From 8cd74cdb06e18cbca74cf7ddd758dc23fc5cc141 Mon Sep 17 00:00:00 2001
From: Simon Rondelez
Date: Fri, 17 May 2024 16:01:37 +0200
Subject: [PATCH 1/2] Create docker image for terragrunt runner
---
terragrunt/Dockerfile | 73 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
create mode 100644 terragrunt/Dockerfile
diff --git a/terragrunt/Dockerfile b/terragrunt/Dockerfile
new file mode 100644
index 0000000..2cf3fd0
--- /dev/null
+++ b/terragrunt/Dockerfile
@@ -0,0 +1,73 @@
+ARG TARGETARCH
+
+ARG SOPS_VERSION=v3.8.1
+ARG TOFU_version=1.6.2
+ARG TERRAGRUNT_VERSION=v0.58.6
+ARG KUBECTL_VERSION=v1.12.7
+ARG HELM_VERSION=v2.13.1
+
+FROM alpine:latest as build
+
+RUN apk update && \
+ apk add curl ca-certificates
+#aws-cli jq yq ca-certificates git bash curl
+
+# install cosign
+COPY --from=gcr.io/projectsigstore/cosign:latest /ko-app/cosign /usr/local/bin/cosign
+
+RUN curl -L https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.${TARGETARCH} -o /usr/local/bin/sops && \
+ curl -LO https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.checksums.txt && \
+ curl -LO https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.checksums.pem && \
+ curl -LO https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.checksums.sig && \
+ cosign verify-blob sops-${SOPS_VERSION}.checksums.txt \
+ --certificate sops-${SOPS_VERSION}.checksums.pem \
+ --signature sops-${SOPS_VERSION}.checksums.sig \
+ --certificate-identity-regexp=https://github.com/getsops \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com && \
+ chmod +x /usr/local/bin/sops
+RUN sops --version
+
+RUN curl -L https://github.com/opentofu/opentofu/releases/download/v${TOFU_version}/tofu_${TOFU_version}_linux_${TARGETARCH}.zip -o tofu.zip && \
+ curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_version}/tofu_${TOFU_version}_SHA256SUMS && \
+ curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_version}/tofu_${TOFU_version}_SHA256SUMS.sig && \
+ curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_version}/tofu_${TOFU_version}_SHA256SUMS.pem && \
+ cosign verify-blob \
+ --signature tofu_${TOFU_version}_SHA256SUMS.sig \
+ --certificate tofu_${TOFU_version}_SHA256SUMS.pem \
+ --certificate-identity 
https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/v1.6 \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com tofu_${TOFU_version}_SHA256SUMS && \
+ unzip -qq tofu.zip && \
+ mv tofu /usr/local/bin/tofu && \
+ chmod +x /usr/local/bin/tofu
+RUN tofu --version
+
+RUN curl -L \
+ https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64 -o terragrunt && \
+ chmod +x terragrunt && \
+ mv terragrunt /usr/local/bin/
+RUN terragrunt --version
+
+RUN curl -L -o kubectl https://dl.k8s.io/release/${KUBECTL_VERSION}bin/linux/${TARGETARCH}/kubectl && \
+ curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256" && \
+ echo "$(cat kubectl.sha256) kubectl" | sha256sum --check && \
+ chmod +x kubectl && \
+ mv kubectl /usr/local/bin/kubectl
+
+RUN curl -L -o helm.tar.gz https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz && \
+ curl -LO https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz.sha256sum && \
+ sha256sum -c helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz.sha256sum && \
+ tar -xvzf helm.tar.gz && \
+ chmod +x linux-${TARGETARCH}/helm && \
+ mv linux-${TARGETARCH}/helm /usr/local/bin/helm
+
+FROM alpine:latest
+
+RUN apk update && \
+ apk add aws-cli jq yq git
+RUN aws --version
+
+COPY --from=build /usr/local/bin/sops /usr/local/bin/sops
+COPY --from=build /usr/local/bin/tofu /usr/local/bin/tofu
+COPY --from=build /usr/local/bin/terragrunt /usr/local/bin/terragrunt
+COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
+COPY --from=build /usr/local/bin/helm /usr/local/bin/helm
From c5c2cc7b6aa9fc1579518303c3725f05f420b244 Mon Sep 17 00:00:00 2001
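Review bot: The cosign verify-blob calls in the sops and tofu steps only prove that the checksum files are genuine; nothing afterwards compares the downloaded `/usr/local/bin/sops` or `tofu.zip` against those checksums, so a tampered binary from the first curl is installed exactly as if no verification existed. Each step needs to fetch the artifact under its release filename and check it against the matching checksum line before the `chmod`/`mv`, e.g. `grep " sops-${SOPS_VERSION}.linux.${TARGETARCH}$" sops-${SOPS_VERSION}.checksums.txt | sha256sum -c` (busybox `sha256sum` has no `--ignore-missing`, hence the grep; confirm the checksum file's filename column matches the asset name). Separately, `ARG TARGETARCH` and the version ARGs are declared above the first `FROM`, so inside the build stage they are out of scope and expand to empty in every RUN line unless redeclared with a bare `ARG SOPS_VERSION` etc. after `FROM alpine:latest as build`. The terragrunt download has no integrity check at all and hardcodes `terragrunt_linux_amd64` even though the other tools use `${TARGETARCH}`. `--certificate-identity-regexp=https://github.com/getsops` is also unanchored and substring-matched, so anchor it (`^https://github.com/getsops/sops/`) to exclude look-alike organisations.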
From: Simon Rondelez
Date: Wed, 12 Jun 2024 14:57:20 +0200
Subject: [PATCH 2/2] Wrap up terragunt container
---
.../workflows/publish-terragrunt-image.yml | 41 ++++++++++++
README.md | 11 +++
terragrunt/Dockerfile | 67 ++++++-------------
3 files changed, 73 insertions(+), 46 deletions(-)
create mode 100644 .github/workflows/publish-terragrunt-image.yml
diff --git a/.github/workflows/publish-terragrunt-image.yml b/.github/workflows/publish-terragrunt-image.yml
new file mode 100644
index 0000000..b9f138a
--- /dev/null
+++ b/.github/workflows/publish-terragrunt-image.yml
@@ -0,0 +1,41 @@
+name: Publish Terragrunt Image
+
+on:
+ push:
+ paths:
+ - "terragrunt/**"
+ - ".github/workflows/publish-terragrunt-image.yml"
+ branches:
+ - master
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository_owner }}/terragrunt
+
+jobs:
+ build-latest:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set up QEMU #emulation support with QEMU to be able to build against more platforms.
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Build and push the container to GitHub Container Registry using the latest tag
+ uses: docker/build-push-action@v5.3.0
+ with:
+ context: .
+ file: terragrunt/Dockerfile
+ platforms: |
+ linux/amd64
+ linux/arm64
+ tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+ push: true
+ provenance: false
diff --git a/README.md b/README.md
index 4ae007f..45a4cdc 100644
--- a/README.md
+++ b/README.md
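Review bot: The job declares no `permissions:` block, so the `GITHUB_TOKEN` handed to the `docker/login-action` step gets the repository's default token scope, which may be write-all; add `permissions:` with `contents: read` and `packages: write` at the job or workflow level so a compromised action step cannot reach anything beyond GHCR. Every action is referenced by a mutable tag (`actions/checkout@v4`, `docker/setup-qemu-action@v3`, `docker/build-push-action@v5.3.0`, …); pin each `uses:` to a full commit SHA with the version in a trailing comment so a re-tagged upstream release cannot change what runs on `master`. The image is pushed only as `:latest`, so consumers cannot pin to an immutable reference — consider adding a `${{ github.sha }}` tag alongside it. Since `provenance: false` drops the BuildKit attestation, a follow-up step that signs the pushed digest with cosign would restore a verifiable link between this workflow and the image.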
@@ -36,6 +36,17 @@ This is a Docker image for [Teleport](https://gravitational.com/teleport/)
 This will build a Teleport image from the Debian base image. This Dockerfile expects the released Teleport binaries in `teleport/teleport` folder.
+## Terragrunt
+
+This is a Docker image that contains all the tools needed to run Terragrunt in Skyscrapers:
+
+* [AWS CLI](https://aws.amazon.com/cli/)
+* [Helm](https://helm.sh/)
+* [Kubectl](https://kubernetes.io/docs/reference/kubectl/overview/)
+* [OpenTofu](https://github.com/opentofu/opentofu)
+* [Sops](https://github.com/mozilla/sops)
+* [Terragrunt](https://terragrunt.gruntwork.io/)
+
 ## volume-populator
 This container is used to populate volumes from configmaps. Useful in Kubernetes as an init container to populate a volume with data before the application starts.
diff --git a/terragrunt/Dockerfile b/terragrunt/Dockerfile
index 2cf3fd0..ffda367 100644
--- a/terragrunt/Dockerfile
+++ b/terragrunt/Dockerfile
@@ -1,73 +1,48 @@
-ARG TARGETARCH
-
+# Versions
+ARG ALPINE_VERSION=3.20
+ARG TOFU_VERSION=1.6.2
 ARG SOPS_VERSION=v3.8.1
-ARG TOFU_version=1.6.2
-ARG TERRAGRUNT_VERSION=v0.58.6
-ARG KUBECTL_VERSION=v1.12.7
-ARG HELM_VERSION=v2.13.1
-FROM alpine:latest as build
-
-RUN apk update && \
- apk add curl ca-certificates
-#aws-cli jq yq ca-certificates git bash curl
+FROM ghcr.io/getsops/sops:${SOPS_VERSION}-alpine as sops
+FROM ghcr.io/opentofu/opentofu:${TOFU_VERSION} as tofu
-# install cosign
-COPY --from=gcr.io/projectsigstore/cosign:latest /ko-app/cosign /usr/local/bin/cosign
+FROM alpine:${ALPINE_VERSION} as build
-RUN curl -L https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.${TARGETARCH} -o /usr/local/bin/sops && \
- curl -LO https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.checksums.txt && \
- curl -LO https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.checksums.pem && \
- curl -LO https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.checksums.sig && \
- cosign verify-blob sops-${SOPS_VERSION}.checksums.txt \
- --certificate sops-${SOPS_VERSION}.checksums.pem \
- --signature sops-${SOPS_VERSION}.checksums.sig \
- --certificate-identity-regexp=https://github.com/getsops \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com && \
- chmod +x /usr/local/bin/sops
-RUN sops --version
+ARG TARGETARCH=arm64
+ARG TERRAGRUNT_VERSION=v0.58.6
+ARG KUBECTL_VERSION=v1.30.0
+ARG HELM_VERSION=v3.15.1
-RUN curl -L https://github.com/opentofu/opentofu/releases/download/v${TOFU_version}/tofu_${TOFU_version}_linux_${TARGETARCH}.zip -o tofu.zip && \
- curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_version}/tofu_${TOFU_version}_SHA256SUMS && \
- curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_version}/tofu_${TOFU_version}_SHA256SUMS.sig && \
- curl -LO 
https://github.com/opentofu/opentofu/releases/download/v${TOFU_version}/tofu_${TOFU_version}_SHA256SUMS.pem && \
- cosign verify-blob \
- --signature tofu_${TOFU_version}_SHA256SUMS.sig \
- --certificate tofu_${TOFU_version}_SHA256SUMS.pem \
- --certificate-identity https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/v1.6 \
- --certificate-oidc-issuer=https://token.actions.githubusercontent.com tofu_${TOFU_version}_SHA256SUMS && \
- unzip -qq tofu.zip && \
- mv tofu /usr/local/bin/tofu && \
- chmod +x /usr/local/bin/tofu
-RUN tofu --version
+RUN apk update && \
+ apk add curl ca-certificates
 RUN curl -L \
- https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64 -o terragrunt && \
+ https://github.com/gruntwork-io/terragrunt/releases/download/${TERRAGRUNT_VERSION}/terragrunt_linux_amd64 -o terragrunt && \
 chmod +x terragrunt && \
 mv terragrunt /usr/local/bin/
 RUN terragrunt --version
-RUN curl -L -o kubectl https://dl.k8s.io/release/${KUBECTL_VERSION}bin/linux/${TARGETARCH}/kubectl && \
+RUN curl -L -o kubectl https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl && \
 curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256" && \
- echo "$(cat kubectl.sha256) kubectl" | sha256sum --check && \
+ echo "$(cat kubectl.sha256) kubectl" | sha256sum -c && \
 chmod +x kubectl && \
 mv kubectl /usr/local/bin/kubectl
-RUN curl -L -o helm.tar.gz https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz && \
+RUN curl -LO https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz && \
 curl -LO https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz.sha256sum && \
 sha256sum -c helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz.sha256sum && \
- tar -xvzf helm.tar.gz && \
+ tar -xvzf helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz && \
 chmod +x linux-${TARGETARCH}/helm && \
 mv linux-${TARGETARCH}/helm 
/usr/local/bin/helm
-FROM alpine:latest
+FROM alpine:${ALPINE_VERSION}
 RUN apk update && \
- apk add aws-cli jq yq git
+ apk add aws-cli jq yq-go git
 RUN aws --version
-COPY --from=build /usr/local/bin/sops /usr/local/bin/sops
-COPY --from=build /usr/local/bin/tofu /usr/local/bin/tofu
+COPY --from=sops /usr/local/bin/sops /usr/local/bin/sops
+COPY --from=tofu /usr/local/bin/tofu /usr/local/bin/tofu
 COPY --from=build /usr/local/bin/terragrunt /usr/local/bin/terragrunt
 COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY --from=build /usr/local/bin/helm /usr/local/bin/helm
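Review bot: The terragrunt step still downloads `terragrunt_linux_amd64` unconditionally although the workflow now builds `linux/arm64` as well, and unlike the kubectl and helm steps it has no checksum check, so the arm64 image ships an amd64 binary and a corrupted or substituted download is only caught if `terragrunt --version` happens to fail. Use `${TARGETARCH}` in the asset name and verify it against the `SHA256SUMS` asset Gruntwork ships with each release (confirm the exact asset name on the release page), and pass `-f` to every curl in this stage so an HTTP error body is not saved and installed as the binary — today the `chmod`/`mv` succeed on a 404 page. The sops and tofu stages are now pulled by mutable tag from ghcr.io instead of the signature-verified downloads the previous revision had, so pin those two `FROM` lines by digest (`@sha256:…`) or verify the images with cosign in CI. The final stage never sets `USER`, so terragrunt runs as root in the container; add a dedicated user before the `COPY` lines if the CI runner allows it.
```dockerfile
# … unchanged: ARG lines and apk install in the build stage …
RUN curl -fsSL -o terragrunt_linux_${TARGETARCH} \
      https://github.com/gruntwork-io/terragrunt/releases/download/${TERRAGRUNT_VERSION}/terragrunt_linux_${TARGETARCH} && \
    curl -fsSL -O https://github.com/gruntwork-io/terragrunt/releases/download/${TERRAGRUNT_VERSION}/SHA256SUMS && \
    grep " terragrunt_linux_${TARGETARCH}$" SHA256SUMS | sha256sum -c && \
    install -m 0755 terragrunt_linux_${TARGETARCH} /usr/local/bin/terragrunt
RUN terragrunt --version
# … unchanged: kubectl and helm steps, final stage …
```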