-
Notifications
You must be signed in to change notification settings - Fork 592
Expand file tree
/
Copy pathinstall.sh
More file actions
executable file
·673 lines (607 loc) · 29.4 KB
/
install.sh
File metadata and controls
executable file
·673 lines (607 loc) · 29.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
#!/usr/bin/env bash
#-------------------------------------------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
#-------------------------------------------------------------------------------------------------------------
#
# Docs: https://github.com/microsoft/vscode-dev-containers/blob/main/script-library/docs/terraform.md
# Maintainer: The VS Code and Codespaces Teams
set -e
# Clean up
rm -rf /var/lib/apt/lists/*
TERRAFORM_VERSION="${VERSION:-"latest"}"
TFLINT_VERSION="${TFLINT:-"latest"}"
TERRAGRUNT_VERSION="${TERRAGRUNT:-"latest"}"
INSTALL_SENTINEL=${INSTALLSENTINEL:-false}
INSTALL_TFSEC=${INSTALLTFSEC:-false}
INSTALL_TERRAFORM_DOCS=${INSTALLTERRAFORMDOCS:-false}
CUSTOM_DOWNLOAD_SERVER="${CUSTOMDOWNLOADSERVER:-""}"
# This is because ubuntu noble and debian trixie don't support the old format of GPG keys and validation
NEW_GPG_CODENAMES="trixie noble"
TERRAFORM_SHA256="${TERRAFORM_SHA256:-"automatic"}"
TFLINT_SHA256="${TFLINT_SHA256:-"automatic"}"
TERRAGRUNT_SHA256="${TERRAGRUNT_SHA256:-"automatic"}"
SENTINEL_SHA256="${SENTINEL_SHA256:-"automatic"}"
TFSEC_SHA256="${TFSEC_SHA256:-"automatic"}"
TERRAFORM_DOCS_SHA256="${TERRAFORM_DOCS_SHA256:-"automatic"}"
HASHICORP_RELEASES_URL="https://releases.hashicorp.com"
if [ -n "${CUSTOM_DOWNLOAD_SERVER}" ]; then
HASHICORP_RELEASES_URL="${CUSTOM_DOWNLOAD_SERVER}"
fi
TERRAFORM_GPG_KEY="72D7468F"
TFLINT_GPG_KEY_URI="https://raw.githubusercontent.com/terraform-linters/tflint/v0.46.1/8CE69160EB3F2FE9.key"
KEYSERVER_PROXY="${HTTPPROXY:-"${HTTP_PROXY:-""}"}"
architecture="$(uname -m)"
case ${architecture} in
x86_64) architecture="amd64";;
aarch64 | armv8*) architecture="arm64";;
aarch32 | armv7* | armvhf*) architecture="arm";;
i?86) architecture="386";;
*) echo "(!) Architecture ${architecture} unsupported"; exit 1 ;;
esac
if [ "$(id -u)" -ne 0 ]; then
echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
exit 1
fi
# Detect Ubuntu Noble or Debian Trixie and use new repo setup, else use legacy GPG logic
IS_GPG_NEW=0
. /etc/os-release
if [[ "${NEW_GPG_CODENAMES}" == *"${VERSION_CODENAME}"* ]]; then
IS_GPG_NEW=1
fi
# Get the list of GPG key servers that are reachable
get_gpg_key_servers() {
declare -A keyservers_curl_map=(
["hkps://keyserver.ubuntu.com"]="https://keyserver.ubuntu.com"
["hkps://keys.openpgp.org"]="https://keys.openpgp.org"
["hkps://keyserver.pgp.com"]="https://keyserver.pgp.com"
)
local curl_args=""
local keyserver_reachable=false # Flag to indicate if any keyserver is reachable
