From 4fcd241f8f90dc0b33d215de7dd773e33aec1856 Mon Sep 17 00:00:00 2001
From: JonZeolla
Date: Mon, 29 Jul 2024 14:53:52 -0400
Subject: [PATCH] fix: allow tofu/terraform caches to stay local (#331)

---
 build/.terraformrc         | 2 --
 build/Dockerfile.opentofu  | 2 --
 build/Dockerfile.terraform | 2 --
 build/Dockerfrag.kics      | 4 ----
 build/Dockerfrag.opentofu  | 1 -
 build/Dockerfrag.terraform | 1 -
 docs/Terraform/index.rst   | 20 ++++++++++----------
 7 files changed, 10 insertions(+), 22 deletions(-)
 delete mode 100644 build/.terraformrc

diff --git a/build/.terraformrc b/build/.terraformrc
deleted file mode 100644
index 0718798d..00000000
--- a/build/.terraformrc
+++ /dev/null
@@ -1,2 +0,0 @@
-plugin_cache_dir = "$HOME/.terraform.d/plugin-cache"
-
diff --git a/build/Dockerfile.opentofu b/build/Dockerfile.opentofu
index 0949926d..826bd249 100644
--- a/build/Dockerfile.opentofu
+++ b/build/Dockerfile.opentofu
@@ -11,8 +11,6 @@ ARG TOFUENV_VERSION
 ENV TOFUENV_VERSION="${TOFUENV_VERSION}"
 ARG DEBIAN_FRONTEND="noninteractive"
 
-COPY --chown=easy_infra:easy_infra .terraformrc /home/easy_infra/
-
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 USER root
 # hadolint ignore=DL3008
diff --git a/build/Dockerfile.terraform b/build/Dockerfile.terraform
index b0ffe1c0..ce196de4 100644
--- a/build/Dockerfile.terraform
+++ b/build/Dockerfile.terraform
@@ -11,8 +11,6 @@ ARG TFENV_VERSION
 ENV TFENV_VERSION="${TFENV_VERSION}"
 ARG DEBIAN_FRONTEND="noninteractive"
 
-COPY --chown=easy_infra:easy_infra .terraformrc /home/easy_infra/
-
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 USER root
 # hadolint ignore=DL3008
diff --git a/build/Dockerfrag.kics b/build/Dockerfrag.kics
index c81be7d9..288fc4a7 100644
--- a/build/Dockerfrag.kics
+++ b/build/Dockerfrag.kics
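Review bot: The hunk leaves no trace that the image now intentionally ships without a `.terraformrc`, so a later maintainer who sees providers being installed under `.terraform/` in the mounted `/iac` instead of a shared cache has nothing telling them this is by design; the same applies to the matching hunk in build/Dockerfile.terraform. I would put a comment where the COPY used to sit, between `ARG DEBIAN_FRONTEND` and `SHELL`: `# No .terraformrc is shipped on purpose: with no plugin_cache_dir, providers land in each module's .terraform/ under the mounted /iac (a shared cache can be re-enabled by bind-mounting a .terraformrc or via TF_CLI_CONFIG_FILE)`. Since provider binaries now live inside the IaC checkout, the documentation should also tell users to keep `.terraform/` out of version control and to rely on `.terraform.lock.hcl` to pin provider hashes across runs. Whether the build stage still creates the old `~/.terraform.d/plugin-cache` directory is outside this hunk, so I cannot tell if a now-unused `mkdir` remains.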
@@ -10,7 +10,3 @@ COPY --from=kics --chown=easy_infra:easy_infra /app/bin/kics /usr/local/bin/kics
 COPY --from=kics --chown=easy_infra:easy_infra /app/bin/assets/libraries /home/easy_infra/.kics/assets/libraries
 COPY --from=kics --chown=easy_infra:easy_infra /app/bin/assets/queries /home/easy_infra/.kics/assets/queries
 COPY --from=kics --chown=easy_infra:easy_infra /tmp/reports/kics /tmp/reports/kics
-
-# Intentionally left out because KICS is not currently used in the Terraform image
-#COPY --from=kics --chown=easy_infra:easy_infra /root/.terraform.d/plugins/linux_amd64 /home/easy_infra/.terraform.d/plugins/linux_amd64
-#COPY --from=kics --chown=easy_infra:easy_infra /usr/bin/terraformer /usr/local/bin/terraformer
diff --git a/build/Dockerfrag.opentofu b/build/Dockerfrag.opentofu
index 3b53a7af..76fe4904 100644
--- a/build/Dockerfrag.opentofu
+++ b/build/Dockerfrag.opentofu
@@ -7,7 +7,6 @@ ENV TOFUENV_VERSION="${TOFUENV_VERSION}"
 ARG DEBIAN_FRONTEND="noninteractive"
 
 COPY --from=opentofu --chown=easy_infra:easy_infra /home/easy_infra/.terraform.d /home/easy_infra/.terraform.d
-COPY --from=opentofu --chown=easy_infra:easy_infra /home/easy_infra/.terraformrc /home/easy_infra/.terraformrc
 COPY --from=opentofu --chown=easy_infra:easy_infra /home/easy_infra/.tofuenv /home/easy_infra/.tofuenv
 COPY --from=opentofu --chown=easy_infra:easy_infra /usr/local/bin /usr/local/bin
 COPY --from=opentofu --chown=easy_infra:easy_infra /home/easy_infra/.local /home/easy_infra/.local
diff --git a/build/Dockerfrag.terraform b/build/Dockerfrag.terraform
index 65ee1a78..72ba1df3 100644
--- a/build/Dockerfrag.terraform
+++ b/build/Dockerfrag.terraform
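Review bot: The `COPY --from=opentofu ... /home/easy_infra/.terraform.d` line directly above the removed `.terraformrc` copy is kept, although the deleted `.terraformrc` was the only thing pointing a plugin cache at `$HOME/.terraform.d/plugin-cache`; the same applies to the matching hunk in build/Dockerfrag.terraform. If that directory only held a pre-populated plugin cache, the copy now ships provider binaries the runtime configuration no longer reads (extra image size plus a stale set of providers to keep patched), and if the build stage has stopped creating it the `COPY` will fail the build. Please confirm what the `opentofu` stage still writes under `.terraform.d` and either drop the line or annotate it, e.g. `# .terraform.d is still copied for <reason>; any plugin-cache inside it is unused now that no .terraformrc is shipped`.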
@@ -7,7 +7,6 @@ ENV TFENV_VERSION="${TFENV_VERSION}"
 ARG DEBIAN_FRONTEND="noninteractive"
 
 COPY --from=terraform --chown=easy_infra:easy_infra /home/easy_infra/.terraform.d /home/easy_infra/.terraform.d
-COPY --from=terraform --chown=easy_infra:easy_infra /home/easy_infra/.terraformrc /home/easy_infra/.terraformrc
 COPY --from=terraform --chown=easy_infra:easy_infra /home/easy_infra/.tfenv /home/easy_infra/.tfenv
 COPY --from=terraform --chown=easy_infra:easy_infra /usr/local/bin /usr/local/bin
 COPY --from=terraform --chown=easy_infra:easy_infra /home/easy_infra/.local /home/easy_infra/.local
diff --git a/docs/Terraform/index.rst b/docs/Terraform/index.rst
index f6ea7580..c885c4e6 100644
--- a/docs/Terraform/index.rst
+++ b/docs/Terraform/index.rst
@@ -10,7 +10,7 @@ environments as Infrastructure as Code (IaC).
 ``easy_infra`` uses security tools, such as `Checkov `_, to transparently assess the provided IaC against the defined security policy.
 .. warning::
- ``easy_infra``'s `terraform` images are incompatable with the terraform ``-chdir`` argument as documented `here
+ ``easy_infra``'s `terraform` images are incompatible with the terraform ``-chdir`` argument as documented `here
 `_.
@@ -20,11 +20,11 @@ Use Cases
 If you use Software Version Control (such as ``git``) to manage your Terraform IaC, consider executing ``terraform validate`` with easy_infra as a pipeline action on commit or pull request::
- docker run -v .:/iac seiso/easy_infra:latest-terraform terraform validate
+ docker run -v "$(pwd)":/iac seiso/easy_infra:latest-terraform terraform validate
 You can also use easy_infra to deploy your infrastructure using ``terraform plan`` and ``terraform deploy``::
- docker run -v .:/iac seiso/easy_infra:latest-terraform /bin/bash -c "terraform plan && terraform apply -auto-approve"
+ docker run -v "$(pwd)":/iac seiso/easy_infra:latest-terraform /bin/bash -c "terraform plan && terraform apply -auto-approve"
 Customizing Checkov
@@ -91,7 +91,7 @@ For instance::
 CHECKOV_BASELINE=/iac/.checkov.baseline
 CHECKOV_EXTERNAL_CHECKS_DIR=/iac/checkov_rules/
 CHECKOV_SKIP_CHECK=CKV_AWS_20
- docker run --env-file <(env | grep ^CHECKOV_) -v .:/iac easy_infra:latest-terraform terraform validate
+ docker run --env-file <(env | grep ^CHECKOV_) -v "$(pwd)":/iac easy_infra:latest-terraform terraform validate
 In addition, you can customize some ``checkov``-specific environment variables at runtime for different effects. By setting these environment variables, you are customizing the ``checkov`` environment **only** while it is running.
@@ -105,16 +105,16 @@ customizing the ``checkov`` environment **only** while it is running.
 For instance, the following command will run with ``checkov`` in debug mode (which is separate from running ``easy_infra`` in debug mode)::
 CHECKOV_LOG_LEVEL=DEBUG
- docker run --env CHECKOV_LOG_LEVEL -v .:/iac easy_infra:latest-terraform terraform validate
+ docker run --env CHECKOV_LOG_LEVEL -v "$(pwd)":/iac easy_infra:latest-terraform terraform validate
-Preinstalled Hooks
+Pre-installed Hooks
 ^^^^^^^^^^^^^^^^^^
-There are some preinstalled hooks in ``/opt/hooks/bin/`` which apply to terraform commands:
+There are some pre-installed hooks in ``/opt/hooks/bin/`` which apply to terraform commands:
 * If the ``TERRAFORM_VERSION`` environment variable is customized, easy_infra will attempt to install and switch to that version at runtime. This
- effectively makes it the "new default" in place of the version which was preinstalled in the version of the easy_infra container.
+ effectively makes it the "new default" in place of the version which was pre-installed in the version of the easy_infra container.
 * If ``AUTODETECT`` is set to ``true``, easy_infra will attempt to detect and install the correct version of terraform for each folder that a ``terraform`` command runs in using the ``required_version`` block in the code. Since this is module-specific, it will override the default terraform version to use (specified by ``TERRAFORM_VERSION``; see the prior bullet).
@@ -123,9 +123,9 @@ There are some preinstalled hooks in ``/opt/hooks/bin/`` which apply to terrafor
 Terraform Caching
 ^^^^^^^^^^^^^^^^^
-If you're working with the same terraform code across multiple runs, you can leverage the cache::
+If you're working with the same terraform code across multiple runs, you can leverage the cache which is automatically placed in the current working directory::
- docker run -v .:/iac -v "$(pwd)/plugin-cache:/home/easy_infra/.terraform.d/plugin-cache" easy_infra:latest-terraform /bin/bash -c "terraform init; terraform validate"
+ docker run -v "$(pwd)":/iac easy_infra:latest-terraform /bin/bash -c "terraform init; terraform validate"
 Disabling Security