feat!: Update Dockerfile to install terraform-validator from gcloud (#…

…156) * Update Dockerfile to install terraform-validator from gcloud * address comments * update document and change dockerfile base image * add gcloud image version to tf modules * fix build error Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>
terraform-google-modules · Jun 8, 2022 · a300b9c · a300b9c
1 parent 5a925f8
commit a300b9c
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 26 deletions.
diff --git a/docs/upgrading_to_v6.0.md b/docs/upgrading_to_v6.0.md
@@ -0,0 +1,5 @@
+# Upgrading to v6.0
+
+## Terraform Validator is migrated to gcloud terraform-tools component
+
+terraform-validator is migrated to `gcloud beta terraform vet`[https://cloud.google.com/docs/terraform/policy-validation].
diff --git a/modules/cloudbuild/README.md b/modules/cloudbuild/README.md
@@ -60,6 +60,7 @@ Functional examples and sample Cloud Build definitions are included in the [exam
 | default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
 | folder\_id | The ID of a folder to host this project | `string` | `""` | no |
 | gar\_repo\_name | Custom name to use for GAR repo. | `string` | `""` | no |
+| gcloud\_version | Default gcloud image version. | `string` | `"388.0.0-slim"` | no |
 | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes |
 | impersonate\_service\_account | The service account to impersonate while running the gcloud builds submit command. | `string` | `""` | no |
 | org\_id | GCP Organization ID | `string` | n/a | yes |
@@ -73,7 +74,6 @@ Functional examples and sample Cloud Build definitions are included in the [exam
 | terraform\_sa\_email | Email for terraform service account. | `string` | n/a | yes |
 | terraform\_sa\_name | Fully-qualified name of the terraform service account. | `string` | n/a | yes |
 | terraform\_state\_bucket | Default state bucket, used in Cloud Build substitutions. | `string` | n/a | yes |
-| terraform\_validator\_release | Default terraform-validator release. | `string` | `"v0.6.0"` | no |
 | terraform\_version | Default terraform version. | `string` | `"1.0.2"` | no |
 | terraform\_version\_sha256sum | sha256sum for default terraform version. | `string` | `"7329f887cc5a5bda4bedaec59c439a4af7ea0465f83e3c1b0f4d04951e1181f4"` | no |
 

diff --git a/modules/cloudbuild/cloudbuild_builder/Dockerfile b/modules/cloudbuild/cloudbuild_builder/Dockerfile
@@ -12,33 +12,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM gcr.io/cloud-builders/gcloud-slim
+ARG GCLOUD_VERSION=slim
+FROM google/cloud-sdk:${GCLOUD_VERSION}
 
 # Use ARG so that values can be overriden by user/cloudbuild
 ARG TERRAFORM_VERSION=0.13.7
 ARG TERRAFORM_VERSION_SHA256SUM=4a52886e019b4fdad2439da5ff43388bbcc6cce9784fde32c53dcd0e28ca9957
-ARG TERRAFORM_VALIDATOR_RELEASE=v0.6.0
 
 ENV ENV_TERRAFORM_VERSION=$TERRAFORM_VERSION
 ENV ENV_TERRAFORM_VERSION_SHA256SUM=$TERRAFORM_VERSION_SHA256SUM
-ENV ENV_TERRAFORM_VALIDATOR_RELEASE=$TERRAFORM_VALIDATOR_RELEASE
 
 RUN apt-get update && \
-   /builder/google-cloud-sdk/bin/gcloud -q components install alpha beta && \
     apt-get -y install curl jq unzip git ca-certificates && \
     curl https://releases.hashicorp.com/terraform/${ENV_TERRAFORM_VERSION}/terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip \
       > terraform_linux_amd64.zip && \
     echo "${ENV_TERRAFORM_VERSION_SHA256SUM} terraform_linux_amd64.zip" > terraform_SHA256SUMS && \
     sha256sum -c terraform_SHA256SUMS --status && \
+    mkdir -p /builder && \
     unzip terraform_linux_amd64.zip -d /builder/terraform && \
     rm -f terraform_linux_amd64.zip terraform_SHA256SUMS && \
-    TERRAFORM_VALIDATOR_VERSION="$(echo $ENV_TERRAFORM_VALIDATOR_RELEASE | sed -e 's/^v//')" && \
-    TERRAFORM_VALIDATOR_ARCHIVE="terraform-validator_linux_amd64-${TERRAFORM_VALIDATOR_VERSION}.tar.gz" && \
-    TERRAFORM_VALIDATOR_GCS_PATH="gs://terraform-validator/releases/${ENV_TERRAFORM_VALIDATOR_RELEASE}/${TERRAFORM_VALIDATOR_ARCHIVE}" && \
-    gsutil cp "${TERRAFORM_VALIDATOR_GCS_PATH}" . && \
-    tar -zxvf "${TERRAFORM_VALIDATOR_ARCHIVE}" --no-same-owner -C /builder/terraform terraform-validator && \
-    chmod 0755 /builder/terraform/terraform-validator && \
-    rm -f "${TERRAFORM_VALIDATOR_ARCHIVE}" && \
     apt-get --purge -y autoremove && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*

