Feat/debian upgrade (#78)

* move to bookworm debian release, upgrade all dockerfile dependencies * updated dependencies update doc, renamed binaries check doc, fmt and update readme * improved local dev script * remove useless python from dockerfile, update container test template tom atch version udpates * update doc to match python removal, add openssh in included tools list * update dockerhub description action to use org dockerhub PAT --------- Co-authored-by: bgauduch <[email protected]>
zenika-open-source · Jul 1, 2023 · 8e4d4c3 · 8e4d4c3
1 parent db8fbcd
commit 8e4d4c3
Show file tree

Hide file tree

Showing 7 changed files with 58 additions and 42 deletions.
diff --git a/.github/workflows/dockerhub-description-update.yml b/.github/workflows/dockerhub-description-update.yml
@@ -19,5 +19,5 @@ jobs:
         uses: peter-evans/dockerhub-description@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PAT_BGA }}
+          password: ${{ secrets.DOCKERHUB_PAT }}
           repository: zenika/terraform-aws-cli
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,7 @@
 # Setup build arguments
 ARG AWS_CLI_VERSION
 ARG TERRAFORM_VERSION
-ARG PYTHON_MAJOR_VERSION=3.9
-ARG DEBIAN_VERSION=bullseye-20230109-slim
+ARG DEBIAN_VERSION=bookworm-20230612-slim
 ARG DEBIAN_FRONTEND=noninteractive
 
 # Download Terraform binary
@@ -11,10 +10,10 @@ ARG TARGETARCH
 ARG TERRAFORM_VERSION
 RUN apt-get update
 # RUN apt-get install --no-install-recommends -y libcurl4=7.74.0-1.3+deb11u7
-RUN apt-get install --no-install-recommends -y curl=7.74.0-1.3+deb11u7
-RUN apt-get install --no-install-recommends -y ca-certificates=20210119
-RUN apt-get install --no-install-recommends -y unzip=6.0-26+deb11u1
-RUN apt-get install --no-install-recommends -y gnupg=2.2.27-2+deb11u2
+RUN apt-get install --no-install-recommends -y ca-certificates=20230311
+RUN apt-get install --no-install-recommends -y curl=7.88.1-10
+RUN apt-get install --no-install-recommends -y gnupg=2.2.40-1.1
+RUN apt-get install --no-install-recommends -y unzip=6.0-28
 WORKDIR /workspace
 RUN curl --silent --show-error --fail --remote-name https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip
 COPY security/hashicorp.asc ./
@@ -28,12 +27,11 @@ RUN unzip -j terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip
 FROM debian:${DEBIAN_VERSION} as aws-cli
 ARG AWS_CLI_VERSION
 RUN apt-get update
-RUN apt-get install -y --no-install-recommends curl=7.74.0-1.3+deb11u7
-RUN apt-get install -y --no-install-recommends ca-certificates=20210119
-RUN apt-get install -y --no-install-recommends unzip=6.0-26+deb11u1
-RUN apt-get install -y --no-install-recommends groff=1.22.4-6
-RUN apt-get install -y --no-install-recommends gnupg=2.2.27-2+deb11u2
-RUN apt-get install -y --no-install-recommends git=1:2.30.2-1+deb11u2
+RUN apt-get install -y --no-install-recommends ca-certificates=20230311
+RUN apt-get install -y --no-install-recommends curl=7.88.1-10
+RUN apt-get install -y --no-install-recommends gnupg=2.2.40-1.1
+RUN apt-get install -y --no-install-recommends unzip=6.0-28
+RUN apt-get install -y --no-install-recommends git=1:2.39.2-1.1
 RUN apt-get install -y --no-install-recommends jq=1.6-2.1
 WORKDIR /workspace
 RUN curl --show-error --fail --output "awscliv2.zip" --remote-name "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip"
@@ -47,17 +45,14 @@ RUN ./aws/install --install-dir /usr/local/aws-cli --bin-dir /usr/local/bin
 # Build final image
 FROM debian:${DEBIAN_VERSION} as build
 LABEL maintainer="bgauduch@github"
-ARG PYTHON_MAJOR_VERSION
 RUN apt-get update \
   && apt-get install -y --no-install-recommends \
-    ca-certificates=20210119\
-    git=1:2.30.2-1+deb11u2 \
+    ca-certificates=20230311\
+    git=1:2.39.2-1.1 \
     jq=1.6-2.1 \
-    python3=${PYTHON_MAJOR_VERSION}.2-3 \
-    openssh-client=1:8.4p1-5+deb11u1 \
+    openssh-client=1:9.2p1-2 \
   && apt-get clean \
-  && rm -rf /var/lib/apt/lists/* \
-  && update-alternatives --install /usr/bin/python python /usr/bin/python${PYTHON_MAJOR_VERSION} 1
+  && rm -rf /var/lib/apt/lists/*
 WORKDIR /workspace
 COPY --from=terraform /workspace/terraform /usr/local/bin/terraform
 COPY --from=aws-cli /usr/local/bin/ /usr/local/bin/