if [ ! -z "${KEYSERVER_PROXY}" ]; then
curl_args="--proxy ${KEYSERVER_PROXY}"
fi
for keyserver in "${!keyservers_curl_map[@]}"; do
local keyserver_curl_url="${keyservers_curl_map[${keyserver}]}"
if curl -s ${curl_args} --max-time 5 ${keyserver_curl_url} > /dev/null; then
echo "keyserver ${keyserver}"
keyserver_reachable=true
else
echo "(*) Keyserver ${keyserver} is not reachable." >&2
fi
done
if ! $keyserver_reachable; then
echo "(!) No keyserver is reachable." >&2
exit 1
fi
}
# Import the specified key in a variable name passed in as
receive_gpg_keys() {
local keys=${!1}
local keyring_args=""
if [ ! -z "$2" ]; then
keyring_args="--no-default-keyring --keyring $2"
fi
if [ ! -z "${KEYSERVER_PROXY}" ]; then
keyring_args="${keyring_args} --keyserver-options http-proxy=${KEYSERVER_PROXY}"
fi
# Install curl
if ! type curl > /dev/null 2>&1; then
check_packages curl
fi
# Use a temporary location for gpg keys to avoid polluting image
export GNUPGHOME="/tmp/tmp-gnupg"
mkdir -p ${GNUPGHOME}
chmod 700 ${GNUPGHOME}
# Special handling for HashiCorp GPG key on Ubuntu Noble
if [ "$IS_GPG_NEW" -eq 1 ] && [ "$keys" = "$TERRAFORM_GPG_KEY" ]; then
echo "(*) Ubuntu Noble detected, using Keybase for HashiCorp GPG key import...."
curl -fsSL https://keybase.io/hashicorp/pgp_keys.asc | gpg --import
if ! gpg --list-keys "${TERRAFORM_GPG_KEY}" > /dev/null 2>&1; then
gpg --list-keys
echo "(*) Warning: HashiCorp GPG key not found in keyring after import."
echo " Continuing installation without GPG verification on Ubuntu Noble."
echo " This is expected behavior for Ubuntu Noble due to keyserver issues."
return 1 # Return failure to indicate GPG verification should be skipped
fi
return 0
fi
echo -e "disable-ipv6\n$(get_gpg_key_servers)" > ${GNUPGHOME}/dirmngr.conf
# GPG key download sometimes fails for some reason and retrying fixes it.
local retry_count=0
local gpg_ok="false"
set +e
until [ "${gpg_ok}" = "true" ] || [ "${retry_count}" -eq "5" ];
do
echo "(*) Downloading GPG key..."
( echo "${keys}" | xargs -n 1 gpg -q ${keyring_args} --recv-keys) 2>&1 && gpg_ok="true"
if [ "${gpg_ok}" != "true" ]; then
echo "(*) Failed getting key, retrying in 10s..."
(( retry_count++ ))
sleep 10s
fi
done
# If all attempts fail, try getting the keyserver IP address and explicitly passing it to gpg
if [ "${gpg_ok}" = "false" ]; then
retry_count=0;
echo "(*) Resolving GPG keyserver IP address..."
local keyserver_ip_address=$( dig +short keyserver.ubuntu.com | head -n1 )
echo "(*) GPG keyserver IP address $keyserver_ip_address"
until [ "${gpg_ok}" = "true" ] || [ "${retry_count}" -eq "3" ];
do
echo "(*) Downloading GPG key..."
( echo "${keys}" | xargs -n 1 gpg -q ${keyring_args} --recv-keys --keyserver ${keyserver_ip_address}) 2>&1 && gpg_ok="true"
if [ "${gpg_ok}" != "true" ]; then
echo "(*) Failed getting key, retrying in 10s..."
