authorJosh Spicer <joshspicer@github.com>2023-06-21 21:13:46 +0300
committerGitHub <noreply@github.com>2023-06-21 21:13:46 +0300
commitd934503a050ba84e6b42a006aacd891c4088eb62 (patch)
tree44be975bd7ce4832c81ac93bc7ad4f15fc200b36
parent2258fcb040d74de01dbfc9df7d8800d90a13d56c (diff)
Terraform: Add cosign integrity check for TFLint (#586)feature_terraform_1.3.2
* add cosign integrity check for tflint * fallback to gpg verification
-rw-r--r--src/terraform/devcontainer-feature.json6
-rwxr-xr-xsrc/terraform/install.sh61
-rw-r--r--test/terraform/older_tflint.sh13
-rw-r--r--test/terraform/scenarios.json8
4 files changed, 77 insertions, 11 deletions
diff --git a/src/terraform/devcontainer-feature.json b/src/terraform/devcontainer-feature.json
index 5238583..00f6ba4 100644
--- a/src/terraform/devcontainer-feature.json
+++ b/src/terraform/devcontainer-feature.json
@@ -1,6 +1,6 @@
{
"id": "terraform",
- "version": "1.3.1",
+ "version": "1.3.2",
"name": "Terraform, tflint, and TFGrunt",
"documentationURL": "https://github.com/devcontainers/features/tree/main/src/terraform",
"description": "Installs the Terraform CLI and optionally TFLint and Terragrunt. Auto-detects latest version and installs needed dependencies.",
@@ -24,8 +24,8 @@
"0.47.0",
"0.46.1"
],
- "default": "0.46.1",
- "description": "Tflint version (Default value temporarily pinned to version 0.46.1: https://github.com/devcontainers/features/issues/581)"
+ "default": "latest",
+ "description": "Tflint version (https://github.com/terraform-linters/tflint/releases)"
},
"terragrunt": {
"type": "string",
diff --git a/src/terraform/install.sh b/src/terraform/install.sh
index 75653c3..81682e8 100755
--- a/src/terraform/install.sh
+++ b/src/terraform/install.sh
@@ -158,6 +158,26 @@ check_packages() {
fi
}
+# Install 'cosign' for validating signatures
+# https://docs.sigstore.dev/cosign/overview/
+ensure_cosign() {
+ check_packages curl ca-certificates gnupg2
+
+ if ! type cosign > /dev/null 2>&1; then
+ echo "Installing cosign..."
+ local LATEST_COSIGN_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ")
+ curl -L "https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb" -o /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
+
+ dpkg -i /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
+ rm /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
+ fi
+ if ! type cosign > /dev/null 2>&1; then
+ echo "(!) Failed to install cosign."
+ exit 1
+ fi
+ cosign version
+}
+
# Ensure apt is in non-interactive to avoid prompts
export DEBIAN_FRONTEND=noninteractive
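Review bot: `local LATEST_COSIGN_VERSION=$(curl https://api.github.com/... | …)` hides the pipeline's exit status behind `local`, and the `curl` carries no `-f`/`-s`, so an API error response without a `tag_name` field yields an empty version and a malformed download URL that only surfaces later as an opaque `dpkg` failure. Splitting the declaration and checking the value gives a clear failure point: `local LATEST_COSIGN_VERSION` / `LATEST_COSIGN_VERSION=$(curl -fsSL https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ")` / `[ -n "${LATEST_COSIGN_VERSION}" ] || { echo "(!) Could not determine latest cosign version."; exit 1; }`. The cosign `.deb` itself is installed with no checksum or signature check, so the TFLint verification chain introduced in this commit rests entirely on the TLS connection to github.com for that one download; the header comment should say so, e.g. `# NOTE: the cosign .deb is trusted on the basis of the TLS download only; it is not itself verified.` The `/tmp/cosign_…` path is unquoted in all three uses; quoting it costs nothing. `architecture` is referenced here but defined outside this hunk.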
@@ -198,17 +218,42 @@ if [ "${TFLINT_VERSION}" != "none" ]; then
TFLINT_FILENAME="tflint_linux_${architecture}.zip"
curl -sSL -o /tmp/tf-downloads/${TFLINT_FILENAME} https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/${TFLINT_FILENAME}
if [ "${TFLINT_SHA256}" != "dev-mode" ]; then
- if [ "${TFLINT_SHA256}" = "automatic" ]; then
- curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}"
- gpg -q --import tflint_key
- curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt
- curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig
- gpg --verify tflint_checksums.txt.sig tflint_checksums.txt
- else
+
+ if [ "${TFLINT_SHA256}" != "automatic" ]; then
echo "${TFLINT_SHA256} *${TFLINT_FILENAME}" > tflint_checksums.txt
+ sha256sum --ignore-missing -c tflint_checksums.txt
+ else
+ curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt
+
+ set +e
+ curl -sSL -o checksums.txt.keyless.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig
+ set -e
+
+ # Check that checksums.txt.keyless.sig exists and is not empty
+ if [ -s checksums.txt.keyless.sig ]; then
+ # Validate checksums with cosign
+ curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem
+ ensure_cosign
+ cosign verify-blob \
+ --certificate=/tmp/tf-downloads/checksums.txt.pem \
+ --signature=/tmp/tf-downloads/checksums.txt.keyless.sig \
+ --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ /tmp/tf-downloads/tflint_checksums.txt
+ # Ensure that checksums.txt has $TFLINT_FILENAME
+ grep ${TFLINT_FILENAME} /tmp/tf-downloads/tflint_checksums.txt
+ # Validate downloaded file
+ sha256sum --ignore-missing -c tflint_checksums.txt
+ else
+ # Fallback to older, GPG-based verification (pre-0.47.0 of tflint)
+ curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig
+ curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}"
+ gpg -q --import tflint_key
+ gpg --verify tflint_checksums.txt.sig tflint_checksums.txt
+ fi
fi
- sha256sum --ignore-missing -c tflint_checksums.txt
fi
+
unzip /tmp/tf-downloads/${TFLINT_FILENAME}
mv -f tflint /usr/local/bin/
fi
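Review bot: The `curl -sSL -o checksums.txt.keyless.sig …` fetch wrapped in `set +e`/`set -e` has no `-f`, so curl exits 0 on an HTTP error and writes whatever body the server returns to the file; if that body is non-empty, `[ -s checksums.txt.keyless.sig ]` sends a release that has no keyless signature down the cosign path and the GPG fallback is never reached. `curl -fsSL -o checksums.txt.keyless.sig "https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig" || true` makes the file exist only when the asset is actually served, and the `set +e`/`set -e` pair becomes unnecessary. Separately, `--certificate-identity-regexp="^https://github.com/terraform-linters/tflint"` is not anchored after the repository name, so a certificate issued to any repository under that owner whose name merely begins with `tflint` would also pass; `--certificate-identity-regexp="^https://github.com/terraform-linters/tflint/"` pins it to the intended repository. The `grep ${TFLINT_FILENAME} …` presence check is unquoted and treats the filename as a regex; `grep -F -- "${TFLINT_FILENAME}" /tmp/tf-downloads/tflint_checksums.txt` is the literal match intended. The enclosing `if [ "${TFLINT_VERSION}" != "none" ]` block begins before this hunk.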
diff --git a/test/terraform/older_tflint.sh b/test/terraform/older_tflint.sh
new file mode 100644
index 0000000..20009c9
--- /dev/null
+++ b/test/terraform/older_tflint.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+# Optional: Import test library
+source dev-container-features-test-lib
+
+check "terraform" terraform -version
+
+check "tflint" tflint --version
+
+# Report result
+reportResults \ No newline at end of file
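Review bot: `check "tflint" tflint --version` only proves that some tflint binary runs; for a scenario whose purpose is installing the pinned 0.40.0 through the pre-0.47.0 GPG fallback, it would not fail if the install ended up with a different version. Pinning the expected version, e.g. `check "tflint 0.40.0" bash -c "tflint --version | grep -F 0.40.0"`, would make the scenario actually test what it is named for. The file also ends without a trailing newline, as the diff marker shows.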
diff --git a/test/terraform/scenarios.json b/test/terraform/scenarios.json
index 8977635..0a4d895 100644
--- a/test/terraform/scenarios.json
+++ b/test/terraform/scenarios.json
@@ -22,5 +22,13 @@
"installTerraformDocs": true
}
}
+ },
+ "older_tflint": {
+ "image": "mcr.microsoft.com/devcontainers/base:jammy",
+ "features": {
+ "terraform": {
+ "tflint": "0.40.0"
+ }
+ }
}
} \ No newline at end of file