diff options
| -rw-r--r-- | src/terraform/devcontainer-feature.json | 6 | ||||
| -rwxr-xr-x | src/terraform/install.sh | 61 | ||||
| -rw-r--r-- | test/terraform/older_tflint.sh | 13 | ||||
| -rw-r--r-- | test/terraform/scenarios.json | 8 |
4 files changed, 77 insertions, 11 deletions
diff --git a/src/terraform/devcontainer-feature.json b/src/terraform/devcontainer-feature.json index 5238583..00f6ba4 100644 --- a/src/terraform/devcontainer-feature.json +++ b/src/terraform/devcontainer-feature.json @@ -1,6 +1,6 @@ { "id": "terraform", - "version": "1.3.1", + "version": "1.3.2", "name": "Terraform, tflint, and TFGrunt", "documentationURL": "https://github.com/devcontainers/features/tree/main/src/terraform", "description": "Installs the Terraform CLI and optionally TFLint and Terragrunt. Auto-detects latest version and installs needed dependencies.", @@ -24,8 +24,8 @@ "0.47.0", "0.46.1" ], - "default": "0.46.1", - "description": "Tflint version (Default value temporarily pinned to version 0.46.1: https://github.com/devcontainers/features/issues/581)" + "default": "latest", + "description": "Tflint version (https://github.com/terraform-linters/tflint/releases)" }, "terragrunt": { "type": "string", diff --git a/src/terraform/install.sh b/src/terraform/install.sh index 75653c3..81682e8 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh @@ -158,6 +158,26 @@ check_packages() { fi } +# Install 'cosign' for validating signatures +# https://docs.sigstore.dev/cosign/overview/ +ensure_cosign() { + check_packages curl ca-certificates gnupg2 + + if ! type cosign > /dev/null 2>&1; then + echo "Installing cosign..." + local LATEST_COSIGN_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ") + curl -L "https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb" -o /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb + + dpkg -i /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb + rm /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb + fi + if ! type cosign > /dev/null 2>&1; then + echo "(!) Failed to install cosign." + exit 1 + fi + cosign version +} + # Ensure apt is in non-interactive to avoid prompts export DEBIAN_FRONTEND=noninteractive @@ -198,17 +218,42 @@ if [ "${TFLINT_VERSION}" != "none" ]; then TFLINT_FILENAME="tflint_linux_${architecture}.zip" curl -sSL -o /tmp/tf-downloads/${TFLINT_FILENAME} https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/${TFLINT_FILENAME} if [ "${TFLINT_SHA256}" != "dev-mode" ]; then - if [ "${TFLINT_SHA256}" = "automatic" ]; then - curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}" - gpg -q --import tflint_key - curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt - curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig - gpg --verify tflint_checksums.txt.sig tflint_checksums.txt - else + + if [ "${TFLINT_SHA256}" != "automatic" ]; then echo "${TFLINT_SHA256} *${TFLINT_FILENAME}" > tflint_checksums.txt + sha256sum --ignore-missing -c tflint_checksums.txt + else + curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt + + set +e + curl -sSL -o checksums.txt.keyless.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig + set -e + + # Check that checksums.txt.keyless.sig exists and is not empty + if [ -s checksums.txt.keyless.sig ]; then + # Validate checksums with cosign + curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem + ensure_cosign + cosign verify-blob \ + --certificate=/tmp/tf-downloads/checksums.txt.pem \ + --signature=/tmp/tf-downloads/checksums.txt.keyless.sig \ + --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + /tmp/tf-downloads/tflint_checksums.txt + # Ensure that checksums.txt has $TFLINT_FILENAME + grep ${TFLINT_FILENAME} /tmp/tf-downloads/tflint_checksums.txt + # Validate downloaded file + sha256sum --ignore-missing -c tflint_checksums.txt + else + # Fallback to older, GPG-based verification (pre-0.47.0 of tflint) + curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig + curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}" + gpg -q --import tflint_key + gpg --verify tflint_checksums.txt.sig tflint_checksums.txt + fi fi - sha256sum --ignore-missing -c tflint_checksums.txt fi + unzip /tmp/tf-downloads/${TFLINT_FILENAME} mv -f tflint /usr/local/bin/ fi diff --git a/test/terraform/older_tflint.sh b/test/terraform/older_tflint.sh new file mode 100644 index 0000000..20009c9 --- /dev/null +++ b/test/terraform/older_tflint.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +set -e + +# Optional: Import test library +source dev-container-features-test-lib + +check "terraform" terraform -version + +check "tflint" tflint --version + +# Report result +reportResults
\ No newline at end of file diff --git a/test/terraform/scenarios.json b/test/terraform/scenarios.json index 8977635..0a4d895 100644 --- a/test/terraform/scenarios.json +++ b/test/terraform/scenarios.json @@ -22,5 +22,13 @@ "installTerraformDocs": true } } + }, + "older_tflint": { + "image": "mcr.microsoft.com/devcontainers/base:jammy", + "features": { + "terraform": { + "tflint": "0.40.0" + } + } } }
\ No newline at end of file |