diff --git a/README.md b/README.md
@@ -10,13 +10,15 @@
 # Terraform and AWS CLI Docker image
 
 ## 📦 Supported tags and respective Dockerfile links
+
 Available image tags can be found on the Docker Hub registry: [zenika/terraform-aws-cli](https://hub.docker.com/r/zenika/terraform-aws-cli/tags)
 
 Supported versions are listed in the [`supported_versions.json`](https://github.com/Zenika/terraform-aws-cli/blob/master/supported_versions.json) file.
 
 The following image tag strategy is applied:
+
 * `zenika/terraform-aws-cli:latest` - build from master
-  * Included CLI versions are the latest in [`supported_versions.json` ](https://github.com/Zenika/terraform-aws-cli/blob/master/supported_versions.json) file.
+  * Included CLI versions are the latest in [`supported_versions.json`](https://github.com/Zenika/terraform-aws-cli/blob/master/supported_versions.json) file.
 * `zenika/terraform-aws-cli:release-S.T_terraform-UU.VV.WW_awscli-XX.YY.ZZ` - build from releases
   * `release-S.T` is the release tag
   * `terraform-UU.VV.WWW` is the **Terraform** version included in the image
@@ -27,23 +29,26 @@ Please report to the [releases page](https://github.com/Zenika/terraform-aws-cli
 > Any other tags are not supported even if available.
 
 ## 💡 Motivation
+
 The goal is to create a **minimalist** and **lightweight** image with these tools in order to reduce network and storage impact.
 
 This image gives you the flexibility to be used for development or as a base image as you see fits.
 
 ## 🔧 What's inside ?
+
 Tools included:
 
 * [Terraform CLI](https://www.terraform.io/docs/commands/index.html)
 * [AWS CLI](https://aws.amazon.com/fr/cli/)
 * [Git](https://git-scm.com/) for Terraform remote module usage
-* [Python 3](https://www.python.org/)
 * [jq](https://stedolan.github.io/jq/) to process JSON returned by AWS
+* [OpenSSH Client](https://www.openssh.com/) to handle Terraform module clone over SSH
 * This image uses a non-root user with a UID and GID of 1001 to conform with docker security best practices.
 
 ## 🚀 Usage
 
 ### 🐚 Launch the CLI
+
 Set your AWS credentials (optional) and use the CLI as you would on any other platform, for instance using the latest image:
 
 ```bash
@@ -57,9 +62,11 @@ docker container run -it --rm -e "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" -e "AW
 > The `--rm` flag will completely destroy the container and its data on exit.
 
 ### ⚙️ Build the image
+
 The image can be built locally directly from the Dockerfiles, using the build script.
 
 It will :
+
 * Lint the Dockerfile with [Hadolint](https://github.com/hadolint/hadolint);
 * Build and tag the image `zenika/terraform-aws-cli:dev`;
 * Execute [container structure tests](https://github.com/GoogleContainerTools/container-structure-test) on the image.
@@ -73,8 +80,8 @@ Optionally, it is possible to choose the tools desired versions :
 