diff --git a/modules/cloudbuild/cloudbuild_builder/cloudbuild.yaml b/modules/cloudbuild/cloudbuild_builder/cloudbuild.yaml
@@ -19,15 +19,14 @@ steps:
   args: [
     'build',
     '--tag=${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPOSITORY}/terraform',
+    '--build-arg=GCLOUD_VERSION=${_GCLOUD_VERSION}',
     '--build-arg=TERRAFORM_VERSION=${_TERRAFORM_VERSION}',
     '--build-arg=TERRAFORM_VERSION_SHA256SUM=${_TERRAFORM_VERSION_SHA256SUM}',
-    '--build-arg=TERRAFORM_VALIDATOR_RELEASE=${_TERRAFORM_VALIDATOR_RELEASE}',
     '.'
     ]
 - name: '${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPOSITORY}/terraform'
   args: ['version']
 substitutions:
   _TERRAFORM_VERSION: '1.0.2' # default value
   _TERRAFORM_VERSION_SHA256SUM: '7329f887cc5a5bda4bedaec59c439a4af7ea0465f83e3c1b0f4d04951e1181f4' # default value
-  _TERRAFORM_VALIDATOR_RELEASE: 'v0.6.0'
 images: ['${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPOSITORY}/terraform']
diff --git a/modules/cloudbuild/main.tf b/modules/cloudbuild/main.tf
@@ -273,7 +273,7 @@ resource "null_resource" "cloudbuild_terraform_builder" {
 
   provisioner "local-exec" {
     command = <<EOT
-    gcloud ${local.impersonate_service_account} builds submit ${path.module}/cloudbuild_builder/ --project ${module.cloudbuild_project.project_id} --config=${path.module}/cloudbuild_builder/cloudbuild.yaml --substitutions=_TERRAFORM_VERSION=${var.terraform_version},_TERRAFORM_VERSION_SHA256SUM=${var.terraform_version_sha256sum},_TERRAFORM_VALIDATOR_RELEASE=${var.terraform_validator_release},_REGION=${google_artifact_registry_repository.tf-image-repo.location},_REPOSITORY=${local.gar_name}
+    gcloud ${local.impersonate_service_account} builds submit ${path.module}/cloudbuild_builder/ --project ${module.cloudbuild_project.project_id} --config=${path.module}/cloudbuild_builder/cloudbuild.yaml --substitutions=_GCLOUD_VERSION=${var.gcloud_version},_TERRAFORM_VERSION=${var.terraform_version},_TERRAFORM_VERSION_SHA256SUM=${var.terraform_version_sha256sum},_REGION=${google_artifact_registry_repository.tf-image-repo.location},_REPOSITORY=${local.gar_name}
   EOT
   }
   depends_on = [

diff --git a/modules/cloudbuild/variables.tf b/modules/cloudbuild/variables.tf
@@ -137,21 +137,16 @@ variable "terraform_version" {
   default     = "1.0.2"
 }
 
-variable "terraform_version_sha256sum" {
-  description = "sha256sum for default terraform version."
+variable "gcloud_version" {
+  description = "Default gcloud image version."
   type        = string
-  default     = "7329f887cc5a5bda4bedaec59c439a4af7ea0465f83e3c1b0f4d04951e1181f4"
+  default     = "388.0.0-slim"
 }
 
-variable "terraform_validator_release" {
-  description = "Default terraform-validator release."
+variable "terraform_version_sha256sum" {
+  description = "sha256sum for default terraform version."
   type        = string
-  default     = "v0.6.0"
-
-  validation {
-    condition     = try(tonumber(trimprefix(replace(var.terraform_validator_release, ".", ""), "v")), 0) >= 60
-    error_message = "Terraform-validator release must be >= v0.6.0."
-  }
+  default     = "7329f887cc5a5bda4bedaec59c439a4af7ea0465f83e3c1b0f4d04951e1181f4"
 }
 
 variable "cloudbuild_plan_filename" {