(( retry_count++ ))
sleep 10s
fi
done
fi
set -e
if [ "${gpg_ok}" = "false" ]; then
echo "(!) Failed to get gpg key."
exit 1
fi
}
# Figure out correct version of a three part version number is not passed
find_version_from_git_tags() {
local variable_name=$1
local requested_version=${!variable_name}
if [ "${requested_version}" = "none" ]; then return; fi
local repository=$2
local prefix=${3:-"tags/v"}
local separator=${4:-"."}
local last_part_optional=${5:-"false"}
if [ "$(echo "${requested_version}" | grep -o "." | wc -l)" != "2" ]; then
local escaped_separator=${separator//./\\.}
local last_part
if [ "${last_part_optional}" = "true" ]; then
last_part="(${escaped_separator}[0-9]+)?"
else
last_part="${escaped_separator}[0-9]+"
fi
local regex="${prefix}\\K[0-9]+${escaped_separator}[0-9]+${last_part}$"
local version_list="$(git ls-remote --tags ${repository} | grep -oP "${regex}" | tr -d ' ' | tr "${separator}" "." | sort -rV)"
if [ "${requested_version}" = "latest" ] || [ "${requested_version}" = "current" ] || [ "${requested_version}" = "lts" ]; then
declare -g ${variable_name}="$(echo "${version_list}" | head -n 1)"
else
set +e
declare -g ${variable_name}="$(echo "${version_list}" | grep -E -m 1 "^${requested_version//./\\.}([\\.\\s]|$)")"
set -e
fi
fi
if [ -z "${!variable_name}" ] || ! echo "${version_list}" | grep "^${!variable_name//./\\.}$" > /dev/null 2>&1; then
echo -e "Invalid ${variable_name} value: ${requested_version}\nValid values:\n${version_list}" >&2
exit 1
fi
echo "${variable_name}=${!variable_name}"
}
# Use semver logic to decrement a version number then look for the closest match
find_prev_version_from_git_tags() {
local variable_name=$1
local current_version=${!variable_name}
local repository=$2
# Normally a "v" is used before the version number, but support alternate cases
local prefix=${3:-"tags/v"}
# Some repositories use "_" instead of "." for version number part separation, support that
local separator=${4:-"."}
# Some tools release versions that omit the last digit (e.g. go)
local last_part_optional=${5:-"false"}
# Some repositories may have tags that include a suffix (e.g. actions/node-versions)
local version_suffix_regex=$6
# Try one break fix version number less if we get a failure. Use "set +e" since "set -e" can cause failures in valid scenarios.
set +e
major="$(echo "${current_version}" | grep -oE '^[0-9]+' || echo '')"
minor="$(echo "${current_version}" | grep -oP '^[0-9]+\.\K[0-9]+' || echo '')"
breakfix="$(echo "${current_version}" | grep -oP '^[0-9]+\.[0-9]+\.\K[0-9]+' 2>/dev/null || echo '')"
if [ "${minor}" = "0" ] && [ "${breakfix}" = "0" ]; then
((major=major-1))
declare -g ${variable_name}="${major}"
# Look for latest version from previous major release
find_version_from_git_tags "${variable_name}" "${repository}" "${prefix}" "${separator}" "${last_part_optional}"
# Handle situations like Go's odd version pattern where "0" releases omit the last part
elif [ "${breakfix}" = "" ] || [ "${breakfix}" = "0" ]; then
((minor=minor-1))
declare -g ${variable_name}="${major}.${minor}"
# Look for latest version from previous minor release
find_version_from_git_tags "${variable_name}" "${repository}" "${prefix}" "${separator}" "${last_part_optional}"
else
((breakfix=breakfix-1))
if [ "${breakfix}" = "0" ] && [ "${last_part_optional}" = "true" ]; then
declare -g ${variable_name}="${major}.${minor}"
else
declare -g ${variable_name}="${major}.${minor}.${breakfix}"
fi
fi
set -e
}
find_sentinel_version_from_url() {
local variable_name=$1
local requested_version=${!variable_name}
if [ "${requested_version}" = "none" ]; then return; fi
local repository=$2
if [ "$(echo "${requested_version}" | grep -o "." | wc -l)" != "2" ]; then
local prefix='sentinel_'
local regex="${prefix}\d.\d{2}.\d(?:-\w*)?"