 ```bash
 # Set tools desired versions
-AWS_CLI_VERSION=1.18.189
-TERRAFORM_VERSION=0.14.0
+AWS_CLI_VERSION=2.12.6
+TERRAFORM_VERSION=1.5.2
 
 # launch the build script with parameters
 ./dev.sh $AWS_CLI_VERSION $TERRAFORM_VERSION
@@ -86,7 +93,7 @@ Do not hesitate to contribute by [filling an issue](https://github.com/Zenika/te
 ## 📚 Documentations
 
 * [Dependencies upgrades checklist](https://github.com/zenika-open-source/terraform-aws-cli/tree/master/docs/dependencies-upgrades.md)
-* [Terraform binaries verifications](https://github.com/zenika-open-source/terraform-aws-cli/tree/master/docs/terraform-binaries-verifications.md)
+* [Binaries verifications](https://github.com/zenika-open-source/terraform-aws-cli/tree/master/docs/binaries-verifications.md)
 
 ## 🚩 Similar repositories
 

diff --git a/dev.sh b/dev.sh
@@ -18,12 +18,22 @@ PLATEFORM="linux/$(uname -m)"
 
 # Lint Dockerfile
 echo "Linting Dockerfile..."
-docker container run --rm --interactive --volume "${PWD}":/data --workdir /data --platform "${PLATEFORM}" hadolint/hadolint:2.12.0-alpine /bin/hadolint --config hadolint.yaml Dockerfile
+docker container run --rm --interactive \
+  --volume "${PWD}":/data \
+  --workdir /data \
+  --platform "${PLATEFORM}" \
+  hadolint/hadolint:2.12.0-alpine /bin/hadolint \
+  --config hadolint.yaml Dockerfile
 echo "Lint Successful!"
 
 # Build image
 echo "Building images with AWS_CLI_VERSION=${AWS_VERSION} and TERRAFORM_VERSION=${TF_VERSION}..."
-docker buildx build --platform "${PLATEFORM}" --build-arg AWS_CLI_VERSION="${AWS_VERSION}" --build-arg TERRAFORM_VERSION="${TF_VERSION}" --tag ${IMAGE_NAME}:${IMAGE_TAG} .
+docker buildx build \
+  --progress plain \
+  --platform "${PLATEFORM}" \
+  --build-arg AWS_CLI_VERSION="${AWS_VERSION}" \
+  --build-arg TERRAFORM_VERSION="${TF_VERSION}" \
+  --tag ${IMAGE_NAME}:${IMAGE_TAG} .
 echo "Image successfully builded!"
 
 # Test image
@@ -32,7 +42,12 @@ export AWS_VERSION=${AWS_VERSION} && export TF_VERSION=${TF_VERSION}
 envsubst '${AWS_VERSION},${TF_VERSION}' < tests/container-structure-tests.yml.template > tests/container-structure-tests.yml
 echo "Test config successfully generated!"
 echo "Executing container structure test..."
-docker container run --rm --interactive --volume "${PWD}"/tests/container-structure-tests.yml:/tests.yml:ro --volume /var/run/docker.sock:/var/run/docker.sock:ro gcr.io/gcp-runtimes/container-structure-test:v1.15.0 test --image ${IMAGE_NAME}:${IMAGE_TAG} --config /tests.yml
+docker container run --rm --interactive \
+  --volume "${PWD}"/tests/container-structure-tests.yml:/tests.yml:ro \
+  --volume /var/run/docker.sock:/var/run/docker.sock:ro \
+  gcr.io/gcp-runtimes/container-structure-test:v1.15.0 test \
+  --image ${IMAGE_NAME}:${IMAGE_TAG} \
+  --config /tests.yml
 
