ; fi +RUN /install/checkov.sh +RUN /install/hcledit.sh +RUN /install/infracost.sh +RUN /install/terraform-docs.sh +RUN /install/terragrunt.sh +RUN /install/terrascan.sh +RUN /install/tflint.sh +RUN /install/tfsec.sh +RUN /install/tfupdate.sh +RUN /install/trivy.sh -# Checkov -RUN . /.env && \ - if [ "$CHECKOV_VERSION" != "false" ]; then \ - ( \ - # cargo, gcc, git, musl-dev, rust and CARGO envvar required for compilation of rustworkx@0.13.2, no longer required once checkov version depends on rustworkx >0.14.0 - # https://github.com/bridgecrewio/checkov/pull/6045 - # gcc libffi-dev musl-dev required for compilation of cffi, until it contains musl aarch64 - export CARGO_NET_GIT_FETCH_WITH_CLI=true && \ - apk add --no-cache cargo=~1 gcc=~12 git=~2 libffi-dev=~3 libgcc=~12 musl-dev=~1 rust=~1 ; \ - if [ "$CHECKOV_VERSION" = "latest" ]; \ - then pip3 install --no-cache-dir checkov || exit 1; \ - else pip3 install --no-cache-dir checkov==${CHECKOV_VERSION} || exit 1; \ - fi; \ - apk del cargo gcc git libffi-dev musl-dev rust \ - ) \ - ; fi - -# infracost -RUN . /.env && \ - if [ "$INFRACOST_VERSION" != "false" ]; then \ - ( \ - INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" && \ - if [ "$INFRACOST_VERSION" = "latest" ]; \ - then curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz; \ - else curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz; \ - fi; \ - ) && tar -xzf infracost.tgz && rm infracost.tgz && mv infracost-${TARGETOS}-${TARGETARCH} infracost \ - ; fi - -# Terraform docs -RUN . 
/.env && \ - if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then \ - ( \ - TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \ - if [ "$TERRAFORM_DOCS_VERSION" = "latest" ]; \ - then curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz; \ - else curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz; \ - fi; \ - ) && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs \ - ; fi - -# Terragrunt -RUN . /.env \ - && if [ "$TERRAGRUNT_VERSION" != "false" ]; then \ - ( \ - TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \ - if [ "$TERRAGRUNT_VERSION" = "latest" ]; \ - then curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt; \ - else curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt; \ - fi; \ - ) && chmod +x terragrunt \ - ; fi - - -# Terrascan -RUN . 
/.env && \ - if [ "$TERRASCAN_VERSION" != "false" ]; then \ - if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="x86_64"; fi; \ - # Convert the first letter to Uppercase - OS="$(echo ${TARGETOS} | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n; echo ${TARGETOS} | cut -c2-)"; \ - ( \ - TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" && \ - if [ "$TERRASCAN_VERSION" = "latest" ]; \ - then curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz; \ - else curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz; \ - fi; \ - ) && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && \ - ./terrascan init \ - ; fi - -# TFLint -RUN . /.env && \ - if [ "$TFLINT_VERSION" != "false" ]; then \ - ( \ - TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \ - if [ "$TFLINT_VERSION" = "latest" ]; \ - then curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip; \ - else curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip; \ - fi; \ - ) && unzip tflint.zip && rm tflint.zip \ - ; fi - -# TFSec -RUN . /.env && \ - if [ "$TFSEC_VERSION" != "false" ]; then \ - ( \ - TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \ - if [ "$TFSEC_VERSION" = "latest" ]; then \ - curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec; \ - else curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec; \ - fi; \ - ) && chmod +x tfsec \ - ; fi - -# Trivy -RUN . 
/.env && \ - if [ "$TRIVY_VERSION" != "false" ]; then \ - if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="64bit"; fi; \ - ( \ - TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" && \ - if [ "$TRIVY_VERSION" = "latest" ]; \ - then curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz; \ - else curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz; \ - fi; \ - ) && tar -xzf trivy.tar.gz trivy && rm trivy.tar.gz \ - ; fi - -# TFUpdate -RUN . /.env && \ - if [ "$TFUPDATE_VERSION" != "false" ]; then \ - ( \ - TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" && \ - if [ "$TFUPDATE_VERSION" = "latest" ]; \ - then curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz; \ - else curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz; \ - fi; \ - ) && tar -xzf tfupdate.tgz tfupdate && rm tfupdate.tgz \ - ; fi - -# hcledit -RUN . /.env && \ - if [ "$HCLEDIT_VERSION" != "false" ]; then \ - ( \ - HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" && \ - if [ "$HCLEDIT_VERSION" = "latest" ]; \ - then curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz; \ - else curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz; \ - fi; \ - ) && tar -xzf hcledit.tgz hcledit && rm hcledit.tgz \ - ; fi # Checking binaries versions and write it to debug file RUN . /.env && \ 
@@ -201,15 +76,15 @@ RUN . /.env && \ pre-commit --version >> $F && \ ./terraform --version | head -n 1 >> $F && \ (if [ "$CHECKOV_VERSION" != "false" ]; then echo "checkov $(checkov --version)" >> $F; else echo "checkov SKIPPED" >> $F ; fi) && \ + (if [ "$HCLEDIT_VERSION" != "false" ]; then echo "hcledit $(./hcledit version)" >> $F; else echo "hcledit SKIPPED" >> $F ; fi) && \ (if [ "$INFRACOST_VERSION" != "false" ]; then echo "$(./infracost --version)" >> $F; else echo "infracost SKIPPED" >> $F ; fi) && \ (if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then ./terraform-docs --version >> $F; else echo "terraform-docs SKIPPED" >> $F ; fi) && \ (if [ "$TERRAGRUNT_VERSION" != "false" ]; then ./terragrunt --version >> $F; else echo "terragrunt SKIPPED" >> $F ; fi) && \ (if [ "$TERRASCAN_VERSION" != "false" ]; then echo "terrascan $(./terrascan version)" >> $F; else echo "terrascan SKIPPED" >> $F ; fi) && \ (if [ "$TFLINT_VERSION" != "false" ]; then ./tflint --version >> $F; else echo "tflint SKIPPED" >> $F ; fi) && \ (if [ "$TFSEC_VERSION" != "false" ]; then echo "tfsec $(./tfsec --version)" >> $F; else echo "tfsec SKIPPED" >> $F ; fi) && \ - (if [ "$TRIVY_VERSION" != "false" ]; then echo "trivy $(./trivy --version)" >> $F; else echo "trivy SKIPPED" >> $F ; fi) && \ (if [ "$TFUPDATE_VERSION" != "false" ]; then echo "tfupdate $(./tfupdate --version)" >> $F; else echo "tfupdate SKIPPED" >> $F ; fi) && \ - (if [ "$HCLEDIT_VERSION" != "false" ]; then echo "hcledit $(./hcledit version)" >> $F; else echo "hcledit SKIPPED" >> $F ; fi) && \ + (if [ "$TRIVY_VERSION" != "false" ]; then echo "trivy $(./trivy --version)" >> $F; else echo "trivy SKIPPED" >> $F ; fi) && \ echo -e "\n\n" && cat $F && echo -e "\n\n" diff --git a/tools/install/checkov.sh b/tools/install/checkov.sh new file mode 100755 index 000000000..07095f988 --- /dev/null +++ b/tools/install/checkov.sh 
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC1091 # Created by Dockerfile above script call
+source /.env
+
+if [[ $CHECKOV_VERSION != false ]]; then
+ apk add --no-cache \
+ gcc=~12 \
+ libffi-dev=~3 \
+ musl-dev=~1
+
+ # cargo, gcc, git, musl-dev, rust and CARGO envvar required for compilation of rustworkx@0.13.2, no longer required once checkov version depends on rustworkx >0.14.0
+ # https://github.com/bridgecrewio/checkov/pull/6045
+ # gcc libffi-dev musl-dev required for compilation of cffi, until it contains musl aarch64
+ export CARGO_NET_GIT_FETCH_WITH_CLI=true
+ apk add --no-cache \
+ cargo=~1 \
+ git=~2 \
+ libgcc=~12 \
+ rust=~1
+
+ if [[ $CHECKOV_VERSION == latest ]]; then
+ pip3 install --no-cache-dir checkov
+ else
+ pip3 install --no-cache-dir "checkov==${CHECKOV_VERSION}"
+ fi
+
+ apk del gcc libffi-dev musl-dev
+ apk del cargo git rust
+fi
diff --git a/tools/install/hcledit.sh b/tools/install/hcledit.sh
new file mode 100755
index 000000000..251eafc99
--- /dev/null
+++ b/tools/install/hcledit.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC1091 # Created by Dockerfile above script call
+source /.env
+
+# hcledit
+if [[ $HCLEDIT_VERSION != false ]]; then
+ HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases"
+
+ if [[ $HCLEDIT_VERSION == latest ]]; then
+ curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz
+ else
+ curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz
+ fi
+
+ tar -xzf hcledit.tgz hcledit
+ rm hcledit.tgz
+fi
diff --git a/tools/install/infracost.sh b/tools/install/infracost.sh
new file mode 100755
index 000000000..8fc7b7f28
--- /dev/null
+++ b/tools/install/infracost.sh
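Review bot: The comment `# gcc libffi-dev musl-dev required for compilation of cffi, until it contains musl aarch64` explains the first `apk add` in checkov.sh but is placed under the second one, after those packages are already installed; moving it above the first `apk add` keeps cause next to effect. The two `apk add` calls and the two `apk del` calls could each be a single invocation, since both package groups are build-only and removed in the same script. `libgcc=~12` is added but never deleted — if that is deliberate (a runtime dependency of the compiled wheels), a one-line comment saying so would stop the next reader from "fixing" it; if not, it belongs in the `apk del` list.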
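Review bot: `curl -L "$(…)" > hcledit.tgz` runs without `--fail`, so an HTTP error on the download (a transient 5xx from the release host, or in terraform.sh a 404 for a version/arch that has no archive, since that URL is built by hand rather than read from the API) is exit code 0 for curl and its body is written to the target file; `set -e` never fires. Here `tar` will at least reject the bogus file, but in terragrunt.sh and tfsec.sh the same pattern is followed only by `chmod +x`, so an error page becomes the "installed" binary and the problem surfaces, if at all, at the version-print step later in the Dockerfile. Given the commit's stated goal, `curl -fsSL` for the download and `curl -fsS` for the API query (`-S` keeps the error message visible under `-s`, so a failed lookup no longer degrades into an unexplained `curl: (3)` on an empty URL) in all of hcledit.sh, infracost.sh, terraform-docs.sh, terraform.sh, terragrunt.sh, terrascan.sh, tflint.sh, tfsec.sh, tfupdate.sh and trivy.sh closes that gap.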
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC1091 # Created by Dockerfile above script call
+source /.env
+
+if [[ $INFRACOST_VERSION != false ]]; then
+ INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases"
+
+ if [[ $INFRACOST_VERSION == latest ]]; then
+ curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz
+ else
+ curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz
+ fi
+
+ tar -xzf infracost.tgz
+ rm infracost.tgz
+ mv "infracost-${TARGETOS}-${TARGETARCH}" infracost
+fi
diff --git a/tools/install/pre-commit.sh b/tools/install/pre-commit.sh
new file mode 100755
index 000000000..4c27dcac2
--- /dev/null
+++ b/tools/install/pre-commit.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+if [[ $PRE_COMMIT_VERSION == latest ]]; then
+ pip3 install --no-cache-dir pre-commit
+else
+ pip3 install --no-cache-dir "pre-commit==${PRE_COMMIT_VERSION}"
+fi
diff --git a/tools/install/terraform-docs.sh b/tools/install/terraform-docs.sh
new file mode 100755
index 000000000..f6088d6c0
--- /dev/null
+++ b/tools/install/terraform-docs.sh
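Review bot: `set -eo pipefail` in pre-commit.sh (and identically in every other new installer) leaves `-u` off, so a variable the script expects from the Dockerfile — `PRE_COMMIT_VERSION` here, `TARGETOS`/`TARGETARCH` in terraform.sh and the rest — silently expands to an empty string if it is ever not exported, and the failure shows up as a confusing `pre-commit==` pip error or a URL with a missing segment rather than an "unbound variable" message naming the culprit. As far as the hunks show, everything the scripts read is either an `ARG` with a default or set by BuildKit, so `set -euo pipefail` should be safe to adopt across all of them; I can't see what `/.env` contains, so a quick check that sourcing it under `-u` is fine would be worthwhile.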
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC1091 # Created by Dockerfile above script call
+source /.env
+
+if [[ $TERRAFORM_DOCS_VERSION != false ]]; then
+ TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases"
+
+ if [[ $TERRAFORM_DOCS_VERSION == latest ]]; then
+ curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz
+ else
+ curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz
+ fi
+
+ tar -xzf terraform-docs.tgz terraform-docs
+ rm terraform-docs.tgz
+ chmod +x terraform-docs
+fi
diff --git a/tools/install/terraform.sh b/tools/install/terraform.sh
new file mode 100755
index 000000000..33bb630ba
--- /dev/null
+++ b/tools/install/terraform.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# Install terraform because pre-commit needs it
+if [[ $TERRAFORM_VERSION == latest ]]; then
+ TERRAFORM_VERSION="$(curl -s https://api.github.com/repos/hashicorp/terraform/releases/latest | grep tag_name | grep -o -E -m 1 "[0-9.]+")"
+fi
+
+curl -L "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip" > terraform.zip
+unzip terraform.zip terraform
+rm terraform.zip
diff --git a/tools/install/terragrunt.sh b/tools/install/terragrunt.sh
new file mode 100755
index 000000000..ed6870cac
--- /dev/null
+++ b/tools/install/terragrunt.sh
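Review bot: terraform.sh downloads `terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip` and unzips it with no integrity check, although HashiCorp publishes a `terraform_${TERRAFORM_VERSION}_SHA256SUMS` file next to every release zip; verifying against it costs two lines and turns a truncated or substituted archive into a build failure instead of a broken or tampered binary in the image. The sketch below saves the zip under its release name so `sha256sum -c` can match the entry, and relies on `grep` plus the existing `pipefail` so a platform missing from the list fails loudly too; `sha256sum` is part of busybox, so the alpine builder needs nothing extra. The SHA256SUMS file is also signed, but checking the signature would need gpg in the builder, so that is better left as a follow-up; the GitHub-hosted tools whose releases ship checksum files could get the same treatment, but their naming differs per project.
```shell
# … unchanged: shebang, set -eo pipefail, resolution of "latest" …
readonly BASE_URL="https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}"
readonly ZIP="terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip"

curl -fsSL "${BASE_URL}/${ZIP}" > "${ZIP}"
# pipefail: no matching line in SHA256SUMS (unknown platform) fails here rather than being skipped
curl -fsSL "${BASE_URL}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" | grep " ${ZIP}$" | sha256sum -c -
unzip "${ZIP}" terraform
rm "${ZIP}"
```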
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC1091 # Created by Dockerfile above script call
+source /.env
+
+if [[ $TERRAGRUNT_VERSION != false ]]; then
+ TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases"
+
+ if [[ $TERRAGRUNT_VERSION == latest ]]; then
+ curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt
+ else
+ curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt
+ fi
+
+ chmod +x terragrunt
+fi
diff --git a/tools/install/terrascan.sh b/tools/install/terrascan.sh
new file mode 100755
index 000000000..bea749824
--- /dev/null
+++ b/tools/install/terrascan.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC1091 # Created by Dockerfile above script call
+source /.env
+
+if [[ $TERRASCAN_VERSION != false ]]; then
+ if [[ $TARGETARCH != amd64 ]]; then
+ ARCH="$TARGETARCH"
+ else
+ ARCH="x86_64"
+ fi
+ # Convert the first letter to Uppercase
+ OS="$(
+ echo "${TARGETOS}" | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n
+ echo "${TARGETOS}" | cut -c2-
+ )"
+
+ TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases"
+
+ if [[ $TERRASCAN_VERSION == latest ]]; then
+ curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz
+ else
+ curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz
+ fi
+
+ tar -xzf terrascan.tar.gz terrascan
+ rm terrascan.tar.gz
+ ./terrascan init
+fi
diff --git a/tools/install/tflint.sh b/tools/install/tflint.sh
new file mode 100755
index 000000000..16813dd77
--- /dev/null
+++ b/tools/install/tflint.sh
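Review bot: The four-command pipeline under `# Convert the first letter to Uppercase` in terrascan.sh (`cut | tr | xargs echo -n` plus a second `echo | cut`) can be the single bash expansion `OS="${TARGETOS^}"`; the script is already bash (`#!/usr/bin/env bash`, `[[ … ]]`) and the `^` modifier upper-cases the first character, so the comment stays accurate and five processes disappear. The `ARCH` mapping block is duplicated almost verbatim in trivy.sh with a different spelling for amd64 (`x86_64` here, `64bit` there); a one-line comment on each saying it follows that project's asset naming would save the next reader from trying to unify them.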
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC1091 # Created by Dockerfile above script call
+source /.env
+
+if [[ $TFLINT_VERSION != false ]]; then
+ TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases"
+
+ if [[ $TFLINT_VERSION == latest ]]; then
+ curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip
+ else
+ curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip
+ fi
+
+ unzip tflint.zip
+ rm tflint.zip
+fi
diff --git a/tools/install/tfsec.sh b/tools/install/tfsec.sh
new file mode 100755
index 000000000..47c22e4b6
--- /dev/null
+++ b/tools/install/tfsec.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC1091 # Created by Dockerfile above script call
+source /.env
+
+if [[ $TFSEC_VERSION != false ]]; then
+ TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases"
+
+ if [[ $TFSEC_VERSION == latest ]]; then
+ curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec
+ else
+ curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec
+ fi
+
+ chmod +x tfsec
+fi
diff --git a/tools/install/tfupdate.sh b/tools/install/tfupdate.sh
new file mode 100755
index 000000000..242f22c2e
--- /dev/null
+++ b/tools/install/tfupdate.sh
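Review bot: `unzip tflint.zip` in tflint.sh extracts every member of the archive into the builder's working directory, whereas terraform.sh names the member (`unzip terraform.zip terraform`) and the tar-based scripts do the same (`tar -xzf … tflint`-style); any extra file the release zip may carry would land beside the tool binaries and, depending on what the final stage copies out of `/bin_dir` (not visible here), could end up in the image. `unzip tflint.zip tflint` keeps the installers consistent and, under `set -e`, fails loudly if the member name ever changes instead of silently leaving the old name missing.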
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC1091 # Created by Dockerfile above script call
+source /.env
+
+# TFUpdate
+if [[ $TFUPDATE_VERSION != false ]]; then
+ TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases"
+
+ if [[ $TFUPDATE_VERSION == latest ]]; then
+ curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz
+ else
+ curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz
+ fi
+
+ tar -xzf tfupdate.tgz tfupdate
+ rm tfupdate.tgz
+fi
diff --git a/tools/install/trivy.sh b/tools/install/trivy.sh
new file mode 100755
index 000000000..8d2b6bf87
--- /dev/null
+++ b/tools/install/trivy.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -eo pipefail
+# shellcheck disable=SC1091 # Created by Dockerfile above script call
+source /.env
+
+if [[ $TRIVY_VERSION != false ]]; then
+
+ if [[ $TARGETARCH != amd64 ]]; then
+ ARCH="$TARGETARCH"
+ else
+ ARCH="64bit"
+ fi
+
+ TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases"
+
+ if [[ $TRIVY_VERSION == latest ]]; then
+ curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz
+ else
+ curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz
+ fi
+
+ tar -xzf trivy.tar.gz trivy
+ rm trivy.tar.gz
+fi
From 5de5a974bce16c0fa4c04794f4337af13577206d Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Mon, 11 Mar 2024 23:21:46 +0200 Subject: [PATCH 02/18] ci: Fix platform
---
 .github/workflows/build-image-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml
index 9dfbda3c6..0784676b8 100644
--- a/.github/workflows/build-image-test.yaml
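Review bot: In tfupdate.sh's pinned-version branch the pattern `"https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz"` has nothing anchoring the version on its left, and the dots inside `${TFUPDATE_VERSION}` are regex metacharacters, so with `-m 1` the first asset URL whose name merely ends in something like `…1.2.3_linux_amd64.tar.gz` wins — which can be a `v11.2.3` asset if that release is listed before `v1.2.3`. tflint.sh and infracost.sh anchor on the tag directory (`/v${VERSION}/`); if tfupdate's assets are served under the tag the same way (likely for GitHub release assets, but I can't see the listing), `"https://.+?/v${TFUPDATE_VERSION}/tfupdate_${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz"` pins it exactly. hcledit.sh and terrascan.sh carry the same unanchored form and would benefit from the same change.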
+++ b/.github/workflows/build-image-test.yaml @@ -38,7 +38,7 @@ jobs: context: . build-args: | INSTALL_ALL=true - platforms: linux/amd64 # Only one allowed here, see https://github.com/docker/buildx/issues/59#issuecomment-1433097926 + platforms: linux/${{ matrix.arch }} # Only one allowed here, see https://github.com/docker/buildx/issues/59#issuecomment-1433097926 push: false load: true tags: | From 82cb16263e719f15cde68a4dfba087fc486bec84 Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Tue, 12 Mar 2024 00:25:00 +0200 Subject: [PATCH 03/18] Add QEMU wich hope that it will change anything https://blog.thesparktree.com/docker-multi-arch-github-actions#qemu-support --- .github/workflows/build-image-test.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml index 0784676b8..05fbc37b0 100644 --- a/.github/workflows/build-image-test.yaml +++ b/.github/workflows/build-image-test.yaml @@ -27,6 +27,13 @@ jobs: .dockerignore tools/entrypoint.sh .github/workflows/build-image-test.yaml + tools/*.sh + + - name: Set up QEMU + if: matrix.os != 'ubuntu-latest' || matrix.arch != 'amd64' + uses: docker/setup-qemu-action@v2 + with: + platforms: 'arm64' - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 From 35f89ba78e308d9d420c3f8d675f160012af4c42 Mon Sep 17 00:00:00 2001 From: Maksym Vlasov Date: Thu, 14 Mar 2024 20:18:59 +0200 Subject: [PATCH 04/18] Apply suggestions from code review Co-authored-by: George L. Yermulnik --- tools/install/checkov.sh | 3 ++- tools/install/hcledit.sh | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/install/checkov.sh b/tools/install/checkov.sh index 07095f988..d8d65abbb 100755 --- a/tools/install/checkov.sh +++ b/tools/install/checkov.sh 
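Review bot: `uses: docker/setup-qemu-action@v2` is pinned to a mutable tag while the adjacent `docker/setup-buildx-action@f95db51f… # v3.0.0` in the same file is pinned to a commit SHA; a moving tag lets whoever controls that repository, or a re-pointed tag, change the code this workflow executes, so it should be pinned to a full-length SHA with the version in a trailing comment, matching the file's existing convention. `platforms: 'arm64'` is hard-coded while the build step (previous patch) now uses `linux/${{ matrix.arch }}`; `platforms: ${{ matrix.arch }}` would keep the two in step if another architecture is added. The new `tools/*.sh` entry in the path list sits next to `tools/entrypoint.sh` but the scripts this series introduces live in `tools/install/`; if that list feeds a path filter with standard glob semantics, `*` does not cross `/` and the installers would not trigger the build — `tools/**/*.sh` would, though I can't see the consuming step here.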
@@ -9,7 +9,8 @@ if [[ $CHECKOV_VERSION != false ]]; then libffi-dev=~3 \ musl-dev=~1 - # cargo, gcc, git, musl-dev, rust and CARGO envvar required for compilation of rustworkx@0.13.2, no longer required once checkov version depends on rustworkx >0.14.0 + # cargo, gcc, git, musl-dev, rust and CARGO envvar required for compilation of rustworkx@0.13.2 + # no longer required once checkov version depends on rustworkx >0.14.0 # https://github.com/bridgecrewio/checkov/pull/6045 # gcc libffi-dev musl-dev required for compilation of cffi, until it contains musl aarch64 export CARGO_NET_GIT_FETCH_WITH_CLI=true diff --git a/tools/install/hcledit.sh b/tools/install/hcledit.sh index 251eafc99..fd413efde 100755 --- a/tools/install/hcledit.sh +++ b/tools/install/hcledit.sh @@ -3,7 +3,6 @@ set -eo pipefail # shellcheck disable=SC1091 # Created by Dockerfile above script call source /.env -# hcledit if [[ $HCLEDIT_VERSION != false ]]; then HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" From 07490511c1f04e943ff7c73dece9561acf415ea1 Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Thu, 14 Mar 2024 20:22:21 +0200 Subject: [PATCH 05/18] Apply revie suggestions --- .pre-commit-config.yaml | 6 +++--- tools/install/checkov.sh | 2 +- tools/install/hcledit.sh | 8 ++++---- tools/install/infracost.sh | 8 ++++---- tools/install/terraform-docs.sh | 8 ++++---- tools/install/terragrunt.sh | 8 ++++---- tools/install/terrascan.sh | 12 ++++++------ tools/install/tflint.sh | 8 ++++---- tools/install/tfsec.sh | 8 ++++---- tools/install/tfupdate.sh | 8 ++++---- tools/install/trivy.sh | 12 ++++++------ 11 files changed, 44 insertions(+), 44 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9108f3ef6..dee8870ae 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -42,14 +42,14 @@ repos: hooks: - id: hadolint args: [ - '--ignore', 'DL3027', # Do not use apt '--ignore', 'DL3007', # Using latest + '--ignore', 'DL3013', # Pin versions in pip + '--ignore', 'DL3027', # Do not use apt + '--ignore', 'DL3059', # Docker `RUN`s shouldn't be consolidated here '--ignore', 'DL4006', # Not related to alpine '--ignore', 'SC1091', # Useless check '--ignore', 'SC2015', # Useless check '--ignore', 'SC3037', # Not related to alpine - '--ignore', 'DL3013', # Pin versions in pip - '--ignore', 'DL3059', # Docker `RUN`s shouldn't be consolidated here ] # JSON5 Linter diff --git a/tools/install/checkov.sh b/tools/install/checkov.sh index d8d65abbb..61678375b 100755 --- a/tools/install/checkov.sh +++ b/tools/install/checkov.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash set -eo pipefail -# shellcheck disable=SC1091 # Created by Dockerfile above script call +# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script source /.env if [[ $CHECKOV_VERSION != false ]]; then diff --git a/tools/install/hcledit.sh b/tools/install/hcledit.sh index fd413efde..a2ba10e63 100755 --- a/tools/install/hcledit.sh +++ b/tools/install/hcledit.sh 
@@ -1,15 +1,15 @@ #!/usr/bin/env bash set -eo pipefail -# shellcheck disable=SC1091 # Created by Dockerfile above script call +# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script source /.env if [[ $HCLEDIT_VERSION != false ]]; then - HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" + readonly RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" if [[ $HCLEDIT_VERSION == latest ]]; then - curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz + curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz else - curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz + curl -L "$(curl -s ${RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz fi tar -xzf hcledit.tgz hcledit diff --git a/tools/install/infracost.sh b/tools/install/infracost.sh index 8fc7b7f28..71f556404 100755 --- a/tools/install/infracost.sh +++ b/tools/install/infracost.sh 
@@ -1,15 +1,15 @@ #!/usr/bin/env bash set -eo pipefail -# shellcheck disable=SC1091 # Created by Dockerfile above script call +# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script source /.env if [[ $INFRACOST_VERSION != false ]]; then - INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" + readonly RELEASES="https://api.github.com/repos/infracost/infracost/releases" if [[ $INFRACOST_VERSION == latest ]]; then - curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz + curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz else - curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz + curl -L "$(curl -s ${RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz fi tar -xzf infracost.tgz diff --git a/tools/install/terraform-docs.sh b/tools/install/terraform-docs.sh index f6088d6c0..4deb90752 100755 --- a/tools/install/terraform-docs.sh +++ b/tools/install/terraform-docs.sh 
@@ -1,15 +1,15 @@ #!/usr/bin/env bash set -eo pipefail -# shellcheck disable=SC1091 # Created by Dockerfile above script call +# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script source /.env if [[ $TERRAFORM_DOCS_VERSION != false ]]; then - TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" + readonly RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" if [[ $TERRAFORM_DOCS_VERSION == latest ]]; then - curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz + curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz else - curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz + curl -L "$(curl -s ${RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz fi tar -xzf terraform-docs.tgz terraform-docs diff --git a/tools/install/terragrunt.sh b/tools/install/terragrunt.sh index ed6870cac..0874ff597 100755 --- a/tools/install/terragrunt.sh +++ b/tools/install/terragrunt.sh 
@@ -1,15 +1,15 @@ #!/usr/bin/env bash set -eo pipefail -# shellcheck disable=SC1091 # Created by Dockerfile above script call +# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script source /.env if [[ $TERRAGRUNT_VERSION != false ]]; then - TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" + readonly RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" if [[ $TERRAGRUNT_VERSION == latest ]]; then - curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt + curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt else - curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt + curl -L "$(curl -s ${RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt fi chmod +x terragrunt diff --git a/tools/install/terrascan.sh b/tools/install/terrascan.sh index bea749824..caafdd284 100755 --- a/tools/install/terrascan.sh +++ b/tools/install/terrascan.sh @@ -1,13 +1,13 @@ #!/usr/bin/env bash set -eo pipefail -# shellcheck disable=SC1091 # Created by Dockerfile above script call +# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script source /.env if [[ $TERRASCAN_VERSION != false ]]; then if [[ $TARGETARCH != amd64 ]]; then - ARCH="$TARGETARCH" + readonly ARCH="$TARGETARCH" else - ARCH="x86_64" + readonly ARCH="x86_64" fi # Convert the first letter to Uppercase OS="$( 
@@ -15,12 +15,12 @@ if [[ $TERRASCAN_VERSION != false ]]; then echo "${TARGETOS}" | cut -c2- )" - TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" + readonly RELEASES="https://api.github.com/repos/tenable/terrascan/releases" if [[ $TERRASCAN_VERSION == latest ]]; then - curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz + curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz else - curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz + curl -L "$(curl -s ${RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz fi tar -xzf terrascan.tar.gz terrascan diff --git a/tools/install/tflint.sh b/tools/install/tflint.sh index 16813dd77..770d0e59a 100755 --- a/tools/install/tflint.sh +++ b/tools/install/tflint.sh @@ -1,15 +1,15 @@ #!/usr/bin/env bash set -eo pipefail -# shellcheck disable=SC1091 # Created by Dockerfile above script call +# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script source /.env if [[ $TFLINT_VERSION != false ]]; then - TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" + readonly RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" if [[ $TFLINT_VERSION == latest ]]; then - curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip + curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip else - curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip + curl -L "$(curl -s ${RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip fi unzip tflint.zip 
diff --git a/tools/install/tfsec.sh b/tools/install/tfsec.sh index 47c22e4b6..f5d0da1d9 100755 --- a/tools/install/tfsec.sh +++ b/tools/install/tfsec.sh @@ -1,15 +1,15 @@ #!/usr/bin/env bash set -eo pipefail -# shellcheck disable=SC1091 # Created by Dockerfile above script call +# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script source /.env if [[ $TFSEC_VERSION != false ]]; then - TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" + readonly RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" if [[ $TFSEC_VERSION == latest ]]; then - curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec + curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec else - curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec + curl -L "$(curl -s ${RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec fi chmod +x tfsec diff --git a/tools/install/tfupdate.sh b/tools/install/tfupdate.sh index 242f22c2e..c50c73c76 100755 --- a/tools/install/tfupdate.sh +++ b/tools/install/tfupdate.sh 
@@ -1,16 +1,16 @@ #!/usr/bin/env bash set -eo pipefail -# shellcheck disable=SC1091 # Created by Dockerfile above script call +# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script source /.env # TFUpdate if [[ $TFUPDATE_VERSION != false ]]; then - TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" + readonly RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" if [[ $TFUPDATE_VERSION == latest ]]; then - curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz + curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz else - curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz + curl -L "$(curl -s ${RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz fi tar -xzf tfupdate.tgz tfupdate diff --git a/tools/install/trivy.sh b/tools/install/trivy.sh index 8d2b6bf87..5ea9ed9e4 100755 --- a/tools/install/trivy.sh +++ b/tools/install/trivy.sh 
@@ -1,22 +1,22 @@ #!/usr/bin/env bash set -eo pipefail -# shellcheck disable=SC1091 # Created by Dockerfile above script call +# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script source /.env if [[ $TRIVY_VERSION != false ]]; then if [[ $TARGETARCH != amd64 ]]; then - ARCH="$TARGETARCH" + readonly ARCH="$TARGETARCH" else - ARCH="64bit" + readonly ARCH="64bit" fi - TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" + readonly RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" if [[ $TRIVY_VERSION == latest ]]; then - curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz + curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz else - curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz + curl -L "$(curl -s ${RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz fi tar -xzf trivy.tar.gz trivy From 6ebe87960b15e6dacb4e2db42082b6a3bf3ad344 Mon Sep 17 00:00:00 2001 
From: MaxymVlasov Date: Thu, 14 Mar 2024 22:16:58 +0200 Subject: [PATCH 06/18] Templating and move out most common part --- Dockerfile | 31 ++++++++++--------- tools/install/_common.sh | 22 ++++++++++++++ tools/install/checkov.sh | 53 +++++++++++++++++---------------- tools/install/hcledit.sh | 27 +++++++++-------- tools/install/infracost.sh | 29 ++++++++++-------- tools/install/pre-commit.sh | 16 +++++++--- tools/install/terraform-docs.sh | 29 ++++++++++-------- tools/install/terraform.sh | 20 ++++++++----- tools/install/terragrunt.sh | 25 +++++++++------- tools/install/terrascan.sh | 49 ++++++++++++++++-------------- tools/install/tflint.sh | 27 +++++++++-------- tools/install/tfsec.sh | 25 +++++++++------- tools/install/tfupdate.sh | 28 +++++++++-------- tools/install/trivy.sh | 38 ++++++++++++----------- 14 files changed, 243 insertions(+), 176 deletions(-) create mode 100755 tools/install/_common.sh diff --git a/Dockerfile b/Dockerfile index 6fee087cb..c66609993 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,12 +16,17 @@ RUN apk add --no-cache \ pip \ setuptools +# +# Install required tools +# ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest} ARG TERRAFORM_VERSION=${TERRAFORM_VERSION:-latest} -RUN /install/pre-commit.sh +RUN touch /.env && \ + if [ "$PRE_COMMIT_VERSION" = "false" ]; then echo "PRE_COMMIT_VERSION=latest" >> /.env; fi; \ + if [ "$TERRAFORM_VERSION" = "false" ]; then echo "TERRAFORM_VERSION=latest" >> /.env; fi -# Install terraform because pre-commit needs it +RUN /install/pre-commit.sh RUN /install/terraform.sh # 
@@ -44,18 +49,16 @@ ARG TRIVY_VERSION=${TRIVY_VERSION:-false} # specified in step below ARG INSTALL_ALL=${INSTALL_ALL:-false} RUN if [ "$INSTALL_ALL" != "false" ]; then \ - echo "export CHECKOV_VERSION=latest" >> /.env && \ - echo "export INFRACOST_VERSION=latest" >> /.env && \ - echo "export TERRAFORM_DOCS_VERSION=latest" >> /.env && \ - echo "export TERRAGRUNT_VERSION=latest" >> /.env && \ - echo "export TERRASCAN_VERSION=latest" >> /.env && \ - echo "export TFLINT_VERSION=latest" >> /.env && \ - echo "export TFSEC_VERSION=latest" >> /.env && \ - echo "export TRIVY_VERSION=latest" >> /.env && \ - echo "export TFUPDATE_VERSION=latest" >> /.env && \ - echo "export HCLEDIT_VERSION=latest" >> /.env \ - ; else \ - touch /.env \ + echo "CHECKOV_VERSION=latest" >> /.env && \ + echo "INFRACOST_VERSION=latest" >> /.env && \ + echo "TERRAFORM_DOCS_VERSION=latest" >> /.env && \ + echo "TERRAGRUNT_VERSION=latest" >> /.env && \ + echo "TERRASCAN_VERSION=latest" >> /.env && \ + echo "TFLINT_VERSION=latest" >> /.env && \ + echo "TFSEC_VERSION=latest" >> /.env && \ + echo "TRIVY_VERSION=latest" >> /.env && \ + echo "TFUPDATE_VERSION=latest" >> /.env && \ + echo "HCLEDIT_VERSION=latest" >> /.env \ ; fi RUN /install/checkov.sh diff --git a/tools/install/_common.sh b/tools/install/_common.sh new file mode 100755 index 000000000..589b1c655 --- /dev/null +++ b/tools/install/_common.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env bash + +set -eo pipefail + +# Tool name, based on filename. +# Tool filename MUST BE same as in package manager/binary name +TOOL=${0##*/} +readonly TOOL=${TOOL%%.*} + +# Get "TOOL_VERSION" +# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script +source /.env +env_var_name="${TOOL//-/_}" +env_var_name="${env_var_name^^}_VERSION" +# shellcheck disable=SC2034 # Used in other scripts +VERSION="${!env_var_name}" + +# Skip tool installation if the version is set to "false" +if [[ $VERSION == false ]]; then + echo "'$TOOL' skipped" + exit 0 +fi 
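Review bot: The `INSTALL_ALL` branch still appends `<TOOL>_VERSION=latest` to `/.env` for every tool regardless of what the matching build arg holds, and because `_common.sh` sources `/.env` before it reads `${!env_var_name}`, an explicitly pinned `--build-arg CHECKOV_VERSION=x.y.z` appears to be silently replaced by `latest` whenever `INSTALL_ALL` is set. That defeats the version pinning these installers otherwise honour, which is the reproducibility control a consumer of this image relies on. The first hunk of this commit already uses a per-variable guard for the required tools, `if [ "$PRE_COMMIT_VERSION" = "false" ]; then echo "PRE_COMMIT_VERSION=latest" >> /.env; fi`; applying the same shape here, e.g. `if [ "$CHECKOV_VERSION" = "false" ]; then echo "CHECKOV_VERSION=latest" >> /.env; fi` for each tool, would let `INSTALL_ALL` fill in only the tools that were not pinned.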
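Review bot: The skip check in the new `_common.sh` only handles `VERSION == false`; when the derived `<TOOL>_VERSION` variable is unset or empty (an installer script whose name does not map to a declared `ARG`, or an `ARG` passed as an empty string), `VERSION` is empty and the caller proceeds with it, producing `pip3 install "tool=="` or a release regex with the version interpolated away, which is exactly the kind of unclear failure this series sets out to remove. An explicit guard right after the lookup, `if [[ -z $VERSION ]]; then echo "$env_var_name is not set for '$TOOL'" >&2; exit 1; fi`, turns that into a hard build error with a pointer to the missing variable. The `# shellcheck disable=SC2034` comment could also say which scripts consume `VERSION`, since the indirection makes that hard to grep for.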
diff --git a/tools/install/checkov.sh b/tools/install/checkov.sh index 61678375b..b49546f93 100755 --- a/tools/install/checkov.sh +++ b/tools/install/checkov.sh @@ -1,31 +1,34 @@ #!/usr/bin/env bash -set -eo pipefail -# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script -source /.env +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" -if [[ $CHECKOV_VERSION != false ]]; then - apk add --no-cache \ - gcc=~12 \ - libffi-dev=~3 \ - musl-dev=~1 +# +# Unique part +# - # cargo, gcc, git, musl-dev, rust and CARGO envvar required for compilation of rustworkx@0.13.2 - # no longer required once checkov version depends on rustworkx >0.14.0 - # https://github.com/bridgecrewio/checkov/pull/6045 - # gcc libffi-dev musl-dev required for compilation of cffi, until it contains musl aarch64 - export CARGO_NET_GIT_FETCH_WITH_CLI=true - apk add --no-cache \ - cargo=~1 \ - git=~2 \ - libgcc=~12 \ - rust=~1 +apk add --no-cache \ + gcc=~12 \ + libffi-dev=~3 \ + musl-dev=~1 - if [[ $CHECKOV_VERSION == latest ]]; then - pip3 install --no-cache-dir checkov - else - pip3 install --no-cache-dir "checkov==${CHECKOV_VERSION}" - fi +# cargo, gcc, git, musl-dev, rust and CARGO envvar required for compilation of rustworkx@0.13.2 +# no longer required once checkov version depends on rustworkx >0.14.0 +# https://github.com/bridgecrewio/checkov/pull/6045 +# gcc libffi-dev musl-dev required for compilation of cffi, until it contains musl aarch64 +export CARGO_NET_GIT_FETCH_WITH_CLI=true +apk add --no-cache \ + cargo=~1 \ + git=~2 \ + libgcc=~12 \ + rust=~1 - apk del gcc libffi-dev musl-dev - apk del cargo git rust +if [[ $VERSION == latest ]]; then + pip3 install --no-cache-dir "${TOOL}" +else + pip3 install --no-cache-dir "${TOOL}==${VERSION}" fi + +apk del gcc libffi-dev musl-dev +apk del cargo git rust 
diff --git a/tools/install/hcledit.sh b/tools/install/hcledit.sh index a2ba10e63..b9428718f 100755 --- a/tools/install/hcledit.sh +++ b/tools/install/hcledit.sh @@ -1,17 +1,20 @@ #!/usr/bin/env bash -set -eo pipefail -# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script -source /.env +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" -if [[ $HCLEDIT_VERSION != false ]]; then - readonly RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" +# +# Unique part +# - if [[ $HCLEDIT_VERSION == latest ]]; then - curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz - else - curl -L "$(curl -s ${RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz - fi +readonly RELEASES="https://api.github.com/repos/minamijoyo/${TOOL}/releases" - tar -xzf hcledit.tgz hcledit - rm hcledit.tgz +if [[ $VERSION == latest ]]; then + curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > "${TOOL}.tgz" +else + curl -L "$(curl -s "${RELEASES}" | grep -o -E -m 1 "https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > "${TOOL}.tgz" fi + +tar -xzf "${TOOL}.tgz" "$TOOL" +rm "${TOOL}.tgz" diff --git a/tools/install/infracost.sh b/tools/install/infracost.sh index 71f556404..6d9c50a64 100755 --- a/tools/install/infracost.sh +++ b/tools/install/infracost.sh 
@@ -1,18 +1,21 @@ #!/usr/bin/env bash -set -eo pipefail -# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script -source /.env +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" -if [[ $INFRACOST_VERSION != false ]]; then - readonly RELEASES="https://api.github.com/repos/infracost/infracost/releases" +# +# Unique part +# - if [[ $INFRACOST_VERSION == latest ]]; then - curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz - else - curl -L "$(curl -s ${RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz - fi +readonly RELEASES="https://api.github.com/repos/infracost/${TOOL}/releases" - tar -xzf infracost.tgz - rm infracost.tgz - mv "infracost-${TARGETOS}-${TARGETARCH}" infracost +if [[ $VERSION == latest ]]; then + curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > "${TOOL}.tgz" +else + curl -L "$(curl -s "${RELEASES}" | grep -o -E "https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}.tar.gz")" > "${TOOL}.tgz" fi + +tar -xzf "${TOOL}.tgz" +rm "${TOOL}.tgz" +mv "${TOOL}-${TARGETOS}-${TARGETARCH}" "$TOOL" diff --git a/tools/install/pre-commit.sh b/tools/install/pre-commit.sh index 4c27dcac2..aaf6c9d65 100755 --- a/tools/install/pre-commit.sh +++ b/tools/install/pre-commit.sh 
@@ -1,8 +1,16 @@ #!/usr/bin/env bash -set -eo pipefail +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" -if [[ $PRE_COMMIT_VERSION == latest ]]; then - pip3 install --no-cache-dir pre-commit +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" + +# +# Unique part +# + +if [[ $VERSION == latest ]]; then + pip3 install --no-cache-dir "$TOOL" else - pip3 install --no-cache-dir "pre-commit==${PRE_COMMIT_VERSION}" + pip3 install --no-cache-dir "${TOOL}==${VERSION}" fi diff --git a/tools/install/terraform-docs.sh b/tools/install/terraform-docs.sh index 4deb90752..f4b57aa1f 100755 --- a/tools/install/terraform-docs.sh +++ b/tools/install/terraform-docs.sh 
@@ -1,18 +1,21 @@ #!/usr/bin/env bash -set -eo pipefail -# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script -source /.env +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" -if [[ $TERRAFORM_DOCS_VERSION != false ]]; then - readonly RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" +# +# Unique part +# - if [[ $TERRAFORM_DOCS_VERSION == latest ]]; then - curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz - else - curl -L "$(curl -s ${RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz - fi +readonly RELEASES="https://api.github.com/repos/terraform-docs/${TOOL}/releases" - tar -xzf terraform-docs.tgz terraform-docs - rm terraform-docs.tgz - chmod +x terraform-docs +if [[ $VERSION == latest ]]; then + curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > "${TOOL}.tgz" +else + curl -L "$(curl -s "${RELEASES}" | grep -o -E "https://.+?v${VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > "${TOOL}.tgz" fi + +tar -xzf "${TOOL}.tgz" "$TOOL" +rm "${TOOL}.tgz" +chmod +x "$TOOL" diff --git a/tools/install/terraform.sh b/tools/install/terraform.sh index 33bb630ba..9bba2b687 100755 --- a/tools/install/terraform.sh +++ b/tools/install/terraform.sh 
@@ -1,11 +1,17 @@ #!/usr/bin/env bash -set -eo pipefail +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" -# Install terraform because pre-commit needs it -if [[ $TERRAFORM_VERSION == latest ]]; then - TERRAFORM_VERSION="$(curl -s https://api.github.com/repos/hashicorp/terraform/releases/latest | grep tag_name | grep -o -E -m 1 "[0-9.]+")" +# +# Unique part +# + +if [[ $VERSION == latest ]]; then + VERSION="$(curl -s https://api.github.com/repos/hashicorp/terraform/releases/latest | grep tag_name | grep -o -E -m 1 "[0-9.]+")" fi -curl -L "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip" > terraform.zip -unzip terraform.zip terraform -rm terraform.zip +curl -L "https://releases.hashicorp.com/terraform/${VERSION}/${TOOL}_${VERSION}_${TARGETOS}_${TARGETARCH}.zip" > "${TOOL}.zip" +unzip "${TOOL}.zip" "$TOOL" +rm "${TOOL}.zip" diff --git a/tools/install/terragrunt.sh b/tools/install/terragrunt.sh index 0874ff597..70e3fbe80 100755 --- a/tools/install/terragrunt.sh +++ b/tools/install/terragrunt.sh 
@@ -1,16 +1,19 @@ #!/usr/bin/env bash -set -eo pipefail -# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script -source /.env +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" -if [[ $TERRAGRUNT_VERSION != false ]]; then - readonly RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" +# +# Unique part +# - if [[ $TERRAGRUNT_VERSION == latest ]]; then - curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt - else - curl -L "$(curl -s ${RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt - fi +readonly RELEASES="https://api.github.com/repos/gruntwork-io/${TOOL}/releases" - chmod +x terragrunt +if [[ $VERSION == latest ]]; then + curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?/${TOOL}_${TARGETOS}_${TARGETARCH}")" > "$TOOL" +else + curl -L "$(curl -s "${RELEASES}" | grep -o -E -m 1 "https://.+?v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}")" > "$TOOL" fi + +chmod +x "$TOOL" diff --git a/tools/install/terrascan.sh b/tools/install/terrascan.sh index caafdd284..7d9747848 100755 --- a/tools/install/terrascan.sh +++ b/tools/install/terrascan.sh 
@@ -1,29 +1,32 @@ #!/usr/bin/env bash -set -eo pipefail -# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script -source /.env +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" -if [[ $TERRASCAN_VERSION != false ]]; then - if [[ $TARGETARCH != amd64 ]]; then - readonly ARCH="$TARGETARCH" - else - readonly ARCH="x86_64" - fi - # Convert the first letter to Uppercase - OS="$( - echo "${TARGETOS}" | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n - echo "${TARGETOS}" | cut -c2- - )" +# +# Unique part +# - readonly RELEASES="https://api.github.com/repos/tenable/terrascan/releases" +if [[ $TARGETARCH != amd64 ]]; then + readonly ARCH="$TARGETARCH" +else + readonly ARCH="x86_64" +fi +# Convert the first letter to Uppercase +OS="$( + echo "${TARGETOS}" | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n + echo "${TARGETOS}" | cut -c2- +)" - if [[ $TERRASCAN_VERSION == latest ]]; then - curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz - else - curl -L "$(curl -s ${RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz - fi +readonly RELEASES="https://api.github.com/repos/tenable/${TOOL}/releases" - tar -xzf terrascan.tar.gz terrascan - rm terrascan.tar.gz - ./terrascan init +if [[ $VERSION == latest ]]; then + curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > "${TOOL}.tgz" +else + curl -L "$(curl -s "${RELEASES}" | grep -o -E "https://.+?${VERSION}_${OS}_${ARCH}.tar.gz")" > "${TOOL}.tgz" fi + +tar -xzf "${TOOL}.tgz" "$TOOL" +rm "${TOOL}.tgz" +./terrascan init diff --git a/tools/install/tflint.sh b/tools/install/tflint.sh index 770d0e59a..0a305eb45 100755 --- a/tools/install/tflint.sh +++ b/tools/install/tflint.sh 
@@ -1,17 +1,20 @@ #!/usr/bin/env bash -set -eo pipefail -# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script -source /.env +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" -if [[ $TFLINT_VERSION != false ]]; then - readonly RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" +# +# Unique part +# - if [[ $TFLINT_VERSION == latest ]]; then - curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip - else - curl -L "$(curl -s ${RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip - fi +readonly RELEASES="https://api.github.com/repos/terraform-linters/${TOOL}/releases" - unzip tflint.zip - rm tflint.zip +if [[ $VERSION == latest ]]; then + curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > "${TOOL}.zip" +else + curl -L "$(curl -s "${RELEASES}" | grep -o -E "https://.+?/v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}.zip")" > "${TOOL}.zip" fi + +unzip "${TOOL}.zip" +rm "${TOOL}.zip" diff --git a/tools/install/tfsec.sh b/tools/install/tfsec.sh index f5d0da1d9..1bd322807 100755 --- a/tools/install/tfsec.sh +++ b/tools/install/tfsec.sh 
@@ -1,16 +1,19 @@ #!/usr/bin/env bash -set -eo pipefail -# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script -source /.env +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" -if [[ $TFSEC_VERSION != false ]]; then - readonly RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" +# +# Unique part +# - if [[ $TFSEC_VERSION == latest ]]; then - curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec - else - curl -L "$(curl -s ${RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec - fi +readonly RELEASES="https://api.github.com/repos/aquasecurity/${TOOL}/releases" - chmod +x tfsec +if [[ $VERSION == latest ]]; then + curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?/${TOOL}-${TARGETOS}-${TARGETARCH}")" > "$TOOL" +else + curl -L "$(curl -s "${RELEASES}" | grep -o -E -m 1 "https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}")" > "$TOOL" fi + +chmod +x "$TOOL" diff --git a/tools/install/tfupdate.sh b/tools/install/tfupdate.sh index c50c73c76..b9428718f 100755 --- a/tools/install/tfupdate.sh +++ b/tools/install/tfupdate.sh 
@@ -1,18 +1,20 @@ #!/usr/bin/env bash -set -eo pipefail -# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script -source /.env +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" -# TFUpdate -if [[ $TFUPDATE_VERSION != false ]]; then - readonly RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" +# +# Unique part +# - if [[ $TFUPDATE_VERSION == latest ]]; then - curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz - else - curl -L "$(curl -s ${RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz - fi +readonly RELEASES="https://api.github.com/repos/minamijoyo/${TOOL}/releases" - tar -xzf tfupdate.tgz tfupdate - rm tfupdate.tgz +if [[ $VERSION == latest ]]; then + curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > "${TOOL}.tgz" +else + curl -L "$(curl -s "${RELEASES}" | grep -o -E -m 1 "https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > "${TOOL}.tgz" fi + +tar -xzf "${TOOL}.tgz" "$TOOL" +rm "${TOOL}.tgz" diff --git a/tools/install/trivy.sh b/tools/install/trivy.sh index 5ea9ed9e4..214a8bdf5 100755 --- a/tools/install/trivy.sh +++ b/tools/install/trivy.sh 
@@ -1,24 +1,26 @@ #!/usr/bin/env bash -set -eo pipefail -# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script -source /.env +# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines +readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +# shellcheck source=_common.sh +. "$SCRIPT_DIR/_common.sh" -if [[ $TRIVY_VERSION != false ]]; then +# +# Unique part +# - if [[ $TARGETARCH != amd64 ]]; then - readonly ARCH="$TARGETARCH" - else - readonly ARCH="64bit" - fi - - readonly RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" +if [[ $TARGETARCH != amd64 ]]; then + readonly ARCH="$TARGETARCH" +else + readonly ARCH="64bit" +fi - if [[ $TRIVY_VERSION == latest ]]; then - curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz - else - curl -L "$(curl -s ${RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz - fi +readonly RELEASES="https://api.github.com/repos/aquasecurity/${TOOL}/releases" - tar -xzf trivy.tar.gz trivy - rm trivy.tar.gz +if [[ $VERSION == latest ]]; then + curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -i -m 1 "https://.+?/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz")" > "${TOOL}.tgz" +else + curl -L "$(curl -s "${RELEASES}" | grep -o -E -i -m 1 "https://.+?/v${VERSION}/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz")" > "${TOOL}.tgz" fi + +tar -xzf "${TOOL}.tgz" "$TOOL" +rm "${TOOL}.tgz" From eed0722249d7f97b85860ab8fc26acf7020c0b74 Mon Sep 17 00:00:00 2001 
From: MaxymVlasov Date: Thu, 14 Mar 2024 23:50:21 +0200 Subject: [PATCH 07/18] Use one function to install GH releases --- Dockerfile | 4 +- tools/install/_common.sh | 66 ++++++++++++++++++++++++++++++++- tools/install/hcledit.sh | 15 +++----- tools/install/infracost.sh | 19 ++++------ tools/install/terraform-docs.sh | 17 +++------ tools/install/terraform.sh | 6 +-- tools/install/terragrunt.sh | 15 +++----- tools/install/terrascan.sh | 14 +++---- tools/install/tflint.sh | 15 +++----- tools/install/tfsec.sh | 14 +++---- tools/install/tfupdate.sh | 16 +++----- tools/install/trivy.sh | 15 +++----- 12 files changed, 126 insertions(+), 90 deletions(-) diff --git a/Dockerfile b/Dockerfile index c66609993..443c68e62 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,8 +3,6 @@ FROM python:${TAG} as builder ARG TARGETOS ARG TARGETARCH -COPY tools/install/ /install/ - WORKDIR /bin_dir RUN apk add --no-cache \ @@ -16,6 +14,8 @@ RUN apk add --no-cache \ pip \ setuptools +COPY tools/install/ /install/ + # # Install required tools # diff --git a/tools/install/_common.sh b/tools/install/_common.sh index 589b1c655..6a212780e 100755 --- a/tools/install/_common.sh +++ b/tools/install/_common.sh 
@@ -13,10 +13,74 @@ source /.env env_var_name="${TOOL//-/_}" env_var_name="${env_var_name^^}_VERSION" # shellcheck disable=SC2034 # Used in other scripts -VERSION="${!env_var_name}" +readonly VERSION="${!env_var_name}" # Skip tool installation if the version is set to "false" if [[ $VERSION == false ]]; then echo "'$TOOL' skipped" exit 0 fi + +####################################################################### +# Install the latest or specific version of the tool from GitHub release +# Globals: +# TOOL - Name of the tool +# VERSION - Version of the tool +# Arguments: +# GH_ORG - GitHub organization name where the tool is hosted +# DISTRIBUTED_AS - How the tool is distributed. +# Can be: 'tar.gz', 'zip' or 'binary' +# GH_RELEASE_REGEX_LATEST - Regular expression to match the latest +# release URL +# GH_RELEASE_REGEX_SPECIFIC_VERSION - Regular expression to match the +# specific version release URL +# UNUSUAL_TOOL_NAME_IN_PKG - If the tool in the tar.gz package is +# not in the root or named differently than the tool name itself, +# For example, includes the version number or is in a subdirectory +####################################################################### +function common::install_from_gh_release { + local -r GH_ORG=$1 + local -r DISTRIBUTED_AS=$2 + local -r GH_RELEASE_REGEX_LATEST=$3 + local -r GH_RELEASE_REGEX_SPECIFIC_VERSION=$4 + local -r UNUSUAL_TOOL_NAME_IN_PKG=$5 + + case $DISTRIBUTED_AS in + tar.gz | zip) + local -r PKG="${TOOL}.${DISTRIBUTED_AS}" + ;; + binary) + local -r PKG="$TOOL" + ;; + *) + echo "Unknown DISTRIBUTED_AS: '$DISTRIBUTED_AS'. Should be one of: 'tar.gz', 'zip' or 'binary'." 
+ exit 1
+ ;;
+ esac
+
+ # Download tool
+ local -r RELEASES="https://api.github.com/repos/${GH_ORG}/${TOOL}/releases"
+
+ if [[ $VERSION == latest ]]; then
+ curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_LATEST")" > "$PKG"
+ else
+ curl -L "$(curl -s "$RELEASES" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_SPECIFIC_VERSION")" > "$PKG"
+ fi
+
+ # Make tool ready to use
+ if [[ $DISTRIBUTED_AS == tar.gz ]]; then
+ if [[ -z $UNUSUAL_TOOL_NAME_IN_PKG ]]; then
+ tar -xzf "$PKG" "$TOOL"
+ else
+ tar -xzf "$PKG" "$UNUSUAL_TOOL_NAME_IN_PKG"
+ mv "$UNUSUAL_TOOL_NAME_IN_PKG" "$TOOL"
+ fi
+ rm "$PKG"
+
+ elif [[ $DISTRIBUTED_AS == zip ]]; then
+ unzip "$PKG"
+ rm "$PKG"
+ else
+ chmod +x "$PKG"
+ fi
+}
diff --git a/tools/install/hcledit.sh b/tools/install/hcledit.sh
index b9428718f..7f9323d20 100755
--- a/tools/install/hcledit.sh
+++ b/tools/install/hcledit.sh
@@ -8,13 +8,10 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 # Unique part
 #
-readonly RELEASES="https://api.github.com/repos/minamijoyo/${TOOL}/releases"
+readonly GH_ORG="minamijoyo"
+readonly GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz"
+readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz"
+readonly DISTRIBUTED_AS="tar.gz"
-if [[ $VERSION == latest ]]; then
- curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > "${TOOL}.tgz"
-else
- curl -L "$(curl -s "${RELEASES}" | grep -o -E -m 1 "https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > "${TOOL}.tgz"
-fi
-
-tar -xzf "${TOOL}.tgz" "$TOOL"
-rm "${TOOL}.tgz"
+common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \
+ "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION"
diff --git a/tools/install/infracost.sh b/tools/install/infracost.sh
index 6d9c50a64..53895a26c 100755
--- a/tools/install/infracost.sh
+++ b/tools/install/infracost.sh
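Review bot: Both downloads in `common::install_from_gh_release` use `curl -L` without `--fail`, so a 404/5xx response body is written into `$PKG` instead of failing the build; for `DISTRIBUTED_AS=binary` the only follow-up step is `chmod +x "$PKG"`, which succeeds on an HTML error page and ships a non-functional, unverified file under the tool's name. Changing both calls to the shape `curl -fsSL "$(curl -fsS "${RELEASES}/latest" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_LATEST")" > "$PKG"` makes HTTP errors fatal under the `set -e` that `_common.sh` already enables, and `-S` keeps the error visible despite `-s`. Note also that `-i` is now passed to every `grep`, so the callers' regexes match case-insensitively, which may select a different asset than the per-tool scripts did before this refactor. Separately, nothing checks the integrity of what was downloaded; where a project publishes checksums alongside its release assets, verifying `$PKG` against them before extraction would close the remaining supply-chain gap.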
@@ -7,15 +7,12 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # # Unique part # +readonly GH_ORG="infracost" +readonly GH_RELEASE_REGEX_LATEST="https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz" +readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}.tar.gz" +readonly DISTRIBUTED_AS="tar.gz" +readonly UNUSUAL_TOOL_NAME_IN_PKG="${TOOL}-${TARGETOS}-${TARGETARCH}" -readonly RELEASES="https://api.github.com/repos/infracost/${TOOL}/releases" - -if [[ $VERSION == latest ]]; then - curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > "${TOOL}.tgz" -else - curl -L "$(curl -s "${RELEASES}" | grep -o -E "https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}.tar.gz")" > "${TOOL}.tgz" -fi - -tar -xzf "${TOOL}.tgz" -rm "${TOOL}.tgz" -mv "${TOOL}-${TARGETOS}-${TARGETARCH}" "$TOOL" +common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ + "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" \ + "$UNUSUAL_TOOL_NAME_IN_PKG" diff --git a/tools/install/terraform-docs.sh b/tools/install/terraform-docs.sh index f4b57aa1f..7bfa4cd35 100755 --- a/tools/install/terraform-docs.sh +++ b/tools/install/terraform-docs.sh 
@@ -7,15 +7,10 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 #
 # Unique part
 #
+readonly GH_ORG="terraform-docs"
+readonly GH_RELEASE_REGEX_LATEST="https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz"
+readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz"
+readonly DISTRIBUTED_AS="tar.gz"
-readonly RELEASES="https://api.github.com/repos/terraform-docs/${TOOL}/releases"
-
-if [[ $VERSION == latest ]]; then
- curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > "${TOOL}.tgz"
-else
- curl -L "$(curl -s "${RELEASES}" | grep -o -E "https://.+?v${VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > "${TOOL}.tgz"
-fi
-
-tar -xzf "${TOOL}.tgz" "$TOOL"
-rm "${TOOL}.tgz"
-chmod +x "$TOOL"
+common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \
+ "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION"
diff --git a/tools/install/terraform.sh b/tools/install/terraform.sh
index 9bba2b687..d23d7d744 100755
--- a/tools/install/terraform.sh
+++ b/tools/install/terraform.sh
@@ -7,11 +7,11 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 #
 # Unique part
 #
-
+# shellcheck disable=SC2153 # We are using the variable from _common.sh
 if [[ $VERSION == latest ]]; then
- VERSION="$(curl -s https://api.github.com/repos/hashicorp/terraform/releases/latest | grep tag_name | grep -o -E -m 1 "[0-9.]+")"
+ readonly version="$(curl -s https://api.github.com/repos/hashicorp/terraform/releases/latest | grep tag_name | grep -o -E -m 1 "[0-9.]+")"
 fi
-curl -L "https://releases.hashicorp.com/terraform/${VERSION}/${TOOL}_${VERSION}_${TARGETOS}_${TARGETARCH}.zip" > "${TOOL}.zip"
+curl -L "https://releases.hashicorp.com/terraform/${version}/${TOOL}_${version}_${TARGETOS}_${TARGETARCH}.zip" > "${TOOL}.zip"
 unzip "${TOOL}.zip" "$TOOL"
 rm "${TOOL}.zip"
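Review bot: The removed `chmod +x "$TOOL"` in terraform-docs.sh has no equivalent in the replacement, because `common::install_from_gh_release` only runs `chmod +x` on the `binary` path and the `tar.gz` path relies on the mode stored in the archive. If that chmod was there because the archived file is not executable, this is a regression that will only show up the first time the hook runs; if the archive mode is fine, it was dead code and dropping it is correct. Worth confirming against one release, or making the common function run `chmod +x "$TOOL"` unconditionally after extraction, which is harmless and removes the per-tool guesswork.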
diff --git a/tools/install/terragrunt.sh b/tools/install/terragrunt.sh index 70e3fbe80..d246097fc 100755 --- a/tools/install/terragrunt.sh +++ b/tools/install/terragrunt.sh @@ -7,13 +7,10 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # # Unique part # +readonly GH_ORG="gruntwork-io" +readonly GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_${TARGETOS}_${TARGETARCH}" +readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}" +readonly DISTRIBUTED_AS="binary" -readonly RELEASES="https://api.github.com/repos/gruntwork-io/${TOOL}/releases" - -if [[ $VERSION == latest ]]; then - curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?/${TOOL}_${TARGETOS}_${TARGETARCH}")" > "$TOOL" -else - curl -L "$(curl -s "${RELEASES}" | grep -o -E -m 1 "https://.+?v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}")" > "$TOOL" -fi - -chmod +x "$TOOL" +common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ + "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" diff --git a/tools/install/terrascan.sh b/tools/install/terrascan.sh index 7d9747848..1c328fb5e 100755 --- a/tools/install/terrascan.sh +++ b/tools/install/terrascan.sh 
@@ -19,14 +19,12 @@ OS="$( echo "${TARGETOS}" | cut -c2- )" -readonly RELEASES="https://api.github.com/repos/tenable/${TOOL}/releases" +readonly GH_ORG="tenable" +readonly GH_RELEASE_REGEX_LATEST="https://.+?_${OS}_${ARCH}.tar.gz" +readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${OS}_${ARCH}.tar.gz" +readonly DISTRIBUTED_AS="tar.gz" -if [[ $VERSION == latest ]]; then - curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > "${TOOL}.tgz" -else - curl -L "$(curl -s "${RELEASES}" | grep -o -E "https://.+?${VERSION}_${OS}_${ARCH}.tar.gz")" > "${TOOL}.tgz" -fi +common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ + "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" -tar -xzf "${TOOL}.tgz" "$TOOL" -rm "${TOOL}.tgz" ./terrascan init diff --git a/tools/install/tflint.sh b/tools/install/tflint.sh index 0a305eb45..e3494a3d7 100755 --- a/tools/install/tflint.sh +++ b/tools/install/tflint.sh @@ -8,13 +8,10 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # Unique part # -readonly RELEASES="https://api.github.com/repos/terraform-linters/${TOOL}/releases" +readonly GH_ORG="terraform-linters" +readonly GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.zip" +readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?/v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}.zip" +readonly DISTRIBUTED_AS="zip" -if [[ $VERSION == latest ]]; then - curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > "${TOOL}.zip" -else - curl -L "$(curl -s "${RELEASES}" | grep -o -E "https://.+?/v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}.zip")" > "${TOOL}.zip" -fi - -unzip "${TOOL}.zip" -rm "${TOOL}.zip" +common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ + "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" diff --git a/tools/install/tfsec.sh b/tools/install/tfsec.sh index 1bd322807..184c361d7 100755 
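Review bot: With `DISTRIBUTED_AS="zip"`, tflint.sh now goes through the common function's `unzip "$PKG"`, which extracts every member of the archive into the working directory, whereas the `tar.gz` branch and terraform.sh (`unzip "${TOOL}.zip" "$TOOL"`) extract only the tool binary. That is the same behaviour as the removed code, so not a regression, but the inconsistency means any extra file a future release ships ends up alongside the binaries; passing `"$TOOL"` to `unzip` in the common function's zip branch would make the three paths behave alike.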
--- a/tools/install/tfsec.sh +++ b/tools/install/tfsec.sh @@ -8,12 +8,10 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # Unique part # -readonly RELEASES="https://api.github.com/repos/aquasecurity/${TOOL}/releases" +readonly GH_ORG="aquasecurity" +readonly GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}-${TARGETOS}-${TARGETARCH}" +readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}" +readonly DISTRIBUTED_AS="binary" -if [[ $VERSION == latest ]]; then - curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?/${TOOL}-${TARGETOS}-${TARGETARCH}")" > "$TOOL" -else - curl -L "$(curl -s "${RELEASES}" | grep -o -E -m 1 "https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}")" > "$TOOL" -fi - -chmod +x "$TOOL" +common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ + "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" diff --git a/tools/install/tfupdate.sh b/tools/install/tfupdate.sh index b9428718f..9b407bc19 100755 --- a/tools/install/tfupdate.sh +++ b/tools/install/tfupdate.sh 
@@ -7,14 +7,10 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # # Unique part # +readonly GH_ORG="minamijoyo" +readonly GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz" +readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz" +readonly DISTRIBUTED_AS="tar.gz" -readonly RELEASES="https://api.github.com/repos/minamijoyo/${TOOL}/releases" - -if [[ $VERSION == latest ]]; then - curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > "${TOOL}.tgz" -else - curl -L "$(curl -s "${RELEASES}" | grep -o -E -m 1 "https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > "${TOOL}.tgz" -fi - -tar -xzf "${TOOL}.tgz" "$TOOL" -rm "${TOOL}.tgz" +common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ + "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" diff --git a/tools/install/trivy.sh b/tools/install/trivy.sh index 214a8bdf5..9a422b77d 100755 --- a/tools/install/trivy.sh +++ b/tools/install/trivy.sh @@ -14,13 +14,10 @@ else readonly ARCH="64bit" fi -readonly RELEASES="https://api.github.com/repos/aquasecurity/${TOOL}/releases" +readonly GH_ORG="aquasecurity" +readonly GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz" +readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?/v${VERSION}/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz" +readonly DISTRIBUTED_AS="tar.gz" -if [[ $VERSION == latest ]]; then - curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -i -m 1 "https://.+?/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz")" > "${TOOL}.tgz" -else - curl -L "$(curl -s "${RELEASES}" | grep -o -E -i -m 1 "https://.+?/v${VERSION}/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz")" > "${TOOL}.tgz" -fi - -tar -xzf "${TOOL}.tgz" "$TOOL" -rm "${TOOL}.tgz" +common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ + "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" 
From cb59613f8fe56e9d54b030aa3d83e43c7f935eb5 Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Thu, 14 Mar 2024 23:56:04 +0200 Subject: [PATCH 08/18] Apply review suggestions --- tools/install/terrascan.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tools/install/terrascan.sh b/tools/install/terrascan.sh index 1c328fb5e..8c4ecdbf1 100755 --- a/tools/install/terrascan.sh +++ b/tools/install/terrascan.sh @@ -14,10 +14,7 @@ else readonly ARCH="x86_64" fi # Convert the first letter to Uppercase -OS="$( - echo "${TARGETOS}" | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n - echo "${TARGETOS}" | cut -c2- -)" +OS="${TARGETOS^}" readonly GH_ORG="tenable" readonly GH_RELEASE_REGEX_LATEST="https://.+?_${OS}_${ARCH}.tar.gz" From 65ba59343a0faf47e761ac55e58495a9bc34b8cf Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Fri, 15 Mar 2024 00:10:45 +0200 Subject: [PATCH 09/18] Fix "redefinition" of global vars in function --- tools/install/hcledit.sh | 8 ++++---- tools/install/infracost.sh | 10 +++++----- tools/install/terraform-docs.sh | 8 ++++---- tools/install/terragrunt.sh | 8 ++++---- tools/install/terrascan.sh | 8 ++++---- tools/install/tflint.sh | 8 ++++---- tools/install/tfsec.sh | 8 ++++---- tools/install/tfupdate.sh | 8 ++++---- tools/install/trivy.sh | 8 ++++---- 9 files changed, 37 insertions(+), 37 deletions(-) diff --git a/tools/install/hcledit.sh b/tools/install/hcledit.sh index 7f9323d20..62a58a59a 100755 --- a/tools/install/hcledit.sh +++ b/tools/install/hcledit.sh 
@@ -8,10 +8,10 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # Unique part # -readonly GH_ORG="minamijoyo" -readonly GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz" -readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz" -readonly DISTRIBUTED_AS="tar.gz" +GH_ORG="minamijoyo" +GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz" +GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz" +DISTRIBUTED_AS="tar.gz" common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" diff --git a/tools/install/infracost.sh b/tools/install/infracost.sh index 53895a26c..33eab962c 100755 --- a/tools/install/infracost.sh +++ b/tools/install/infracost.sh @@ -7,11 +7,11 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # # Unique part # -readonly GH_ORG="infracost" -readonly GH_RELEASE_REGEX_LATEST="https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz" -readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}.tar.gz" -readonly DISTRIBUTED_AS="tar.gz" -readonly UNUSUAL_TOOL_NAME_IN_PKG="${TOOL}-${TARGETOS}-${TARGETARCH}" +GH_ORG="infracost" +GH_RELEASE_REGEX_LATEST="https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz" +GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}.tar.gz" +DISTRIBUTED_AS="tar.gz" +UNUSUAL_TOOL_NAME_IN_PKG="${TOOL}-${TARGETOS}-${TARGETARCH}" common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" \ diff --git a/tools/install/terraform-docs.sh b/tools/install/terraform-docs.sh index 7bfa4cd35..a25a35573 100755 --- a/tools/install/terraform-docs.sh +++ b/tools/install/terraform-docs.sh 
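Review bot: Dropping `readonly` from `GH_ORG`, `GH_RELEASE_REGEX_LATEST`, `GH_RELEASE_REGEX_SPECIFIC_VERSION` and `DISTRIBUTED_AS` weakens the globals only because the function's `local -r GH_ORG=$1` in _common.sh collides with a readonly global of the same name. Renaming the function's locals instead (`local -r gh_org=$1`, `local -r distributed_as=$2`, …) resolves the collision while keeping the script-level values immutable, and it also stops the function from shadowing the very variables it is called with, which is confusing to read. The same applies to the identical hunks in infracost.sh, terraform-docs.sh, terragrunt.sh, terrascan.sh, tflint.sh, tfsec.sh, tfupdate.sh and trivy.sh.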
@@ -7,10 +7,10 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # # Unique part # -readonly GH_ORG="terraform-docs" -readonly GH_RELEASE_REGEX_LATEST="https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz" -readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz" -readonly DISTRIBUTED_AS="tar.gz" +GH_ORG="terraform-docs" +GH_RELEASE_REGEX_LATEST="https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz" +GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz" +DISTRIBUTED_AS="tar.gz" common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" diff --git a/tools/install/terragrunt.sh b/tools/install/terragrunt.sh index d246097fc..6b75f0e0c 100755 --- a/tools/install/terragrunt.sh +++ b/tools/install/terragrunt.sh @@ -7,10 +7,10 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # # Unique part # -readonly GH_ORG="gruntwork-io" -readonly GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_${TARGETOS}_${TARGETARCH}" -readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}" -readonly DISTRIBUTED_AS="binary" +GH_ORG="gruntwork-io" +GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_${TARGETOS}_${TARGETARCH}" +GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}" +DISTRIBUTED_AS="binary" common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" diff --git a/tools/install/terrascan.sh b/tools/install/terrascan.sh index 8c4ecdbf1..51dae0538 100755 --- a/tools/install/terrascan.sh +++ b/tools/install/terrascan.sh 
@@ -16,10 +16,10 @@ fi # Convert the first letter to Uppercase OS="${TARGETOS^}" -readonly GH_ORG="tenable" -readonly GH_RELEASE_REGEX_LATEST="https://.+?_${OS}_${ARCH}.tar.gz" -readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${OS}_${ARCH}.tar.gz" -readonly DISTRIBUTED_AS="tar.gz" +GH_ORG="tenable" +GH_RELEASE_REGEX_LATEST="https://.+?_${OS}_${ARCH}.tar.gz" +GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${OS}_${ARCH}.tar.gz" +DISTRIBUTED_AS="tar.gz" common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" diff --git a/tools/install/tflint.sh b/tools/install/tflint.sh index e3494a3d7..08ed28be8 100755 --- a/tools/install/tflint.sh +++ b/tools/install/tflint.sh @@ -8,10 +8,10 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # Unique part # -readonly GH_ORG="terraform-linters" -readonly GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.zip" -readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?/v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}.zip" -readonly DISTRIBUTED_AS="zip" +GH_ORG="terraform-linters" +GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.zip" +GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?/v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}.zip" +DISTRIBUTED_AS="zip" common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" diff --git a/tools/install/tfsec.sh b/tools/install/tfsec.sh index 184c361d7..3eacc0e7f 100755 --- a/tools/install/tfsec.sh +++ b/tools/install/tfsec.sh 
@@ -8,10 +8,10 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # Unique part # -readonly GH_ORG="aquasecurity" -readonly GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}-${TARGETOS}-${TARGETARCH}" -readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}" -readonly DISTRIBUTED_AS="binary" +GH_ORG="aquasecurity" +GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}-${TARGETOS}-${TARGETARCH}" +GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}" +DISTRIBUTED_AS="binary" common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" diff --git a/tools/install/tfupdate.sh b/tools/install/tfupdate.sh index 9b407bc19..512095803 100755 --- a/tools/install/tfupdate.sh +++ b/tools/install/tfupdate.sh @@ -7,10 +7,10 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # # Unique part # -readonly GH_ORG="minamijoyo" -readonly GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz" -readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz" -readonly DISTRIBUTED_AS="tar.gz" +GH_ORG="minamijoyo" +GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz" +GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz" +DISTRIBUTED_AS="tar.gz" common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" diff --git a/tools/install/trivy.sh b/tools/install/trivy.sh index 9a422b77d..a562e7552 100755 --- a/tools/install/trivy.sh +++ b/tools/install/trivy.sh 
@@ -14,10 +14,10 @@ else readonly ARCH="64bit" fi -readonly GH_ORG="aquasecurity" -readonly GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz" -readonly GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?/v${VERSION}/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz" -readonly DISTRIBUTED_AS="tar.gz" +GH_ORG="aquasecurity" +GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz" +GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?/v${VERSION}/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz" +DISTRIBUTED_AS="tar.gz" common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" From 133fe03bd40c890b55b9cff3eb9923158f08ff3e Mon Sep 17 00:00:00 2001 From: Maksym Vlasov Date: Mon, 18 Mar 2024 21:49:15 +0200 Subject: [PATCH 10/18] Apply suggestions from code review Co-authored-by: George L. Yermulnik --- tools/install/_common.sh | 2 +- tools/install/terrascan.sh | 11 +++++------ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/tools/install/_common.sh b/tools/install/_common.sh index 6a212780e..70297f297 100755 --- a/tools/install/_common.sh +++ b/tools/install/_common.sh @@ -53,7 +53,7 @@ function common::install_from_gh_release { local -r PKG="$TOOL" ;; *) - echo "Unknown DISTRIBUTED_AS: '$DISTRIBUTED_AS'. Should be one of: 'tar.gz', 'zip' or 'binary'." + echo "Unknown DISTRIBUTED_AS: '$DISTRIBUTED_AS'. Should be one of: 'tar.gz', 'zip' or 'binary'." >&2 exit 1 ;; esac diff --git a/tools/install/terrascan.sh b/tools/install/terrascan.sh index 51dae0538..8d4c6165a 100755 --- a/tools/install/terrascan.sh +++ b/tools/install/terrascan.sh @@ -8,11 +8,8 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" # Unique part # -if [[ $TARGETARCH != amd64 ]]; then - readonly ARCH="$TARGETARCH" -else - readonly ARCH="x86_64" -fi +[[ $TARGETARCH != amd64 ]] && ARCH="$TARGETARCH" || ARCH="x86_64" +readonly ARCH # Convert the first letter to Uppercase OS="${TARGETOS^}" 
@@ -24,4 +21,6 @@ DISTRIBUTED_AS="tar.gz" common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \ "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION" -./terrascan init +# Download (caching) terrascan rego policies to save time during terrascan run +# https://runterrascan.io/docs/usage/_print/#pg-2cba380a2ef14e4ae3c674e02c5f9f53 +./${TOOL} init From 0fbbb5ba8629cf744a04518294bfce9fc850f549 Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Mon, 18 Mar 2024 21:59:24 +0200 Subject: [PATCH 11/18] Rewrite `readonly` definitions + fix dumb error --- hooks/infracost_breakdown.sh | 4 ++-- hooks/terraform_checkov.sh | 4 ++-- hooks/terraform_docs.sh | 4 ++-- hooks/terraform_fmt.sh | 4 ++-- hooks/terraform_providers_lock.sh | 4 ++-- hooks/terraform_tflint.sh | 4 ++-- hooks/terraform_tfsec.sh | 4 ++-- hooks/terraform_trivy.sh | 4 ++-- hooks/terraform_validate.sh | 4 ++-- hooks/terraform_wrapper_module_for_each.sh | 4 ++-- hooks/terragrunt_fmt.sh | 4 ++-- hooks/terragrunt_providers_lock.sh | 4 ++-- hooks/terragrunt_validate.sh | 4 ++-- hooks/terrascan.sh | 4 ++-- hooks/tfupdate.sh | 4 ++-- tools/install/checkov.sh | 4 ++-- tools/install/hcledit.sh | 4 ++-- tools/install/infracost.sh | 4 ++-- tools/install/pre-commit.sh | 4 ++-- tools/install/terraform-docs.sh | 4 ++-- tools/install/terraform.sh | 9 ++++++--- tools/install/terragrunt.sh | 4 ++-- tools/install/terrascan.sh | 6 +++--- tools/install/tflint.sh | 4 ++-- tools/install/tfsec.sh | 4 ++-- tools/install/tfupdate.sh | 4 ++-- tools/install/trivy.sh | 4 ++-- 27 files changed, 59 insertions(+), 56 deletions(-) diff --git a/hooks/infracost_breakdown.sh b/hooks/infracost_breakdown.sh index 551579112..d5351b9bf 100755 --- a/hooks/infracost_breakdown.sh +++ b/hooks/infracost_breakdown.sh 
@@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/hooks/terraform_checkov.sh b/hooks/terraform_checkov.sh index a9603afd9..dbbdc463b 100755 --- a/hooks/terraform_checkov.sh +++ b/hooks/terraform_checkov.sh @@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/hooks/terraform_docs.sh b/hooks/terraform_docs.sh index c597730b0..472d6487c 100755 --- a/hooks/terraform_docs.sh +++ b/hooks/terraform_docs.sh @@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/hooks/terraform_fmt.sh b/hooks/terraform_fmt.sh index 727635caa..949a066a8 100755 --- a/hooks/terraform_fmt.sh +++ b/hooks/terraform_fmt.sh @@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" 
diff --git a/hooks/terraform_providers_lock.sh b/hooks/terraform_providers_lock.sh index bf2aa2084..34bce58b2 100755 --- a/hooks/terraform_providers_lock.sh +++ b/hooks/terraform_providers_lock.sh @@ -3,8 +3,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/hooks/terraform_tflint.sh b/hooks/terraform_tflint.sh index 9c8373676..211e648bc 100755 --- a/hooks/terraform_tflint.sh +++ b/hooks/terraform_tflint.sh @@ -3,8 +3,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/hooks/terraform_tfsec.sh b/hooks/terraform_tfsec.sh index 75966bf8c..52cab2c71 100755 --- a/hooks/terraform_tfsec.sh +++ b/hooks/terraform_tfsec.sh @@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/hooks/terraform_trivy.sh b/hooks/terraform_trivy.sh index fd9a3203a..7de40188b 100755 --- a/hooks/terraform_trivy.sh +++ b/hooks/terraform_trivy.sh 
@@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/hooks/terraform_validate.sh b/hooks/terraform_validate.sh index 9a6c50fce..a56e8c6db 100755 --- a/hooks/terraform_validate.sh +++ b/hooks/terraform_validate.sh @@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/hooks/terraform_wrapper_module_for_each.sh b/hooks/terraform_wrapper_module_for_each.sh index b01fe4601..7a6e4f5f9 100755 --- a/hooks/terraform_wrapper_module_for_each.sh +++ b/hooks/terraform_wrapper_module_for_each.sh @@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/hooks/terragrunt_fmt.sh b/hooks/terragrunt_fmt.sh index 1effbf47b..a39c78a79 100755 --- a/hooks/terragrunt_fmt.sh +++ b/hooks/terragrunt_fmt.sh @@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" 
diff --git a/hooks/terragrunt_providers_lock.sh b/hooks/terragrunt_providers_lock.sh index f05a571c4..059f8d1f5 100755 --- a/hooks/terragrunt_providers_lock.sh +++ b/hooks/terragrunt_providers_lock.sh @@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/hooks/terragrunt_validate.sh b/hooks/terragrunt_validate.sh index 8fafada0a..e595329b6 100755 --- a/hooks/terragrunt_validate.sh +++ b/hooks/terragrunt_validate.sh @@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/hooks/terrascan.sh b/hooks/terrascan.sh index 0c1447bd4..d7dc5f4a5 100755 --- a/hooks/terrascan.sh +++ b/hooks/terrascan.sh @@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/hooks/tfupdate.sh b/hooks/tfupdate.sh index 9397cfe94..5c9979a47 100755 --- a/hooks/tfupdate.sh +++ b/hooks/tfupdate.sh 
@@ -2,8 +2,8 @@ set -eo pipefail # globals variables -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/tools/install/checkov.sh b/tools/install/checkov.sh index b49546f93..7ac70677c 100755 --- a/tools/install/checkov.sh +++ b/tools/install/checkov.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/tools/install/hcledit.sh b/tools/install/hcledit.sh index 62a58a59a..278c17281 100755 --- a/tools/install/hcledit.sh +++ b/tools/install/hcledit.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/tools/install/infracost.sh b/tools/install/infracost.sh index 33eab962c..df43318b2 100755 --- a/tools/install/infracost.sh +++ b/tools/install/infracost.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/tools/install/pre-commit.sh b/tools/install/pre-commit.sh index aaf6c9d65..9f3bdfb24 100755 --- a/tools/install/pre-commit.sh 
+++ b/tools/install/pre-commit.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/tools/install/terraform-docs.sh b/tools/install/terraform-docs.sh index a25a35573..8aaa712b5 100755 --- a/tools/install/terraform-docs.sh +++ b/tools/install/terraform-docs.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" diff --git a/tools/install/terraform.sh b/tools/install/terraform.sh index d23d7d744..65ec21c2b 100755 --- a/tools/install/terraform.sh +++ b/tools/install/terraform.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines -readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)" +readonly SCRIPT_DIR # shellcheck source=_common.sh . "$SCRIPT_DIR/_common.sh" 
@@ -9,8 +9,11 @@ readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 #
 # shellcheck disable=SC2153 # We are using the variable from _common.sh
 if [[ $VERSION == latest ]]; then
- readonly version="$(curl -s https://api.github.com/repos/hashicorp/terraform/releases/latest | grep tag_name | grep -o -E -m 1 "[0-9.]+")"
+ version="$(curl -s https://api.github.com/repos/hashicorp/terraform/releases/latest | grep tag_name | grep -o -E -m 1 "[0-9.]+")"
+else
+ version=$VERSION
 fi
+readonly version
 curl -L "https://releases.hashicorp.com/terraform/${version}/${TOOL}_${version}_${TARGETOS}_${TARGETARCH}.zip" > "${TOOL}.zip"
 unzip "${TOOL}.zip" "$TOOL"
diff --git a/tools/install/terragrunt.sh b/tools/install/terragrunt.sh
index 6b75f0e0c..e47baf1ab 100755
--- a/tools/install/terragrunt.sh
+++ b/tools/install/terragrunt.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
-readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+readonly SCRIPT_DIR
 # shellcheck source=_common.sh
 . "$SCRIPT_DIR/_common.sh"
diff --git a/tools/install/terrascan.sh b/tools/install/terrascan.sh
index 8d4c6165a..7e7a924b4 100755
--- a/tools/install/terrascan.sh
+++ b/tools/install/terrascan.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
-readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+readonly SCRIPT_DIR
 # shellcheck source=_common.sh
 . "$SCRIPT_DIR/_common.sh"
@@ -23,4 +23,4 @@ common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \
 # Download (caching) terrascan rego policies to save time during terrascan run
 # https://runterrascan.io/docs/usage/_print/#pg-2cba380a2ef14e4ae3c674e02c5f9f53
-./${TOOL} init
+./"$TOOL" init
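Review bot: The new `version="$(curl -s …)"` line in terraform.sh still runs curl without `-f`/`-S`, so an HTTP error from the GitHub API (a rate-limit reply in CI is the usual case) is swallowed by curl itself and the only sign of trouble is the downstream `grep` exiting non-zero — and that is fatal only if pipefail and errexit are already in force here, which this hunk does not show. `curl -fsS https://api.github.com/repos/hashicorp/terraform/releases/latest` makes the HTTP failure itself the error and prints why, which is closer to what this series is trying to achieve. The `curl -L` download below it has the same gap and additionally performs no integrity check against the SHA256SUMS file HashiCorp publishes next to each release; that line is unchanged context, so it is a follow-up rather than part of this change.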
diff --git a/tools/install/tflint.sh b/tools/install/tflint.sh
index 08ed28be8..b286987ce 100755
--- a/tools/install/tflint.sh
+++ b/tools/install/tflint.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
-readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+readonly SCRIPT_DIR
 # shellcheck source=_common.sh
 . "$SCRIPT_DIR/_common.sh"
diff --git a/tools/install/tfsec.sh b/tools/install/tfsec.sh
index 3eacc0e7f..0b8af4d39 100755
--- a/tools/install/tfsec.sh
+++ b/tools/install/tfsec.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
-readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+readonly SCRIPT_DIR
 # shellcheck source=_common.sh
 . "$SCRIPT_DIR/_common.sh"
diff --git a/tools/install/tfupdate.sh b/tools/install/tfupdate.sh
index 512095803..780429bf9 100755
--- a/tools/install/tfupdate.sh
+++ b/tools/install/tfupdate.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
-readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+readonly SCRIPT_DIR
 # shellcheck source=_common.sh
 . "$SCRIPT_DIR/_common.sh"
diff --git a/tools/install/trivy.sh b/tools/install/trivy.sh
index a562e7552..db82fa9cf 100755
--- a/tools/install/trivy.sh
+++ b/tools/install/trivy.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
-readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+readonly SCRIPT_DIR
 # shellcheck source=_common.sh
 . "$SCRIPT_DIR/_common.sh"
From 51cfcd9579046bbf49572a66753698f8528ba367 Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Mon, 18 Mar 2024 22:03:43 +0200
Subject: [PATCH 12/18] Minor style improvements
---
 tools/install/infracost.sh | 1 +
 tools/install/terraform-docs.sh | 1 +
 tools/install/terragrunt.sh | 1 +
 tools/install/terrascan.sh | 2 +-
 tools/install/tfupdate.sh | 1 +
 tools/install/trivy.sh | 7 ++-----
 6 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/tools/install/infracost.sh b/tools/install/infracost.sh
index df43318b2..6f3ffc330 100755
--- a/tools/install/infracost.sh
+++ b/tools/install/infracost.sh
@@ -7,6 +7,7 @@ readonly SCRIPT_DIR
 #
 # Unique part
 #
+
 GH_ORG="infracost"
 GH_RELEASE_REGEX_LATEST="https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}.tar.gz"
diff --git a/tools/install/terraform-docs.sh b/tools/install/terraform-docs.sh
index 8aaa712b5..079a01bae 100755
--- a/tools/install/terraform-docs.sh
+++ b/tools/install/terraform-docs.sh
@@ -7,6 +7,7 @@ readonly SCRIPT_DIR
 #
 # Unique part
 #
+
 GH_ORG="terraform-docs"
 GH_RELEASE_REGEX_LATEST="https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz"
diff --git a/tools/install/terragrunt.sh b/tools/install/terragrunt.sh
index e47baf1ab..41df2510a 100755
--- a/tools/install/terragrunt.sh
+++ b/tools/install/terragrunt.sh
@@ -7,6 +7,7 @@ readonly SCRIPT_DIR
 #
 # Unique part
 #
+
 GH_ORG="gruntwork-io"
 GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_${TARGETOS}_${TARGETARCH}"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}"
diff --git a/tools/install/terrascan.sh b/tools/install/terrascan.sh
index 7e7a924b4..bce43ef21 100755
--- a/tools/install/terrascan.sh
+++ b/tools/install/terrascan.sh
@@ -8,7 +8,7 @@ readonly SCRIPT_DIR
 # Unique part
 #
-[[ $TARGETARCH != amd64 ]] && ARCH="$TARGETARCH" || ARCH="x86_64"
+[[ $TARGETARCH != amd64 ]] && ARCH="x86_64" || ARCH="$TARGETARCH"
 readonly ARCH
 # Convert the first letter to Uppercase
 OS="${TARGETOS^}"
diff --git a/tools/install/tfupdate.sh b/tools/install/tfupdate.sh
index 780429bf9..278c17281 100755
--- a/tools/install/tfupdate.sh
+++ b/tools/install/tfupdate.sh
@@ -7,6 +7,7 @@ readonly SCRIPT_DIR
 #
 # Unique part
 #
+
 GH_ORG="minamijoyo"
 GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz"
diff --git a/tools/install/trivy.sh b/tools/install/trivy.sh
index db82fa9cf..0c01f8c00 100755
--- a/tools/install/trivy.sh
+++ b/tools/install/trivy.sh
@@ -8,11 +8,8 @@ readonly SCRIPT_DIR
 # Unique part
 #
-if [[ $TARGETARCH != amd64 ]]; then
- readonly ARCH="$TARGETARCH"
-else
- readonly ARCH="64bit"
-fi
+[[ $TARGETARCH == amd64 ]] && ARCH="64bit" || ARCH="$TARGETARCH"
+readonly ARCH
 GH_ORG="aquasecurity"
 GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz"
From 8c86ac0fad6dc7634d179bf41c47397dfaa99f9e Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Tue, 19 Mar 2024 18:45:07 +0200
Subject: [PATCH 13/18] Fix tests for arm
---
 .github/.container-structure-test-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/.container-structure-test-config.yaml b/.github/.container-structure-test-config.yaml
index 8cbf7e4de..1e7ec3acb 100644
--- a/.github/.container-structure-test-config.yaml
+++ b/.github/.container-structure-test-config.yaml
@@ -13,7 +13,7 @@ commandTests:
 - name: "terraform"
 command: "terraform"
 args: ["-version"]
- expectedOutput: ["^Terraform v([0-9]+\\.){2}[0-9]+\\non linux_amd64\\n$"]
+ expectedOutput: ["^Terraform v([0-9]+\\.){2}[0-9]+\\n"]
 - name: "gcc"
 command: "gcc"
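Review bot: The `test && A || B` form introduced on the `ARCH` line of trivy.sh reads like an if/else but is not one, and its two branches are easy to invert when the test is negated — the terrascan.sh hunk in this same commit shows exactly that, mapping every non-amd64 `TARGETARCH` to `x86_64` (a later commit in this series flips it back). The removed `if … else … fi` was longer but unambiguous; `if [[ $TARGETARCH == amd64 ]]; then ARCH="64bit"; else ARCH="$TARGETARCH"; fi` keeps the one-line shape without the trap. If the compact form is kept, a comment such as `# amd64 is published as "64bit" in trivy release asset names` on the line above would at least make the intended mapping checkable at a glance.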
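Review bot: Dropping `linux_amd64\\n$` from the terraform `expectedOutput` removes the only assertion that the installed binary matches the platform the image was built for, so a download of the wrong-arch archive that still runs (for example under emulation) would now pass the structure test. Keeping the platform with an alternation, `expectedOutput: ["^Terraform v([0-9]+\\.){2}[0-9]+\\non linux_(amd64|arm64)\\n$"]`, covers the arm build this commit targets (presumably arm64) without giving up the check. The terraform-docs hunk on the next line has the same trade-off and could keep `linux/(amd64|arm64)` in the same way.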
@@ -33,7 +33,7 @@ commandTests:
 - name: "terraform-docs"
 command: "terraform-docs"
 args: ["--version"]
- expectedOutput: ["^terraform-docs version v([0-9]+\\.){2}[0-9]+ [a-z0-9]+ linux/amd64\\n$"]
+ expectedOutput: ["^terraform-docs version v([0-9]+\\.){2}[0-9]+ [a-z0-9]+"]
 - name: "terragrunt"
 command: "terragrunt"
From 84b043343f9cec3a145931783b115cf50cd7ce25 Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Tue, 19 Mar 2024 19:28:02 +0200
Subject: [PATCH 14/18] fix refactoring error
---
 tools/install/terrascan.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/install/terrascan.sh b/tools/install/terrascan.sh
index bce43ef21..f50cb6352 100755
--- a/tools/install/terrascan.sh
+++ b/tools/install/terrascan.sh
@@ -8,7 +8,7 @@ readonly SCRIPT_DIR
 # Unique part
 #
-[[ $TARGETARCH != amd64 ]] && ARCH="x86_64" || ARCH="$TARGETARCH"
+[[ $TARGETARCH == amd64 ]] && ARCH="x86_64" || ARCH="$TARGETARCH"
 readonly ARCH
 # Convert the first letter to Uppercase
 OS="${TARGETOS^}"
From fd6efa87df2d60378e36c6f8fb968f4780c052b1 Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Wed, 24 Apr 2024 20:53:10 +0300
Subject: [PATCH 15/18] Apply review suggestions
---
 Dockerfile | 10 ++++++----
 tools/install/checkov.sh | 2 ++
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 443c68e62..3822194e5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,8 +23,10 @@ ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest}
 ARG TERRAFORM_VERSION=${TERRAFORM_VERSION:-latest}
 RUN touch /.env && \
- if [ "$PRE_COMMIT_VERSION" = "false" ]; then echo "PRE_COMMIT_VERSION=latest" >> /.env; fi; \
- if [ "$TERRAFORM_VERSION" = "false" ]; then echo "TERRAFORM_VERSION=latest" >> /.env; fi
+ if [ "$PRE_COMMIT_VERSION" = "false" ] || [ "$TERRAFORM_VERSION" = "false" ]; then \
+ echo "Vital software can't be skipped" && exit 1; \
+ fi
+
 RUN /install/pre-commit.sh
 RUN /install/terraform.sh
@@ -50,15 +52,15 @@ ARG TRIVY_VERSION=${TRIVY_VERSION:-false}
 ARG INSTALL_ALL=${INSTALL_ALL:-false}
 RUN if [ "$INSTALL_ALL" != "false" ]; then \
 echo "CHECKOV_VERSION=latest" >> /.env && \
+ echo "HCLEDIT_VERSION=latest" >> /.env && \
 echo "INFRACOST_VERSION=latest" >> /.env && \
 echo "TERRAFORM_DOCS_VERSION=latest" >> /.env && \
 echo "TERRAGRUNT_VERSION=latest" >> /.env && \
 echo "TERRASCAN_VERSION=latest" >> /.env && \
 echo "TFLINT_VERSION=latest" >> /.env && \
 echo "TFSEC_VERSION=latest" >> /.env && \
- echo "TRIVY_VERSION=latest" >> /.env && \
 echo "TFUPDATE_VERSION=latest" >> /.env && \
- echo "HCLEDIT_VERSION=latest" >> /.env \
+ echo "TRIVY_VERSION=latest" >> /.env \
 ; fi
 RUN /install/checkov.sh
diff --git a/tools/install/checkov.sh b/tools/install/checkov.sh
index 7ac70677c..8be8c649e 100755
--- a/tools/install/checkov.sh
+++ b/tools/install/checkov.sh
@@ -31,4 +31,6 @@ else
 fi
 apk del gcc libffi-dev musl-dev
+# no longer required once checkov version depends on rustworkx >0.14.0
+# https://github.com/bridgecrewio/checkov/pull/6045
 apk del cargo git rust
From b3436cf430775981d422096c5be41ae07faa714d Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Wed, 24 Apr 2024 21:58:11 +0300
Subject: [PATCH 16/18] Reorder fields
---
 tools/install/hcledit.sh | 2 +-
 tools/install/infracost.sh | 2 +-
 tools/install/terraform-docs.sh | 2 +-
 tools/install/terragrunt.sh | 2 +-
 tools/install/terrascan.sh | 2 +-
 tools/install/tflint.sh | 2 +-
 tools/install/tfsec.sh | 2 +-
 tools/install/tfupdate.sh | 2 +-
 tools/install/trivy.sh | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/tools/install/hcledit.sh b/tools/install/hcledit.sh
index 278c17281..498e4fb6f 100755
--- a/tools/install/hcledit.sh
+++ b/tools/install/hcledit.sh
@@ -9,8 +9,8 @@ readonly SCRIPT_DIR
 #
 GH_ORG="minamijoyo"
-GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz"
+GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz"
 DISTRIBUTED_AS="tar.gz"
 common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \
diff --git a/tools/install/infracost.sh b/tools/install/infracost.sh
index 6f3ffc330..9974ca1d1 100755
--- a/tools/install/infracost.sh
+++ b/tools/install/infracost.sh
@@ -9,8 +9,8 @@ readonly SCRIPT_DIR
 #
 GH_ORG="infracost"
-GH_RELEASE_REGEX_LATEST="https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}.tar.gz"
+GH_RELEASE_REGEX_LATEST="https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz"
 DISTRIBUTED_AS="tar.gz"
 UNUSUAL_TOOL_NAME_IN_PKG="${TOOL}-${TARGETOS}-${TARGETARCH}"
diff --git a/tools/install/terraform-docs.sh b/tools/install/terraform-docs.sh
index 079a01bae..9eec05394 100755
--- a/tools/install/terraform-docs.sh
+++ b/tools/install/terraform-docs.sh
@@ -9,8 +9,8 @@ readonly SCRIPT_DIR
 #
 GH_ORG="terraform-docs"
-GH_RELEASE_REGEX_LATEST="https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz"
+GH_RELEASE_REGEX_LATEST="https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz"
 DISTRIBUTED_AS="tar.gz"
 common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \
diff --git a/tools/install/terragrunt.sh b/tools/install/terragrunt.sh
index 41df2510a..20cc60ff7 100755
--- a/tools/install/terragrunt.sh
+++ b/tools/install/terragrunt.sh
@@ -9,8 +9,8 @@ readonly SCRIPT_DIR
 #
 GH_ORG="gruntwork-io"
-GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_${TARGETOS}_${TARGETARCH}"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}"
+GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_${TARGETOS}_${TARGETARCH}"
 DISTRIBUTED_AS="binary"
 common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \
diff --git a/tools/install/terrascan.sh b/tools/install/terrascan.sh
index f50cb6352..4393159d3 100755
--- a/tools/install/terrascan.sh
+++ b/tools/install/terrascan.sh
@@ -14,8 +14,8 @@ readonly ARCH
 OS="${TARGETOS^}"
 GH_ORG="tenable"
-GH_RELEASE_REGEX_LATEST="https://.+?_${OS}_${ARCH}.tar.gz"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${OS}_${ARCH}.tar.gz"
+GH_RELEASE_REGEX_LATEST="https://.+?_${OS}_${ARCH}.tar.gz"
 DISTRIBUTED_AS="tar.gz"
 common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \
diff --git a/tools/install/tflint.sh b/tools/install/tflint.sh
index b286987ce..ac2556b81 100755
--- a/tools/install/tflint.sh
+++ b/tools/install/tflint.sh
@@ -9,8 +9,8 @@ readonly SCRIPT_DIR
 #
 GH_ORG="terraform-linters"
-GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.zip"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?/v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}.zip"
+GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.zip"
 DISTRIBUTED_AS="zip"
 common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \
diff --git a/tools/install/tfsec.sh b/tools/install/tfsec.sh
index 0b8af4d39..3c9c2430d 100755
--- a/tools/install/tfsec.sh
+++ b/tools/install/tfsec.sh
@@ -9,8 +9,8 @@ readonly SCRIPT_DIR
 #
 GH_ORG="aquasecurity"
-GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}-${TARGETOS}-${TARGETARCH}"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}-${TARGETOS}-${TARGETARCH}"
+GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}-${TARGETOS}-${TARGETARCH}"
 DISTRIBUTED_AS="binary"
 common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \
diff --git a/tools/install/tfupdate.sh b/tools/install/tfupdate.sh
index 278c17281..498e4fb6f 100755
--- a/tools/install/tfupdate.sh
+++ b/tools/install/tfupdate.sh
@@ -9,8 +9,8 @@ readonly SCRIPT_DIR
 #
 GH_ORG="minamijoyo"
-GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz"
+GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz"
 DISTRIBUTED_AS="tar.gz"
 common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \
diff --git a/tools/install/trivy.sh b/tools/install/trivy.sh
index 0c01f8c00..c07625b53 100755
--- a/tools/install/trivy.sh
+++ b/tools/install/trivy.sh
@@ -12,8 +12,8 @@ readonly SCRIPT_DIR
 readonly ARCH
 GH_ORG="aquasecurity"
-GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz"
 GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?/v${VERSION}/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz"
+GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_.+?_${TARGETOS}-${ARCH}.tar.gz"
 DISTRIBUTED_AS="tar.gz"
 common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \
From 6b0c4ee1b89a989d85c85356d1998135baea211c Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Wed, 24 Apr 2024 22:07:32 +0300
Subject: [PATCH 17/18] Add example of how to add add a new dependency
---
 .github/CONTRIBUTING.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
index 388bf3751..1d1568e51 100644
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -113,6 +113,9 @@ You can use [this PR](https://github.com/antonbabenko/pre-commit-terraform/pull/
 ### Add code
+> [!TIP]
+> Here is a screencast of [how to add new dependency in `tools/install/`](https://github.com/antonbabenko/pre-commit-terraform/assets/11096782/8fc461e9-f163-4592-9497-4a18fa89c0e8) - used in Dockerfile
+
 1. Based on prev. block, add hook dependencies installation to [Dockerfile](../Dockerfile). Check that works:
 * `docker build -t pre-commit --build-arg INSTALL_ALL=true .`
From 8f1e05c61330b22061be07c776ff9f197a307314 Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Wed, 24 Apr 2024 22:25:15 +0300
Subject: [PATCH 18/18] nfracost changed their version output
---
 .github/.container-structure-test-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/.container-structure-test-config.yaml b/.github/.container-structure-test-config.yaml
index 1e7ec3acb..c746d83fc 100644
--- a/.github/.container-structure-test-config.yaml
+++ b/.github/.container-structure-test-config.yaml
@@ -28,7 +28,7 @@ commandTests:
 - name: "infracost"
 command: "infracost"
 args: ["--version"]
- expectedOutput: ["^Infracost v([0-9]+\\.){2}[0-9]+\\n$"]
+ expectedOutput: ["^Infracost v([0-9]+\\.){2}[0-9]+"]
 - name: "terraform-docs"
 command: "terraform-docs"