From 38f2a482e4fb8509adfa8721b0cea90a50113688 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Thu, 1 Sep 2022 21:28:41 +0000 Subject: [PATCH 01/28] Add read permissions to tmpfile in wrapper hook --- hooks/terraform_wrapper_module_for_each.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hooks/terraform_wrapper_module_for_each.sh b/hooks/terraform_wrapper_module_for_each.sh index dd80b6021..ebcbe4f40 100755 --- a/hooks/terraform_wrapper_module_for_each.sh +++ b/hooks/terraform_wrapper_module_for_each.sh @@ -414,6 +414,9 @@ function create_tmp_file_tf { mv "$tmp_file" "$tmp_file.tf" tmp_file_tf="$tmp_file.tf" + # mktemp creates with no group/other read permissions + chmod a+r "$tmp_file_tf" + echo "$CONTENT_MAIN_TF" > "$tmp_file_tf" } From 4f3d2386a2d10a1a99276bd6f69f9bbe3590a15e Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Thu, 1 Sep 2022 23:03:59 +0000 Subject: [PATCH 02/28] Update docs for running docker with user --- README.md | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a7e820f33..af61d58de 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,10 @@ If you are using `pre-commit-terraform` already or want to support its developme * [terraform_wrapper_module_for_each](#terraform_wrapper_module_for_each) * [terrascan](#terrascan) * [tfupdate](#tfupdate) +* [Docker Usage](#docker-usage) + * [File Permissions](#file-permissions) + * [Other Settings](#other-settings) + * [1. Module short name for terraform_wrapper_module_for_each](#1-module-short-name-for-terraformwrappermoduleforeach) * [Authors](#authors) * [License](#license) * [Additional information for users from Russia and Belarus](#additional-information-for-users-from-russia-and-belarus) @@ -229,14 +233,14 @@ Or, using Docker ([available tags](https://github.com/antonbabenko/pre-commit-te ```bash TAG=latest -docker run -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a +docker run -v $(pwd):/lint -w /lint -e HOME=/tmp --user $(id -u):$(id -g) ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a ``` Execute this command to list the versions of the tools in Docker: ```bash TAG=latest -docker run --entrypoint cat ghcr.io/antonbabenko/pre-commit-terraform:$TAG /usr/bin/tools_versions_info +docker run --rm --entrypoint cat ghcr.io/antonbabenko/pre-commit-terraform:$TAG /usr/bin/tools_versions_info ``` ## Available Hooks @@ -779,6 +783,36 @@ Sample configuration: Check [`tfupdate` usage instructions](https://github.com/minamijoyo/tfupdate#usage) for other available options and usage examples. No need to pass `--recursive .` as it is added automatically. +## Docker Usage + +### File Permissions + +The docker container runs as the ```root``` user by default. This can cause file permission issues in the repository on which pre-commit is run, as the source repo is mounted to the container via a bind mount. This will cause files owned by ```root``` to be created in the source repo directory. The recommended command to run pre-commit sets the container user and group to the user that is calling ```docker run```. This user will not exist in the container, so the container's home directory is set to ```/tmp``` to allow storing settings and caches for the various tools. + +```bash +TAG=latest +docker run -v $(pwd):/lint -w /lint -e HOME=/tmp --user $(id -u):$(id -g) ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a +``` + +If the local repository is using a different user or group for permissions, the ```--user``` option can be modified based on the ownership of the repository directory. It can be retrieved from the 2nd (user) and 3rd (group) columns of ```ls``` output. + +```bash +$ ls -aldn . +drwxr-xr-x 9 1000 1000 4096 Sep 1 16:23 . +``` + +### Other Settings + +#### 1. Module short name for ```terraform_wrapper_module_for_each``` + +The [terraform_wrapper_module_for_each](#terraformwrappermoduleforeach) hook attempts to determine the module's short name to be inserted into the generated ```README.md``` files for the ```source``` URLs. Since the container uses a bind mount at a static location, it can cause this short name to be incorrect. If the generated name is incorrect, it can be set by providing the ```module-repo-shortname``` option to the hook. + +```yaml +- id: terraform_wrapper_module_for_each + args: + - '--args=--module-repo-shortname=ec2-instance' # module repo short name +``` + ## Authors This repository is managed by [Anton Babenko](https://github.com/antonbabenko) with help from these awesome contributors: From cd766e19851a3583b261135f2f28c621d3796e98 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Fri, 2 Sep 2022 00:12:26 -0500 Subject: [PATCH 03/28] Add initial docker entrypoint script --- .dockerignore | 1 + Dockerfile | 7 +++++-- tools/entrypoint.sh | 17 +++++++++++++++++ 3 files changed, 23 insertions(+), 2 deletions(-) create mode 100755 tools/entrypoint.sh diff --git a/.dockerignore b/.dockerignore index 50c8ea340..a78e675d2 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,3 +1,4 @@ * !.dockerignore !Dockerfile +!tools/entrypoint.sh diff --git a/Dockerfile b/Dockerfile index 809a9059a..bff0ddeb4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -201,11 +201,14 @@ RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = ; fi && \ # Fix git runtime fatal: # unsafe repository ('/lint' is owned by someone else) - git config --global --add safe.directory /lint + git config --global --add safe.directory /lint && \ + apk add --no-cache su-exec=~0 + +COPY tools/entrypoint.sh /entrypoint.sh ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always} ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-} ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false} -ENTRYPOINT [ "pre-commit" ] +ENTRYPOINT [ "/entrypoint.sh" ] diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh new file mode 100755 index 000000000..c88162198 --- /dev/null +++ b/tools/entrypoint.