feat: terraform azure devops agent (#1270)

* add terraform azure devops agent dockerfile * add cache and security scan * remove unused var extraction step * only build for amd64 * Update infrastructure/images/terraform-azure-devops-agent/README.md Co-authored-by: Renato Monteiro <45536168+monteiro-renato@users.noreply.github.com> * build scan and push * add trivy ignore * updated base image and added more context to readme * Update infrastructure/images/terraform-azure-devops-agent/README.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update infrastructure/images/terraform-azure-devops-agent/README.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --------- Co-authored-by: tjololo <1145298+tjololo@users.noreply.github.com> Co-authored-by: Renato Monteiro <45536168+monteiro-renato@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Altinn · Jan 28, 2025 · 6730f35 · 6730f35
1 parent fa71e04
commit 6730f35
Show file tree

Hide file tree

Showing 6 changed files with 163 additions and 0 deletions.
diff --git a/.github/workflows/terraform-azdev-agent-pr.yml b/.github/workflows/terraform-azdev-agent-pr.yml
@@ -0,0 +1,47 @@
+name: Test build terraform azure devops agent
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/terraform-azdev-agent-pr.yml
+      - infrastructure/images/terraform-azure-devops-agent/**
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  build:
+    name: Test build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Get Git commit timestamps
+        run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build
+        id: docker_build
+        uses: docker/build-push-action@v6
+        with:
+          context: ./infrastructure/images/terraform-azure-devops-agent
+          push: false
+          load: true
+          platforms: linux/amd64
+          tags: terraform-azure-devops-agent:test
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+      - name: Scan with trivy
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: terraform-azure-devops-agent:test
+          format: table
+          exit-code: 1
+          ignore-unfixed: true
+          trivyignores: ./infrastructure/images/terraform-azure-devops-agent/.trivyignore
+          vuln-type: os,library
+          severity: HIGH,CRITICAL
diff --git a/.github/workflows/terraform-azdev-agent-release.yml b/.github/workflows/terraform-azdev-agent-release.yml
@@ -0,0 +1,69 @@
+name: Release azure devops agent
+
+on:
+  push:
+    tags:
+      - "tf-azdev-agent-*"
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Get variables from tags
+        id: vars
+        run: |
+          tag=${GITHUB_REF/refs\/tags\/tf-azdev-agent-/}
+          echo "version=${tag%-demo}" >> "$GITHUB_OUTPUT"
+          echo "reponame=${GITHUB_REPOSITORY,,}" >> "${GITHUB_OUTPUT}"
+      - name: Get Git commit timestamps
+        run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build
+        id: docker_build
+        uses: docker/build-push-action@v6
+        with:
+          context: ./infrastructure/images/terraform-azure-devops-agent
+          push: false
+          load: true
+          platforms: linux/amd64
+          cache-from: gha
+          cache-to: gha
+          tags: ghcr.io/${{ steps.vars.outputs.reponame }}/terraform-azure-devops-agent:v${{ steps.vars.outputs.version }}
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: ghcr.io/${{ steps.vars.outputs.reponame }}/terraform-azure-devops-agent:v${{ steps.vars.outputs.version }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          trivyignores: ./infrastructure/images/terraform-azure-devops-agent/.trivyignore
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+      - name: Push
+        id: docker_push
+        uses: docker/build-push-action@v6
+        with:
+          context: ./infrastructure/images/terraform-azure-devops-agent
+          push: true
+          platforms: linux/amd64
+          cache-from: gha
+          cache-to: gha
+          tags: ghcr.io/${{ steps.vars.outputs.reponame }}/terraform-azure-devops-agent:v${{ steps.vars.outputs.version }}
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
diff --git a/infrastructure/images/terraform-azure-devops-agent/.trivyignore b/infrastructure/images/terraform-azure-devops-agent/.trivyignore
@@ -0,0 +1,2 @@
+# Checkd against kubectl with govulncheck and kubectl is not affected (false positiv)
+CVE-2024-45338
diff --git a/infrastructure/images/terraform-azure-devops-agent/Dockerfile b/infrastructure/images/terraform-azure-devops-agent/Dockerfile
@@ -0,0 +1,3 @@
+FROM ghcr.io/altinn/altinn-platform/azure-devops-agent:v1.2.0
+COPY scripts/install.sh .
+RUN ./install.sh
diff --git a/infrastructure/images/terraform-azure-devops-agent/README.md b/infrastructure/images/terraform-azure-devops-agent/README.md
@@ -0,0 +1,26 @@
+# Altinn Terraform Azure DevOps Agent Image
+
+Image maintained by the platform team which installs some standard software that is used by our Terraform pipelines
+
+## Maintenance
+Renovate is enabled on this repository and will automatically create a PR when there is a new version of the base image.
+If quicker turnaround is needed update the `Dockerfile`
+
+### Additional software installed
+
+#### kubectl
+This should be updated to the latest stable release once a month or when some other update is made to the image.
+
+To update the kubectl version get the latest stable release with `curl -L -s https://dl.k8s.io/release/stable.txt` and update the variable KUBECTL_VERSION in the top of the `scripts/install.sh` file.
+
+### New trivy alerts
+This image is set up with Trivy to scan for vulnerabilities. If any vulnerabilities are found, the workflow will fail.
+
+#### Managing Vulnerabilities
+1. **False Positives**: If an alert is a false positive, add the CVE ID to `.trivyignore`
+2. **Accepted Risks**: For known risks that have been assessed and accepted:
+   - Add the CVE ID to `.trivyignore`
+   - Add a comment above the CVE explaining:
+     - Why the risk is acceptable
+     - Any mitigating controls in place
+     - When the decision should be reviewed
diff --git a/infrastructure/images/terraform-azure-devops-agent/scripts/install.sh b/infrastructure/images/terraform-azure-devops-agent/scripts/install.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+
+# Versions
+KUBECTL_VERSION="v1.32.1" #Get the latest version with: curl -L -s https://dl.k8s.io/release/stable.txt
+
+# Install kubectl
+echo "Installing kubectl $KUBECTL_VERSION"
+curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
+curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
+# Verify the checksum
+echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
+# Install kubectl
+install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+# Clean up
+rm kubectl kubectl.sha256 install.sh
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Checkd against kubectl with govulncheck and kubectl is not affected (false positiv)
		CVE-2024-45338