ci tests

.container-structure-test-config.yaml

@@ -0,0 +1,44 @@
+schemaVersion: '2.0.0'
+commandTests:
+  - name: "pre-commit"
+    command: "pre-commit"
+    args: ["-V"]
+    expectedOutput: ["^pre-commit ([0-9]+\\.){2}[0-9]+\\n$"]
+  - name: "terraform"
+    command: "terraform"
+    args: ["-version"]
+    expectedOutput: ["^Terraform v([0-9]+\\.){2}[0-9]+\\non linux_amd64\\n$"]
+  - name: "checkov"
+    command: "checkov"
+    args: ["--version"]
+    expectedOutput: ["^([0-9]+\\.){2}[0-9]+\\n$"]
+  - name: "infracost"
+    command: "infracost"
+    args: ["--version"]
+    expectedOutput: ["^Infracost v([0-9]+\\.){2}[0-9]+\\n$"]
+  - name: "terraform-docs"
+    command: "terraform-docs"
+    args: ["--version"]
+    expectedOutput: ["^terraform-docs version v([0-9]+\\.){2}[0-9]+ [a-z0-9]+ linux/amd64\\n$"]
+  - name: "terragrunt"
+    command: "terragrunt"
+    args: ["--version"]
+    expectedOutput: ["^terragrunt version v([0-9]+\\.){2}[0-9]+\\n$"]
+  - name: "terrascan"
+    command: "terrascan"
+    args: [ "version" ]
+    expectedOutput: [ "^version: v([0-9]+\\.){2}[0-9]+\\n$" ]
+  - name: "tflint"
+    command: "tflint"
+    args: [ "--version" ]
+    expectedOutput: [ "TFLint version ([0-9]+\\.){2}[0-9]+\\n$" ]
+  - name: "tfsec"
+    command: "tfsec"
+    args: [ "--version" ]
+    expectedOutput: [ "([0-9]+\\.){2}[0-9]+\\n$" ]
+fileExistenceTests:
+  - name: 'terrascan init'
+    path: '/root/.terrascan/pkg/policies/opa/rego/github/github_repository/privateRepoEnabled.rego'
+    shouldExist: true
+    uid: 0
+    gid: 0

.dive-ci.yaml

@@ -0,0 +1,13 @@
+rules:
+  # If the efficiency is measured below X%, mark as failed.
+  # Expressed as a ratio between 0-1.
+  lowestEfficiency: 0.99
+
+  # If the amount of wasted space is at least X or larger than X, mark as failed.
+  # Expressed in B, KB, MB, and GB.
+  highestWastedBytes: 1MB
+
+  # If the amount of wasted space makes up for X% or more of the image, mark as failed.
+  # Note: the base image layer is NOT included in the total image size.
+  # Expressed as a ratio between 0-1; fails if the threshold is met or crossed.
+  highestUserWastedPercent: 0.5

.github/workflows/build-image.yaml

@@ -30,6 +30,26 @@ jobs:
       - name: Set tag for image
         run: |
           echo IMAGE_TAG=$([ ${{ github.ref_type }} == 'tag' ] && echo ${{ github.ref_name }} || echo 'latest') >> $GITHUB_ENV
+      - name: Build and Push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          build-args: |
+            INSTALL_ALL=true
+          load: true
+          tags: |
+            ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
+      - name: run structure tests
+        uses: plexsystems/[email protected]
+        with:
+          image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
+          config: ${{ github.workspace }}/.container-structure-test-config.yaml
+      - name: Dive
+        uses: yuichielectric/[email protected]
+        with:
+          image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}
+          config-file: ${{ github.workspace }}/.dive-ci.yml
+          github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and Push
         uses: docker/build-push-action@v2
         with:

Dockerfile

@@ -98,28 +98,37 @@ RUN pip install --no-cache-dir --disable-pip-version-check ./dist/*.whl
 WORKDIR /
 
 # Checking binaries versions and write it to debug file
-COPY ./docker-scripts/echo-versions.sh /docker-scripts/echo-versions.sh
-RUN /docker-scripts/echo-versions.sh
+COPY ./docker-scripts/write_tools-versions-info.sh /docker-scripts/write_tools-versions-info.sh
+RUN /docker-scripts/write_tools-versions-info.sh
 
 # runtime image
 FROM python:${TAG}
 
+ARG INFRACOST_VERSION=${INFRACOST_VERSION:-false}
+ARG TERRAFORM_DOCS_VERSION=${TERRAFORM_DOCS_VERSION:-false}
+
 ENV PYTHONUNBUFFERED=1
 
 RUN apk add --no-cache \
     # pre-commit deps
     git \
     # All hooks deps
-    bash
+    bash && \
+    if [ "${TERRAFORM_DOCS_VERSION}" = "false" ]; then \
+        apk add --no-cache perl \
+    ; fi && \
+    if [ "${INFRACOST_VERSION}" = "false" ]; then \
+        apk add --no-cache jq \
+    ; fi
+
+# Copy terrascan policies
+COPY --from=builder /root/.terrascan/pkg/policies/opa/rego/ /root/.terrascan/pkg/policies/opa/rego/
 
 # copy venv
 ENV VIRTUAL_ENV=/opt/venv
 COPY --from=builder /opt/venv $VIRTUAL_ENV
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 
-# Copy terrascan policies
-COPY --from=builder /root/.terrascan/pkg/policies/opa/rego /root/.terrascan/pkg/policies/opa/rego
-
 ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always}
 
 ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-}

docker-scripts/install_terrascan.sh

@@ -3,6 +3,8 @@
 
 set -exuo pipefail
 
+mkdir -p /root/.terrascan/pkg/policies/opa/rego/
+
 . /.env
 if [ "$TERRASCAN_VERSION" != "false" ]; then
   export PCT_VERSION=$TERRASCAN_VERSION

docker-scripts/write_tools-versions-info.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env ash
+# shellcheck shell=dash
+
+set -exuo pipefail
+
+. /.env
+F="${VIRTUAL_ENV}/tools_versions_info"
+{
+  pre-commit --version
+  terraform --version | head -n 1
+  (if [ "$CHECKOV_VERSION" != "false" ]; then echo "checkov $(checkov --version)"; else echo "checkov SKIPPED"; fi)
+  (if [ "$INFRACOST_VERSION" != "false" ]; then infracost --version; else echo "infracost SKIPPED"; fi)
+  (if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then terraform-docs --version; else echo "terraform-docs SKIPPED"; fi)
+  (if [ "$TERRAGRUNT_VERSION" != "false" ]; then terragrunt --version; else echo "terragrunt SKIPPED"; fi)
+  (if [ "$TERRASCAN_VERSION" != "false" ]; then echo "terrascan $(terrascan version)"; else echo "terrascan SKIPPED"; fi)
+  (if [ "$TFLINT_VERSION" != "false" ]; then tflint --version; else echo "tflint SKIPPED"; fi)
+  (if [ "$TFSEC_VERSION" != "false" ]; then echo "tfsec $(tfsec --version)"; else echo "tfsec SKIPPED"; fi)
+} >> "$F"
+printf '\n\n' && cat "$F" && printf '\n\n'