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +#exit on error +set -e + +USERID=${USERID:-"0:0"} +if [[ ! $USERID =~ ^[0-9]+:[0-9]+$ ]]; then + echo "USERID environment variable invalid, format is userid:groupid. Received: \"${USERID}\"" + exit 1 +fi + +uid=${USERID%%:*} +gid=${USERID##*:} + +if [[ ${uid} == 0 && ${gid} == 0 ]]; then + su-exec 0:0 pre-commit "$@" +fi + From c3a65290e8a71c47e34f2b3a1fee2419072ddbb7 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Fri, 2 Sep 2022 18:13:38 +0000 Subject: [PATCH 04/28] Add entrypoint user creation and permission checks --- Dockerfile | 1 + tools/entrypoint.sh | 65 ++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 65 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index bff0ddeb4..cce513fc8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -205,6 +205,7 @@ RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = apk add --no-cache su-exec=~0 COPY tools/entrypoint.sh /entrypoint.sh +RUN cp -r /root/ /etc/skel/ ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always} diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index c88162198..42a1f2a7f 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -2,16 +2,79 @@ #exit on error set -e +readonly USERBASE="run" + +# make sure USERID makes sense as UID:GID +# it looks like the alpine distro limits UID and GID to 256000, but +# could be more, so we accept any valid integers USERID=${USERID:-"0:0"} if [[ ! $USERID =~ ^[0-9]+:[0-9]+$ ]]; then echo "USERID environment variable invalid, format is userid:groupid. Received: \"${USERID}\"" exit 1 fi +# separate uid and gid uid=${USERID%%:*} gid=${USERID##*:} +# if requested UID:GID is root, go ahead and run without other processing if [[ ${uid} == 0 && ${gid} == 0 ]]; then - su-exec 0:0 pre-commit "$@" + exec su-exec 0:0 pre-commit "$@" +fi + +# make sure workdir and some files are readable/writable by the provided UID/GID +# combo, otherwise will have errors when processing hooks +wdir="$(pwd)" +if ! su-exec "${uid}:${gid}" "/bin/bash" -c "test -w ${wdir} && test -r ${wdir}" ; then + echo "user:gid ${uid}:${gid} lacks permissions to ${wdir}/" + exit 1 +fi +if ! su-exec "${uid}:${gid}" "/bin/bash" -c "test -w ${wdir}/.git/index && test -r ${wdir}/.git/index" ; then + echo "user:gid ${uid}:${gid} cannot write to ${wdir}/.git/index2" + exit 1 +fi + +# check if group by this GID already exists, if so get the name since adduser +# only accepts names +if groupinfo="$(getent group "${gid}")"; then + groupname="${groupinfo%%:*}" +else + # create group in advance in case GID is different than UID + groupname="${USERBASE}${gid}" + if ! err="$(addgroup -g "${gid}" "${groupname}" 2>&1)" ; then + echo "failed to create gid \"${gid}\" with name \"${groupname}\"" + echo "command output: ${err}" + exit 1 + fi +fi + +# check if user by this UID already exists, if so get the name since id +# only accepts names +if userinfo="$(getent passwd "${uid}")"; then + username="${userinfo%%:*}" +else + username="${USERBASE}${uid}" + if ! err="$(adduser -h "/home/${username}" -s "/bin/bash" -G "${groupname}" -D -u "${uid}" -k "/etc/skel" "${username}")" ; then + echo "failed to create uid \"${uid}\" with name \"${username}\" and group \"${groupname}\"" + echo "command output: ${err}" + exit 1 + fi +fi + +# it's possible it was not in the group specified, add it +if ! idgroupinfo="$(id -G "${username}" 2>&1)" ; then + echo "failed to get group list for username \"${username}\"" + echo "command output: ${idgroupinfo}" + exit 1 +fi +if [[ ! " ${idgroupinfo} " =~ [:blank:]${gid}[:blank:] ]] ; then + if ! err="$(addgroup "${username}" "${groupname}")" ; then + echo "failed to add user \"${username}\" to group \"${groupname}\"" + echo "command output: ${err}" + exit 1 + fi fi +# user and group of specified UID/GID should exist now, and user should be +# a member of group, so execute pre-commit +exec su-exec "${uid}:${gid}" pre-commit "$@" From 78fdb40719923bac5f3a3367e170966cfe878f39 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Fri, 2 Sep 2022 15:34:18 -0500 Subject: [PATCH 05/28] Add entrypoint.sh to trigger github image test --- .github/workflows/build-image-test.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml index 9ba0282b4..451de9606 100644 --- a/.github/workflows/build-image-test.yaml +++ b/.github/workflows/build-image-test.yaml @@ -19,6 +19,8 @@ jobs: with: files: | Dockerfile + .dockerignore + tools/entrypoint.sh - name: Build if Dockerfile changed if: steps.changed-files-specific.outputs.any_changed == 'true' From f7871ca38c130a5385ad2e85a398debc3445b202 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Fri, 2 Sep 2022 15:34:42 -0500 Subject: [PATCH 06/28] Add entrypoint container structure tests --- .github/.container-structure-test-config.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/.container-structure-test-config.yaml b/.github/.container-structure-test-config.yaml index a860febe4..dd23c58c5 100644 --- a/.github/.container-structure-test-config.yaml +++ b/.github/.container-structure-test-config.yaml @@ -60,9 +60,24 @@ commandTests: args: [ "version" ] expectedOutput: [ "([0-9]+\\.){2}[0-9]+\\n$" ] + - name: 'entrypoint.sh' + envVars: + - key: "USERID" + value: "1000:1000" + command: "/entrypoint.sh" + args: [ "-V" ] + expectedOutput: ["^user:gid 1000:1000 lacks permissions to //\\n$"] + exitCode: 1 + fileExistenceTests: - name: 'terrascan init' path: '/root/.terrascan/pkg/policies/opa/rego/github/github_repository/privateRepoEnabled.rego' shouldExist: true uid: 0 gid: 0 + + - name: 'skeleton terrascan init' + path: '/root/.terrascan/pkg/policies/opa/rego/github/github_repository/privateRepoEnabled.rego' + shouldExist: true + uid: 0 + gid: 0 From 1ac51f8e6de4da3ec633daf9062f6a360633dec5 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Fri, 2 Sep 2022 16:25:20 -0500 Subject: [PATCH 07/28] Fix whitespace in entrypoint.sh --- tools/entrypoint.sh | 72 ++++++++++++++++++++++----------------------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index 42a1f2a7f..f7b5ddf72 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -4,13 +4,13 @@ set -e readonly USERBASE="run" -# make sure USERID makes sense as UID:GID +# make sure USERID makes sense as UID:GID # it looks like the alpine distro limits UID and GID to 256000, but # could