local version_list="$(wget -q $2 -O - | grep -oP ${regex} | tr -d ${prefix} | sort -rV)"
if [ "${requested_version}" = "latest" ] || [ "${requested_version}" = "current" ] || [ "${requested_version}" = "lts" ]; then
declare -g ${variable_name}="$(echo "${version_list}" | head -n 1)"
else
set +e
declare -g ${variable_name}="$(echo "${version_list}" | grep -E -m 1 "^${requested_version//./\\.}([\\.\\s]|$)")"
set -e
fi
fi
if [ -z "${!variable_name}" ] || ! echo "${version_list}" | grep "^${!variable_name//./\\.}$" >/dev/null 2>&1; then
echo -e "Invalid ${variable_name} value: ${requested_version}\nValid values:\n${version_list}" >&2
exit 1
fi
echo "${variable_name}=${!variable_name}"
}
apt_get_update()
{
if [ "$(find /var/lib/apt/lists/* | wc -l)" = "0" ]; then
echo "Running apt-get update..."
apt-get update -y
fi
}
# Checks if packages are installed and installs them if not
check_packages() {
if ! dpkg -s "$@" > /dev/null 2>&1; then
apt_get_update
apt-get -y install --no-install-recommends "$@"
fi
}
# Function to fetch the version released prior to the latest version
get_previous_version() {
local url=$1
local repo_url=$2
local variable_name=$3
prev_version=${!variable_name}
output=$(curl -s "$repo_url");
# install jq
check_packages jq
message=$(echo "$output" | jq -r '.message')
if [[ $message == "API rate limit exceeded"* ]]; then
echo -e "\nAn attempt to find latest version using GitHub Api Failed... \nReason: ${message}"
echo -e "\nAttempting to find latest version using GitHub tags."
find_prev_version_from_git_tags prev_version "$url" "tags/v"
declare -g ${variable_name}="${prev_version}"
else
echo -e "\nAttempting to find latest version using GitHub Api."
version=$(echo "$output" | jq -r '.tag_name')
declare -g ${variable_name}="${version#v}"
fi
echo "${variable_name}=${!variable_name}"
}
get_github_api_repo_url() {
local url=$1
echo "${url/https:\/\/github.com/https:\/\/api.github.com\/repos}/releases/latest"
}
install_previous_version() {
given_version=$1
requested_version=${!given_version}
local URL=$2
INSTALLER_FN=$3
local REPO_URL=$(get_github_api_repo_url "$URL")
local PKG_NAME=$(get_pkg_name "${given_version}")
echo -e "\n(!) Failed to fetch the latest artifacts for ${PKG_NAME} v${requested_version}..."
get_previous_version "$URL" "$REPO_URL" requested_version
echo -e "\nAttempting to install ${requested_version}"
declare -g ${given_version}="${requested_version#v}"
$INSTALLER_FN "${!given_version}"
echo "${given_version}=${!given_version}"
}
install_cosign() {
COSIGN_VERSION=$1
local URL=$2
cosign_filename="/tmp/cosign_${COSIGN_VERSION}_${architecture}.deb"
cosign_url="https://github.com/sigstore/cosign/releases/latest/download/cosign_${COSIGN_VERSION}_${architecture}.deb"
curl -L "${cosign_url}" -o $cosign_filename
if grep -q "Not Found" "$cosign_filename"; then
echo -e "\n(!) Failed to fetch the latest artifacts for cosign v${COSIGN_VERSION}..."
REPO_URL=$(get_github_api_repo_url "$URL")
get_previous_version "$URL" "$REPO_URL" COSIGN_VERSION
echo -e "\nAttempting to install ${COSIGN_VERSION}"
cosign_filename="/tmp/cosign_${COSIGN_VERSION}_${architecture}.deb"
cosign_url="https://github.com/sigstore/cosign/releases/latest/download/cosign_${COSIGN_VERSION}_${architecture}.deb"
curl -L "${cosign_url}" -o $cosign_filename
fi
dpkg -i $cosign_filename
rm $cosign_filename
echo "Installation of cosign succeeded with ${COSIGN_VERSION}."
