From 4012bbf3538fb9bcca89d728378f2aafaa444c32 Mon Sep 17 00:00:00 2001
From: Ross Imlach
Date: Thu, 16 Mar 2023 13:22:19 +0000
Subject: [PATCH 1/2] Add initial Dockerfile and skeleton for ssosync lambda chmod +x entrypoint Assume correct ECR role Use correct ECR repository Fix entrypoint Add details about secrets manager Tidy up formatting of Dockerfile for linting Use quiet wget Pin awscli and jq versions Fix dockerfile linter config Update check-build.yml Just run on PRs
---
 .github/linters/.dockerfilelintrc | 104 ++++++++++++++++++++++++++++++
 .github/workflows/check-build.yml | 38 +++++++++++
 .github/workflows/linter.yml | 53 +++++++++++++++
 .github/workflows/main.yml | 40 ++++++++++++
 .github/workflows/reviewdog.yml | 13 ++++
 Dockerfile | 21 ++++++
 bin/entrypoint.sh | 11 ++++
 7 files changed, 280 insertions(+)
 create mode 100644 .github/linters/.dockerfilelintrc
 create mode 100644 .github/workflows/check-build.yml
 create mode 100644 .github/workflows/linter.yml
 create mode 100644 .github/workflows/main.yml
 create mode 100644 .github/workflows/reviewdog.yml
 create mode 100644 Dockerfile
 create mode 100755 bin/entrypoint.sh

diff --git a/.github/linters/.dockerfilelintrc b/.github/linters/.dockerfilelintrc
new file mode 100644
index 00000000..f44fc983
--- /dev/null
+++ b/.github/linters/.dockerfilelintrc
@@ -0,0 +1,104 @@
+###########################
+###########################
+## Dockerfile Lint rules ##
+###########################
+###########################
+
+#################################
+# Default is 'on' for all rules #
+# You can disable as needed. #
+#################################
+# Additional Info can be found at:
+# https://github.com/replicatedhq/dockerfilelint
+
+# Set the rules
+rules:
+ # All commands in a Dockerfile require at least 1 argument
+ required_params: on
+
+ # For clarity and readability, all instructions in
+ # a Dockerfile should be uppercase
+ uppercase_commands: on
+
+ # The first instruction in a Dockerfile must specify
+ # the base image using a FROM
+ from_first: on
+
+ # This line is not a valid Dockerfile line
+ invalid_line: on
+
+ # Use of sudo is not allowed in a Dockerfile
+ # DISABLED Oct21 - This is giving a false positive for installing sudo.
+ sudo_usage: off
+
+ # Consider using a `--no-install-recommends` when `apt-get`
+ # installing packages
+ apt-get_missing_param: on
+
+ # Consider using a `--no-install-recommends` when `apt-get`
+ # installing packages
+ apt-get_recommends: on
+
+ # Use of `apt-get upgrade` is not allowed in a Dockerfile
+ apt-get-upgrade: on
+
+ # Use of `apt-get dist-upgrade` is not allowed in a Dockerfile
+ apt-get-dist-upgrade: on
+
+ # All instances of `apt-get update` should have the `apt-get install`
+ # commands on the same line to reduce image size
+ apt-get-update_require_install: on
+
+ # Consider using a `--no-cache` (supported in alpine linux >= 3.3) or
+ # `--update` followed by the command `rm -rf /var/cache/apk/*`
+ # when `apk` adding packages. This will result in a smaller image size
+ apkadd-missing_nocache_or_updaterm: on
+
+ # Consider using a `--virtual` or `-t` switch to group multiple packages
+ # for easy cleanup. This will help ensure future authors will continue
+ # to clean up build dependencies and other temporary packages
+ apkadd-missing-virtual: on
+
+ # Exposing ports should only be valid port numbers
+ invalid_port: on
+
+ # Only valid commands are allowed in a Dockerfile
+ invalid_command: on
+
+ # Expose Only Container Port
+ expose_host_port: on
+
+ # Using LABEL should be in key=value format
+ label_invalid: on
+
+ # Base images should specify a tag to use
+ missing_tag: on
+
+ # Base images should not use the latest tag
+ latest_tag: on
+
+ # This command has extra arguments and will be ignored
+ extra_args: on
+
+ # This command requires additional arguments
+ missing_args: on
+
+ # All files referenced in an ADD command should
+ # be part of the Docker build context
+ add_src_invalid: on
+
+ # When adding multiple files, the destination should be a directory
+ add_dest_invalid: on
+
+ # Using a WORKDIR parameter that has spaces should be escaped
+ invalid_workdir: on
+
+ # The arguments to this command are invalid
+ invalid_format: on
+
+ # Use of apt-get update should be paired with
+ # rm -rf /var/lib/apt/lists/* in the same layer
+ apt-get_missing_rm: on
+
+ # This INSTRUCTION is deprecated as of Docker 1.13
+ deprecated_in_1.13: on
diff --git a/.github/workflows/check-build.yml b/.github/workflows/check-build.yml
new file mode 100644
index 00000000..4cda9fc7
--- /dev/null
+++ b/.github/workflows/check-build.yml
@@ -0,0 +1,38 @@
+name: Confirm successful image build
+on:
+ pull_request:
+ branches-ignore:
+ - master
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v1
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1-node16
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: eu-west-1
+ role-to-assume: arn:aws:iam::486229364833:role/allow_ecr_push_pull_access
+ role-duration-seconds: 1200
+
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v1
+
+ - name: Build
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ ECR_REPOSITORY: ssosync
+ IMAGE_TAG: ${{ github.sha }}
+ run: |
+ docker build -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}" -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:latest" .
+ docker push "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
+ docker push "${ECR_REGISTRY}/${ECR_REPOSITORY}:latest"
+ - name: Logout of Amazon ECR
+ if: always()
+ run: docker logout ${{ steps.login-ecr.outputs.registry }}
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
new file mode 100644
index 00000000..a2fd1352
--- /dev/null
+++ b/.github/workflows/linter.yml
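Review bot: The `Build` step pushes the image, including the `:latest` tag, on every pull_request run, so an unreviewed PR branch overwrites the same `latest` tag that main.yml publishes from master, even though the workflow name says it only confirms the build. Drop the two `docker push` lines here, or at most push the sha-tagged image and leave `latest` to the master workflow; `docker build -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}" .` is enough to prove the build. The same long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pair is used only to then assume `allow_ecr_push_pull_access`; configure-aws-credentials supports GitHub's OIDC provider (`permissions: id-token: write` plus `role-to-assume` alone), which would keep static keys out of the repository secrets. The workflow also declares no `permissions:` block, so the job token keeps the repository default scope rather than `contents: read`.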
@@ -0,0 +1,53 @@
+---
+###########################
+###########################
+## Linter GitHub Actions ##
+###########################
+###########################
+name: Lint Code Base
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+#############################
+# Start the job on all push #
+#############################
+on:
+ push:
+ branches-ignore: [master]
+ # Remove the line above to run when pushing to master
+
+###############
+# Set the Job #
+###############
+jobs:
+ build:
+ # Name the Job
+ name: Lint Code Base
+ # Set the agent to run on
+ runs-on: ubuntu-latest
+
+ ##################
+ # Load all steps #
+ ##################
+ steps:
+ ##########################
+ # Checkout the code base #
+ ##########################
+ - name: Checkout Code
+ uses: actions/checkout@v2
+ with:
+ # Full git history is needed to get a proper list of changed files within `super-linter`
+ fetch-depth: 0
+
+ ################################
+ # Run Linter against code base #
+ ################################
+ - name: Lint Code Base
+ uses: docker://ghcr.io/github/super-linter:slim-v4
+ env:
+ VALIDATE_ALL_CODEBASE: false
+ DEFAULT_BRANCH: master
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 00000000..15e487e8
--- /dev/null
+++ b/.github/workflows/main.yml
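Review bot: The super-linter step is handed `GITHUB_TOKEN` but the workflow declares no `permissions:` block, so the token carries the repository's default scope instead of the minimum the linter needs. Add a workflow-level `permissions:` with `contents: read` and `statuses: write`, which is roughly what super-linter documents for reporting results. `uses: docker://ghcr.io/github/super-linter:slim-v4` is a mutable tag, so the linter image can change underneath this workflow with no diff in the repository; pinning it by digest (`slim-v4@sha256:<image-digest>`) makes that dependency reviewable.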
@@ -0,0 +1,40 @@
+name: Build and push SSOSync image to ECR
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v1
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1-node16
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: eu-west-1
+ role-to-assume: arn:aws:iam::486229364833:role/allow_ecr_push_pull_access
+ role-duration-seconds: 1200
+
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v1
+
+ - name: Build, tag, and push image to Amazon ECR
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ ECR_REPOSITORY: ssosync
+ IMAGE_TAG: ${{ github.sha }}
+ run: |
+ docker build -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}" -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:latest" .
+ docker push "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
+ docker push "${ECR_REGISTRY}/${ECR_REPOSITORY}:latest"
+ - name: Logout of Amazon ECR
+ if: always()
+ run: docker logout ${{ steps.login-ecr.outputs.registry }}
+
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
new file mode 100644
index 00000000..cc34363a
--- /dev/null
+++ b/.github/workflows/reviewdog.yml
@@ -0,0 +1,13 @@
+name: reviewdog
+on: [pull_request]
+jobs:
+ actionlint:
+ name: runner / actionlint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: actionlint
+ uses: reviewdog/action-actionlint@v1.22.0
+ with:
+ fail_on_error: true
+ reporter: github-pr-review
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..b053733d
--- /dev/null
+++ b/Dockerfile
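Review bot: `actions/checkout@v1`, `aws-actions/configure-aws-credentials@v1-node16` and `aws-actions/amazon-ecr-login@v1` are all mutable release tags, so the code that receives the AWS credentials in this job can change without any diff in this repository; pin each action to a full commit SHA with the tag in a trailing comment (`uses: actions/checkout@<commit-sha> # v3`), and checkout v1 itself is long unmaintained. The credential step uses static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets only to then assume `allow_ecr_push_pull_access`; the same action supports GitHub's OIDC provider, which replaces the long-lived keys with a short-lived token (`permissions: id-token: write` plus `role-to-assume`). Without a `permissions:` block the job also inherits the repository's default `GITHUB_TOKEN` scope, where `contents: read` is all these steps need. check-build.yml carries the same three issues.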
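Review bot: reviewdog.yml also omits `permissions:`, so the `GITHUB_TOKEN` the action uses to post review comments runs with the repository default scope. For `reporter: github-pr-review` reviewdog needs `pull-requests: write` alongside `contents: read`; declaring exactly those two at the workflow level keeps the token minimal. `actions/checkout@v2` here is a floating tag while the reviewdog action is pinned to `v1.22.0`; pinning both to commit SHAs would be consistent.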
@@ -0,0 +1,21 @@
+FROM alpine:3.17.2
+
+ARG SSOSYNC_VERSION=v2.0.2
+
+# Install awscli and jq
+RUN apk add --no-cache aws-cli=1.25.97-r0 jq=1.6-r2 && \
+ rm -rf /var/cache/apk/
+
+# Download SSOSync binary
+RUN mkdir -p downloads && \
+ wget -q https://github.com/awslabs/ssosync/releases/download/${SSOSYNC_VERSION}/ssosync_Linux_x86_64.tar.gz -P downloads/ && \
+ tar xzvf downloads/ssosync_Linux_x86_64.tar.gz -C downloads/ && \
+ mv downloads/ssosync /usr/local/bin/ && \
+ rm -rf downloads
+
+# Copy over custom scripts and ensure scripts are exectutable
+COPY bin/* /usr/local/bin/
+RUN chmod +x /usr/local/bin/*
+
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
diff --git a/bin/entrypoint.sh b/bin/entrypoint.sh
new file mode 100755
index 00000000..0de980b6
--- /dev/null
+++ b/bin/entrypoint.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+# shellcheck shell=sh
+# https://github.com/koalaman/shellcheck/wiki/SC1008
+set -e
+
+# Load Google secrets at runtime.
+# Stored with the command `aws secretsmanager create-secret --name "ops/ssosync/googlecredentials" --secret-binary $(base64 -i credentials.json)`
+aws secretsmanager get-secret-value --region "eu-west-1" --secret-id "ops/ssosync/googlecredentials" --output "json" | jq -r ".SecretBinary" | base64 -d > credentials.json
+
+# Run SSO Sync, the rest of the config is pulled in through environment variables.
+/usr/local/bin/ssosync
From bd2d784fda70d12f640f995416f45930981a763e Mon Sep 17 00:00:00 2001
From: Ross Imlach
Date: Thu, 16 Mar 2023 16:31:03 +0000
Subject: [PATCH 2/2] Remove dockerfilelintrc to fix linter...
---
 .github/linters/.dockerfilelintrc | 104 ------------------------------
 1 file changed, 104 deletions(-)
 delete mode 100644 .github/linters/.dockerfilelintrc

diff --git a/.github/linters/.dockerfilelintrc b/.github/linters/.dockerfilelintrc
deleted file mode 100644
index f44fc983..00000000
--- a/.github/linters/.dockerfilelintrc
+++ /dev/null
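Review bot: The `wget` in the second `RUN` fetches `ssosync_Linux_x86_64.tar.gz` for `${SSOSYNC_VERSION}` and moves the unpacked binary into `/usr/local/bin` with no integrity check, so a replaced or tampered release asset is built into the image silently. Record the expected SHA-256 of the pinned `v2.0.2` tarball in the Dockerfile and verify it before `tar`, e.g. `echo "<expected-sha256>  downloads/ssosync_Linux_x86_64.tar.gz" | sha256sum -c -` (busybox provides `sha256sum`). The image also never leaves root: adding a dedicated user and `USER` before `ENTRYPOINT`, with a `WORKDIR` that user can write since entrypoint.sh writes `credentials.json` to the current directory, limits what a compromised ssosync or aws-cli process can do. `chmod +x /usr/local/bin/*` also touches the `ssosync` binary and anything else in that directory; `RUN chmod +x /usr/local/bin/entrypoint.sh` is the narrower form.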
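Review bot: In bin/entrypoint.sh, `set -e` does not cover the pipeline on the `aws secretsmanager get-secret-value` line: only the exit status of the final `base64 -d` is checked, so if the secret lookup fails (missing permission, wrong region, throttling) the script writes an empty or garbage `credentials.json` and still starts `ssosync`. Capture the lookup in a variable so `set -e` applies to it: `secret_json=$(aws secretsmanager get-secret-value --region "eu-west-1" --secret-id "ops/ssosync/googlecredentials" --output "json")` followed by `printf '%s' "$secret_json" | jq -r ".SecretBinary" | base64 -d > credentials.json`. The decoded Google credentials land in the working directory (`/`, since the Dockerfile sets no `WORKDIR`) with the default umask; a `umask 077` before the redirection, and writing to a path the running user owns, keeps the file from being readable by other users in the container.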
@@ -1,104 +0,0 @@
-###########################
-###########################
-## Dockerfile Lint rules ##
-###########################
-###########################
-
-#################################
-# Default is 'on' for all rules #
-# You can disable as needed. #
-#################################
-# Additional Info can be found at:
-# https://github.com/replicatedhq/dockerfilelint
-
-# Set the rules
-rules:
- # All commands in a Dockerfile require at least 1 argument
- required_params: on
-
- # For clarity and readability, all instructions in
- # a Dockerfile should be uppercase
- uppercase_commands: on
-
- # The first instruction in a Dockerfile must specify
- # the base image using a FROM
- from_first: on
-
- # This line is not a valid Dockerfile line
- invalid_line: on
-
- # Use of sudo is not allowed in a Dockerfile
- # DISABLED Oct21 - This is giving a false positive for installing sudo.
- sudo_usage: off
-
- # Consider using a `--no-install-recommends` when `apt-get`
- # installing packages
- apt-get_missing_param: on
-
- # Consider using a `--no-install-recommends` when `apt-get`
- # installing packages
- apt-get_recommends: on
-
- # Use of `apt-get upgrade` is not allowed in a Dockerfile
- apt-get-upgrade: on
-
- # Use of `apt-get dist-upgrade` is not allowed in a Dockerfile
- apt-get-dist-upgrade: on
-
- # All instances of `apt-get update` should have the `apt-get install`
- # commands on the same line to reduce image size
- apt-get-update_require_install: on
-
- # Consider using a `--no-cache` (supported in alpine linux >= 3.3) or
- # `--update` followed by the command `rm -rf /var/cache/apk/*`
- # when `apk` adding packages. This will result in a smaller image size
- apkadd-missing_nocache_or_updaterm: on
-
- # Consider using a `--virtual` or `-t` switch to group multiple packages
- # for easy cleanup. This will help ensure future authors will continue
- # to clean up build dependencies and other temporary packages
- apkadd-missing-virtual: on
-
- # Exposing ports should only be valid port numbers
- invalid_port: on
-
- # Only valid commands are allowed in a Dockerfile
- invalid_command: on
-
- # Expose Only Container Port
- expose_host_port: on
-
- # Using LABEL should be in key=value format
- label_invalid: on
-
- # Base images should specify a tag to use
- missing_tag: on
-
- # Base images should not use the latest tag
- latest_tag: on
-
- # This command has extra arguments and will be ignored
- extra_args: on
-
- # This command requires additional arguments
- missing_args: on
-
- # All files referenced in an ADD command should
- # be part of the Docker build context
- add_src_invalid: on
-
- # When adding multiple files, the destination should be a directory
- add_dest_invalid: on
-
- # Using a WORKDIR parameter that has spaces should be escaped
- invalid_workdir: on
-
- # The arguments to this command are invalid
- invalid_format: on
-
- # Use of apt-get update should be paired with
- # rm -rf /var/lib/apt/lists/* in the same layer
- apt-get_missing_rm: on
-
- # This INSTRUCTION is deprecated as of Docker 1.13
- deprecated_in_1.13: on