be more, so we accept any valid integers USERID=${USERID:-"0:0"} if [[ ! $USERID =~ ^[0-9]+:[0-9]+$ ]]; then - echo "USERID environment variable invalid, format is userid:groupid. Received: \"${USERID}\"" - exit 1 + echo "USERID environment variable invalid, format is userid:groupid. Received: \"${USERID}\"" + exit 1 fi # separate uid and gid @@ -19,60 +19,60 @@ gid=${USERID##*:} # if requested UID:GID is root, go ahead and run without other processing if [[ ${uid} == 0 && ${gid} == 0 ]]; then - exec su-exec 0:0 pre-commit "$@" + exec su-exec 0:0 pre-commit "$@" fi -# make sure workdir and some files are readable/writable by the provided UID/GID +# make sure workdir and some files are readable/writable by the provided UID/GID # combo, otherwise will have errors when processing hooks wdir="$(pwd)" -if ! su-exec "${uid}:${gid}" "/bin/bash" -c "test -w ${wdir} && test -r ${wdir}" ; then - echo "user:gid ${uid}:${gid} lacks permissions to ${wdir}/" - exit 1 +if ! su-exec "${uid}:${gid}" "/bin/bash" -c "test -w ${wdir} && test -r ${wdir}"; then + echo "user:gid ${uid}:${gid} lacks permissions to ${wdir}/" + exit 1 fi -if ! su-exec "${uid}:${gid}" "/bin/bash" -c "test -w ${wdir}/.git/index && test -r ${wdir}/.git/index" ; then - echo "user:gid ${uid}:${gid} cannot write to ${wdir}/.git/index2" - exit 1 +if ! su-exec "${uid}:${gid}" "/bin/bash" -c "test -w ${wdir}/.git/index && test -r ${wdir}/.git/index"; then + echo "user:gid ${uid}:${gid} cannot write to ${wdir}/.git/index2" + exit 1 fi # check if group by this GID already exists, if so get the name since adduser # only accepts names if groupinfo="$(getent group "${gid}")"; then - groupname="${groupinfo%%:*}" + groupname="${groupinfo%%:*}" else - # create group in advance in case GID is different than UID - groupname="${USERBASE}${gid}" - if ! err="$(addgroup -g "${gid}" "${groupname}" 2>&1)" ; then - echo "failed to create gid \"${gid}\" with name \"${groupname}\"" - echo "command output: ${err}" - exit 1 - fi + # create group in advance in case GID is different than UID + groupname="${USERBASE}${gid}" + if ! err="$(addgroup -g "${gid}" "${groupname}" 2>&1)"; then + echo "failed to create gid \"${gid}\" with name \"${groupname}\"" + echo "command output: ${err}" + exit 1 + fi fi # check if user by this UID already exists, if so get the name since id # only accepts names if userinfo="$(getent passwd "${uid}")"; then - username="${userinfo%%:*}" + username="${userinfo%%:*}" else - username="${USERBASE}${uid}" - if ! err="$(adduser -h "/home/${username}" -s "/bin/bash" -G "${groupname}" -D -u "${uid}" -k "/etc/skel" "${username}")" ; then - echo "failed to create uid \"${uid}\" with name \"${username}\" and group \"${groupname}\"" - echo "command output: ${err}" - exit 1 - fi + username="${USERBASE}${uid}" + if ! err="$(adduser -h "/home/${username}" -s "/bin/bash" -G "${groupname}" -D -u "${uid}" -k "/etc/skel" "${username}")"; then + echo "failed to create uid \"${uid}\" with name \"${username}\" and group \"${groupname}\"" + echo "command output: ${err}" + exit 1 + fi fi # it's possible it was not in the group specified, add it -if ! idgroupinfo="$(id -G "${username}" 2>&1)" ; then - echo "failed to get group list for username \"${username}\"" - echo "command output: ${idgroupinfo}" - exit 1 +if ! idgroupinfo="$(id -G "${username}" 2>&1)"; then + echo "failed to get group list for username \"${username}\"" + echo "command output: ${idgroupinfo}" + exit 1 fi -if [[ ! " ${idgroupinfo} " =~ [:blank:]${gid}[:blank:] ]] ; then - if ! err="$(addgroup "${username}" "${groupname}")" ; then - echo "failed to add user \"${username}\" to group \"${groupname}\"" - echo "command output: ${err}" - exit 1 - fi +if [[ ! " ${idgroupinfo} " =~ [:blank:]${gid}[:blank:] ]]; then + if ! err="$(addgroup "${username}" "${groupname}")"; then + echo "failed to add user \"${username}\" to group \"${groupname}\"" + echo "command output: ${err}" + exit 1 + fi fi # user and group of specified UID/GID should exist now, and user should be From 64ccfa154a72ac603b20e220789d69f1015831ed Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Fri, 2 Sep 2022 17:03:07 -0500 Subject: [PATCH 08/28] Update docker documentation in README --- README.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index af61d58de..819f27f21 100644 --- a/README.md +++ b/README.md @@ -231,9 +231,11 @@ pre-commit run -a Or, using Docker ([available tags](https://github.com/antonbabenko/pre-commit-terraform/pkgs/container/pre-commit-terraform/versions)): +**NOTE:** This command uses your user id and group id for the docker container to use to access the local files. If the files are owned by another user, update the ```USERID``` environment variable. See [File Permissions](#file-permissions) for more information. + ```bash TAG=latest -docker run -v $(pwd):/lint -w /lint -e HOME=/tmp --user $(id -u):$(id -g) ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a +docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a ``` Execute this command to list the versions of the tools in Docker: @@ -787,14 +789,18 @@ No need to pass `--recursive .` as it is added automatically. ### File Permissions -The docker container runs as the ```root``` user by default. This can cause file permission issues in the repository on which pre-commit is run, as the source repo is mounted to the container via a bind mount. This will cause files owned by ```root``` to be created in the source repo directory. The recommended command to run pre-commit sets the container user and group to the user that is calling ```docker run```. This user will not exist in the container, so the container's home directory is set to ```/tmp``` to allow storing settings and caches for the various tools. +A mismatch between the Docker container's user and the local repository file ownership can cause permission issues in the repository where pre-commit is run. The container runs as the ```root``` user by default, and uses an entrypoint script to assume a user ID and group ID if specified by environment variable ```USERID```. + +The [recommended