 # cleanup
 unset AWS_VERSION

diff --git a/docs/terraform-binaries-verifications.md → docs/binaries-verifications.md b/docs/terraform-binaries-verifications.md → docs/binaries-verifications.md
diff --git a/docs/dependencies-upgrades.md b/docs/dependencies-upgrades.md
@@ -1,17 +1,16 @@
 # ⬆️ Dependencies upgrades checklist
 
-* Supported versions:
-  * check available **AWS CLI** version on the [PyPip release page](https://pypi.org/project/awscli/)
-  * check available **Terraform CLI** version (keep all minor versions from 0.11) available on the [project release page](https://github.com/hashicorp/terraform/releases)
-    * [Report to the doc](https://github.com/zenika-open-source/terraform-aws-cli/tree/master/docs/terraform-binaries-verifications.md) to add required security files when adding a new supported Terraform version
+* Supported tools versions:
+  * [Report to the doc](https://github.com/zenika-open-source/terraform-aws-cli/tree/master/docs/binaries-verifications.md) to add required security files when adding a new supported versions
+  * check available **AWS CLI** version on the [project release page](https://github.com/aws/aws-cli/tags)
+  * check available **Terraform CLI** version (keep all minor versions from 0.11) on the [project release page](https://github.com/hashicorp/terraform/releases)
 * Dockerfile:
   * check **base image** version [on DockerHub](https://hub.docker.com/_/debian?tab=tags&page=1&name=bullseye)
   * check OS package versions on Debian package repository
     * Available **Git** versions on the [Debian Packages repository](https://packages.debian.org/search?suite=bullseye&arch=any&searchon=names&keywords=git)
-    * Available **Python** versions on the [Debian packages repository](https://packages.debian.org/search?suite=bullseye&arch=any&searchon=names&keywords=python3)
     * Available **JQ** versions on the [Debian Packages repository](https://packages.debian.org/search?suite=bullseye&arch=any&searchon=names&keywords=jq)
     * same process for all other packages
-  * check **Pip** package versions on [pypi](https://pypi.org/)
+* Dockerfile tests : update version according to changes in Dockerfile in [tests/container-structure-tests.yml.template](tests/container-structure-tests.yml.template)
 * Github actions:
   * check [runner version](https://github.com/actions/virtual-environments#available-environments)
   * check **each action release** versions

diff --git a/tests/container-structure-tests.yml.template b/tests/container-structure-tests.yml.template
@@ -8,21 +8,21 @@ metadataTest:
   workdir: "/workspace"
 
 commandTests:
-  - name: "Check Python version"
-    command: "python"
-    args: ["--version"]
-    expectedOutput: ["Python 3.9.2"]
-
   - name: "Check Git version"
     command: "git"
     args: ["--version"]
-    expectedOutput: ["git version 2.30.2"]
+    expectedOutput: ["git version 2.39.2"]
 
   - name: "Check JQ version"
     command: "jq"
     args: ["--version"]
     expectedOutput: ["jq-1.6"]
 
+  - name: "Check OpenSSH client version"
+    command: "ssh"
+    args: ["-V"]
+    expectedError: ["OpenSSH_9.2p1"]
+
   - name: "Check Terraform CLI version"
     command: "terraform"
     args: ["version"]
@@ -34,14 +34,14 @@ commandTests:
     expectedOutput: ["aws-cli/${AWS_VERSION}"]
 
 fileExistenceTests:
-  - name: 'Check nonroot user home'
+  - name: 'Check non-root user home'
     path: '/home/nonroot'
     shouldExist: true
     permissions: 'drwxr-xr-x'
     uid: 1001
     gid: 1001
     isExecutableBy: 'group'
-  - name: 'Check nonroot user rights on /workspace folder'
+  - name: 'Check non-root user rights on /workspace folder'
     path: '/workspace'
     shouldExist: true
     permissions: 'drwxr-xr-x'