Chore: [AEA-0000] - add tflint to eps-storage-terraform#94
Chore: [AEA-0000] - add tflint to eps-storage-terraform#94anthony-nhs wants to merge 10 commits intomainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds TFLint to the eps-storage-terraform devcontainer build so Terraform linting is available in that environment, and updates CI/release workflows to provide the permissions/env needed for the build steps.
Changes:
- Add a dedicated
Dockerfile.tflint+ install script to download and verify TFLint, then copy the binary into theeps-storage-terraformdevcontainer image. - Harden the root install script with
set -euo pipefail. - Update Makefile and GitHub Actions workflows to support the new build step (including passing
GITHUB_TOKENinto the build environment).
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| src/projects/eps-storage-terraform/.devcontainer/scripts/root_install.sh | Harden shell execution flags. |
| src/projects/eps-storage-terraform/.devcontainer/scripts/install_tflint.sh | Add TFLint installer (download + checksum/attestation verification). |
| src/projects/eps-storage-terraform/.devcontainer/Dockerfile.tflint | Build a minimal image exporting the TFLint binary. |
| src/projects/eps-storage-terraform/.devcontainer/Dockerfile | Copy the TFLint binary into the devcontainer image. |
| Makefile | Add build-tflint and wire it into image builds; adjust eps-storage-terraform container name. |
| .github/workflows/ci.yml | Add job permissions required by the devcontainer quality checks. |
| .github/workflows/pull_request.yml | Add job permissions required by the devcontainer quality checks. |
| .github/workflows/release.yml | Add job permissions required by the devcontainer quality checks. |
| .github/workflows/build_multi_arch_image.yml | Export GITHUB_TOKEN into the build environment for the new build step. |
| ARCH="${TARGETARCH}" \ | ||
| VERSION="${TFLINT_VERSION}" \ |
There was a problem hiding this comment.
The install script reads TARGETARCH and TFLINT_VERSION, but this RUN invocation sets ARCH and VERSION instead. As written, install_tflint.sh will exit because TARGETARCH/TFLINT_VERSION are unset, so the tflint image build will fail. Pass the expected variable names (or update the script to consume ARCH/VERSION consistently).
| ARCH="${TARGETARCH}" \ | |
| VERSION="${TFLINT_VERSION}" \ | |
| TARGETARCH="${TARGETARCH}" \ | |
| TFLINT_VERSION="${TFLINT_VERSION}" \ |
Makefile
Outdated
| build-tflint: | ||
| docker buildx build \ | ||
| --secret id=GH_TOKEN,env=GITHUB_TOKEN \ | ||
| -f src/projects/eps-storage-terraform/.devcontainer/Dockerfile.tflint \ |
There was a problem hiding this comment.
This uses docker buildx build to tag local_tflint:latest, but without --load (or an explicit --output type=docker). With the common docker-container buildx driver (e.g., in GitHub Actions), the tagged image won't be loaded into the local Docker daemon, so subsequent devcontainer build steps that do FROM local_tflint:latest will fail to resolve the image. Add --load (single-platform) or change the approach to export the binary via --output and copy it in.
| -f src/projects/eps-storage-terraform/.devcontainer/Dockerfile.tflint \ | |
| -f src/projects/eps-storage-terraform/.devcontainer/Dockerfile.tflint \ | |
| --load \ |
| --tag local_tflint:latest \ | ||
| src/projects/eps-storage-terraform/.devcontainer/ | ||
|
|
||
| build-image: build-syft build-grype build-grant build-tflint guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG |
There was a problem hiding this comment.
build-image now always depends on build-tflint, which introduces an extra build step (and a required GITHUB_TOKEN secret) even when building unrelated devcontainers. This can break local builds and adds avoidable CI time. Consider making build-tflint conditional (e.g., only when CONTAINER_NAME=eps-storage-terraform), or moving the tflint build into the eps-storage-terraform Dockerfile so other images don't pay the cost.
| build-image: build-syft build-grype build-grant build-tflint guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG | |
| build-image: build-syft build-grype build-grant guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG | |
| if [ "$${CONTAINER_NAME}" = "eps_storage_terraform" ]; then \ | |
| $(MAKE) build-tflint; \ | |
| fi; \ |
| TFLINT_URL="https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION}/tflint_linux_${TFLINT_ARCH}.zip" | ||
| TFLINT_ASSET_NAME="tflint_linux_${TFLINT_ARCH}.zip" | ||
| CHECKSUMS_URL="https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION}/checksums.txt" | ||
| tmp_dir="$(mktemp -d)" |
There was a problem hiding this comment.
Because the script runs with set -u, referencing ${TFLINT_VERSION} will cause an immediate exit with a generic 'unbound variable' error if it isn't provided by the caller. Add an explicit check (with a clear message) or a default value before constructing the download URLs so failures are actionable.
Summary
Details