command](#4-run) to run the Docker container is: ```bash TAG=latest -docker run -v $(pwd):/lint -w /lint -e HOME=/tmp --user $(id -u):$(id -g) ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a +docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a ``` -If the local repository is using a different user or group for permissions, the ```--user``` option can be modified based on the ownership of the repository directory. It can be retrieved from the 2nd (user) and 3rd (group) columns of ```ls``` output. +which uses your current session's user ID and group ID to set the variable in the run command. Without this setting, you may find files and directories owned by ```root``` in your local repository. + +If the local repository is using a different user or group for permissions, you can modify the USERID to the user ID and group ID needed. **Do not use the username or groupname in the environment variable, as it has no meaning in the container.** You can get the current directory's owner user ID and group ID from the 3rd (user) and 4th (group) columns in ```ls``` output: ```bash $ ls -aldn . From 9266a93174cba8de2beb3a45f0d0a26b13c99903 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Fri, 2 Sep 2022 17:26:42 -0500 Subject: [PATCH 09/28] Clean up pip cache from skeleton files --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index cce513fc8..3cc0f0443 100644 --- a/Dockerfile +++ b/Dockerfile @@ -205,7 +205,7 @@ RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = apk add --no-cache su-exec=~0 COPY tools/entrypoint.sh /entrypoint.sh -RUN cp -r /root/ /etc/skel/ +RUN cp -r /root/ /etc/skel/ && rm -rf /etc/skel/.cache/pip ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always} From 0b4d72a104061bddaffcb5a81f7290d21619c13c Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Sat, 3 Sep 2022 02:56:39 -0500 Subject: [PATCH 10/28] Add su-exec container structure test --- .github/.container-structure-test-config.yaml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/.container-structure-test-config.yaml b/.github/.container-structure-test-config.yaml index dd23c58c5..01b791cf5 100644 --- a/.github/.container-structure-test-config.yaml +++ b/.github/.container-structure-test-config.yaml @@ -60,7 +60,7 @@ commandTests: args: [ "version" ] expectedOutput: [ "([0-9]+\\.){2}[0-9]+\\n$" ] - - name: 'entrypoint.sh' + - name: "entrypoint.sh" envVars: - key: "USERID" value: "1000:1000" @@ -69,15 +69,13 @@ commandTests: expectedOutput: ["^user:gid 1000:1000 lacks permissions to //\\n$"] exitCode: 1 + - name: "su-exec" + command: "su-exec" + expectedOutput: ["^Usage: su-exec user-spec command \\[args\\]\\n$"] + fileExistenceTests: - name: 'terrascan init' path: '/root/.terrascan/pkg/policies/opa/rego/github/github_repository/privateRepoEnabled.rego' shouldExist: true uid: 0 gid: 0 - - - name: 'skeleton terrascan init' - path: '/root/.terrascan/pkg/policies/opa/rego/github/github_repository/privateRepoEnabled.rego' - shouldExist: true - uid: 0 - gid: 0 From 281c53ed849c03e05f2caaceb724ecf2f332fad9 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Sat, 3 Sep 2022 02:57:09 -0500 Subject: [PATCH 11/28] Use /root for new user homedir skeleton --- Dockerfile | 1 - tools/entrypoint.sh | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3cc0f0443..bff0ddeb4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -205,7 +205,6 @@ RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = apk add --no-cache su-exec=~0 COPY tools/entrypoint.sh /entrypoint.sh -RUN cp -r /root/ /etc/skel/ && rm -rf /etc/skel/.cache/pip ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always} diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index f7b5ddf72..439212cfc 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -19,7 +19,7 @@ gid=${USERID##*:} # if requested UID:GID is root, go ahead and run without other processing if [[ ${uid} == 0 && ${gid} == 0 ]]; then - exec su-exec 0:0 pre-commit "$@" + exec su-exec "0:0" pre-commit "$@" fi # make sure workdir and some files are readable/writable by the provided UID/GID @@ -54,7 +54,7 @@ if userinfo="$(getent passwd "${uid}")"; then username="${userinfo%%:*}" else username="${USERBASE}${uid}" - if ! err="$(adduser -h "/home/${username}" -s "/bin/bash" -G "${groupname}" -D -u "${uid}" -k "/etc/skel" "${username}")"; then + if ! err="$(adduser -h "/home/${username}" -s "/bin/bash" -G "${groupname}" -D -u "${uid}" -k "${HOME}" "${username}")"; then echo "failed to create uid \"${uid}\" with name \"${username}\" and group \"${groupname}\"" echo "command output: ${err}" exit 1 From a019428d5480a7146c9cb950833238b2acd409ac Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Mon, 5 Sep 2022 14:44:15 -0500 Subject: [PATCH 12/28] Clean up Dockerfile apk installs --- Dockerfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index bff0ddeb4..d01ee5120 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,8 +5,7 @@ WORKDIR /bin_dir RUN apk add --no-cache \ # Builder deps - curl=~7 \ - unzip=~6 && \ + curl=~7 && \ # Upgrade pip for be able get latest Checkov python3 -m pip install --no-cache-dir --upgrade pip @@ -177,7 +176,9 @@ RUN apk add --no-cache \ bash=~5 \ # pre-commit-hooks deps: https://github.com/pre-commit/pre-commit-hooks musl-dev=~1 \ - gcc=~10 + gcc=~10 \ + # entrypoint wrapper deps + su-exec=~0 # Copy tools COPY --from=builder \ @@ -201,8 +202,7 @@ RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = ; fi && \ # Fix git runtime fatal: # unsafe repository ('/lint' is owned by someone else) - git config --global --add safe.directory /lint && \ - apk add --no-cache su-exec=~0 + git config --global --add safe.directory /lint COPY tools/entrypoint.sh /entrypoint.sh From 0988930ac516f7b13ac11ee774a776ddae1af61b Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Mon, 5 Sep 2022 15:05:55 -0500 Subject: [PATCH 13/28] Clean up root su-exec Co-authored-by: George L. Yermulnik --- tools/entrypoint.