}
# Install 'cosign' for validating signatures
# https://docs.sigstore.dev/cosign/overview/
ensure_cosign() {
check_packages curl ca-certificates gnupg2
if ! type cosign > /dev/null 2>&1; then
echo "Installing cosign..."
COSIGN_VERSION="latest"
cosign_url='https://github.com/sigstore/cosign'
find_version_from_git_tags COSIGN_VERSION "${cosign_url}"
install_cosign "${COSIGN_VERSION}" "${cosign_url}"
fi
if ! type cosign > /dev/null 2>&1; then
echo "(!) Failed to install cosign."
exit 1
fi
cosign version
}
# Ensure apt is in non-interactive to avoid prompts
export DEBIAN_FRONTEND=noninteractive
# Install dependencies if missing
check_packages curl ca-certificates gnupg2 dirmngr coreutils unzip dnsutils
if ! type git > /dev/null 2>&1; then
check_packages git
fi
terraform_url='https://github.com/hashicorp/terraform'
tflint_url='https://github.com/terraform-linters/tflint'
terragrunt_url='https://github.com/gruntwork-io/terragrunt'
# Verify requested version is available, convert latest
find_version_from_git_tags TERRAFORM_VERSION "$terraform_url"
find_version_from_git_tags TFLINT_VERSION "$tflint_url"
find_version_from_git_tags TERRAGRUNT_VERSION "$terragrunt_url"
install_terraform() {
local TERRAFORM_VERSION=$1
terraform_filename="terraform_${TERRAFORM_VERSION}_linux_${architecture}.zip"
curl -sSL -o ${terraform_filename} "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/${terraform_filename}"
}
verify_signature() {
local gpg_key=$1
local sha256sums_url=$2
local sig_url=$3
local sha256sums_file=$4
local sig_file=$5
local verify_result=0
receive_gpg_keys "$gpg_key"
verify_result=$?
if [ $verify_result -ne 0 ] && [ "$IS_GPG_NEW" -eq 1 ]; then
echo "Skipping the gpg key validation for ubuntu noble as unable to import the key."
return 1
fi
curl -sSL -o "$sha256sums_file" "$sha256sums_url"
curl -sSL -o "$sig_file" "$sig_url"
# Try GPG verification, but don't fail on Noble
gpg --verify "$sig_file" "$sha256sums_file"
verify_result=$?
if [ $verify_result -ne 0 ]; then
echo "(!) GPG verification failed."
exit 1
fi
}
mkdir -p /tmp/tf-downloads
cd /tmp/tf-downloads
# Install Terraform, tflint, Terragrunt
echo "Downloading terraform..."
terraform_filename="terraform_${TERRAFORM_VERSION}_linux_${architecture}.zip"
install_terraform "$TERRAFORM_VERSION"
if grep -q "The specified key does not exist." "${terraform_filename}"; then
install_previous_version TERRAFORM_VERSION $terraform_url "install_terraform"
terraform_filename="terraform_${TERRAFORM_VERSION}_linux_${architecture}.zip"
fi
if [ "${TERRAFORM_SHA256}" != "dev-mode" ]; then
if [ "${TERRAFORM_SHA256}" = "automatic" ]; then
# For Ubuntu Noble, try GPG verification but continue if it fails
if [ "$IS_GPG_NEW" -eq 1 ]; then
echo "(*) Ubuntu Noble detected - attempting GPG verification with fallback..."
set +e
sha256sums_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS"
sig_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig"
verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "terraform_SHA256SUMS" "terraform_SHA256SUMS.sig"
verify_result=$?
set -e
if [ $verify_result -ne 0 ]; then
echo "(*) GPG verification failed on Ubuntu Noble, but continuing installation."
echo " Downloading checksums for basic integrity check..."
