This repository contains a templated Dockerfile for image variants designed to run deployments using Terraform, Terragrunt, and the AWS CLI.
The image can be run via Docker Compose. The following example includes volumes for basic functionality:
```yaml
services:
  terraform:
    image: ghcr.io/foreflight/terraform:1.3.5
    volumes:
      - ./:/usr/local/src
      - $HOME/.aws:/root/.aws:ro
    environment:
      - AWS_PROFILE
    working_dir: /usr/local/src
    entrypoint: bash
```

```console
$ docker-compose run --rm terraform
root@5e7b9d6614b0:/usr/local/src# terraform -version
Terraform v1.3.5
on linux_amd64
```
At ForeFlight, we use AWS Vault to log into our numerous AWS accounts via the AssumeRole API.
By default, the AWS CLI looks for credentials in multiple places, starting with credentials passed as CLI parameters and ending with credentials exposed by the instance metadata server. AWS Vault has a local implementation of the EC2 instance metadata server. So, we can use AWS Vault's local instance metadata server to supply credentials to the AWS CLI without needing to mount or pass anything to the container image:
```console
$ aws-vault exec --server my-aws-profile
$ docker-compose run --rm terraform
root@59531b150efd:/usr/local/src# aws sts get-caller-identity
{
    "UserId": "AIDASAMPLEUSERID",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/DevAdmin"
}
```
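Because the metadata server is the last place the AWS CLI looks, any source earlier in the lookup order shadows the credentials AWS Vault serves. The check below is an added example, not part of this repository: it uses a simplified model of that order (environment variables, shared profile files, container credentials endpoint, then instance metadata), and the function names `cred_source` and `profile_has_creds` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from this repository). Simplified model of the AWS CLI
# credential lookup: environment variables, shared profile files, container
# credentials endpoint, then the instance metadata server.

# Succeeds if FILE has a section SECTION that carries credential settings.
profile_has_creds() {
  local file="$1" section="$2"
  [ -r "$file" ] || return 1
  awk -v want="[$section]" '
    /^\[/ { in_sec = ($0 == want) }
    in_sec && /^[ \t]*(aws_access_key_id|role_arn|credential_process|sso_)/ { found = 1 }
    END { exit !found }
  ' "$file"
}

# Print the first source that would supply credentials.
# $1: directory holding "credentials" and "config" (default: ~/.aws).
cred_source() {
  local dir="${1:-$HOME/.aws}" profile="${AWS_PROFILE:-default}"
  local cfg_section="profile $profile"
  if [ "$profile" = default ]; then cfg_section=default; fi

  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "environment"
  elif profile_has_creds "$dir/credentials" "$profile" ||
       profile_has_creds "$dir/config" "$cfg_section"; then
    echo "shared-profile:$profile"
  elif [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ] ||
       [ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]; then
    echo "container-endpoint"
  else
    echo "instance-metadata"
  fi
}

# Run inside the container. Any answer other than "instance-metadata" means
# credentials are not coming from the AWS Vault server.
cred_source "$@"
```

With the Compose file above, `AWS_PROFILE` is passed through and `~/.aws` is mounted, so a profile that defines its own credentials would be reported as `shared-profile:<name>`.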
- `TERRAFORM_VERSION` - Terraform version.
- `TERRAGRUNT_VERSION` - Terragrunt version.
- `AWSCLI_VERSION` - AWS CLI version 2 version.
An example of how to use `cibuild` to build and test an image:
```console
$ CI=1 TERRAFORM_VERSION=1.3.5 TERRAGRUNT_VERSION=v0.40.0 AWSCLI_VERSION=2.9.0 ./scripts/cibuild
```