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index 439212cfc..62a0f1d6b 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -18,9 +18,7 @@ uid=${USERID%%:*} gid=${USERID##*:} # if requested UID:GID is root, go ahead and run without other processing -if [[ ${uid} == 0 && ${gid} == 0 ]]; then - exec su-exec "0:0" pre-commit "$@" -fi +[[ $USERID == "0:0" ]] && exec su-exec "$USERID" pre-commit "$@" # make sure workdir and some files are readable/writable by the provided UID/GID # combo, otherwise will have errors when processing hooks From 5ad0a7d3efc83966e65dc9f9becd84828ca9b004 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Mon, 5 Sep 2022 15:49:26 -0500 Subject: [PATCH 14/28] Clean up variable references --- tools/entrypoint.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index 62a0f1d6b..bad6b3ba2 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -3,6 +3,7 @@ set -e readonly USERBASE="run" +readonly BASHPATH="/bin/bash" # make sure USERID makes sense as UID:GID # it looks like the alpine distro limits UID and GID to 256000, but @@ -23,12 +24,13 @@ gid=${USERID##*:} # make sure workdir and some files are readable/writable by the provided UID/GID # combo, otherwise will have errors when processing hooks wdir="$(pwd)" -if ! su-exec "${uid}:${gid}" "/bin/bash" -c "test -w ${wdir} && test -r ${wdir}"; then - echo "user:gid ${uid}:${gid} lacks permissions to ${wdir}/" +if ! su-exec "$USERID" "$BASHPATH" -c "test -w ${wdir} && test -r ${wdir}"; then + echo "uid:gid $USERID lacks permissions to ${wdir}/" exit 1 fi -if ! su-exec "${uid}:${gid}" "/bin/bash" -c "test -w ${wdir}/.git/index && test -r ${wdir}/.git/index"; then - echo "user:gid ${uid}:${gid} cannot write to ${wdir}/.git/index2" +wdirgitindex="$wdir/.git/index" +if ! su-exec "$USERID" "$BASHPATH" -c "test -w $wdirgitindex && test -r $wdirgitindex"; then + echo "uid:gid $USERID cannot write to ${wdir}/.git/index" exit 1 fi @@ -52,7 +54,7 @@ if userinfo="$(getent passwd "${uid}")"; then username="${userinfo%%:*}" else username="${USERBASE}${uid}" - if ! err="$(adduser -h "/home/${username}" -s "/bin/bash" -G "${groupname}" -D -u "${uid}" -k "${HOME}" "${username}")"; then + if ! err="$(adduser -h "/home/${username}" -s "$BASHPATH" -G "${groupname}" -D -u "${uid}" -k "${HOME}" "${username}")"; then echo "failed to create uid \"${uid}\" with name \"${username}\" and group \"${groupname}\"" echo "command output: ${err}" exit 1 @@ -75,4 +77,4 @@ fi # user and group of specified UID/GID should exist now, and user should be # a member of group, so execute pre-commit -exec su-exec "${uid}:${gid}" pre-commit "$@" +exec su-exec "$USERID" pre-commit "$@" From 367f0a4165a693e933fbd53440d892b345f1080c Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Mon, 5 Sep 2022 16:30:36 -0500 Subject: [PATCH 15/28] Create function for error reporting --- tools/entrypoint.sh | 34 ++++++++++++++-------------------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index bad6b3ba2..d69619aff 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -5,13 +5,17 @@ set -e readonly USERBASE="run" readonly BASHPATH="/bin/bash" +function echo_error_and_exit { + echo -e "ERROR: $@" >&2 + exit 1 +} + # make sure USERID makes sense as UID:GID # it looks like the alpine distro limits UID and GID to 256000, but # could be more, so we accept any valid integers USERID=${USERID:-"0:0"} if [[ ! $USERID =~ ^[0-9]+:[0-9]+$ ]]; then - echo "USERID environment variable invalid, format is userid:groupid. Received: \"${USERID}\"" - exit 1 + echo_error_and_exit "USERID environment variable invalid, format is userid:groupid. Received: \"${USERID}\"" fi # separate uid and gid @@ -25,13 +29,11 @@ gid=${USERID##*:} # combo, otherwise will have errors when processing hooks wdir="$(pwd)" if ! su-exec "$USERID" "$BASHPATH" -c "test -w ${wdir} && test -r ${wdir}"; then - echo "uid:gid $USERID lacks permissions to ${wdir}/" - exit 1 + echo_error_and_exit "uid:gid $USERID lacks permissions to ${wdir}/" fi wdirgitindex="$wdir/.git/index" if ! su-exec "$USERID" "$BASHPATH" -c "test -w $wdirgitindex && test -r $wdirgitindex"; then - echo "uid:gid $USERID cannot write to ${wdir}/.git/index" - exit 1 + echo_error_and_exit "uid:gid $USERID cannot write to ${wdir}/.git/index" fi # check if group by this GID already exists, if so get the name since adduser @@ -42,9 +44,7 @@ else # create group in advance in case GID is different than UID groupname="${USERBASE}${gid}" if ! err="$(addgroup -g "${gid}" "${groupname}" 2>&1)"; then - echo "failed to create gid \"${gid}\" with name \"${groupname}\"" - echo "command output: ${err}" - exit 1 + echo_error_and_exit "failed to create gid \"${gid}\" with name \"${groupname}\" command output: \"$err\"" fi fi @@ -54,24 +54,18 @@ if userinfo="$(getent passwd "${uid}")"; then username="${userinfo%%:*}" else username="${USERBASE}${uid}" - if ! err="$(adduser -h "/home/${username}" -s "$BASHPATH" -G "${groupname}" -D -u "${uid}" -k "${HOME}" "${username}")"; then - echo "failed to create uid \"${uid}\" with name \"${username}\" and group \"${groupname}\"" - echo "command output: ${err}" - exit 1 + if ! err="$(adduser -h "/home/${username}" -s "$BASHPATH" -G "${groupname}" -D -u "${uid}" -k "${HOME}" "${username}" 2>&1)"; then + echo_error_and_exit "failed to create uid \"${uid}\" with name \"${username}\" and group \"${groupname}\" command output: \"$err\"" fi fi # it's possible it was not in the group specified, add it if ! idgroupinfo="$(id -G "${username}" 2>&1)"; then - echo "failed to get group list for username \"${username}\"" - echo "command output: ${idgroupinfo}" - exit 1 + echo_error_and_exit "failed to get group list for username \"${username}\" command output: \"$idgroupinfo\"" fi if [[ ! " ${idgroupinfo} " =~ [:blank:]${gid}[:blank:] ]]; then - if ! err="$(addgroup "${username}" "${groupname}")"; then - echo "failed to add user \"${username}\" to group \"${groupname}\"" - echo "command output: ${err}" - exit 1 + if ! err="$(addgroup "${username}" "${groupname}" 2>&1)"; then + echo_error_and_exit "failed to add user \"${username}\" to group \"${groupname}\" command output: \"${err}\"" fi fi From ed40055eb25cf03dfa2b8663cd2eed6208b36a9c Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Mon, 