curl -sSL -o terraform_SHA256SUMS "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS"
fi
else
sha256sums_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS"
sig_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig"
verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "terraform_SHA256SUMS" "terraform_SHA256SUMS.sig"
fi
else
echo "${TERRAFORM_SHA256} *${terraform_filename}" > terraform_SHA256SUMS
fi
sha256sum --ignore-missing -c terraform_SHA256SUMS
fi
unzip ${terraform_filename}
mv -f terraform /usr/local/bin/
install_tflint() {
TFLINT_VERSION=$1
curl -sSL -o /tmp/tf-downloads/${TFLINT_FILENAME} https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/${TFLINT_FILENAME}
}
verify_tflint_attestations() {
local checksums=$1
local checksums_sha256=$(sha256sum "$checksums" | cut -d " " -f 1)
check_packages jq
curl -L -f "https://api.github.com/repos/terraform-linters/tflint/attestations/sha256:${checksums_sha256}" > attestation.json
curl_exit_code=$?
if [ $curl_exit_code -ne 0 ]; then
echo "(*) Failed to fetch GitHub Attestations for tflint checksums"
return 1
fi
jq ".attestations[].bundle" attestation.json > bundle.jsonl
gh at verify "$checksums" -R terraform-linters/tflint -b bundle.jsonl
}
if [ "${TFLINT_VERSION}" != "none" ]; then
echo "Downloading tflint..."
TFLINT_FILENAME="tflint_linux_${architecture}.zip"
install_tflint "$TFLINT_VERSION"
if grep -q "Not Found" "/tmp/tf-downloads/${TFLINT_FILENAME}"; then
install_previous_version TFLINT_VERSION "$tflint_url" "install_tflint"
fi
if [ "${TFLINT_SHA256}" != "dev-mode" ]; then
if [ "${TFLINT_SHA256}" != "automatic" ]; then
echo "${TFLINT_SHA256} *${TFLINT_FILENAME}" > tflint_checksums.txt
sha256sum --ignore-missing -c tflint_checksums.txt
else
curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt
# Attempt GitHub Attestation verification (0.51.1+)
set +e
verify_tflint_attestations tflint_checksums.txt
verify_result=$?
set -e
if [ $verify_result -eq 0 ]; then
sha256sum --ignore-missing -c tflint_checksums.txt
echo "(*) tflint_checksums.txt verified successfully using GitHub Attestation."
else
# Fallback to cosign verification
echo "(*) GitHub Attestation verification failed or not supported for this version, falling back to Cosign verification..."
set +e
curl -sSL -o checksums.txt.keyless.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig
set -e
# Check that checksums.txt.keyless.sig exists and is not empty
if [ -s checksums.txt.keyless.sig ]; then
# Validate checksums with cosign
curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem
ensure_cosign
cosign verify-blob \
--certificate=/tmp/tf-downloads/checksums.txt.pem \
--signature=/tmp/tf-downloads/checksums.txt.keyless.sig \
--certificate-identity-regexp="^https://github.com/terraform-linters/tflint" \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
/tmp/tf-downloads/tflint_checksums.txt
# Ensure that checksums.txt has $TFLINT_FILENAME
grep ${TFLINT_FILENAME} /tmp/tf-downloads/tflint_checksums.txt
# Validate downloaded file
sha256sum --ignore-missing -c tflint_checksums.txt
else
# Fallback to older, GPG-based verification (pre-0.47.0 of tflint)
curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig
curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}"
gpg -q --import tflint_key
gpg --verify tflint_checksums.txt.sig tflint_checksums.txt
fi
fi
fi
fi
unzip /tmp/tf-downloads/${TFLINT_FILENAME}
mv -f tflint /usr/local/bin/
fi
install_terragrunt() {
TERRAGRUNT_VERSION=$1
curl -sSL -o /tmp/tf-downloads/${terragrunt_filename} https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/${terragrunt_filename}
}
if [ "${TERRAGRUNT_VERSION}" != "none" ]; then
echo "Downloading Terragrunt..."
