Merge branch 'master' into feature/run_single_functional_test

.travis.yml

@@ -73,7 +73,7 @@ jobs:
         - echo "export LATEST_TERRAFORM_VERSION=$(curl https://checkpoint-api.hashicorp.com/v1/check/terraform | jq -r .current_version)" > terraform_version.sh
         - source terraform_version.sh
         - if [ -z "$LATEST_TERRAFORM_VERSION" ]; then echo "Can not identify latest terraform version!"; travis_terminate 1; fi
-        - travis_retry docker build --compress --no-cache -t "$IMAGE_NAME" --build-arg VERSION=$RELEASE_VERSION --build-arg LATEST_TERRAFORM_VERSION=$LATEST_TERRAFORM_VERSION . || travis_terminate 1
+        - travis_retry docker build --compress --no-cache -t "$IMAGE_NAME" --build-arg VERSION=$RELEASE_VERSION --build-arg LATEST_TERRAFORM_VERSION=$LATEST_TERRAFORM_VERSION --build-arg HASHICORP_PGP_KEY="$(cat hashicorp-pgp-key.pub)" . || travis_terminate 1
         - docker images || travis_terminate 1
         - docker login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASS" || travis_terminate 1
         - docker tag "$IMAGE_NAME" eerkunt/terraform-compliance:latest || travis_terminate 1

Dockerfile

@@ -3,21 +3,53 @@ FROM python:3.7.3-slim
 ARG VERSION
 ARG LATEST_TERRAFORM_VERSION
 
+ARG HASHICORP_PGP_KEY
+ARG TARGET_ARCH='linux_amd64'
+
 LABEL terraform_compliance.version="${VERSION}"
 LABEL author="Emre Erkunt <emre.erkunt@gmail.com>"
 LABEL source="https://github.com/eerkunt/terraform-compliance"
 
 ENV TERRAFORM_VERSION=${LATEST_TERRAFORM_VERSION}
+ENV TARGET_ARCH="${TARGET_ARCH}"
+ENV HASHICORP_PGP_KEY="${HASHICORP_PGP_KEY}"
 
-RUN  apt-get update && \
-     apt-get install -y git curl unzip && \
-     curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip --output terraform_linux_amd64.zip && \
-     unzip terraform_linux_amd64.zip -d /usr/bin && \
-     pip install terraform-compliance==${VERSION} && \
-     pip uninstall -y radish radish-bdd && \
-     pip install radish radish-bdd && \
-     rm -rf /var/lib/apt/lists/* && \
-     mkdir -p /target
+RUN  set -ex \
+     && BUILD_DEPS='wget unzip gpg' \
+     && RUN_DEPS='git' \
+     && apt-get update \
+     && apt-get install -y ${BUILD_DEPS} ${RUN_DEPS} \
+     && TERRAFORM_FILE_NAME="terraform_${TERRAFORM_VERSION}_${TARGET_ARCH}.zip" \
+     && SHA256SUM_FILE_NAME="terraform_${TERRAFORM_VERSION}_SHA256SUMS" \
+     && SHA256SUM_SIG_FILE_NAME="terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig" \
+     && SHA256SUM_FILE_NAME_FOR_ARCH="${SHA256SUM_FILE_NAME}.${TARGET_ARCH}" \
+     && HASHICORP_PGP_KEY_FILE='hashicorp-pgp-key.pub' \
+     && OLD_BASEDIR="$(pwd)" \
+     && TMP_DIR=$(mktemp -d) \
+     && cd "${TMP_DIR}" \
+     && echo "${HASHICORP_PGP_KEY}" > "${HASHICORP_PGP_KEY_FILE}" \
+     && wget -q "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/${SHA256SUM_FILE_NAME}" \
+     && wget -q "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/${SHA256SUM_SIG_FILE_NAME}" \
+     && gpg --import "${HASHICORP_PGP_KEY_FILE}" \
+     && gpg --verify "${SHA256SUM_SIG_FILE_NAME}" "${SHA256SUM_FILE_NAME}" \
+     && wget -q "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/${TERRAFORM_FILE_NAME}" \
+     && grep "${TERRAFORM_FILE_NAME}" "${SHA256SUM_FILE_NAME}" > "${SHA256SUM_FILE_NAME_FOR_ARCH}" \
+     && ls -al . \
+     && sha256sum -c "${SHA256SUM_FILE_NAME_FOR_ARCH}" \
+     && unzip "${TERRAFORM_FILE_NAME}" \
+     && install terraform /usr/bin/ \
+     && cd "${OLD_BASEDIR}" \
+     && unset OLD_BASEDIR \
+     && rm -vrf ${TMP_DIR} \
+     && pip install --upgrade pip \
+     && pip install terraform-compliance=="${VERSION}" \
+     && pip uninstall -y radish radish-bdd \
+     && pip install radish radish-bdd \
+     && apt-get remove -y ${BUILD_DEPS} \
+     && apt-get autoremove -y \
+     && apt-get clean -y \
+     && rm -rf /var/lib/apt/lists/* \
+     && mkdir -p /target
 
 WORKDIR /target
 ENTRYPOINT ["terraform-compliance"]

hashicorp-pgp-key.pub

@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
+W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
+fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
+3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
+KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
+SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
+cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG
+CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n
+Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i
+SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi
+psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w
+sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO
+klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW
+WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9
+wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j
+2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM
+skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo
+mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y
+0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA
+CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc
+z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP
+0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG
+unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ
+EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ
+oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
+=LYpS
+-----END PGP PUBLIC KEY BLOCK-----

requirements.txt

@@ -1,6 +1,6 @@
 radish-bdd==0.13.1
-gitpython==3.0.5
-mock==4.0.0
+mock==4.0.1
+gitpython==3.0.7
 netaddr==0.7.19
 colorful==0.5.4
 filetype==1.0.5