5 Sep 2022 17:20:17 -0500 Subject: [PATCH 16/28] Remove extraneous braces from variables --- tools/entrypoint.sh | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index d69619aff..30e2544df 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -4,6 +4,7 @@ set -e readonly USERBASE="run" readonly BASHPATH="/bin/bash" +readonly HOMEPATH="/home" function echo_error_and_exit { echo -e "ERROR: $@" >&2 @@ -15,7 +16,7 @@ function echo_error_and_exit { # could be more, so we accept any valid integers USERID=${USERID:-"0:0"} if [[ ! $USERID =~ ^[0-9]+:[0-9]+$ ]]; then - echo_error_and_exit "USERID environment variable invalid, format is userid:groupid. Received: \"${USERID}\"" + echo_error_and_exit "USERID environment variable invalid, format is userid:groupid. Received: \"$USERID\"" fi # separate uid and gid @@ -28,44 +29,44 @@ gid=${USERID##*:} # make sure workdir and some files are readable/writable by the provided UID/GID # combo, otherwise will have errors when processing hooks wdir="$(pwd)" -if ! su-exec "$USERID" "$BASHPATH" -c "test -w ${wdir} && test -r ${wdir}"; then - echo_error_and_exit "uid:gid $USERID lacks permissions to ${wdir}/" +if ! su-exec "$USERID" "$BASHPATH" -c "test -w $wdir && test -r $wdir"; then + echo_error_and_exit "uid:gid $USERID lacks permissions to $wdir/" fi wdirgitindex="$wdir/.git/index" if ! su-exec "$USERID" "$BASHPATH" -c "test -w $wdirgitindex && test -r $wdirgitindex"; then - echo_error_and_exit "uid:gid $USERID cannot write to ${wdir}/.git/index" + echo_error_and_exit "uid:gid $USERID cannot write to $wdirgitindex" fi # check if group by this GID already exists, if so get the name since adduser # only accepts names -if groupinfo="$(getent group "${gid}")"; then +if groupinfo="$(getent group "$gid")"; then groupname="${groupinfo%%:*}" else # create group in advance in case GID is different than UID - groupname="${USERBASE}${gid}" - if ! err="$(addgroup -g "${gid}" "${groupname}" 2>&1)"; then - echo_error_and_exit "failed to create gid \"${gid}\" with name \"${groupname}\" command output: \"$err\"" + groupname="$USERBASE$gid" + if ! err="$(addgroup -g "$gid" "$groupname" 2>&1)"; then + echo_error_and_exit "failed to create gid \"$gid\" with name \"$groupname\" command output: \"$err\"" fi fi # check if user by this UID already exists, if so get the name since id # only accepts names -if userinfo="$(getent passwd "${uid}")"; then +if userinfo="$(getent passwd "$uid")"; then username="${userinfo%%:*}" else - username="${USERBASE}${uid}" - if ! err="$(adduser -h "/home/${username}" -s "$BASHPATH" -G "${groupname}" -D -u "${uid}" -k "${HOME}" "${username}" 2>&1)"; then - echo_error_and_exit "failed to create uid \"${uid}\" with name \"${username}\" and group \"${groupname}\" command output: \"$err\"" + username="$USERBASE$uid" + if ! err="$(adduser -h "$HOMEPATH$username" -s "$BASHPATH" -G "$groupname" -D -u "$uid" -k "$HOME" "$username" 2>&1)"; then + echo_error_and_exit "failed to create uid \"$uid\" with name \"$username\" and group \"$groupname\" command output: \"$err\"" fi fi # it's possible it was not in the group specified, add it -if ! idgroupinfo="$(id -G "${username}" 2>&1)"; then - echo_error_and_exit "failed to get group list for username \"${username}\" command output: \"$idgroupinfo\"" +if ! idgroupinfo="$(id -G "$username" 2>&1)"; then + echo_error_and_exit "failed to get group list for username \"$username\" command output: \"$idgroupinfo\"" fi -if [[ ! " ${idgroupinfo} " =~ [:blank:]${gid}[:blank:] ]]; then - if ! err="$(addgroup "${username}" "${groupname}" 2>&1)"; then - echo_error_and_exit "failed to add user \"${username}\" to group \"${groupname}\" command output: \"${err}\"" +if [[ ! " $idgroupinfo " =~ [:blank:]${gid}[:blank:] ]]; then + if ! err="$(addgroup "$username" "$groupname" 2>&1)"; then + echo_error_and_exit "failed to add user \"$username\" to group \"$groupname\" command output: \"$err\"" fi fi From 6b3f6a97889eafa6256044ebf0f97b7a556128e9 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Mon, 5 Sep 2022 17:43:16 -0500 Subject: [PATCH 17/28] Add check to insure container is running as root --- tools/entrypoint.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index 30e2544df..130d175a9 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -11,6 +11,12 @@ function echo_error_and_exit { exit 1 } +# make sure entrypoint is running as root +[[ ! $(id -u) == "0" ]] && \ + echo_error_and_exit "Container must run as root. Use environment variable USERID to set user.\n"\ + " example: \"TAG=latest &&" \ + "docker run -e USERID=$(id -u):$(id -g) -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a\"" + # make sure USERID makes sense as UID:GID # it looks like the alpine distro limits UID and GID to 256000, but # could be more, so we accept any valid integers From 12d8526c6629c4ad856ffb914e6cfb53900d785c Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Tue, 6 Sep 2022 13:29:30 -0500 Subject: [PATCH 18/28] Correct initial UID check Co-authored-by: George L. Yermulnik --- tools/entrypoint.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index 130d175a9..123aafe51 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -12,10 +12,11 @@ function echo_error_and_exit { } # make sure entrypoint is running as root -[[ ! $(id -u) == "0" ]] && \ - echo_error_and_exit "Container must run as root. Use environment variable USERID to set user.\n"\ - " example: \"TAG=latest &&" \ +if [[ $(id -u) -ne 0 ]]; then + echo_error_and_exit "Container must run as root. Use environment variable USERID to set user.