terragrunt_filename="terragrunt_linux_${architecture}"
install_terragrunt "$TERRAGRUNT_VERSION"
output=$(cat "/tmp/tf-downloads/${terragrunt_filename}")
if [[ $output == "Not Found" ]]; then
install_previous_version TERRAGRUNT_VERSION $terragrunt_url "install_terragrunt"
fi
if [ "${TERRAGRUNT_SHA256}" != "dev-mode" ]; then
if [ "${TERRAGRUNT_SHA256}" = "automatic" ]; then
curl -sSL -o terragrunt_SHA256SUMS https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/SHA256SUMS
else
echo "${TERRAGRUNT_SHA256} *${terragrunt_filename}" > terragrunt_SHA256SUMS
fi
sha256sum --ignore-missing -c terragrunt_SHA256SUMS
fi
chmod a+x /tmp/tf-downloads/${terragrunt_filename}
mv -f /tmp/tf-downloads/${terragrunt_filename} /usr/local/bin/terragrunt
fi
if [ "${INSTALL_SENTINEL}" = "true" ]; then
SENTINEL_VERSION="latest"
sentinel_releases_url="${HASHICORP_RELEASES_URL}/sentinel"
find_sentinel_version_from_url SENTINEL_VERSION ${sentinel_releases_url}
sentinel_filename="sentinel_${SENTINEL_VERSION}_linux_${architecture}.zip"
echo "(*) Downloading Sentinel... ${sentinel_filename}"
curl -sSL -o /tmp/tf-downloads/${sentinel_filename} ${sentinel_releases_url}/${SENTINEL_VERSION}/${sentinel_filename}
if [ "${SENTINEL_SHA256}" != "dev-mode" ]; then
if [ "${SENTINEL_SHA256}" = "automatic" ]; then
# For Ubuntu Noble, try GPG verification but continue if it fails
if [ "$IS_GPG_NEW" -eq 1 ]; then
echo "(*) Ubuntu Noble detected - attempting Sentinel GPG verification with fallback..."
set +e
sha256sums_url="${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS"
sig_url="${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig"
verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "sentinel_checksums.txt" "sentinel_checksums.txt.sig"
verify_result=$?
set -e
if [ $verify_result -ne 0 ]; then
echo "(*) GPG verification failed on Ubuntu Noble, but continuing installation."
echo " Downloading checksums for basic integrity check..."
curl -sSL -o sentinel_checksums.txt "${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS"
fi
else
sha256sums_url="${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS"
sig_url="${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig"
verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "sentinel_checksums.txt" "sentinel_checksums.txt.sig"
fi
# Verify the SHASUM matches the archive
shasum -a 256 --ignore-missing -c sentinel_checksums.txt
else
echo "${SENTINEL_SHA256} *${SENTINEL_FILENAME}" >sentinel_checksums.txt
fi
sha256sum --ignore-missing -c sentinel_checksums.txt
fi
unzip /tmp/tf-downloads/${sentinel_filename}
chmod a+x /tmp/tf-downloads/sentinel
mv -f /tmp/tf-downloads/sentinel /usr/local/bin/sentinel
fi
install_tfsec() {
local TFSEC_VERSION=$1
tfsec_filename="tfsec_${TFSEC_VERSION}_linux_${architecture}.tar.gz"
curl -sSL -o /tmp/tf-downloads/${tfsec_filename} https://github.com/aquasecurity/tfsec/releases/download/v${TFSEC_VERSION}/${tfsec_filename}
