Terraform: Add cosign integrity check for TFLint (#586)
* add cosign integrity check for tflint * fallback to gpg verification
parent
2258fcb040
commit
d934503a05
4 changed files with 77 additions and 11 deletions
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"id": "terraform",
|
"id": "terraform",
|
||||||
"version": "1.3.1",
|
"version": "1.3.2",
|
||||||
"name": "Terraform, tflint, and TFGrunt",
|
"name": "Terraform, tflint, and TFGrunt",
|
||||||
"documentationURL": "https://github.com/devcontainers/features/tree/main/src/terraform",
|
"documentationURL": "https://github.com/devcontainers/features/tree/main/src/terraform",
|
||||||
"description": "Installs the Terraform CLI and optionally TFLint and Terragrunt. Auto-detects latest version and installs needed dependencies.",
|
"description": "Installs the Terraform CLI and optionally TFLint and Terragrunt. Auto-detects latest version and installs needed dependencies.",
|
||||||
|
@ -24,8 +24,8 @@
|
||||||
"0.47.0",
|
"0.47.0",
|
||||||
"0.46.1"
|
"0.46.1"
|
||||||
],
|
],
|
||||||
"default": "0.46.1",
|
"default": "latest",
|
||||||
"description": "Tflint version (Default value temporarily pinned to version 0.46.1: https://github.com/devcontainers/features/issues/581)"
|
"description": "Tflint version (https://github.com/terraform-linters/tflint/releases)"
|
||||||
},
|
},
|
||||||
"terragrunt": {
|
"terragrunt": {
|
||||||
"type": "string",
|
"type": "string",
|
||||||
|
|
|
@ -158,6 +158,26 @@ check_packages() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Install 'cosign' for validating signatures
|
||||||
|
# https://docs.sigstore.dev/cosign/overview/
|
||||||
|
ensure_cosign() {
|
||||||
|
check_packages curl ca-certificates gnupg2
|
||||||
|
|
||||||
|
if ! type cosign > /dev/null 2>&1; then
|
||||||
|
echo "Installing cosign..."
|
||||||
|
local LATEST_COSIGN_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ")
|
||||||
|
curl -L "https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb" -o /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
|
||||||
|
|
||||||
|
dpkg -i /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
|
||||||
|
rm /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
|
||||||
|
fi
|
||||||
|
if ! type cosign > /dev/null 2>&1; then
|
||||||
|
echo "(!) Failed to install cosign."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
cosign version
|
||||||
|
}
|
||||||
|
|
||||||
# Ensure apt is in non-interactive to avoid prompts
|
# Ensure apt is in non-interactive to avoid prompts
|
||||||
export DEBIAN_FRONTEND=noninteractive
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
|
|
||||||
|
@ -198,17 +218,42 @@ if [ "${TFLINT_VERSION}" != "none" ]; then
|
||||||
TFLINT_FILENAME="tflint_linux_${architecture}.zip"
|
TFLINT_FILENAME="tflint_linux_${architecture}.zip"
|
||||||
curl -sSL -o /tmp/tf-downloads/${TFLINT_FILENAME} https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/${TFLINT_FILENAME}
|
curl -sSL -o /tmp/tf-downloads/${TFLINT_FILENAME} https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/${TFLINT_FILENAME}
|
||||||
if [ "${TFLINT_SHA256}" != "dev-mode" ]; then
|
if [ "${TFLINT_SHA256}" != "dev-mode" ]; then
|
||||||
if [ "${TFLINT_SHA256}" = "automatic" ]; then
|
|
||||||
|
if [ "${TFLINT_SHA256}" != "automatic" ]; then
|
||||||
|
echo "${TFLINT_SHA256} *${TFLINT_FILENAME}" > tflint_checksums.txt
|
||||||
|
sha256sum --ignore-missing -c tflint_checksums.txt
|
||||||
|
else
|
||||||
|
curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt
|
||||||
|
|
||||||
|
set +e
|
||||||
|
curl -sSL -o checksums.txt.keyless.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# Check that checksums.txt.keyless.sig exists and is not empty
|
||||||
|
if [ -s checksums.txt.keyless.sig ]; then
|
||||||
|
# Validate checksums with cosign
|
||||||
|
curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem
|
||||||
|
ensure_cosign
|
||||||
|
cosign verify-blob \
|
||||||
|
--certificate=/tmp/tf-downloads/checksums.txt.pem \
|
||||||
|
--signature=/tmp/tf-downloads/checksums.txt.keyless.sig \
|
||||||
|
--certificate-identity-regexp="^https://github.com/terraform-linters/tflint" \
|
||||||
|
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
|
||||||
|
/tmp/tf-downloads/tflint_checksums.txt
|
||||||
|
# Ensure that checksums.txt has $TFLINT_FILENAME
|
||||||
|
grep ${TFLINT_FILENAME} /tmp/tf-downloads/tflint_checksums.txt
|
||||||
|
# Validate downloaded file
|
||||||
|
sha256sum --ignore-missing -c tflint_checksums.txt
|
||||||
|
else
|
||||||
|
# Fallback to older, GPG-based verification (pre-0.47.0 of tflint)
|
||||||
|
curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig
|
||||||
curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}"
|
curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}"
|
||||||
gpg -q --import tflint_key
|
gpg -q --import tflint_key
|
||||||
curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt
|
|
||||||
curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig
|
|
||||||
gpg --verify tflint_checksums.txt.sig tflint_checksums.txt
|
gpg --verify tflint_checksums.txt.sig tflint_checksums.txt
|
||||||
else
|
|
||||||
echo "${TFLINT_SHA256} *${TFLINT_FILENAME}" > tflint_checksums.txt
|
|
||||||
fi
|
fi
|
||||||
sha256sum --ignore-missing -c tflint_checksums.txt
|
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
unzip /tmp/tf-downloads/${TFLINT_FILENAME}
|
unzip /tmp/tf-downloads/${TFLINT_FILENAME}
|
||||||
mv -f tflint /usr/local/bin/
|
mv -f tflint /usr/local/bin/
|
||||||
fi
|
fi
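Review bot: The `--certificate-identity-regexp="^https://github.com/terraform-linters/tflint"` in the cosign branch accepts any Fulcio identity that merely starts with that prefix, so a signature minted by a workflow in a sibling repository whose name begins with `tflint`, or by any non-release workflow or branch in the tflint repository itself, would verify; pin it to the release workflow path and the tag, ending in `@refs/tags/v${TFLINT_VERSION}$`, after checking the exact workflow file name against a real release certificate. The cosign-vs-GPG decision also hinges on `[ -s checksums.txt.keyless.sig ]` after a `curl -sSL` run without `-f`, which writes whatever body a 404 returns into the file, so an older release may take the cosign path and abort under `set -e` instead of reaching the GPG fallback; `if curl -fsSL -o checksums.txt.keyless.sig "https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig"; then` removes both the `set +e`/`set -e` toggling and the dependence on an empty error body (the `.pem` and `checksums.txt` downloads deserve `-f` for the same reason). Finally, `ensure_cosign` from the earlier hunk, which this branch calls, installs a floating latest cosign `.deb` from GitHub with no checksum or signature check and derives the version from an un-`-f`'d API call parsed with `grep`/`cut` into `local LATEST_COSIGN_VERSION=$(…)`, which masks the curl exit status; the verifier itself is therefore the weakest link, and a pinned cosign version checked against its published release checksums (or an expected sha256 carried in the script) is needed before this counts as an integrity check.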
|
||||||
|
|
13
test/terraform/older_tflint.sh
Normal file
13
test/terraform/older_tflint.sh
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# Optional: Import test library
|
||||||
|
source dev-container-features-test-lib
|
||||||
|
|
||||||
|
check "terraform" terraform -version
|
||||||
|
|
||||||
|
check "tflint" tflint --version
|
||||||
|
|
||||||
|
# Report result
|
||||||
|
reportResults
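Review bot: The `check "tflint" tflint --version` line only proves that some tflint binary runs, while the scenario that drives this file pins tflint to 0.40.0 precisely to exercise the pre-0.47.0 GPG fallback, so a build that quietly installed a different version (for example the feature's new `latest` default) would still pass. Assert the pinned version instead, e.g. `check "tflint 0.40.0" bash -c 'tflint --version | grep -F 0.40.0'`, assuming `check` from dev-container-features-test-lib runs its remaining arguments as the command. A one-line header comment such as `# Scenario: tflint pinned to 0.40.0 so the GPG-signed checksums path (pre-0.47.0) is exercised` would also tell the next maintainer why this version is pinned here.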
|
|
@ -22,5 +22,13 @@
|
||||||
"installTerraformDocs": true
|
"installTerraformDocs": true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
"older_tflint": {
|
||||||
|
"image": "mcr.microsoft.com/devcontainers/base:jammy",
|
||||||
|
"features": {
|
||||||
|
"terraform": {
|
||||||
|
"tflint": "0.40.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|