\n" \ + "Example: \"TAG=latest && " \ "docker run -e USERID=$(id -u):$(id -g) -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a\"" +fi # make sure USERID makes sense as UID:GID # it looks like the alpine distro limits UID and GID to 256000, but From c5e4d0150bdad97d2099db342295d3bd370bc458 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Tue, 6 Sep 2022 13:33:38 -0500 Subject: [PATCH 19/28] Split long gid error into multiline Co-authored-by: George L. Yermulnik --- tools/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index 123aafe51..15af792a3 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -52,7 +52,7 @@ else # create group in advance in case GID is different than UID groupname="$USERBASE$gid" if ! err="$(addgroup -g "$gid" "$groupname" 2>&1)"; then - echo_error_and_exit "failed to create gid \"$gid\" with name \"$groupname\" command output: \"$err\"" + echo_error_and_exit "failed to create gid \"$gid\" with name \"$groupname\"\ncommand output: \"$err\"" fi fi From 070b8a225e39bc75c7db86cea3c4fbab5feb935f Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Tue, 6 Sep 2022 13:35:12 -0500 Subject: [PATCH 20/28] Split long uid failure error message Co-authored-by: George L. Yermulnik --- tools/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index 15af792a3..67c42153b 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -63,7 +63,7 @@ if userinfo="$(getent passwd "$uid")"; then else username="$USERBASE$uid" if ! err="$(adduser -h "$HOMEPATH$username" -s "$BASHPATH" -G "$groupname" -D -u "$uid" -k "$HOME" "$username" 2>&1)"; then - echo_error_and_exit "failed to create uid \"$uid\" with name \"$username\" and group \"$groupname\" command output: \"$err\"" + echo_error_and_exit "failed to create uid \"$uid\" with name \"$username\" and group \"$groupname\"\ncommand output: \"$err\"" fi fi From ea6f65f11dd4b5e64d7a6ecc5f321ec8c2d8bba3 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Tue, 6 Sep 2022 13:36:32 -0500 Subject: [PATCH 21/28] Split long id -G error message Co-authored-by: George L. Yermulnik --- tools/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index 67c42153b..e3bb7dfad 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -69,7 +69,7 @@ fi # it's possible it was not in the group specified, add it if ! idgroupinfo="$(id -G "$username" 2>&1)"; then - echo_error_and_exit "failed to get group list for username \"$username\" command output: \"$idgroupinfo\"" + echo_error_and_exit "failed to get group list for username \"$username\"\ncommand output: \"$idgroupinfo\"" fi if [[ ! " $idgroupinfo " =~ [:blank:]${gid}[:blank:] ]]; then if ! err="$(addgroup "$username" "$groupname" 2>&1)"; then From 87541f43e9a509e9f82d7c4feca8a52919e7b757 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Tue, 6 Sep 2022 13:38:00 -0500 Subject: [PATCH 22/28] Split long addgroup error message Co-authored-by: George L. Yermulnik --- tools/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index e3bb7dfad..c24f8555c 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -73,7 +73,7 @@ if ! idgroupinfo="$(id -G "$username" 2>&1)"; then fi if [[ ! " $idgroupinfo " =~ [:blank:]${gid}[:blank:] ]]; then if ! err="$(addgroup "$username" "$groupname" 2>&1)"; then - echo_error_and_exit "failed to add user \"$username\" to group \"$groupname\" command output: \"$err\"" + echo_error_and_exit "failed to add user \"$username\" to group \"$groupname\"\ncommand output: \"$err\"" fi fi From ab15d72c685273511c78df981e3bdde98c792d51 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Tue, 6 Sep 2022 13:54:10 -0500 Subject: [PATCH 23/28] Fix bad pattern match for group info Co-authored-by: George L. Yermulnik --- tools/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index c24f8555c..b43a66957 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -71,7 +71,7 @@ fi if ! idgroupinfo="$(id -G "$username" 2>&1)"; then echo_error_and_exit "failed to get group list for username \"$username\"\ncommand output: \"$idgroupinfo\"" fi -if [[ ! " $idgroupinfo " =~ [:blank:]${gid}[:blank:] ]]; then +if [[ ! " $idgroupinfo " =~ [[:blank:]]${gid}[[:blank:]] ]]; then if ! err="$(addgroup "$username" "$groupname" 2>&1)"; then echo_error_and_exit "failed to add user \"$username\" to group \"$groupname\"\ncommand output: \"$err\"" fi From 527a5216f968b4f24e38ee6b9488bc5313cd08ba Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Tue, 6 Sep 2022 13:58:44 -0500 Subject: [PATCH 24/28] Separate error message array from string --- tools/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/entrypoint.sh b/tools/entrypoint.sh index b43a66957..86d5e369a 100755 --- a/tools/entrypoint.sh +++ b/tools/entrypoint.sh @@ -7,7 +7,7 @@ readonly BASHPATH="/bin/bash" readonly HOMEPATH="/home" function echo_error_and_exit { - echo -e "ERROR: $@" >&2 + echo -e "ERROR: " "$@" >&2 exit 1 } From 8df4f205b921bee359e415bae51072dd612044d7 Mon Sep 17 00:00:00 2001 From: John Schutz <328434+tofupup@users.noreply.github.com> Date: Tue, 6 Sep 2022 14:09:07 -0500 Subject: [PATCH 25/28] Fix entrypoint container test with new error msg --- .github/.container-structure-test-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.container-structure-test-config.yaml b/.github/.container-structure-test-config.yaml index 01b791cf5..c485db00f 100644 --- a/.github/.container-structure-test-config.yaml +++ b/.github/.container-structure-test-config.yaml @@ -66,7 +66,7 @@ commandTests: value: "1000:1000" command: "/entrypoint.sh" args: [ "-V" ] - expectedOutput: ["^user:gid 1000:1000 lacks permissions to //\\n$"] + expectedError: ["^ERROR: uid:gid 1000:1000 lacks permissions to //\\n$"] exitCode: 1 - name: "su-exec" From 44263d080450dbb708951fd92b19dbd5b88bf5d5 Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Wed, 7 Sep 2022 14:06:44 +0300 Subject: [PATCH 26/28] Pin su-exec more strictly su-exec now seems too unstable (https://semver.org/spec/v2.0.0.html#spec-item-4), to be able to pin only major version. Now installed 0.2-r1, in alpine edge exist 0.2-r2 package. I hope that will be no breaking changes in 0.2.x, so pin only MAJOR.MINOR --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index d01ee5120..bb598ad5b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -178,7 +178,7 @@ RUN apk add --no-cache \ musl-dev=~1 \ gcc=~10 \ # entrypoint wrapper deps - su-exec=~0 + su-exec=~0.2 # Copy tools COPY --from=builder \ From c16e2f4cce0e2c080ba01a9d2b57e9acec50fe0b Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Wed, 7 Sep 2022 14:35:24 +0300 Subject: [PATCH 27/28] Reorder docs and fix minor issues --- README.md | 39 ++++++++++++++++----------------------- 1 file