From 6730f351e7d25af184bd8c2d870fbe7bcf17e5e2 Mon Sep 17 00:00:00 2001 From: Vemund Gaukstad Date: Tue, 28 Jan 2025 14:24:22 +0100 Subject: [PATCH] feat: terraform azure devops agent (#1270) * add terraform azure devops agent dockerfile * add cache and security scan * remove unused var extraction step * only build for amd64 * Update infrastructure/images/terraform-azure-devops-agent/README.md Co-authored-by: Renato Monteiro <45536168+monteiro-renato@users.noreply.github.com> * build scan and push * add trivy ignore * updated base image and added more context to readme * Update infrastructure/images/terraform-azure-devops-agent/README.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update infrastructure/images/terraform-azure-devops-agent/README.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --------- Co-authored-by: tjololo <1145298+tjololo@users.noreply.github.com> Co-authored-by: Renato Monteiro <45536168+monteiro-renato@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --- .../workflows/terraform-azdev-agent-pr.yml | 47 +++++++++++++ .../terraform-azdev-agent-release.yml | 69 +++++++++++++++++++ .../terraform-azure-devops-agent/.trivyignore | 2 + .../terraform-azure-devops-agent/Dockerfile | 3 + .../terraform-azure-devops-agent/README.md | 26 +++++++ .../scripts/install.sh | 16 +++++ 6 files changed, 163 insertions(+) create mode 100644 .github/workflows/terraform-azdev-agent-pr.yml create mode 100644 .github/workflows/terraform-azdev-agent-release.yml create mode 100644 infrastructure/images/terraform-azure-devops-agent/.trivyignore create mode 100644 infrastructure/images/terraform-azure-devops-agent/Dockerfile create mode 100644 infrastructure/images/terraform-azure-devops-agent/README.md create mode 100755 infrastructure/images/terraform-azure-devops-agent/scripts/install.sh 
diff --git a/.github/workflows/terraform-azdev-agent-pr.yml b/.github/workflows/terraform-azdev-agent-pr.yml
new file mode 100644
index 00000000..2f420fee
--- /dev/null
+++ b/.github/workflows/terraform-azdev-agent-pr.yml
@@ -0,0 +1,47 @@
+name: Test build terraform azure devops agent
+
+on:
+ pull_request:
+ branches:
+ - main
+ paths:
+ - .github/workflows/terraform-azdev-agent-pr.yml
+ - infrastructure/images/terraform-azure-devops-agent/**
+
+permissions:
+ contents: read
+ packages: read
+
+jobs:
+ build:
+ name: Test build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Get Git commit timestamps
+ run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build
+ id: docker_build
+ uses: docker/build-push-action@v6
+ with:
+ context: ./infrastructure/images/terraform-azure-devops-agent
+ push: false
+ load: true
+ platforms: linux/amd64
+ tags: terraform-azure-devops-agent:test
+ env:
+ SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+ - name: Scan with trivy
+ uses: aquasecurity/trivy-action@0.29.0
+ with:
+ image-ref: terraform-azure-devops-agent:test
+ format: table
+ exit-code: 1
+ ignore-unfixed: true
+ trivyignores: ./infrastructure/images/terraform-azure-devops-agent/.trivyignore
+ vuln-type: os,library
+ severity: HIGH,CRITICAL
\ No newline at end of file
diff --git a/.github/workflows/terraform-azdev-agent-release.yml b/.github/workflows/terraform-azdev-agent-release.yml
new file mode 100644
index 00000000..7085d7f3
--- /dev/null
+++ b/.github/workflows/terraform-azdev-agent-release.yml
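Review bot: Every third-party action in this workflow is referenced by a mutable tag (`actions/checkout@v4`, `docker/build-push-action@v6`, `aquasecurity/trivy-action@0.29.0`), so a re-pushed or compromised tag changes what executes in the build without any change landing in this repository. Pin each `uses:` to a full commit SHA and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # v0.29.0`; the README added in this change says Renovate is enabled, and Renovate can keep SHA pins current. Note also that `ignore-unfixed: true` together with `exit-code: 1` means a HIGH or CRITICAL finding with no upstream fix does not fail the PR, which is a defensible trade-off but deserves a one-line comment above the scan step so the gate's scope is not overestimated. The `Set up QEMU` step is not needed for a `linux/amd64`-only build on an amd64 runner and can be dropped.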
@@ -0,0 +1,69 @@
+name: Release azure devops agent
+
+on:
+ push:
+ tags:
+ - "tf-azdev-agent-*"
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Get variables from tags
+ id: vars
+ run: |
+ tag=${GITHUB_REF/refs\/tags\/tf-azdev-agent-/}
+ echo "version=${tag%-demo}" >> "$GITHUB_OUTPUT"
+ echo "reponame=${GITHUB_REPOSITORY,,}" >> "${GITHUB_OUTPUT}"
+ - name: Get Git commit timestamps
+ run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Login to Docker
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Build
+ id: docker_build
+ uses: docker/build-push-action@v6
+ with:
+ context: ./infrastructure/images/terraform-azure-devops-agent
+ push: false
+ load: true
+ platforms: linux/amd64
+ cache-from: gha
+ cache-to: gha
+ tags: ghcr.io/${{ steps.vars.outputs.reponame }}/terraform-azure-devops-agent:v${{ steps.vars.outputs.version }}
+ env:
+ SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.29.0
+ with:
+ image-ref: ghcr.io/${{ steps.vars.outputs.reponame }}/terraform-azure-devops-agent:v${{ steps.vars.outputs.version }}
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ trivyignores: ./infrastructure/images/terraform-azure-devops-agent/.trivyignore
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ - name: Push
+ id: docker_push
+ uses: docker/build-push-action@v6
+ with:
+ context: ./infrastructure/images/terraform-azure-devops-agent
+ push: true
+ platforms: linux/amd64
+ cache-from: gha
+ cache-to: gha
+ tags: ghcr.io/${{ steps.vars.outputs.reponame }}/terraform-azure-devops-agent:v${{ steps.vars.outputs.version }}
+ env:
+ SOURCE_DATE_EPOCH: ${{ 
env.TIMESTAMP }}
\ No newline at end of file
diff --git a/infrastructure/images/terraform-azure-devops-agent/.trivyignore b/infrastructure/images/terraform-azure-devops-agent/.trivyignore
new file mode 100644
index 00000000..e2d9531f
--- /dev/null
+++ b/infrastructure/images/terraform-azure-devops-agent/.trivyignore
@@ -0,0 +1,2 @@
+# Checkd against kubectl with govulncheck and kubectl is not affected (false positiv)
+CVE-2024-45338
\ No newline at end of file
diff --git a/infrastructure/images/terraform-azure-devops-agent/Dockerfile b/infrastructure/images/terraform-azure-devops-agent/Dockerfile
new file mode 100644
index 00000000..49d8baf6
--- /dev/null
+++ b/infrastructure/images/terraform-azure-devops-agent/Dockerfile
@@ -0,0 +1,3 @@
+FROM ghcr.io/altinn/altinn-platform/azure-devops-agent:v1.2.0
+COPY scripts/install.sh .
+RUN ./install.sh
\ No newline at end of file
diff --git a/infrastructure/images/terraform-azure-devops-agent/README.md b/infrastructure/images/terraform-azure-devops-agent/README.md
new file mode 100644
index 00000000..490f27e8
--- /dev/null
+++ b/infrastructure/images/terraform-azure-devops-agent/README.md
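Review bot: The `Push` step runs a second `docker/build-push-action` build instead of pushing the image the Trivy step just scanned, so the published artifact is only guaranteed to be the scanned one when the GHA cache fully hits; on a cache miss (eviction, or the `v1.2.0` base tag being re-pushed between the two steps) `install.sh` re-runs and an image that was never scanned is published. Because the `Build` step uses `load: true` under the final `ghcr.io/...` tag and `docker/login-action` has already authenticated the local daemon, the push can be a plain `run: docker push ghcr.io/${{ steps.vars.outputs.reponame }}/terraform-azure-devops-agent:v${{ steps.vars.outputs.version }}`, which makes the scanned and pushed digests identical by construction. The `id: docker_build` and `id: docker_push` outputs are never read and can be dropped, and as in the PR workflow the actions are pinned to mutable tags rather than commit SHAs. This hunk begins on the previous line of the page.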
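Review bot: The ignore for `CVE-2024-45338` records that kubectl was checked with govulncheck but not which kubectl version was checked or when the suppression should be revisited, so it will keep silencing the finding unchanged after `KUBECTL_VERSION` in `scripts/install.sh` is bumped or the base image moves. The README added in this same change asks for exactly that context on suppressions; apply it here and fix the typos, e.g. `# False positive: kubectl v1.32.1 checked with govulncheck, not affected. Re-verify when KUBECTL_VERSION or the base image changes.` If you want the suppression to lapse on its own, Trivy's `.trivyignore` format also accepts an expiry suffix (`CVE-2024-45338 exp:YYYY-MM-DD`), which would force the re-check rather than rely on someone remembering it.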
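Review bot: `FROM ghcr.io/altinn/altinn-platform/azure-devops-agent:v1.2.0` pins the base image by a mutable tag, so the same Dockerfile can yield a different image if that tag is re-pushed, and it is one of the ways the release workflow's scan-then-rebuild can publish something other than what was scanned; pin by digest as well, `FROM ghcr.io/altinn/altinn-platform/azure-devops-agent:v1.2.0@sha256:<digest>`, which Renovate (enabled per the README in this change) can keep current. `RUN ./install.sh` also relies on two properties of the base image that are not visible here: it must run as root (the script calls `install -o root -g root`) and `COPY scripts/install.sh .` must land in a writable `WORKDIR`; a comment such as `# assumes the base image runs as root with a writable WORKDIR` would make that contract explicit for whoever next bumps the base.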
@@ -0,0 +1,26 @@
+# Altinn Terraform Azure DevOps Agent Image
+
+Image maintained by the platform team which installs some standard software that is used by our Terraform pipelines
+
+## Maintenance
+Renovate is enabled on this repository and will automatically create a PR when there is a new version of the base image.
+If quicker turnaround is needed update the `Dockerfile`
+
+### Additional software installed
+
+#### kubectl
+This should be updated to the latest stable release once a month or when some other update is made to the image.
+
+To update the kubectl version get the latest stable release with `curl -L -s https://dl.k8s.io/release/stable.txt` and update the variable KUBECTL_VERSION in the top of the `scripts/install.sh` file.
+
+### New trivy alerts
+This image is set up with Trivy to scan for vulnerabilities. If any vulnerabilities are found, the workflow will fail.
+
+#### Managing Vulnerabilities
+1. **False Positives**: If an alert is a false positive, add the CVE ID to `.trivyignore`
+2. **Accepted Risks**: For known risks that have been assessed and accepted:
+ - Add the CVE ID to `.trivyignore`
+ - Add a comment above the CVE explaining:
+ - Why the risk is acceptable
+ - Any mitigating controls in place
+ - When the decision should be reviewed
\ No newline at end of file
diff --git a/infrastructure/images/terraform-azure-devops-agent/scripts/install.sh b/infrastructure/images/terraform-azure-devops-agent/scripts/install.sh
new file mode 100755
index 00000000..0f0407b7
--- /dev/null
+++ b/infrastructure/images/terraform-azure-devops-agent/scripts/install.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+
+# Versions
+KUBECTL_VERSION="v1.32.1" #Get the latest version with: curl -L -s https://dl.k8s.io/release/stable.txt
+
+# Install kubectl
+echo "Installing kubectl $KUBECTL_VERSION"
+curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
+curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
+# Verify the checksum
+echo "$(cat kubectl.sha256) kubectl" | sha256sum --check
+# Install kubectl
+install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+# Clean up
+rm kubectl kubectl.sha256 install.sh
\ No newline at end of file
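Review bot: Both `curl -LO` calls lack `-f`, so an HTTP error (for example a typo in `KUBECTL_VERSION`) is treated as success and the error page is written to `kubectl` and `kubectl.sha256`; the build still fails, but only later at `sha256sum --check` with a misleading "no properly formatted checksum lines" error rather than at the download. Use `curl -fsSLO` on both downloads and harden the prologue to `set -euo pipefail` so an unset variable or a failing left-hand side of the checksum pipeline also aborts the script. The `.sha256` file is fetched from the same origin as the binary, so the check protects against corruption but not against a compromised `dl.k8s.io`; that is an accepted limitation for upstream Kubernetes releases, but it should be stated above the check, e.g. `# Integrity check only: the .sha256 is served from the same origin as the binary`. Since Renovate already tracks the base image, a custom regex manager on the `KUBECTL_VERSION=` line would replace the manual monthly bump the README describes.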