}
if [ "${INSTALL_TFSEC}" = "true" ]; then
TFSEC_VERSION="latest"
tfsec_url='https://github.com/aquasecurity/tfsec'
find_version_from_git_tags TFSEC_VERSION $tfsec_url
tfsec_filename="tfsec_${TFSEC_VERSION}_linux_${architecture}.tar.gz"
echo "(*) Downloading TFSec... ${tfsec_filename}"
install_tfsec "$TFSEC_VERSION"
if grep -q "Not Found" "/tmp/tf-downloads/${tfsec_filename}"; then
install_previous_version TFSEC_VERSION $tfsec_url "install_tfsec"
tfsec_filename="tfsec_${TFSEC_VERSION}_linux_${architecture}.tar.gz"
fi
if [ "${TFSEC_SHA256}" != "dev-mode" ]; then
if [ "${TFSEC_SHA256}" = "automatic" ]; then
curl -sSL -o tfsec_SHA256SUMS https://github.com/aquasecurity/tfsec/releases/download/v${TFSEC_VERSION}/tfsec_${TFSEC_VERSION}_checksums.txt
else
echo "${TFSEC_SHA256} *${tfsec_filename}" > tfsec_SHA256SUMS
fi
sha256sum --ignore-missing -c tfsec_SHA256SUMS
fi
mkdir -p /tmp/tf-downloads/tfsec
tar -xzf /tmp/tf-downloads/${tfsec_filename} -C /tmp/tf-downloads/tfsec
chmod a+x /tmp/tf-downloads/tfsec/tfsec
mv -f /tmp/tf-downloads/tfsec/tfsec /usr/local/bin/tfsec
fi
install_terraform_docs() {
local TERRAFORM_DOCS_VERSION=$1
tfdocs_filename="terraform-docs-v${TERRAFORM_DOCS_VERSION}-linux-${architecture}.tar.gz"
curl -sSL -o /tmp/tf-downloads/${tfdocs_filename} https://github.com/terraform-docs/terraform-docs/releases/download/v${TERRAFORM_DOCS_VERSION}/${tfdocs_filename}
}
if [ "${INSTALL_TERRAFORM_DOCS}" = "true" ]; then
TERRAFORM_DOCS_VERSION="latest"
terraform_docs_url='https://github.com/terraform-docs/terraform-docs'
find_version_from_git_tags TERRAFORM_DOCS_VERSION $terraform_docs_url
tfdocs_filename="terraform-docs-v${TERRAFORM_DOCS_VERSION}-linux-${architecture}.tar.gz"
echo "(*) Downloading Terraform docs... ${tfdocs_filename}"
install_terraform_docs "$TERRAFORM_DOCS_VERSION"
if grep -q "Not Found" "/tmp/tf-downloads/${tfdocs_filename}"; then
install_previous_version TERRAFORM_DOCS_VERSION $terraform_docs_url "install_terraform_docs"
tfdocs_filename="terraform-docs-v${TERRAFORM_DOCS_VERSION}-linux-${architecture}.tar.gz"
fi
if [ "${TERRAFORM_DOCS_SHA256}" != "dev-mode" ]; then
if [ "${TERRAFORM_DOCS_SHA256}" = "automatic" ]; then
curl -sSL -o tfdocs_SHA256SUMS https://github.com/terraform-docs/terraform-docs/releases/download/v${TERRAFORM_DOCS_VERSION}/terraform-docs-v${TERRAFORM_DOCS_VERSION}.sha256sum
else
echo "${TERRAFORM_DOCS_SHA256} *${tfsec_filename}" > tfdocs_SHA256SUMS
fi
sha256sum --ignore-missing -c tfdocs_SHA256SUMS
fi
mkdir -p /tmp/tf-downloads/tfdocs
tar -xzf /tmp/tf-downloads/${tfdocs_filename} -C /tmp/tf-downloads/tfdocs
chmod a+x /tmp/tf-downloads/tfdocs/terraform-docs
mv -f /tmp/tf-downloads/tfdocs/terraform-docs /usr/local/bin/terraform-docs
fi
rm -rf /tmp/tf-downloads ${GNUPGHOME}
# Clean up
rm -rf /var/lib/apt/lists/*
echo "Done!"