From 25bbe0777ca7683705b9f8be2b4ddf33df76ad7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Kr=C3=B3likowski?=
Date: Sun, 3 Aug 2025 17:34:16 +0200
Subject: [PATCH 1/2] Adding dockerfile
---
 .github/workflows/docker-build-push.yml | 139 ++++++++++++++++++++++++
 Dockerfile | 29 +++++
 README.md | 126 +++++++++++++++++++++
 3 files changed, 294 insertions(+)
 create mode 100644 .github/workflows/docker-build-push.yml
 create mode 100644 Dockerfile
 create mode 100644 README.md
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
new file mode 100644
index 0000000..52efd35
--- /dev/null
+++ b/.github/workflows/docker-build-push.yml
@@ -0,0 +1,139 @@
+name: Build and Push Docker Image
+
+on:
+ push:
+ branches:
+ - main
+ tags:
+ - "v*"
+ pull_request:
+ branches:
+ - main
+ - develop
+
+env:
+ REGISTRY: docker.io
+ IMAGE_NAME: iac-tools
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to Docker Hub
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Extract metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=raw,value=latest,enable={{is_default_branch}}
+ type=sha,prefix={{branch}}-
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ platforms: linux/amd64,linux/arm64
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ test:
+ runs-on: ubuntu-latest
+ needs: build
+ if: github.event_name != 'pull_request'
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build test image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ load: true
+ tags: test-image
+ cache-from: type=gha
+
+ - name: Test Terraform
+ run: |
+ echo "Testing Terraform installation..."
+ docker run --rm test-image terraform --version
+
+ - name: Test Terragrunt
+ run: |
+ echo "Testing Terragrunt installation..."
+ docker run --rm test-image terragrunt --version
+
+ - name: Test Ansible
+ run: |
+ echo "Testing Ansible installation..."
+ docker run --rm test-image ansible --version
+
+ - name: Test Git
+ run: |
+ echo "Testing Git installation..."
+ docker run --rm test-image git --version
+
+ security-scan:
+ runs-on: ubuntu-latest
+ needs: build
+ if: github.event_name != 'pull_request'
+ permissions:
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build image for scanning
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ load: true
+ tags: scan-image
+ cache-from: type=gha
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "scan-image"
+ format: "sarif"
+ output: "trivy-results.sarif"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: "trivy-results.sarif"
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..2aac6c2
--- /dev/null
+++ b/Dockerfile
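Review bot: `uses: aquasecurity/trivy-action@master` in the security-scan job tracks a moving branch of a third-party action that runs with `security-events: write`, so the scanner's code can change underneath this workflow without any review; pin it to a release tag or, better, a full commit SHA, `uses: aquasecurity/trivy-action@<pinned release tag or commit SHA>` (placeholder). The build job's `packages: write` permission is never exercised — the push goes to `docker.io` with `DOCKERHUB_TOKEN`, not to GHCR — so it can be removed to leave the job at `contents: read`. Composing the image name from `${{ secrets.DOCKERHUB_USERNAME }}` turns every generated tag into a masked `***/iac-tools:…` string in logs and step summaries; the username is not secret material, and a repository variable such as `${{ vars.DOCKERHUB_USERNAME }}` would keep the tags readable.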
@@ -0,0 +1,29 @@
+FROM ubuntu:24.04
+LABEL maintainer="Krzysztof Królikowski "
+LABEL description="Docker image for a basic Ubuntu setup with IAC tools"
+LABEL version="1.0"
+
+ENV DEBIAN_FRONTEND="noninteractive"
+ENV TERRAGRUNT_VERSION="v0.77.22"
+ENV TF_VERSION="1.11.4"
+ENV ARCH="amd64"
+ENV OS="linux"
+ENV BINARY_NAME="terragrunt_${OS}_${ARCH}"
+ENV PATH="$PATH:/root/.local/bin"
+
+RUN apt-get update && \
+ apt-get install -y \
+ git \
+ curl \
+ unzip \
+ pipx && \
+ rm -rf /var/lib/apt/lists/*
+RUN curl -L "https://github.com/gruntwork-io/terragrunt/releases/download/${TERRAGRUNT_VERSION}/${BINARY_NAME}" -o "${BINARY_NAME}" && \
+ chmod +x "${BINARY_NAME}" && \
+ mv "${BINARY_NAME}" /usr/local/bin/terragrunt
+RUN curl -L "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_${OS}_${ARCH}.zip" -o terraform.zip && \
+ unzip terraform.zip && \
+ mv terraform /usr/local/bin/ && \
+ rm terraform.zip && \
+ chmod +x /usr/local/bin/terraform
+RUN pipx install --include-deps ansible
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..650a934
--- /dev/null
+++ b/README.md
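Review bot: The terragrunt and terraform `RUN curl -L …` steps move the downloaded files straight into `/usr/local/bin` with no checksum or signature check, so a substituted, tampered or truncated download is installed unnoticed; HashiCorp publishes a `terraform_${TF_VERSION}_SHA256SUMS` file (with a detached signature) next to each release zip, and Terragrunt releases likewise ship a `SHA256SUMS` asset, so both steps can run `sha256sum -c` before installing. `curl -L` without `-f` also stores an HTML error page as the binary on a 404, which only surfaces when the tool is first executed inside the container. Separately, `ENV ARCH="amd64"` and `ENV OS="linux"` are fixed while the workflow added in this same patch builds `linux/amd64,linux/arm64`, so the arm64 image would presumably carry amd64 binaries; BuildKit's automatic `ARG TARGETOS` / `ARG TARGETARCH` should drive those values instead. The terraform step rewritten with these changes is below; the terragrunt step follows the same pattern against its own sums file.
```dockerfile
ARG TARGETOS=linux
ARG TARGETARCH=amd64
ENV OS="${TARGETOS}" ARCH="${TARGETARCH}"
# … unchanged: remaining ENV lines, apt-get install, terragrunt step (verify against its SHA256SUMS the same way) …
RUN TF_ZIP="terraform_${TF_VERSION}_${OS}_${ARCH}.zip" && \
    curl -fsSL "https://releases.hashicorp.com/terraform/${TF_VERSION}/${TF_ZIP}" -o "${TF_ZIP}" && \
    curl -fsSL "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_SHA256SUMS" -o SHA256SUMS && \
    grep " ${TF_ZIP}$" SHA256SUMS | sha256sum -c - && \
    unzip "${TF_ZIP}" && \
    mv terraform /usr/local/bin/ && \
    rm "${TF_ZIP}" SHA256SUMS && \
    chmod +x /usr/local/bin/terraform
```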
@@ -0,0 +1,126 @@
+# IAC Tools Docker Image
+
+A Docker image containing essential Infrastructure as Code (IAC) tools for automating infrastructure management and deployment.
+
+## Overview
+
+This Docker image is based on Ubuntu 24.04 and includes popular IAC tools commonly used in DevOps workflows:
+
+- **Terraform** - Infrastructure provisioning tool
+- **Terragrunt** - Terraform wrapper for managing multiple environments
+- **Ansible** - Configuration management and automation tool
+
+## Included Tools
+
+| Tool | Version | Description |
+| ---------- | -------- | ------------------------------------------------------------------------------------------------ |
+| Terraform | 1.11.4 | Infrastructure as Code tool for building, changing, and versioning infrastructure |
+| Terragrunt | v0.77.22 | Thin wrapper for Terraform that provides extra tools for working with multiple Terraform modules |
+| Ansible | Latest | Automation platform for configuration management, application deployment, and task automation |
+
+## Additional Packages
+
+- Git - Version control system
+- Curl - Command line tool for transferring data
+- Unzip - Archive extraction utility
+- Pipx - Tool for installing and running Python applications in isolated environments
+
+## Usage
+
+### Pull the image
+
+```bash
+# From Docker Hub (after CI/CD setup)
+docker pull /iac-tools:latest
+
+# Or build locally
+docker build -t iac-tools:latest .
+```
+
+### Run the container
+
+```bash
+# Interactive shell
+docker run -it --rm iac-tools:latest /bin/bash
+
+# Mount your workspace
+docker run -it --rm -v $(pwd):/workspace -w /workspace iac-tools:latest /bin/bash
+
+# Run specific commands
+docker run --rm -v $(pwd):/workspace -w /workspace iac-tools:latest terraform --version
+docker run --rm -v $(pwd):/workspace -w /workspace iac-tools:latest terragrunt --version
+docker run --rm -v $(pwd):/workspace -w /workspace iac-tools:latest ansible --version
+```
+
+### Docker Compose
+
+You can also use this image with Docker Compose:
+
+```yaml
+version: "3.8"
+services:
+ iac-tools:
+ image: iac-tools:latest
+ volumes:
+ - .:/workspace
+ working_dir: /workspace
+ stdin_open: true
+ tty: true
+```
+
+## Building the Image
+
+### Local Build
+To build the image locally:
+
+```bash
+docker build -t iac-tools:latest .
+```
+
+### Automated CI/CD
+This repository includes a GitHub Actions workflow that automatically:
+- Builds multi-platform Docker images (amd64/arm64) on every push
+- Tests all included tools (Terraform, Terragrunt, Ansible, Git)
+- Performs security vulnerability scanning
+- Publishes to Docker Hub on main branch and tags
+
+See [GITHUB_ACTIONS_SETUP.md](GITHUB_ACTIONS_SETUP.md) for detailed setup instructions.
+
+## Environment Variables
+
+- `DEBIAN_FRONTEND=noninteractive` - Prevents interactive prompts during package installation
+- `TERRAGRUNT_VERSION=v0.77.22` - Specifies the Terragrunt version to install
+- `TF_VERSION=1.11.4` - Specifies the Terraform version to install
+- `ARCH=amd64` - Target architecture
+- `OS=linux` - Target operating system
+- `PATH` - Includes `/root/.local/bin` for pipx-installed tools
+
+## Use Cases
+
+This image is ideal for:
+
+- CI/CD pipelines requiring infrastructure automation
+- Development environments for IAC workflows
+- Consistent tooling across different environments
+- Containerized infrastructure deployments
+- Learning and experimenting with IAC tools
+
+## Security
+
+- The image runs as root user (default for this use case)
+- Base image is Ubuntu 24.04 with latest security updates
+- Only essential packages are installed to minimize attack surface
+
+## Maintenance
+
+- **Maintainer**: Krzysztof Królikowski
+- **Version**: 1.0
+- **Base Image**: Ubuntu 24.04
+
+## License
+
+See the [LICENSE](LICENSE) file for license information.
+
+## Contributing
+
+Feel free to submit issues and enhancement requests!
From 53ba480573b9bccdc0232777cd04a6748e50e2c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Kr=C3=B3likowski?=
Date: Sun, 3 Aug 2025 17:41:41 +0200
Subject: [PATCH 2/2] workflow update
---
 .github/workflows/docker-build-push.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
index 52efd35..57190fb 100644
--- a/.github/workflows/docker-build-push.yml
+++ b/.github/workflows/docker-build-push.yml
@@ -9,7 +9,6 @@ on:
 pull_request:
 branches:
 - main
- - develop

 env:
 REGISTRY: docker.io
@@ -30,7 +29,7 @@ jobs:
 uses: docker/setup-buildx-action@v3

 - name: Log in to Docker Hub
- if: github.event_name != 'pull_request'
+ if: startsWith(github.ref, 'refs/tags/')
 uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
@@ -38,6 +37,7 @@ jobs:
 password: ${{ secrets.DOCKERHUB_TOKEN }}

 - name: Extract metadata
+ if: startsWith(github.ref, 'refs/tags/')
 id: meta
 uses: docker/metadata-action@v5
 with:
@@ -52,6 +52,7 @@ jobs:
 type=sha,prefix={{branch}}-

 - name: Build and push Docker image
+ if: startsWith(github.ref, 'refs/tags/')
 uses: docker/build-push-action@v5
 with:
 context: .
@@ -65,7 +66,7 @@ jobs:
 test:
 runs-on: ubuntu-latest
 needs: build
- if: github.event_name != 'pull_request'
+ if: github.event_name == 'pull_request'

 steps:
 - name: Checkout repository
@@ -105,7 +106,7 @@ jobs:
 security-scan:
 runs-on: ubuntu-latest
 needs: build
- if: github.event_name != 'pull_request'
+ if: github.event_name == 'pull_request'
 permissions:
 contents: read
 security-events: write
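Review bot: Gating the login step on `startsWith(github.ref, 'refs/tags/')` — and the metadata and build-push steps in the two hunks that follow — leaves the `build` job with nothing to do on a push to `main`: it checks out, sets up Buildx and exits without building, while the workflow is still triggered on `main` pushes and the metadata rules `type=ref,event=branch`, `type=ref,event=pr` and `type=raw,value=latest,enable={{is_default_branch}}` presumably never match on a tag ref, so `latest` is likely never published. If the intent is "always build, publish only on tags", keep the login gated on `github.event_name != 'pull_request'` as before, drop the `if` from the metadata and build-push steps, and move the condition to the push flag: `push: ${{ startsWith(github.ref, 'refs/tags/') }}`. That also keeps the `type=gha` layer cache warm for the downstream jobs on every event.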
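Review bot: Flipping `test` and `security-scan` to `if: github.event_name == 'pull_request'` (the `@@ -65` hunk and the `@@ -105` hunk below it) means the image that is actually published — built only on tag pushes after this patch — is neither smoke-tested nor scanned by Trivy, and SARIF results reach the Security tab only for pull requests. On a pull request, meanwhile, `needs: build` no longer waits for anything useful, since every image step in `build` is now tag-gated, so both jobs simply rebuild with `load: true` rather than checking what `build` produced. Either remove the `if` from both jobs so they run on every event, or widen it to `if: github.event_name == 'pull_request' || startsWith(github.ref, 'refs/tags/')`; making the scan a real gate would additionally require the push to live in a job with `needs: [test, security-scan]`, which is a larger restructure than this patch.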