changed, 16 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 819f27f21..53aff5992 100644 --- a/README.md +++ b/README.md @@ -51,10 +51,7 @@ If you are using `pre-commit-terraform` already or want to support its developme * [terraform_wrapper_module_for_each](#terraform_wrapper_module_for_each) * [terrascan](#terrascan) * [tfupdate](#tfupdate) -* [Docker Usage](#docker-usage) - * [File Permissions](#file-permissions) - * [Other Settings](#other-settings) - * [1. Module short name for terraform_wrapper_module_for_each](#1-module-short-name-for-terraformwrappermoduleforeach) +* [Docker Usage: File Permissions](#docker-usage-file-permissions) * [Authors](#authors) * [License](#license) * [Additional information for users from Russia and Belarus](#additional-information-for-users-from-russia-and-belarus) @@ -231,7 +228,7 @@ pre-commit run -a Or, using Docker ([available tags](https://github.com/antonbabenko/pre-commit-terraform/pkgs/container/pre-commit-terraform/versions)): -**NOTE:** This command uses your user id and group id for the docker container to use to access the local files. If the files are owned by another user, update the ```USERID``` environment variable. See [File Permissions](#file-permissions) for more information. +**NOTE:** This command uses your user id and group id for the docker container to use to access the local files. If the files are owned by another user, update the `USERID` environment variable. See [File Permissions section](#docker-usage-file-permissions) for more information. ```bash TAG=latest @@ -741,6 +738,16 @@ Sample configuration: - --args=--verbose # Verbose output ``` +**If you use hook inside Docker:** +The `terraform_wrapper_module_for_each` hook attempts to determine the module's short name to be inserted into the generated `README.md` files for the `source` URLs. Since the container uses a bind mount at a static location, it can cause this short name to be incorrect. +If the generated name is incorrect, set them by providing the `module-repo-shortname` option to the hook: + +```yaml +- id: terraform_wrapper_module_for_each + args: + - '--args=--module-repo-shortname=ec2-instance' # module repo short name +``` + ### terrascan 1. `terrascan` supports custom arguments so you can pass supported flags like `--non-recursive` and `--policy-type` to disable recursive inspection and set the policy type respectively: @@ -785,11 +792,9 @@ Sample configuration: Check [`tfupdate` usage instructions](https://github.com/minamijoyo/tfupdate#usage) for other available options and usage examples. No need to pass `--recursive .` as it is added automatically. -## Docker Usage +## Docker Usage: File Permissions -### File Permissions - -A mismatch between the Docker container's user and the local repository file ownership can cause permission issues in the repository where pre-commit is run. The container runs as the ```root``` user by default, and uses an entrypoint script to assume a user ID and group ID if specified by environment variable ```USERID```. +A mismatch between the Docker container's user and the local repository file ownership can cause permission issues in the repository where `pre-commit` is run. The container runs as the `root` user by default, and uses a `tools/entrypoint.sh` script to assume a user ID and group ID if specified by the environment variable `USERID`. The [recommended command](#4-run) to run the Docker container is: @@ -798,27 +803,15 @@ TAG=latest docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a ``` -which uses your current session's user ID and group ID to set the variable in the run command. Without this setting, you may find files and directories owned by ```root``` in your local repository. +which uses your current session's user ID and group ID to set the variable in the run command. Without this setting, you may find files and directories owned by `root` in your local repository. -If the local repository is using a different user or group for permissions, you can modify the USERID to the user ID and group ID needed. **Do not use the username or groupname in the environment variable, as it has no meaning in the container.** You can get the current directory's owner user ID and group ID from the 3rd (user) and 4th (group) columns in ```ls``` output: +If the local repository is using a different user or group for permissions, you can modify the `USERID` to the user ID and group ID needed. **Do not use the username or groupname in the environment variable, as it has no meaning in the container.** You can get the current directory's owner user ID and group ID from the 3rd (user) and 4th (group) columns in `ls` output: ```bash $ ls -aldn . drwxr-xr-x 9 1000 1000 4096 Sep 1 16:23 . ``` -### Other Settings - -#### 1. Module short name for ```terraform_wrapper_module_for_each``` - -The [terraform_wrapper_module_for_each](#terraformwrappermoduleforeach) hook attempts to determine the module's short name to be inserted into the generated ```README.md``` files for the ```source``` URLs. Since the container uses a bind mount at a static location, it can cause this short name to be incorrect. If the generated name is incorrect, it can be set by providing the ```module-repo-shortname``` option to the hook. - -```yaml -- id: terraform_wrapper_module_for_each - args: - - '--args=--module-repo-shortname=ec2-instance' # module repo short name -``` - ## Authors This repository is managed by [Anton Babenko](https://github.com/antonbabenko) with help from these awesome contributors: From 4064ba1a81c833f1c375a717df11d2e808d75b4c Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Wed, 7 Sep 2022 14:18:59 +0200 Subject: [PATCH 28/28] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 53aff5992..82c04dad6 100644 --- a/README.md +++ b/README.md @@ -745,7 +745,7 @@ If the generated name is incorrect, set them by providing the `module-repo-short ```yaml - id: terraform_wrapper_module_for_each args: - - '--args=--module-repo-shortname=ec2-instance' # module repo short name + - '--args=--module-repo-shortname=ec2-instance' ``` ### terrascan